Compare commits

...

33 Commits

Author SHA1 Message Date
Rony 72402ce38b chg: [threat-actor] STORM ->> Storm 2024-04-26 19:15:47 +00:00
Rony e71398bbd5 Merge branch 'main' into fix 2024-04-27 00:31:16 +05:30
Rony 3d5c61a8ef fix: resolve conflict 2024-04-26 18:56:46 +00:00
Alexandre Dulaunoy e97c01101a Merge pull request #969 from Mathieu4141/threat-actors/74b921ec-6404-4d0c-b49b-169be387d1f9 [threat actors] add 2 actors 2024-04-26 20:05:16 +02:00
Mathieu4141 dd14938a49 [threat-actors] Add USDoD 2024-04-26 09:01:34 -07:00
Mathieu4141 2bf2bad2a9 [threat-actors] Add STORM-1849 2024-04-26 09:01:34 -07:00
Alexandre Dulaunoy c8c55a84b7 Merge pull request #968 from Delta-Sierra/main add Cisco Talos and more producers 2024-04-26 14:00:43 +02:00
Delta-Sierra 3c20f87966 add Cisco Talos and more producers 2024-04-26 12:30:25 +02:00
Alexandre Dulaunoy 5559aeee47 Merge pull request #965 from Delta-Sierra/main Creation new galaxy "entity" 2024-04-26 11:47:39 +02:00
Delta-Sierra 0e3bab72d9 Fix uuid 2024-04-26 11:39:43 +02:00
Delta-Sierra 177fadbc10 Add Arcane Door 2024-04-26 10:36:26 +02:00
Delta-Sierra de0b4145c9 Merge https://github.com/MISP/misp-galaxy 2024-04-24 14:56:01 +02:00
Delta-Sierra 9a2ec1c7e4 creation new galaxy entity 2024-04-24 14:51:59 +02:00
Alexandre Dulaunoy b4f90c7490 chg: [doc] index updated 2024-04-24 08:46:50 +02:00
Alexandre Dulaunoy 8c334c8f12 chg: [tidal] updated to the latest version 2024-04-24 08:43:19 +02:00
Alexandre Dulaunoy bac3ba7f49 chg: [sigma] Updated to the latest version 2024-04-24 08:34:56 +02:00
Alexandre Dulaunoy 29f419d590 chg: [mitre-attack] updated to the latest version ATT&CK v15 2024-04-24 08:19:40 +02:00
Christophe Vandeplas 3a4695a906 new: [interpol] INTERPOL Dark Web and Virtual Assets Taxonomies INTERPOL Dark Web and Virtual Assets Taxonomies 2024-04-23 11:30:30 +02:00
Christophe Vandeplas 285892c854 chg: [interpol] add Abuses together with Entities 2024-04-23 11:20:22 +02:00
Christophe Vandeplas 35d9b7bb67 fix: [interpol] use yaml.safe_load 2024-04-23 10:38:47 +02:00
Christophe Vandeplas 1651787577 Merge remote-tracking branch 'MISP/main' 2024-04-23 10:26:52 +02:00
Christophe Vandeplas 83ffa6fa6f new: [interpol] Addition of INTERPOL Darknet- and Cryptoasset Ecosystems taxonomy 2024-04-23 10:22:48 +02:00
Alexandre Dulaunoy 973eafb521 Merge pull request #962 from Mathieu4141/threat-actors/c453ff21-ff60-435c-b245-56e293d39bc0 [threat actors] Add 3 actors 2024-04-22 22:18:11 +02:00
Mathieu4141 2de3357ec0 [threat-actors] Add UAC-0149 2024-04-22 07:48:44 -07:00
Mathieu4141 337c21be5b [threat-actors] Add UTA0218 2024-04-22 07:48:44 -07:00
Mathieu4141 6ca498872a [threat-actors] Add GhostR 2024-04-22 07:48:44 -07:00
Christophe Vandeplas 9f1a8a7407 Merge pull request #955 from cvandeplas/main Added UK Health Security Agency Culture Collections 2024-04-22 09:42:04 +02:00
Christophe Vandeplas fbc6cfcac0 [UKHSA] fix: addressed duplicate issue 2024-04-22 09:09:57 +02:00
Christophe Vandeplas d7f25da68c Merge branch 'main' of https://github.com/cvandeplas/misp-galaxy 2024-04-22 08:24:26 +02:00
Christophe Vandeplas 7d5044ccaf fix: [ukhsa] fix duplicate entry 2024-03-29 19:31:14 +01:00
Christophe Vandeplas 43e543c3f9 new: [UKHSA] Added UK Health Security Agency Culture Collections 2024-03-29 14:45:34 +01:00
Christophe Vandeplas 1c0beeaecf new: [UKHSA] Added UK Health Security Agency Culture Collections 2024-03-29 14:45:13 +01:00
Christophe Vandeplas 91827dbe83 new: [tool] Generator for UK Health Security Agency Culture Collections 2024-03-29 14:43:41 +01:00
24 changed files with 205578 additions and 34859 deletions

23
.vscode/launch.json vendored Normal file
@ -0,0 +1,23 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "gen_interpol_dwvat",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"args": "-p ../../DW-VA-Taxonomy",
"cwd": "${fileDirname}"
},
{
"name": "Python Debugger: Current File",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"cwd": "${fileDirname}"
}
]
}
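Review bot: The "gen_interpol_dwvat" configuration sets "program": "${file}", so it debugs whichever file happens to be open rather than the generator its name suggests, and "args": "-p ../../DW-VA-Taxonomy" assumes a sibling checkout two levels above the working directory. Point "program" at the generator script explicitly and document where DW-VA-Taxonomy has to be cloned, or keep this per-developer launch file out of the repository.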

@ -6,7 +6,7 @@
MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or
attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There
are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy
are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy
but those can be overwritten, replaced, updated, forked and shared as you wish.
Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied
@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *24* elements
Category: *tool* - source: *Open Sources* - total: *28* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -211,6 +211,14 @@ Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_
[[HTML](https://www.misp-project.org/galaxy.html#_intelligence_agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)]
## INTERPOL DWVA Taxonomy
[INTERPOL DWVA Taxonomy](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy) - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.
Category: *dwva* - source: *https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/* - total: *94* elements
[[HTML](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva.json)]
## Malpedia
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
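Review bot: The description in the new INTERPOL DWVA Taxonomy entry reads "real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems", which mixes singular and plural. Suggest "actors and services that are part of the larger Darknet and Cryptoasset ecosystems", and if this index is generated, make the fix in the cluster or galaxy description it is built from so the two do not drift apart.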
@ -255,7 +263,7 @@ Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-nav
[Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1124* elements
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1141* elements
[[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)]
@ -263,7 +271,7 @@ Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *11
[Course of Action](https://www.misp-project.org/galaxy.html#_course_of_action) - ATT&CK Mitigation
Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *280* elements
Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *281* elements
[[HTML](https://www.misp-project.org/galaxy.html#_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)]
@ -271,7 +279,7 @@ Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *
[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources.
Category: *data-component* - source: *https://github.com/mitre/cti* - total: *116* elements
Category: *data-component* - source: *https://github.com/mitre/cti* - total: *117* elements
[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)]
@ -375,7 +383,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in
[Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group
Category: *actor* - source: *https://github.com/mitre/cti* - total: *157* elements
Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elements
[[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)]
@ -383,7 +391,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *157* elemen
[Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software
Category: *tool* - source: *https://github.com/mitre/cti* - total: *671* elements
Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)]
@ -495,7 +503,7 @@ Category: *actor* - source: *MISP Project* - total: *15* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1705* elements
Category: *tool* - source: *Various* - total: *1706* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -535,7 +543,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2840* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2876* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -575,7 +583,7 @@ Category: *actor* - source: *MISP Project* - total: *50* elements
[Target Information](https://www.misp-project.org/galaxy.html#_target_information) - Description of targets of threat actors.
Category: *target* - source: *Various* - total: *240* elements
Category: *target* - source: *Various* - total: *241* elements
[[HTML](https://www.misp-project.org/galaxy.html#_target_information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)]
@ -599,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *644* elements
Category: *actor* - source: *MISP Project* - total: *671* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -615,7 +623,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns
[Tidal Groups](https://www.misp-project.org/galaxy.html#_tidal_groups) - Tidal Groups Galaxy
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *441* elements
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *163* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
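Review bot: The Tidal Groups total drops from *441* to *163* elements here, and the Tidal Software and Tidal Technique hunks further down show similar drops (*1386* to *931*, *625* to *201*). The commit list only says "chg: [tidal] updated to the latest version", so please confirm these removals reflect an intended upstream change and not a truncated pull from the API, and note what happens to events already tagged with the removed clusters.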
@ -623,7 +631,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
[Tidal References](https://www.misp-project.org/galaxy.html#_tidal_references) - Tidal References Cluster
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *3848* elements
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *3872* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@ -631,7 +639,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
[Tidal Software](https://www.misp-project.org/galaxy.html#_tidal_software) - Tidal Software Cluster
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1386* elements
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *931* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
@ -647,7 +655,7 @@ Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - t
[Tidal Technique](https://www.misp-project.org/galaxy.html#_tidal_technique) - Tidal Technique Cluster
Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *625* elements
Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *201* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)]
@ -663,7 +671,7 @@ Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-stora
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *596* elements
Category: *tool* - source: *MISP Project* - total: *603* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
@ -675,11 +683,17 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
## UKHSA Culture Collections
# Online documentation
[UKHSA Culture Collections](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]
# Online documentation
The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
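Review bot: The new UKHSA Culture Collections entry is listed with Category: *virus*, while its own description covers "cell lines and microbial strains of known provenance". A category that matches the full scope of the 6667 elements would avoid analysts filtering on "virus" and getting cell lines and bacteria back.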

34
clusters/entity.json Normal file
@ -0,0 +1,34 @@
{
"authors": [
"Various"
],
"category": "actor",
"description": "Description of entities that can be involved in events.",
"name": "Entity",
"source": "MISP Project",
"type": "entity",
"uuid": "cd80fe0d-b905-449c-89f5-9a6b0ea09fc3",
"values": [
{
"description": "An individual involved in an event.",
"uuid": "e3983732-c670-4ea1-a28e-1f60bb3d74b7",
"value": "Individual"
},
{
"description": "A group involved in an event.",
"uuid": "d32a81f3-ed96-4bb0-a6b2-37efbeaa8cc0",
"value": "Group"
},
{
"description": "A employee involved in an event.",
"uuid": "35afacc1-8b9d-41b2-b90e-d2e2b2602aa9",
"value": "Employee"
},
{
"description": "A structure involved in an event.",
"uuid": "019a12dc-5325-4672-82b2-56558b661fe8",
"value": "Structure"
}
],
"version": 1
}
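Review bot: In the "Employee" value the description reads "A employee involved in an event."; it should be "An employee". The four descriptions also only restate the value name, so a sentence on how "Group" differs from "Structure" would help analysts choose between them, and "category": "actor" deserves a second look given the galaxy describes entities involved in events, not only adversaries.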

1005
clusters/interpol-dwva.json Normal file

File diff suppressed because it is too large Load Diff

@ -179,6 +179,10 @@
"dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
"type": "detects"
},
{
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"type": "detects"
},
{
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
"type": "detects"
@ -199,6 +203,10 @@
"dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99",
"type": "detects"
},
{
"dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
"type": "detects"
},
{
"dest-uuid": "d50955c2-272d-4ac8-95da-10c29dda1c48",
"type": "detects"
@ -867,6 +875,10 @@
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
"type": "detects"
},
{
"dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
"type": "detects"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"type": "detects"
@ -1051,6 +1063,10 @@
"dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
"type": "detects"
},
{
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"type": "detects"
},
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"type": "detects"
@ -1099,6 +1115,10 @@
"dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
"type": "detects"
},
{
"dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
"type": "detects"
},
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"type": "detects"
@ -1115,6 +1135,10 @@
"dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
"type": "detects"
},
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"type": "detects"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"type": "detects"
@ -2487,6 +2511,10 @@
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
"type": "detects"
},
{
"dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
"type": "detects"
},
{
"dest-uuid": "e52d89f9-1710-4708-88a5-cbef77c4cd5e",
"type": "included-in"
@ -2494,6 +2522,10 @@
{
"dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
"type": "detects"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"type": "detects"
}
],
"uuid": "e52d89f9-1710-4708-88a5-cbef77c4cd5e",
@ -2877,6 +2909,10 @@
"dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
"type": "detects"
},
{
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
"type": "detects"
},
{
"dest-uuid": "cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8",
"type": "detects"
@ -2921,6 +2957,10 @@
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "detects"
},
{
"dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
"type": "detects"
},
{
"dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5",
"type": "detects"
@ -3601,6 +3641,24 @@
"uuid": "b9a1578e-8653-4103-be23-cb52e0b1816e",
"value": "Named Pipe Metadata"
},
{
"description": "Additional assets included with an application",
"meta": {
"refs": []
},
"related": [
{
"dest-uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
"type": "included-in"
},
{
"dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002",
"type": "detects"
}
],
"uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
"value": "Application Assets"
},
{
"description": "API calls utilized by an application that could indicate malicious activity",
"meta": {
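Review bot: The new "Application Assets" entry has an "included-in" relation whose "dest-uuid" is 613788f2-ad72-43f5-b5f7-a93e2adc70fa, the same value as the entry's own "uuid", so the relation points back at itself. The e52d89f9-1710-4708-88a5-cbef77c4cd5e entry in the hunks at -2487 and -2494 shows the same pattern, which suggests the generator emits it; "included-in" should presumably target the parent data source's uuid. The entry also ships with an empty "refs": [] list.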
@ -4153,6 +4211,10 @@
"refs": []
},
"related": [
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"type": "detects"
},
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"type": "detects"
@ -4180,6 +4242,10 @@
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"type": "detects"
},
{
"dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a",
"type": "detects"
}
],
"uuid": "a5ae90ca-0c4b-481c-959f-0eb18a7ff953",
@ -4539,6 +4605,10 @@
"dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
"type": "detects"
},
{
"dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5",
"type": "detects"
},
{
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"type": "detects"
@ -4663,6 +4733,10 @@
"dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"type": "detects"
},
{
"dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3",
"type": "detects"
},
{
"dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054",
"type": "detects"
@ -5039,6 +5113,10 @@
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"type": "detects"
},
{
"dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a",
"type": "detects"
},
{
"dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb",
"type": "detects"
@ -5275,6 +5353,14 @@
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "detects"
},
{
"dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
"type": "detects"
},
{
"dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
"type": "detects"
},
{
"dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d",
"type": "detects"
@ -5385,6 +5471,14 @@
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
"type": "detects"
},
{
"dest-uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9",
"type": "detects"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"type": "detects"
},
{
"dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32",
"type": "detects"
@ -5397,6 +5491,10 @@
"dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3",
"type": "detects"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "detects"
},
{
"dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
"type": "detects"
@ -5477,6 +5575,10 @@
"dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
"type": "detects"
},
{
"dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8",
"type": "detects"
},
{
"dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0",
"type": "detects"
@ -5553,6 +5655,10 @@
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
"type": "detects"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "detects"
},
{
"dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979",
"type": "detects"
@ -5597,6 +5703,10 @@
"dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
"type": "detects"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "detects"
},
{
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
"type": "detects"
@ -6123,6 +6233,10 @@
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
"type": "detects"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"type": "detects"
},
{
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
"type": "detects"
@ -6239,6 +6353,10 @@
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "detects"
},
{
"dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8",
"type": "detects"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"type": "detects"
@ -6263,6 +6381,14 @@
"dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
"type": "detects"
},
{
"dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5",
"type": "detects"
},
{
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"type": "detects"
},
{
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"type": "detects"
@ -6383,6 +6509,10 @@
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"type": "detects"
},
{
"dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3",
"type": "detects"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"type": "detects"
@ -6447,6 +6577,10 @@
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
"type": "detects"
},
{
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
"type": "detects"
},
{
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
"type": "detects"
@ -6487,6 +6621,10 @@
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "detects"
},
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"type": "detects"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"type": "detects"
@ -6891,6 +7029,14 @@
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"type": "detects"
},
{
"dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
"type": "detects"
},
{
"dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
"type": "detects"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"type": "detects"
@ -6919,6 +7065,10 @@
"dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
"type": "detects"
},
{
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "detects"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "detects"
@ -7033,6 +7183,10 @@
"dest-uuid": "0dcbbf4f-929c-489a-b66b-9b820d3f7f0e",
"type": "included-in"
},
{
"dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869",
"type": "detects"
},
{
"dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096",
"type": "detects"
@ -7121,6 +7275,10 @@
"dest-uuid": "e5d550f3-2202-4634-85f2-4a200a1d49b3",
"type": "detects"
},
{
"dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
"type": "detects"
},
{
"dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
"type": "detects"
@ -7595,6 +7753,10 @@
"dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
"type": "detects"
},
{
"dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
"type": "detects"
},
{
"dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
"type": "detects"
@ -7895,6 +8057,10 @@
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "detects"
},
{
"dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
"type": "detects"
},
{
"dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
"type": "detects"
@ -7961,6 +8127,10 @@
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
"type": "detects"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "detects"
},
{
"dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847",
"type": "detects"
@ -8593,6 +8763,10 @@
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"type": "detects"
},
{
"dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
"type": "detects"
},
{
"dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d",
"type": "detects"
@ -8743,6 +8917,10 @@
"dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd",
"type": "detects"
},
{
"dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
"type": "detects"
},
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"type": "detects"
@ -9017,6 +9195,10 @@
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"type": "detects"
},
{
"dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8",
"type": "detects"
},
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"type": "detects"
@ -9452,6 +9634,10 @@
{
"dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5",
"type": "detects"
},
{
"dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
"type": "detects"
}
],
"uuid": "1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da",
@ -9763,6 +9949,10 @@
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
"type": "detects"
},
{
"dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
"type": "detects"
},
{
"dest-uuid": "498e7b81-238d-404c-aa5e-332904d63286",
"type": "detects"
@ -9811,6 +10001,10 @@
"dest-uuid": "b1e0bb80-23d4-44f2-b919-7e9c54898f43",
"type": "included-in"
},
{
"dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80",
"type": "detects"
},
{
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
"type": "detects"
@ -10058,5 +10252,5 @@
"value": "System Settings"
}
],
"version": 1
"version": 2
}

@ -225,6 +225,10 @@
"dest-uuid": "5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
"type": "includes"
},
{
"dest-uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
"type": "includes"
},
{
"dest-uuid": "6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
"type": "includes"
@ -1251,5 +1255,5 @@
"value": "Certificate - DS0037"
}
],
"version": 1
"version": 2
}

File diff suppressed because it is too large Load Diff

@ -29,13 +29,6 @@
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
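Review bot: The removed "uses" relation targets 0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22, which differs from the retained 65f2d882-3f41-4d48-8a06-29af77ec9f90 entry above it, so this deletes a relationship rather than a duplicate. Please state in the commit message why the link is dropped, since the same dest-uuid is removed again in several later hunks of this file and anything pivoting on that relation will silently lose it.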
@ -211,13 +204,6 @@
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
},
{
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
@ -395,13 +381,6 @@
{
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
@ -423,13 +402,6 @@
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
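Review bot: Here the removed block has the same "dest-uuid" (707399d6-ab3e-4963-9315-d9d3818cd6a0) as the relation that stays, so the cleanup is a de-duplication, but the copy being deleted is the only one carrying the estimative-language:likelihood-probability="almost-certain" tag. If consumers rely on that confidence tag, keep it on the surviving entry instead of dropping it with the duplicate.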
@ -526,13 +498,6 @@
{
"dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@ -575,13 +540,6 @@
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
@ -666,13 +624,6 @@
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
@ -708,13 +659,6 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
@ -743,13 +687,6 @@
{
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
@ -768,13 +705,6 @@
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
@ -799,13 +729,6 @@
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
@ -828,13 +751,6 @@
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
@ -853,13 +769,6 @@
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
@ -931,13 +840,6 @@
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
@ -972,6 +874,10 @@
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
@ -1012,10 +918,6 @@
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"type": "uses"
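Review bot: The b3d682b6-98f2-4fb0-aa3b-b4df007ca70a target is dropped here while the previous hunk adds 0d91b3c0-5e50-47c3-949a-2a796f04d144 to what appears to be the same relationship list, and the same add/remove pair shows up twice more further down. That reads like one target UUID being substituted for another. If that is the intent, say so in the commit message and check that no other cluster still points at b3d682b6-98f2-4fb0-aa3b-b4df007ca70a, otherwise those relationships will dangle.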
@ -1076,13 +978,6 @@
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
@ -1131,13 +1026,6 @@
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
@ -1175,20 +1063,6 @@
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
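Review bot: Two entries are removed at the end of this list, and the first is not a "uses" link: it is a "type": "similar" relationship to 3e205e84-9f90-4b4b-8896-c82189936a15 tagged with likelihood "likely". The second removal repeats the e6919abc-99f9-4c6c-95a5-14761e7b2add entry kept above it and is a plain duplicate, but the "similar" link is different information. A later hunk in this file (the one ending at uuid 102c3898-85e0-43ee-ae28-62a0a3ed9507) keeps its tagged "similar" entry, so please confirm that this one is removed deliberately and not swept up with the duplicates.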
@ -1226,13 +1100,6 @@
{
"dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed",
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
@ -1269,13 +1136,6 @@
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
@ -1454,13 +1314,6 @@
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
@ -1474,9 +1327,9 @@
"Windows"
],
"refs": [
"http://windowsitpro.com/windows/netexe-reference",
"https://attack.mitre.org/software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914"
"https://msdn.microsoft.com/en-us/library/aa939914",
"https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
@ -1543,13 +1396,6 @@
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
@ -1723,13 +1569,6 @@
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
@ -1759,13 +1598,6 @@
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
@ -1890,13 +1722,6 @@
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
@ -1918,13 +1743,6 @@
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
@ -1946,13 +1764,6 @@
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
@ -1984,13 +1795,6 @@
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
@ -2016,13 +1820,6 @@
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
@ -2047,13 +1844,6 @@
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
@ -2079,13 +1869,6 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
@ -2153,13 +1936,6 @@
{
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
@ -2290,13 +2066,6 @@
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
@ -2315,13 +2084,6 @@
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
@ -2586,13 +2348,6 @@
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
@ -2690,13 +2445,6 @@
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
@ -2723,13 +2471,6 @@
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
@ -2795,13 +2536,6 @@
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
@ -2936,13 +2670,6 @@
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
@ -2968,13 +2695,6 @@
{
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
"type": "uses"
},
{
"dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
@ -3000,6 +2720,10 @@
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
@ -3016,10 +2740,6 @@
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
@ -3089,13 +2809,6 @@
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
@ -3194,13 +2907,6 @@
{
"dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d",
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
@ -3219,13 +2925,6 @@
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "uses"
},
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
@ -3244,13 +2943,6 @@
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "uses"
},
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
@ -3395,13 +3087,6 @@
{
"dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"type": "uses"
},
{
"dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
@ -3976,13 +3661,6 @@
{
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
@ -4328,6 +4006,10 @@
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "uses"
@ -4356,10 +4038,6 @@
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
@ -5248,5 +4926,5 @@
"value": "Mythic - S0699"
}
],
"version": 31
"version": 32
}

View File

@ -306,7 +306,162 @@
},
"uuid": "8a22c0b2-d05f-4142-ab74-ffdf38fe4758",
"value": "Team Cymru"
},
{
"description": "G Data CyberDefense AG (until September 2019 G Data Software AG) is a German software company that focuses on computer security.",
"meta": {
"company-type": [
"Computer software"
],
"country": "DE",
"official-refs": [
"https://www.gdata-software.com",
"https://www.gdatasoftware.co.uk"
],
"product-type": [
"Antivirus software",
"Mobile Device Management"
],
"products": [
"AntiVirus",
"InternetSecurity",
"TotalSecurity",
"AntiVirus for Mac",
"AntiVirus Business",
"AntiVirus Enterprise",
"ClientSecurity Business",
"ClientSecurity Enterprise",
"EndpointProtection Business",
"EndpointProtection Enterprise",
"MailSecurity",
"PatchManagement",
"Mobile Security",
"VPN"
],
"refs": [
"https://en.wikipedia.org/wiki/G_Data_CyberDefense"
],
"synonyms": [
"GDATA",
"G Data CyberDefense AG",
"G Data Software AG"
]
},
"uuid": "2b69f676-c875-4000-8350-5f162e69d908",
"value": "G DATA"
},
{
"description": "Sekoia.io is a European cybersecurity SAAS company, whose mission is to develop the best protection capabilities against cyber attacks.",
"meta": {
"company-type": [
"Cyber Security Vendor"
],
"country": "FR",
"official-refs": [
"https://www.sekoia.io"
],
"product-type": [
"eXtended Detection and Response SaaS platform"
],
"products": [
"SIEM RELOADED | Sekoia Defend",
"CTI RELOADED"
]
},
"uuid": "6c9ef130-7cf6-4eeb-9e65-46228fc5e30c",
"value": "Sekoia"
},
{
"description": "Excellium Services Group is a cyber-security consulting and technology Integration Company established since 2012 in Luxemburg and Belgium, with activities and in France and Africa.",
"meta": {
"company-type": [
"Cyber-security consulting and technology Integration Company",
"CSIRT"
],
"country": "LU",
"official-refs": [
"https://excellium-services.com"
],
"product-type": [
"CERT-XLM",
"SOC",
"GDPR Services",
"Information Security Governance",
"Intrusion Tests Red Team (Application Security Team)",
"Network & Security Infrastructure",
"Training"
],
"products": [
"EyeGuard",
"EyeTools",
"EyeDeep",
"EyeTLD",
"EyeNotify"
]
},
"uuid": "73ae2776-3700-4120-84ae-7e9785e6071b",
"value": "Excellium"
},
{
"description": "Telindus is a brand of Proximus Luxembourg SA. Founded in 1979, Telindus Luxembourg accompanies all organizations in their digital transformation, by providing holistic ICT & Telecommunication solutions, as well as tailored support services. Our areas of expertise include Telecommunication Services, ICT Infrastructure, Multi-Cloud, Digital Trust Solutions, Cybersecurity, Business Applications, Managed Services and Training.",
"meta": {
"company-type": [
"Service Provider"
],
"country": "LU",
"official-refs": [
"https://www.telindus.lu/en"
],
"product-type": [
"Ethical Hacking",
"Infrastructure Security",
"Managed Security Services",
"Protection, Detection and Orchestration",
"Security Operations Center",
"Strategy, risk, management and advice",
"ICT solutions",
"Telecoms",
"Cloud"
]
},
"uuid": "4155eec3-fae2-4e80-a9a6-89b0f976851a",
"value": "Telindus"
},
{
"description": "Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.",
"meta": {
"company-type": [
"Technology news and computer help"
],
"country": "US",
"official-refs": [
"https://www.bleepingcomputer.com/"
],
"product-type": [
"Security and Technology Blog Posts"
],
"refs": [
"https://en.wikipedia.org/wiki/Bleeping_Computer"
]
},
"uuid": "ec3fb9b0-4f24-4099-ad48-3e8f68e88275",
"value": "BleepingComputer"
},
{
"description": "",
"meta": {
"country": "US",
"refs": [
"https://talosintelligence.com/",
"https://blog.talosintelligence.com/"
],
"synonyms": [
"Cisco Talos"
]
},
"uuid": "0adf6f0f-3795-4de1-9763-1bdd1c31a5d7",
"value": "Cisco Talos Intelligence Group"
}
],
"version": 4
"version": 6
}
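Review bot: The last entry added, "Cisco Talos Intelligence Group", ships with "description": "" and has none of the company-type, official-refs or product-type keys that the five entries added above it carry. Please fill in at least a one-line description and list https://talosintelligence.com/ under official-refs for consistency. Also in this hunk: the Excellium description reads "with activities and in France and Africa" (stray "and"), the Telindus description is first-person marketing copy ("Our areas of expertise include ..."), and the version moves from 4 to 6, which is fine only if two separate commits each bumped it.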

File diff suppressed because it is too large Load Diff

View File

@ -15863,7 +15863,76 @@
},
"uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3",
"value": "Earth Freybug"
},
{
"description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.",
"meta": {
"refs": [
"https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html",
"https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web"
]
},
"uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd",
"value": "GhostR"
},
{
"description": "UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.",
"meta": {
"refs": [
"https://www.enigmasoftware.com/cve20243400vulnerability-removal/",
"https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
]
},
"uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
"value": "UTA0218"
},
{
"description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
"meta": {
"refs": [
"https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
"https://cert.gov.ua/article/6277849"
]
},
"uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
"value": "UAC-0149"
},
{
"description": "ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
]
},
"uuid": "97a10d3b-5cb5-4df9-856c-515994f3e953",
"value": "ArcaneDoor"
},
{
"description": "UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants called \"Line Runner\" and \"Line Dancer.\" The actor demonstrated a deep understanding of Cisco systems, utilized anti-forensic measures, and took deliberate steps to evade detection. UAT4356's sophisticated attack chain allowed them to conduct malicious actions such as configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement on compromised devices.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
],
"synonyms": [
"UAT4356"
]
},
"uuid": "3d94ef07-9fd6-4d64-bf1e-f1316f2686a4",
"value": "Storm-1849"
},
{
"description": "USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.",
"meta": {
"refs": [
"https://www.hackread.com/us-environmental-protection-agency-hacked-data-leaked/",
"https://www.cysecurity.news/2023/09/transunion-refutes-data-breach-reports.html",
"https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/",
"https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/"
]
},
"uuid": "d6882fb9-d1e4-4cec-889c-5423c772d199",
"value": "USDoD"
}
],
"version": 307
"version": 308
}
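Review bot: "ArcaneDoor" is added as its own value although its description calls it a campaign, and the next entry, "Storm-1849", describes the actor behind "a campaign named ArcaneDoor" and cites the same single Talos reference, so consumers get two unlinked clusters for one intrusion set. Either drop the ArcaneDoor entry from this list or add a relationship entry (dest-uuid plus type, as used elsewhere in this comparison) tying the two together. The ArcaneDoor description is also pasted vendor prose in the first person ("we have seen a dramatic and sustained increase") and should be rewritten as a neutral summary, and the GhostR description spells the name "Ghostr".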

File diff suppressed because it is too large Load Diff

File diff suppressed because one or more lines are too long

9
galaxies/entity.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "Description of entities that can be involved in events.",
"icon": "user",
"name": "Entity",
"namespace": "misp",
"type": "entity",
"uuid": "f1b42b47-778f-4e50-bda5-969ee7f9029f",
"version": 1
}

View File

@ -0,0 +1,27 @@
{
"description": "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
"icon": "user-secret",
"kill_chain_order": {
"Abuses": [
"Concept"
],
"Entities": [
"Actor",
"Asset",
"Authorities",
"Cryptocurrency",
"Dark_Web",
"Generic",
"Infrastructure",
"Process",
"Service",
"Technology",
"Wallet"
]
},
"name": "INTERPOL DWVA Taxonomy",
"namespace": "interpol",
"type": "dwva",
"uuid": "a375d7fd-0a3e-41cf-a531-ef56033df967",
"version": 1
}

View File

@ -0,0 +1,9 @@
{
"description": "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
"icon": "virus",
"name": "UKHSA Culture Collections",
"namespace": "gov.uk",
"type": "ukhsa-culture-collections",
"uuid": "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
"version": 1
}

163
tools/gen_interpol_dwvat.py Executable file
View File

@ -0,0 +1,163 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple convertor of the Interpol Dark Web and Virtual Assets Taxonomies to a MISP Galaxy datastructure.
# https://github.com/INTERPOL-Innovation-Centre/DW-VA-Taxonomy
# Copyright (C) 2024 Christophe Vandeplas
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import yaml
import os
import uuid
import re
import json
import argparse
parser = argparse.ArgumentParser(description='Create/update the Interpol Dark Web and Virtual Assets Taxonomies based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'DW-VA-Taxonomy' git clone folder")
args = parser.parse_args()
if not os.path.exists(args.path):
exit("ERROR: DW-VA-Taxonomy folder incorrect")
'''
contains _data folder with
- abuses.yaml - simple taxonomy
- entities.yaml - matrix like taxonomy
'''
try:
with open(os.path.join('..', 'galaxies', 'interpol-dwva.json'), 'r') as f:
json_galaxy = json.load(f)
except FileNotFoundError:
json_galaxy = {
'icon': "user-secret",
'kill_chain_order': {
'Entities': [],
'Abuses': ['Concept']
},
'name': "INTERPOL DWVA Taxonomy",
'description': "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
'namespace': "interpol",
'type': "dwva",
'uuid': "a375d7fd-0a3e-41cf-a531-ef56033df967",
'version': 1
}
try:
with open(os.path.join('..', 'clusters', 'interpol-dwva.json'), 'r') as f:
json_cluster = json.load(f)
except FileNotFoundError:
json_cluster = {
'authors': ["INTERPOL Darkweb and Virtual Assets Working Group"],
'category': 'dwva',
'name': "INTERPOL DWVA Taxonomy",
'description': "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
'source': 'https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/',
'type': "dwva",
'uuid': "b15898ba-a923-4916-856c-0dfe8b174196",
'values': [],
'version': 1
}
tactics = set()
clusters_dict = {}
# FIXME create dict for the existing clusters, so we can update the clusters without losing the relations
#
# Entities
#
with open(os.path.join(args.path, '_data', 'entities.yaml'), 'r') as f:
entities_data = yaml.safe_load(f)
# build a broader concept list so we can ignore them later on
broaders = set()
for section in entities_data:
try:
broaders.add(entities_data[section]['broader'])
except KeyError:
pass
# the Entities
for section in entities_data:
item = entities_data[section]
if item['type'] == 'concept':
if item['id'] in broaders: # skip the broader concepts
continue
if 'broader' not in item:
item['broader'] = 'generic'
tactics.add(item['broader'].title())
value = item['prefLabel']
clusters_dict[value] = {
'value': value,
'description': item['description'],
'uuid': str(uuid.uuid5(uuid.UUID("d0ceebc2-877b-4873-9785-d00f279ccb45"), value)),
'meta': {
'kill_chain': [f"Entities:{item['broader'].title()}"],
}
}
try:
clusters_dict[value]['meta']['refs'] = [item['seeAlso']]
except KeyError:
pass
#
# Abuses
#
with open(os.path.join(args.path, '_data', 'abuses.yaml'), 'r') as f:
entities_data = yaml.safe_load(f)
for section in entities_data:
item = entities_data[section]
if item['type'] == 'concept':
value = item['prefLabel']
clusters_dict[value] = {
'value': value,
'description': item['description'],
'uuid': str(uuid.uuid5(uuid.UUID("d0ceebc2-877b-4873-9785-d00f279ccb45"), value)),
'meta': {
'kill_chain': [f"Abuses:Concept"],
}
}
try:
clusters_dict[value]['meta']['refs'] = [item['seeAlso']]
except KeyError:
pass
#
# Finally transform dict to list
#
clusters = []
for item in clusters_dict.values():
clusters.append(item)
json_cluster['values'] = clusters
json_galaxy['kill_chain_order']['Entities'] = sorted(list(tactics))
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'interpol-dwva.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', 'interpol-dwva.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
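Review bot: The Abuses loop writes into the same clusters_dict, keyed by prefLabel, and derives its UUIDs from the same namespace d0ceebc2-877b-4873-9785-d00f279ccb45 as the Entities loop, so an abuse whose prefLabel matches an entity silently replaces that entity, and the two would share a UUID in any case. Key the dict on the section plus prefLabel, or fold the "Abuses"/"Entities" prefix into the uuid5 name. When an existing clusters/interpol-dwva.json is loaded, 'values' is replaced but 'version' is never incremented, and the FIXME confirms that relations added by hand are lost on regeneration. The output paths are built from '..' relative to the current working directory, so the script only works when started from tools/; resolving them from os.path.dirname(__file__) would remove that dependency. Minor: f"Abuses:Concept" is an f-string with no placeholders.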

View File

@ -0,0 +1,142 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# A simple convertor of the UK Health Security Agency Culture Collections
# to a MISP Galaxy datastructure.
# Copyright (C) 2024 MISP Project
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import json
import requests
import uuid
'''
From https://www.culturecollections.org.uk/search/?searchScope=Product&pageNumber=1&filter.collectionGroup=0&filter.collection=0&filter.sorting=DateCreated
JSON is loaded, needs to be paginated
Culturecollections.org.uk is published under the Open Government Licence, allowing the reproduction of information as
long as the license terms are obeyed. Material on this website is subject to Crown copyright protection unless otherwise
indicated. Users should be aware that information provided to third parties through feeds may be edited or cached, and
we do not guarantee the accuracy of such third-party products.
https://www.culturecollections.org.uk/training-and-support/policies/terms-and-conditions-of-use/
The Culture Collections represent deposits of cultures from world-wide sources. While every effort is made to ensure
details distributed by Culture Collections are accurate, Culture Collections cannot be held responsible for any
inaccuracies in the data supplied. References where quoted are mainly attributed to the establishment of the cell
culture and not for any specific property of the cell line, therefore further references should be obtained regarding
cell culture characteristics. Passage numbers where given act only as a guide and Culture Collections does not guarantee
the passage number stated will be the passage number received by the customer.
'''
def download_items():
data = {'items': [],
'collections': {},
'collection_groups': {}}
page_number = 1
page_number_max = None
while True:
url = 'https://www.culturecollections.org.uk/umbraco/api/searchApi/getSearchResults?searchParams={"searchText":"","searchScope":"Product","pageNumber":' + str(page_number) + ',"filter":{"collectionGroup":"0","collection":"0","facets":{},"sorting":"DateCreated"}}'
page_resp = requests.get(url)
page_resp.encoding = 'utf-8-sig'
page_data = page_resp.json()
page_number_max = page_data['pagination']['totalPages']
for c in page_data['filter']['collections']['aggregationItems']:
data['collections'][int(c['value'])] = c['title']
for cg in page_data['filter']['collectionGroups']['aggregationItems']:
data['collection_groups'][int(cg['value'])] = cg['title']
for item in page_data['items']:
item['collection'] = data['collections'][item['collectionId']]
data['items'].extend(page_data['items'])
print(f"Fetching page {page_number}/{page_number_max}: ", end="")
print(f"items size is now {len(data['items'])} as I extended with {len(page_data['items'])} items.")
if page_number >= page_number_max:
break
page_number += 1
return data
def save_items(d):
with open('items.json', 'w') as f:
json.dump(d, f, indent=2, sort_keys=True)
return True
def load_saved_items():
with open('items.json', 'r') as f:
d = json.load(f)
return d
data = download_items()
# save_items(data)
# data = load_saved_items()
clusters_dict = {}
for item in data['items']:
# create a cluster
cluster = {
'value': f"{item['name']}",
'uuid': str(uuid.uuid5(uuid.UUID("bbe11c06-1d6a-477e-88f1-cdda2d71de56"), item['name'])),
'meta': {
'refs': [item['url']],
'external_id': [item['catalogueNumber']]
}
}
# add all properties of the culture
for p in item['properties']:
if p['value']:
p_name = p['name'].lower().replace(' ', '_')
if p['name'] not in cluster['meta']:
cluster['meta'][p_name] = []
cluster['meta'][p_name].append(p['value'])
# merge if the collection already exists
if cluster['value'] in clusters_dict:
clusters_dict[cluster['value']]['meta']['refs'].extend(cluster['meta']['refs'])
clusters_dict[cluster['value']]['meta']['external_id'].extend(cluster['meta']['external_id'])
else:
clusters_dict[cluster['value']] = cluster
# transform dict to list
clusters = []
for item in clusters_dict.values():
clusters.append(item)
json_galaxy = {
'icon': "virus",
'name': "UKHSA Culture Collections",
'description': "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
'namespace': "gov.uk",
'type': "ukhsa-culture-collections",
'uuid': "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
'version': 1
}
with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'r') as f:
json_cluster = json.load(f)
json_cluster['values'] = clusters
json_cluster['version'] += 1
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'ukhsa-culture-collections.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
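Review bot: In the properties loop the membership test uses the raw name while the list is stored under the normalised key: "if p['name'] not in cluster['meta']:" is followed by "cluster['meta'][p_name] = []". For any property name containing a space or an upper-case letter the test is always true, so the list is reset on every occurrence and only the last value survives; test p_name instead. In download_items(), requests.get(url) has no timeout and no raise_for_status() call, and the JSON search parameters are concatenated into the query string unencoded; passing them through params= with json.dumps would handle the encoding. The final read of clusters/ukhsa-culture-collections.json has no FileNotFoundError fallback, unlike the INTERPOL generator, so a first run fails only after every page has been downloaded. The merge branch also keeps just refs and external_id from a duplicate item and discards its other properties, which deserves a comment if intended.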