Merge remote-tracking branch 'origin/main'

Add 3 actors and 1 alias

.github/workflows/pytest.yml

@@ -44,6 +44,7 @@ jobs:
         git submodule foreach git pull origin main
         poetry install
         popd
+        sudo mount --bind . PyMISPGalaxies/pymispgalaxies/data/misp-galaxy
 
     - name: Test with Python module
       run: |

.vscode/launch.json

@@ -0,0 +1,40 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "gen_mitre",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "args": "-p ../../MITRE-ATTACK",
+            "cwd": "${fileDirname}"
+        },
+        {
+            "name": "gen_interpol_dwvat",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "args": "-p ../../DW-VA-Taxonomy",
+            "cwd": "${fileDirname}"
+        },
+        {
+            "name": "gen_mitre_atlas",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "args": "-p ../../atlas-navigator-data",
+            "cwd": "${fileDirname}"
+        },
+        {
+            "name": "Python Debugger: Current File",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "cwd": "${fileDirname}"
+        }
+    ]
+}

README.md

@@ -6,7 +6,7 @@
 
 MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or
 attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There
-are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy 
+are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy
 but those can be overwritten, replaced, updated, forked and shared as you wish.
 
 Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied
@@ -47,7 +47,7 @@ Category: *tool* - source: *Open Sources* - total: *433* elements
 
 [Azure Threat Research Matrix](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
 
-Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *89* elements
+Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *90* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)]
 
@@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
 
 [Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
 
-Category: *tool* - source: *Open Sources* - total: *23* elements
+Category: *tool* - source: *Open Sources* - total: *28* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
 
@@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
 
 [Botnet](https://www.misp-project.org/galaxy.html#_botnet) - botnet galaxy
 
-Category: *tool* - source: *MISP Project* - total: *76* elements
+Category: *tool* - source: *MISP Project* - total: *130* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]
 
@@ -139,6 +139,38 @@ Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* eleme
 
 [[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)]
 
+## Actor Types
+
+[Actor Types](https://www.misp-project.org/galaxy.html#_actor_types) - DISARM is a framework designed for describing and understanding disinformation incidents.
+
+Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *33* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_actor_types)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-actortypes.json)]
+
+## Countermeasures
+
+[Countermeasures](https://www.misp-project.org/galaxy.html#_countermeasures) - DISARM is a framework designed for describing and understanding disinformation incidents.
+
+Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *139* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_countermeasures)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-countermeasures.json)]
+
+## Detections
+
+[Detections](https://www.misp-project.org/galaxy.html#_detections) - DISARM is a framework designed for describing and understanding disinformation incidents.
+
+Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *94* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_detections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-detections.json)]
+
+## Techniques
+
+[Techniques](https://www.misp-project.org/galaxy.html#_techniques) - DISARM is a framework designed for describing and understanding disinformation incidents.
+
+Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *298* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)]
+
 ## Election guidelines
 
 [Election guidelines](https://www.misp-project.org/galaxy.html#_election_guidelines) - Universal Development and Security Guidelines as Applicable to Election Technology.
@@ -147,6 +179,14 @@ Category: *guidelines* - source: *Open Sources* - total: *23* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_election_guidelines)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/election-guidelines.json)]
 
+## Entity
+
+[Entity](https://www.misp-project.org/galaxy.html#_entity) - Description of entities that can be involved in events.
+
+Category: *actor* - source: *MISP Project* - total: *4* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_entity)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/entity.json)]
+
 ## Exploit-Kit
 
 [Exploit-Kit](https://www.misp-project.org/galaxy.html#_exploit-kit) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years
@@ -171,11 +211,27 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
 
 [[HTML](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)]
 
+## Intelligence Agencies
+
+[Intelligence Agencies](https://www.misp-project.org/galaxy.html#_intelligence_agencies) - List of intelligence agencies
+
+Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_of_intelligence_agencies* - total: *436* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_intelligence_agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)]
+
+## INTERPOL DWVA Taxonomy
+
+[INTERPOL DWVA Taxonomy](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy) - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.
+
+Category: *dwva* - source: *https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/* - total: *94* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva.json)]
+
 ## Malpedia
 
 [Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
 
-Category: *tool* - source: *Malpedia* - total: *2947* elements
+Category: *tool* - source: *Malpedia* - total: *3039* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
 
@@ -195,11 +251,27 @@ Category: *misinformation-pattern* - source: *https://github.com/misinfosecproje
 
 [[HTML](https://www.misp-project.org/galaxy.html#_misinformation_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/misinfosec-amitt-misinformation-pattern.json)]
 
+## MITRE ATLAS Attack Pattern
+
+[MITRE ATLAS Attack Pattern](https://www.misp-project.org/galaxy.html#_mitre_atlas_attack_pattern) - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems
+
+Category: *attack-pattern* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *82* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_mitre_atlas_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-attack-pattern.json)]
+
+## MITRE ATLAS Course of Action
+
+[MITRE ATLAS Course of Action](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action) - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems
+
+Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *20* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-course-of-action.json)]
+
 ## Attack Pattern
 
 [Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic
 
-Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1099* elements
+Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1141* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)]
 
@@ -207,10 +279,26 @@ Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *10
 
 [Course of Action](https://www.misp-project.org/galaxy.html#_course_of_action) - ATT&CK Mitigation
 
-Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *279* elements
+Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *281* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)]
 
+## mitre-data-component
+
+[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources. 
+
+Category: *data-component* - source: *https://github.com/mitre/cti* - total: *117* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)]
+
+## mitre-data-source
+
+[mitre-data-source](https://www.misp-project.org/galaxy.html#_mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. 
+
+Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)]
+
 ## Enterprise Attack - Attack Pattern
 
 [Enterprise Attack - Attack Pattern](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_attack_pattern) - ATT&CK tactic
@@ -303,7 +391,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in
 
 [Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group
 
-Category: *actor* - source: *https://github.com/mitre/cti* - total: *151* elements
+Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)]
 
@@ -311,7 +399,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *151* elemen
 
 [Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software
 
-Category: *tool* - source: *https://github.com/mitre/cti* - total: *653* elements
+Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)]
 
@@ -371,13 +459,21 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_pre_attack_-_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-intrusion-set.json)]
 
-## Tool
+## mitre-tool
 
-[Tool](https://www.misp-project.org/galaxy.html#_tool) - Name of ATT&CK software
+[mitre-tool](https://www.misp-project.org/galaxy.html#_mitre-tool) - Name of ATT&CK software
 
-Category: *tool* - source: *https://github.com/mitre/cti* - total: *84* elements
+Category: *tool* - source: *https://github.com/mitre/cti* - total: *87* elements
 
-[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)]
+[[HTML](https://www.misp-project.org/galaxy.html#_mitre-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)]
+
+## NAICS
+
+[NAICS](https://www.misp-project.org/galaxy.html#_naics) - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production).
+
+Category: *sector* - source: *North American Industry Classification System - NAICS* - total: *2125* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_naics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/naics.json)]
 
 ## o365-exchange-techniques
 
@@ -403,11 +499,19 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_preventive_measure)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/preventive-measure.json)]
 
+## Producer
+
+[Producer](https://www.misp-project.org/galaxy.html#_producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
+
+Category: *actor* - source: *MISP Project* - total: *21* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
+
 ## Ransomware
 
 [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
 
-Category: *tool* - source: *Various* - total: *1705* elements
+Category: *tool* - source: *Various* - total: *1706* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
 
@@ -415,7 +519,7 @@ Category: *tool* - source: *Various* - total: *1705* elements
 
 [RAT](https://www.misp-project.org/galaxy.html#_rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
 
-Category: *tool* - source: *MISP Project* - total: *265* elements
+Category: *tool* - source: *MISP Project* - total: *266* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)]
 
@@ -447,7 +551,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
 
 [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
 
-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2776* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2888* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
 
@@ -471,7 +575,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:
 
 [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.
 
-Category: *tool* - source: *Open Sources* - total: *13* elements
+Category: *tool* - source: *Open Sources* - total: *16* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]
 
@@ -479,7 +583,7 @@ Category: *tool* - source: *Open Sources* - total: *13* elements
 
 [Surveillance Vendor](https://www.misp-project.org/galaxy.html#_surveillance_vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.
 
-Category: *actor* - source: *MISP Project* - total: *15* elements
+Category: *actor* - source: *MISP Project* - total: *50* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_surveillance_vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)]
 
@@ -487,7 +591,7 @@ Category: *actor* - source: *MISP Project* - total: *15* elements
 
 [Target Information](https://www.misp-project.org/galaxy.html#_target_information) - Description of targets of threat actors.
 
-Category: *target* - source: *Various* - total: *240* elements
+Category: *target* - source: *Various* - total: *241* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_target_information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)]
 
@@ -511,15 +615,71 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *432* elements
+Category: *actor* - source: *MISP Project* - total: *675* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
 
+## Tidal Campaigns
+
+[Tidal Campaigns](https://www.misp-project.org/galaxy.html#_tidal_campaigns) - Tidal Campaigns Cluster
+
+Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *48* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
+
+## Tidal Groups
+
+[Tidal Groups](https://www.misp-project.org/galaxy.html#_tidal_groups) - Tidal Groups Galaxy
+
+Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *172* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
+
+## Tidal References
+
+[Tidal References](https://www.misp-project.org/galaxy.html#_tidal_references) - Tidal References Cluster
+
+Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4104* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
+
+## Tidal Software
+
+[Tidal Software](https://www.misp-project.org/galaxy.html#_tidal_software) - Tidal Software Cluster
+
+Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *962* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
+
+## Tidal Tactic
+
+[Tidal Tactic](https://www.misp-project.org/galaxy.html#_tidal_tactic) - Tidal Tactic Cluster
+
+Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - total: *14* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_tactic)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-tactic.json)]
+
+## Tidal Technique
+
+[Tidal Technique](https://www.misp-project.org/galaxy.html#_tidal_technique) - Tidal Technique Cluster
+
+Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *202* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_tidal_technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)]
+
+## Threat Matrix for storage services
+
+[Threat Matrix for storage services](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services) - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.
+
+Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-storage-services* - total: *40* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tmss.json)]
+
 ## Tool
 
 [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
 
-Category: *tool* - source: *MISP Project* - total: *585* elements
+Category: *tool* - source: *MISP Project* - total: *603* elements
 
 [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
 
@@ -531,8 +691,17 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
 
 [[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
 
+## UKHSA Culture Collections
 
-# Online documentation 
+[UKHSA Culture Collections](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
+
+Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements
+
+[[HTML](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]
+
+# Online documentation
+
+The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
 
 A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
 
@@ -549,12 +718,12 @@ The MISP galaxy (JSON files) are dual-licensed under:
 or
 
 ~~~~
- Copyright (c) 2015-2023 Alexandre Dulaunoy - a@foo.be
- Copyright (c) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
- Copyright (c) 2015-2023 Andras Iklody
- Copyright (c) 2015-2023 Raphael Vinot
- Copyright (c) 2015-2023 Deborah Servili
- Copyright (c) 2016-2023 Various contributors to MISP Project
+ Copyright (c) 2015-2024 Alexandre Dulaunoy - a@foo.be
+ Copyright (c) 2015-2024 CIRCL - Computer Incident Response Center Luxembourg
+ Copyright (c) 2015-2024 Andras Iklody
+ Copyright (c) 2015-2024 Raphael Vinot
+ Copyright (c) 2015-2024 Deborah Servili
+ Copyright (c) 2016-2024 Various contributors to MISP Project
 
  Redistribution and use in source and binary forms, with or without modification,
  are permitted provided that the following conditions are met:

clusters/atrm.json

@@ -11,7 +11,8 @@
     "Ram Pliskin",
     "Nikhil Mittal",
     "MITRE ATT&CK",
-    "AlertIQ"
+    "AlertIQ",
+    "Craig Fretwell"
   ],
   "category": "atrm",
   "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
@@ -491,7 +492,7 @@
       "value": "AZT404.2 - Logic Application"
     },
     {
-      "description": "By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.",
+      "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.",
       "meta": {
         "kill_chain": [
           "ATRM-tactics:Privilege Escalation"
@@ -1066,10 +1067,10 @@
       "description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701"
         ]
       },
       "uuid": "9ca7b25c-643a-5e55-a210-684f49fe82d8",
@@ -1079,10 +1080,10 @@
       "description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1"
         ]
       },
       "uuid": "8805d880-8887-52b6-a113-8c0f4fec4230",
@@ -1092,10 +1093,10 @@
       "description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2"
         ]
       },
       "uuid": "aae55a3a-8e32-5a62-8d41-837b2ebb1e69",
@@ -1105,23 +1106,23 @@
       "description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1"
         ]
       },
       "uuid": "dc6f9ee0-55b2-5197-87a5-7474cfc04d72",
       "value": "AZT702 - File Share Mounting"
     },
     {
-      "description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.",
+      "description": "",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1"
         ]
       },
       "uuid": "ff4276bf-ab9e-5157-a171-5cdd4a3e6002",
@@ -1131,10 +1132,10 @@
       "description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704"
         ]
       },
       "uuid": "47ded49d-ef4c-57d4-8050-f66f884c4388",
@@ -1144,10 +1145,10 @@
       "description": "An adversary may recover a key vault object found in a 'soft deletion' state.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1"
         ]
       },
       "uuid": "d8fc76f2-6776-5a09-bfb3-57852ae1d786",
@@ -1157,10 +1158,10 @@
       "description": "An adversary may recover a storage account object found in a 'soft deletion' state.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2"
         ]
       },
       "uuid": "cd9f0082-b2c7-53f8-95a6-a4fe746f973e",
@@ -1170,15 +1171,28 @@
       "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
       "meta": {
         "kill_chain": [
-          "ATRM-tactics:Exfiltration"
+          "ATRM-tactics:Impact"
         ],
         "refs": [
-          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3"
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3"
         ]
       },
       "uuid": "d333405e-af82-555c-a68f-e723878b5f55",
       "value": "AZT704.3 - Recovery Services Vault"
+    },
+    {
+      "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
+      "meta": {
+        "kill_chain": [
+          "ATRM-tactics:Impact"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3"
+        ]
+      },
+      "uuid": "9d181c95-ccf7-5c94-8f4a-f6a2df62d760",
+      "value": "AZT705 - Azure Backup Delete"
     }
   ],
-  "version": 1
+  "version": 2
 }

clusters/backdoor.json

@@ -374,7 +374,121 @@
       ],
       "uuid": "f8444fcc-730e-4898-8ef5-6cc1976ff475",
       "value": "TROIBOMB"
+    },
+    {
+      "description": "ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "14504cbe-8423-47aa-a947-a3ab5549a068",
+      "value": "ZIPLINE"
+    },
+    {
+      "description": "SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.\n\nSPAWNSNAIL's second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6fcf8d1f-2e68-4982-a579-2ca5595e4990",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "preceded-by"
+        },
+        {
+          "dest-uuid": "6c89c51f-1b97-4966-abc1-9cf526bb2892",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "interacts-with"
+        },
+        {
+          "dest-uuid": "2c237974-edc2-460a-90b5-20f699560da3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "injects"
+        }
+      ],
+      "uuid": "de390f3e-c0d1-4c70-b121-a7a98f7326aa",
+      "value": "SPAWNSNAIL"
+    },
+    {
+      "description": "BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "64a0e3ab-e201-4fdc-9836-85365dfa84bb",
+      "value": "BRICKSTORM"
+    },
+    {
+      "description": "PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c5ea778c-df2f-4c63-b401-dded9cb2419c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-deployed-by"
+        },
+        {
+          "dest-uuid": "540b3e66-edbf-40ee-ae05-474b27c1ff40",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "executed-by"
+        }
+      ],
+      "uuid": "f97ea150-a727-4d47-823a-41de07a43ea9",
+      "value": "PHANTOMNET"
+    },
+    {
+      "description": "TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including Command execution, Keystroke logging, SOCKS5 proxy, Port scanning, File system interaction, SQL query execution, Screen captures, Ability to open a new SSH session, execute commands, and upload files to a remote server. ",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "083a637b-c58c-4ccb-ab59-81d783873e80",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-deployed-by "
+        }
+      ],
+      "uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
+      "value": "TERRIBLETEA"
     }
   ],
-  "version": 17
+  "version": 19
 }

clusters/banker.json

@@ -674,6 +674,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
         }
       ],
       "uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
@@ -1219,5 +1226,5 @@
       "value": "Malteiro"
     }
   ],
-  "version": 18
+  "version": 19
 }

clusters/botnet.json

@@ -1422,7 +1422,616 @@
       ],
       "uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
       "value": "HinataBot"
+    },
+    {
+      "description": "3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.",
+      "meta": {
+        "date": "2018",
+        "refs": [
+          "https://en.wikipedia.org/wiki/3ve"
+        ]
+      },
+      "uuid": "43db3e92-8c98-11ee-b9d1-0242ac120002",
+      "value": "3ve"
+    },
+    {
+      "description": "7777-Botnet has been observed brute forcing Microsoft Azure instances via Microsoft Azure PowerShell bruteforcing. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-Level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions. ",
+      "meta": {
+        "refs": [
+          "https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
+        ]
+      },
+      "uuid": "9b3699d1-00bf-4f37-8e67-c4548b5c829a",
+      "value": "7777-Botnet"
+    },
+    {
+      "description": "Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.",
+      "meta": {
+        "date": "October 2018",
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
+        ]
+      },
+      "uuid": "063e95fc-8c98-11ee-b9d1-0242ac120002",
+      "value": "Amadey"
+    },
+    {
+      "description": "AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Bauts/AndroidBauts.html"
+        ]
+      },
+      "uuid": "a9e34144-8c98-11ee-b9d1-0242ac120002",
+      "value": "AndroidBauts"
+    },
+    {
+      "description": "Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.",
+      "meta": {
+        "date": "2011",
+        "refs": [
+          "https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda",
+          "https://en.wikipedia.org/wiki/Andromeda_(trojan)"
+        ],
+        "synonyms": [
+          "Gamarue",
+          "Wauchos"
+        ]
+      },
+      "uuid": "520d2484-8c99-11ee-b9d1-0242ac120002",
+      "value": "Andromeda"
+    },
+    {
+      "description": "ArrkiiSDK is potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user's permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "b3fdb226-8c99-11ee-b9d1-0242ac120002",
+      "value": "ArrkiiSDK"
+    },
+    {
+      "description": "Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.",
+      "meta": {
+        "refs": [
+          "https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure"
+        ]
+      },
+      "uuid": "da635b2e-22f3-4374-8fca-67c4bd3cb978",
+      "value": "Avalanche"
+    },
+    {
+      "description": "Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/bayrob-malware-gang-had-elite-tactics-but-they-still-got-caught-anyway/",
+          "https://community.broadcom.com/symantecenterprise/viewdocument/bayrob-three-suspects-extradited-t?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+        ]
+      },
+      "uuid": "693e1ce8-8c9a-11ee-b9d1-0242ac120002",
+      "value": "Bayrob"
+    },
+    {
+      "description": "Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep"
+        ]
+      },
+      "uuid": "b97f3868-8c9a-11ee-b9d1-0242ac120002",
+      "value": "Bedep"
+    },
+    {
+      "description": "Bolek is a malware from the Kbot/Carberp family. It is being subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and uses asymmetric cryptography to secure network communications.",
+      "meta": {
+        "date": "May 2016",
+        "refs": [
+          "https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "0cac5b2b-a06d-40c1-b192-159148dd0132",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "79f62503-b947-40fe-91f3-4a5d567df3c6",
+      "value": "Bolek"
+    },
+    {
+      "description": "The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.",
+      "meta": {
+        "date": "2012",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Carna_botnet"
+        ]
+      },
+      "uuid": "152cdb68-8ca3-11ee-b9d1-0242ac120002",
+      "value": "Carna"
+    },
+    {
+      "description": "Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials.",
+      "meta": {
+        "date": "2011",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Code_Shikara"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "93e26758-6848-4e53-ae92-a4dc9804c2f2",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        }
+      ],
+      "uuid": "8b21d8e6-8ca3-11ee-b9d1-0242ac120002",
+      "value": "Code Shikara"
+    },
+    {
+      "description": "DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running in an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. Typical to Mirai-based botnets, this malware cannot survive a system reboot.",
+      "meta": {
+        "date": "2023",
+        "refs": [
+          "https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"
+        ]
+      },
+      "uuid": "0913ea8c-8ca4-11ee-b9d1-0242ac120002",
+      "value": "Condi"
+    },
+    {
+      "description": "Cooee is a trojan pre-installed on some Phillips smartphones that displays annoying advertisements and downloads and installs different software without user knowledge.",
+      "meta": {
+        "date": "2016",
+        "refs": [
+          "https://news.softpedia.com/news/trojan-found-preinstalled-on-the-firmware-of-some-phillips-s307-android-smartphones-499177.shtml"
+        ]
+      },
+      "uuid": "cbad44ed-b4d0-42c9-acfc-ee58ff85da99",
+      "value": "Cooee"
+    },
+    {
+      "description": "Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.",
+      "meta": {
+        "date": "2010",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Coreflood"
+        ]
+      },
+      "uuid": "4f24b1dd-01a0-43cf-a0bb-eb2d70f727c1",
+      "value": "Coreflood"
+    },
+    {
+      "description": "In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.",
+      "meta": {
+        "date": "2010",
+        "refs": [
+          "https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html"
+        ]
+      },
+      "uuid": "4ccad4ee-3bff-41ac-8d05-0d5acbaaefbe",
+      "value": "Crackonosh"
+    },
+    {
+      "description": "FluBot is a remote control and info stealer malware. It has abilities to read and send SMS message, delete app, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.",
+      "meta": {
+        "date": "2021",
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
+        ],
+        "synonyms": [
+          "Cabassous",
+          "FakeChat"
+        ]
+      },
+      "uuid": "4fc7daf0-c88f-4bbd-bf3c-7189ca1fdc69",
+      "value": "FluBot"
+    },
+    {
+      "description": "FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/FritzFrog"
+        ]
+      },
+      "uuid": "fc903c58-145a-4b68-98e6-3f496c5c1a19",
+      "value": "FritzFrog"
+    },
+    {
+      "description": "Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.",
+      "meta": {
+        "refs": [
+          "https://www.fortiguard.com/encyclopedia/botnet/7630462"
+        ]
+      },
+      "uuid": "410685be-999d-472e-8fd9-15366b6031a1",
+      "value": "Gootkit"
+    },
+    {
+      "description": "The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user's web browsers to flood traffic to targeted websites.[1] According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University's Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and re-purposes them to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Great_Cannon"
+        ]
+      },
+      "uuid": "b56c8516-1f1c-42f6-8b89-37d90f50eb35",
+      "value": "Great Cannon"
+    },
+    {
+      "description": "The Hail Mary Cloud was, or is, a password guessing botnet, which used a statistical equivalent to brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousands of more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attacks come from different members of the botnet, thus decreasing the effectiveness of both IP based detection and blocking.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Hail_Mary_Cloud"
+        ]
+      },
+      "uuid": "5ae51675-518d-4e16-b339-2b029f5055e0",
+      "value": "Hail Mary Cloud"
+    },
+    {
+      "description": "Joker is a trojan that is included in several unsuspecting apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Joker/Joker.html"
+        ]
+      },
+      "uuid": "879bbd30-4f89-4dcb-a225-ecfed25a552f",
+      "value": "Joker"
+    },
+    {
+      "description": "KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/kbot-sometimes-they-come-back/96157/",
+          "https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/"
+        ]
+      },
+      "uuid": "0cac5b2b-a06d-40c1-b192-159148dd0132",
+      "value": "KBOT"
+    },
+    {
+      "description": "Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013.[3] Linux.Darlloz targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability. The worm was based on a Proof of concept code that was released in October 2013. inux.Darlloz utilizes vulnerability (CVE-2012-1823) to exploit systems in order to compromise systems. Linux.Darlloz was later found in March 2014 to have started mining crypto currencies such as Mincoin and Dogecoin. Linux.Aidra, the malware that Linux.Darlloz attempts usurp - like some of the variants of Darlloz, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Linux.Darlloz",
+          "https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/"
+        ]
+      },
+      "uuid": "3bc577c9-2081-4d13-a77d-91497439e634",
+      "value": "Linux.Darlloz"
+    },
+    {
+      "description": "Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
+          "https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/"
+        ]
+      },
+      "uuid": "3b27313a-3122-4f7e-970e-4dc50f90526d",
+      "value": "Marcher"
+    },
+    {
+      "description": "Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
+          "https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/"
+        ]
+      },
+      "uuid": "f69bc11f-871b-49c6-a2d9-66ac6a4a8ea6",
+      "value": "Matsnu"
+    },
+    {
+      "description": "Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This led the operators to game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while the bots mimicked normal computer user behavior. Estimated clicks per day generally reached between 200 and 300 million per day. The botnet relied on data servers instead of more traditional botnets that rely on infected PCs and mobile devices.",
+      "meta": {
+        "date": "2015",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Methbot"
+        ]
+      },
+      "uuid": "24341069-4a99-4da7-b89c-230a788bb9d6",
+      "value": "Methbot"
+    },
+    {
+      "description": "The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.",
+      "meta": {
+        "date": "2011",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Metulji_botnet"
+        ]
+      },
+      "uuid": "e3727560-aa99-47fb-8639-8bcf9c722168",
+      "value": "Metulji"
+    },
+    {
+      "description": "The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seems to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a tor module being distributed to Mevade Trojans.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Mevade_Botnet"
+        ],
+        "synonyms": [
+          "Sefnit",
+          "SBC"
+        ]
+      },
+      "uuid": "9531f3c0-edb4-4bc9-9b4a-5b55d482b235",
+      "value": "Mevade"
+    },
+    {
+      "description": "MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "8b1df851-125e-41dc-b91d-96b7d78825ca",
+      "value": "MobiDash"
+    },
+    {
+      "description": "Mutabaha is a Trojan for Windows devices. Outfire, a Chromium-based browser, is downloaded and installed. This pretends to be the version of the Google Chrome browser. Mutabaha is able to drain data and manipulate advertisements. Mutabaha is downloaded and installed by another malware. As a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "ee68d82a-c0c1-472a-a14b-127c4f811161",
+      "value": "Mutabaha"
+    },
+    {
+      "description": "MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
+          "https://nordvpn.com/blog/mydoom-virus/"
+        ]
+      },
+      "uuid": "51f0388c-6984-40ac-9cbc-15c5f8685005",
+      "value": "MyDoom"
+    },
+    {
+      "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet's activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Necurs_botnet"
+        ]
+      },
+      "uuid": "92e12541-a834-49e6-857e-d36847551a3c",
+      "value": "Necurs"
+    },
+    {
+      "description": "The Nitol botnet mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis of the botnet indicating that the botnet is mostly prevalent in China where an estimate 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. The 3322.org domain is a Dynamic DNS which was used by the botnet creators as a command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.",
+      "meta": {
+        "date": "2012",
+        "refs": [
+          "https://en.wikipedia.org/wiki/Nitol_botnet"
+        ]
+      },
+      "uuid": "ff0e33a7-0c68-4c53-bfc2-8d22eca09748",
+      "value": "Nitol"
+    },
+    {
+      "description": "Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. When dropper obtains C&C address, it starts real communication. It downloads two important binaries and a lot more: payload – banker module (responsible for web injects – passive member of botnet); optional bot module (it is trying to open ports on a router and become an active part of a botnet. When it fails to do so, it removes itself from a system).",
+      "meta": {
+        "date": "2013",
+        "refs": [
+          "https://cert.pl/en/posts/2017/01/nymaim-revisited/"
+        ]
+      },
+      "uuid": "629cae99-a671-4162-a080-b971de54d7a1",
+      "value": "Nymaim"
+    },
+    {
+      "description": "PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.",
+      "meta": {
+        "refs": [
+          "https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot",
+          "https://www.bitdefender.com/blog/businessinsights/ddos-attacks-increase-28-as-pbot-authors-use-decades-old-php-code/"
+        ],
+        "synonyms": [
+          "PythonBot"
+        ]
+      },
+      "uuid": "d7047c78-1ace-4e53-93c9-a867996914ef",
+      "value": "PBot"
+    },
+    {
+      "description": "Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "42fc0e31-60c0-4a7d-8ad8-1121bb65c629",
+      "value": "Pirrit"
+    },
+    {
+      "description": "Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "76ed7f49-6f18-4e86-a429-7aab82468ef6",
+      "value": "Pitou"
+    },
+    {
+      "description": "Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining.",
+      "meta": {
+        "date": "2020",
+        "refs": [
+          "https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/"
+        ]
+      },
+      "uuid": "64d360dd-a48f-4b85-98ea-b2b5dcf81898",
+      "value": "Prometei"
+    },
+    {
+      "description": "PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user's permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "440889c8-4986-4568-8fe4-f560d0d28cd7",
+      "value": "PrizeRAT"
+    },
+    {
+      "description": "Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "ef861a3e-b81c-43ea-8fad-03633219302f",
+      "value": "Pushlran"
+    },
+    {
+      "description": "Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "c49b614b-c158-42e4-91e5-c96c7573b510",
+      "value": "Pykspa"
+    },
+    {
+      "description": "Qsnatch is a trojan for Linux devices that primarily attacks network drives manufactured by QNAP. Its functions include stealing access data and opening backdoors to infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ]
+      },
+      "uuid": "513ec176-3772-40be-be88-3bcd08382f54",
+      "value": "Qsnatch"
+    },
+    {
+      "description": "Remaiten is malware which infects Linux on embedded systems by brute forcing using frequently used default username and passwords combinations from a list in order to infect a system. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. The command and control for Remaiten are handled by IRC communications. Additionally the command and control is done by an actual IRC channel rather than only the IRC protocol. This is an improvement over bots such as Tsunami and Torlus making Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or download more malware on a device.[5] Remaiten is able to scan and remove competing bots on a system compromised by it.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Remaiten"
+        ]
+      },
+      "uuid": "44460f62-85b9-4a36-99f7-553f58231ae2",
+      "value": "Remaiten"
+    },
+    {
+      "description": "Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. The French law enforcement agency, National Gendarmerie, in 2019 announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers.",
+      "meta": {
+        "refs": [
+          "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/",
+          "https://thehackernews.com/2019/08/retadup-botnet-malware.html"
+        ]
+      },
+      "uuid": "a860f4b7-68e9-4252-8ef5-2bb2ce0bc790",
+      "value": "Retadup"
+    },
+    {
+      "description": "RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user's consent. ",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html"
+        ]
+      },
+      "uuid": "0170e672-7459-4bb3-8c1f-dc70d6249843",
+      "value": "RootSTV"
+    },
+    {
+      "description": "Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.",
+      "meta": {
+        "refs": [
+          "https://www.theregister.com/2014/11/06/rovnix_trojan_outbreak/"
+        ]
+      },
+      "uuid": "3c4b55a6-fff0-4faf-9f7f-19f18d35223f",
+      "value": "Rovnix"
+    },
+    {
+      "description": "Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Slenfbot"
+        ]
+      },
+      "uuid": "03d4ec41-3042-44fa-8de0-127981e21e63",
+      "value": "Slenfbot"
+    },
+    {
+      "description": "Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Stacheldraht"
+        ]
+      },
+      "uuid": "c2052368-e9f1-494c-8f23-a8d8a7cbd97b",
+      "value": "Stacheldraht"
+    },
+    {
+      "description": "Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ],
+        "synonyms": [
+          "Bayrob",
+          "Nivdort"
+        ]
+      },
+      "uuid": "de003ee4-ab51-44fb-891d-133a1efaa7d7",
+      "value": "Suppobox"
+    },
+    {
+      "description": "Triada is a trojan for Android devices. Triada's primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
+        ],
+        "synonyms": [
+          "APK. Triada"
+        ]
+      },
+      "uuid": "0f1cc805-dd9c-483d-b6b8-8c1b67861a7d",
+      "value": "Triada"
+    },
+    {
+      "description": "Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Trinoo"
+        ],
+        "synonyms": [
+          "trin00"
+        ]
+      },
+      "uuid": "99a0484c-c252-4ce8-8e7c-413f58a373b9",
+      "value": "Trinoo"
+    },
+    {
+      "description": "Zemra is a DDoS Bot which was first discovered in underground forums in May 2012. Zemra is capable of HTTP and SYN Flood flooding and also has a simple Command & Control panel that is protected with 256-bit DES encryption for communicating with its command and control (C&C) server. Zemra also sends information such as Computer name, Language settings, and Windows version. It will send this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Zemra"
+        ]
+      },
+      "uuid": "67d3961e-675f-4e81-bf8b-5b2fa1606d3c",
+      "value": "Zemra"
+    },
+    {
+      "description": "Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user's permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.",
+      "meta": {
+        "refs": [
+          "https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html"
+        ]
+      },
+      "uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
+      "value": "Ztorg"
     }
   ],
-  "version": 31
+  "version": 35
 }

clusters/disarm-actortypes.json

@@ -0,0 +1,945 @@
+{
+  "authors": [
+    "DISARM Project"
+  ],
+  "category": "disarm",
+  "description": "DISARM is a framework designed for describing and understanding disinformation incidents.",
+  "name": "Actor Types",
+  "source": "https://github.com/DISARMFoundation/DISARMframeworks",
+  "type": "disarm-actortypes",
+  "uuid": "f1cb3e2f-f760-54a1-a3aa-a4f0fc342750",
+  "values": [
+    {
+      "description": "Person who can wrangle data, implement machine learning algorithms etc",
+      "meta": {
+        "external_id": "A001",
+        "kill_chain": [
+          "sectors:Nonprofit",
+          "sectors:Civil Society",
+          "sectors:Government",
+          "sectors:Academic",
+          "sectors:Activist",
+          "sectors:General Public",
+          "sectors:Social Media Company",
+          "sectors:Other Tech Company",
+          "sectors:Other Company",
+          "sectors:Media"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A001.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "9167d3c2-1f91-58f1-9dc2-fbe948f6b31c",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "590350b9-2614-572b-825b-b2498ebf4c17",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "187285bb-a282-5a6a-833e-01d9744165c4",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "d4f0dd4b-6818-52a4-b4ca-e1fef024c1a0",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "5aca53f0-2c85-5298-9eeb-4ac8325abb6b",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "d24431db-fc6e-5c62-b3d0-113a2219dbec",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "745658e5-5437-5f92-b2c4-80569a3cb330",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "d3216499-77fd-528e-8b65-7c3bded9adda",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "1dc819ef-5eb6-51df-9614-bc9bf8218279",
+          "type": "detects"
+        }
+      ],
+      "uuid": "03aaf19c-42b9-5b8e-9d47-a6bb291f10fa",
+      "value": "data scientist"
+    },
+    {
+      "description": "Person being targeted by disinformation campaign",
+      "meta": {
+        "external_id": "A002",
+        "kill_chain": [
+          "sectors:Nonprofit",
+          "sectors:Civil Society",
+          "sectors:Government",
+          "sectors:Academic",
+          "sectors:Activist",
+          "sectors:General Public",
+          "sectors:Social Media Company",
+          "sectors:Other Tech Company",
+          "sectors:Other Company",
+          "sectors:Media"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A002.md"
+        ]
+      },
+      "related": [],
+      "uuid": "d202541b-34c0-573f-9e70-d6b0568194f6",
+      "value": "target"
+    },
+    {
+      "description": "Influencer",
+      "meta": {
+        "external_id": "A003",
+        "kill_chain": [
+          "sectors:Nonprofit",
+          "sectors:Civil Society",
+          "sectors:Government",
+          "sectors:Academic",
+          "sectors:Activist",
+          "sectors:General Public",
+          "sectors:Social Media Company",
+          "sectors:Other Tech Company",
+          "sectors:Other Company",
+          "sectors:Media"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A003.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "67bab8b7-908b-5b0f-bf56-26502798d743",
+          "type": "affects"
+        }
+      ],
+      "uuid": "52f3153f-d7ab-5e42-9ee6-aea591856214",
+      "value": "trusted authority"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A004",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A004.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "d7895c21-5e79-58db-b055-1e065abf524b",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "2fe43d88-db8f-5156-98fb-4b9db0e5fff3",
+          "type": "affects"
+        }
+      ],
+      "uuid": "d710c91e-a2f2-54ba-9477-fe51b9f31f76",
+      "value": "activist"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A005",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A005.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "09f16551-695e-5d72-b58f-6cd256f7cb68",
+      "value": "community group"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A006",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A006.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "60e783f2-4e22-5495-abdf-cb73e1a5a4c1",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "523a0f1c-bb9e-5784-8838-ca7bc389688b",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "943ccc85-a339-5e32-ade9-09bc4bf6b4fd",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "5c8fc207-b237-58cc-bedd-024fea386a7a",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "d00320eb-5cc4-52e1-ae09-8b2d79affda2",
+          "type": "affects"
+        }
+      ],
+      "uuid": "a73d7508-4e4b-57d8-9dbf-15ac73b65a15",
+      "value": "educator"
+    },
+    {
+      "description": "Someone with the skills to verify whether information posted is factual",
+      "meta": {
+        "external_id": "A007",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A007.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "26781c01-b62d-5091-99f4-047e4a0e825e",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "5036147d-f885-5d57-98ea-2e0c478611cc",
+          "type": "affects"
+        }
+      ],
+      "uuid": "997129f2-3afb-5d5e-9b67-d864c9721676",
+      "value": "factchecker"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A008",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A008.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "b2457b24-f997-573e-9c25-90eab4559f8e",
+      "value": "library"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A009",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A009.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "253aa4f0-d720-50b7-a462-70c85f5f5b9f",
+      "value": "NGO"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A010",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A010.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "c198d0db-7fea-523d-acc5-24b1e7d3f47c",
+      "value": "religious organisation"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A011",
+        "kill_chain": [
+          "sectors:Civil Society"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A011.md"
+        ]
+      },
+      "related": [],
+      "uuid": "f5b2ceb2-8f32-58f7-9225-c71a8242c932",
+      "value": "school"
+    },
+    {
+      "description": "Anyone who owns an account online",
+      "meta": {
+        "external_id": "A012",
+        "kill_chain": [
+          "sectors:General Public"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A012.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5481cc36-5af8-5ddf-bcb7-638d3be3f583",
+          "type": "affects"
+        }
+      ],
+      "uuid": "e2947637-eba1-526e-820d-7d9c0d27b6be",
+      "value": "account owner"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A013",
+        "kill_chain": [
+          "sectors:General Public"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A013.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "686ccd43-c358-5d5d-bd42-3e2279151670",
+          "type": "affects"
+        }
+      ],
+      "uuid": "6330d1dc-258f-5631-95e2-66390937cec3",
+      "value": "content creator"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A014",
+        "kill_chain": [
+          "sectors:General Public"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A014.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "7ef86cff-4401-518b-92fc-a0d88c23f280",
+          "type": "affects"
+        }
+      ],
+      "uuid": "019e73b3-c4be-5a28-a86b-4eb6d2df1217",
+      "value": "elves"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A015",
+        "kill_chain": [
+          "sectors:General Public"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A015.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "1744386c-0d46-54a8-a5b8-cba1bd7dc369",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "8cfe6ea3-7271-5578-b4f7-8eb3edbe43f5",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "7ef86cff-4401-518b-92fc-a0d88c23f280",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "11380b67-28d8-5034-a79b-fbb6150ad302",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "187285bb-a282-5a6a-833e-01d9744165c4",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "94d622e2-5909-5f88-aaaf-846907cbda1f",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "61aa4bb6-218c-5a10-9f1c-1a494f6871e7",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "7806c5d1-7c44-5ff5-a539-361c3381a67d",
+          "type": "detects"
+        }
+      ],
+      "uuid": "f6c98378-65be-5f14-af3e-326909d70d77",
+      "value": "general public"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A016",
+        "kill_chain": [
+          "sectors:General Public"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A016.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "60e783f2-4e22-5495-abdf-cb73e1a5a4c1",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "590350b9-2614-572b-825b-b2498ebf4c17",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "a479d596-6f66-53eb-ae24-d3a67536464f",
+          "type": "affects"
+        }
+      ],
+      "uuid": "ebd92d67-1d68-5542-8b48-3cfc939db88a",
+      "value": "influencer"
+    },
+    {
+      "description": "For example the DHS",
+      "meta": {
+        "external_id": "A017",
+        "kill_chain": [
+          "sectors:Government"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A017.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "91c80826-4428-5a58-8e54-337dfee99584",
+      "value": "coordinating body"
+    },
+    {
+      "description": "Government agencies",
+      "meta": {
+        "external_id": "A018",
+        "kill_chain": [
+          "sectors:Government"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A018.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "27acb21d-afef-52b5-be75-886d2af18067",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "877c29b5-38ae-570a-93b3-9e4e70ec27ef",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "3055e156-f234-5293-9ab2-d9761a620060",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "9133c9a6-500e-537d-aaa8-be8c5da12a93",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e81b12d2-491b-534a-88bb-221ab2cbf828",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "d00320eb-5cc4-52e1-ae09-8b2d79affda2",
+          "type": "affects"
+        }
+      ],
+      "uuid": "1975d955-01ff-5cbb-8897-b08a0b235370",
+      "value": "government"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A019",
+        "kill_chain": [
+          "sectors:Government"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A019.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "877c29b5-38ae-570a-93b3-9e4e70ec27ef",
+          "type": "affects"
+        }
+      ],
+      "uuid": "091f8344-0956-5d15-83c4-e967579c4391",
+      "value": "military"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A020",
+        "kill_chain": [
+          "sectors:Government"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A020.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "57f70a3c-63a7-5873-a0ce-49a05d5f4eb7",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "27acb21d-afef-52b5-be75-886d2af18067",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "5682293b-d9d8-5db0-90df-4bb4cedc6882",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "14dad601-4ddd-5cfd-a48d-9b53212769ce",
+          "type": "affects"
+        }
+      ],
+      "uuid": "53f1e7bd-7aa8-5e02-a0a8-3fd34ee638e1",
+      "value": "policy maker"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A021",
+        "kill_chain": [
+          "sectors:Media"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A021.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "f5764785-ced5-5faa-8e11-e442d2d3f79d",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "686ccd43-c358-5d5d-bd42-3e2279151670",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "8cfe6ea3-7271-5578-b4f7-8eb3edbe43f5",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "a1441814-0d69-5b19-9dae-64c61d7dfdbd",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "b666fbe1-04de-547c-abc5-27786c948e50",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "5c8fc207-b237-58cc-bedd-024fea386a7a",
+          "type": "affects"
+        }
+      ],
+      "uuid": "bdcbbd5d-e282-5c55-a39e-212b10f75200",
+      "value": "media organisation"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A022",
+        "kill_chain": [
+          "sectors:Other Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A022.md"
+        ]
+      },
+      "related": [],
+      "uuid": "de0bdbac-82a8-547a-9117-fa660b55b3ea",
+      "value": "company"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A023",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A023.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "4880efa6-1123-5703-9c44-9f0600670dd9",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "bbb8b174-44b6-5f59-bcf0-eab169bc7be1",
+          "type": "affects"
+        }
+      ],
+      "uuid": "6edba8b4-fe7a-5be0-84d0-6dee21d2a48e",
+      "value": "adtech provider"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A024",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A024.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "523a0f1c-bb9e-5784-8838-ca7bc389688b",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e21e17e9-3834-59de-bc31-9e43b73c8973",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "1dc819ef-5eb6-51df-9614-bc9bf8218279",
+          "type": "detects"
+        }
+      ],
+      "uuid": "2057de14-930a-5199-8e8e-9969173d36bb",
+      "value": "developer"
+    },
+    {
+      "description": "Funding site admin",
+      "meta": {
+        "external_id": "A025",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A025.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5b5c3e04-acf2-50dd-9861-c44bcc8f2cc3",
+          "type": "affects"
+        }
+      ],
+      "uuid": "a97e25d4-62cf-5040-8274-1a71104104b2",
+      "value": "funding_site_admin"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A026",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A026.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "523a0f1c-bb9e-5784-8838-ca7bc389688b",
+          "type": "affects"
+        }
+      ],
+      "uuid": "6ff00416-5f81-5cc5-a07e-dff63a8a09a5",
+      "value": "games designer"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A027",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A027.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "22e5b817-e45b-5f41-8806-8e0c66f181cc",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "14b886aa-c023-5a84-9605-e4a9cb22e4f4",
+          "type": "affects"
+        }
+      ],
+      "uuid": "a0c301a5-5675-5d79-bd8c-2afde063697e",
+      "value": "information security"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A028",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A028.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5481cc36-5af8-5ddf-bcb7-638d3be3f583",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "dae93cbd-eb65-5fb0-9d4e-4571ff54b6ff",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e18bd403-00d9-5767-9e5c-b597f623821a",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "f2adbe9e-7c80-504d-adc5-624e04eab4f1",
+          "type": "detects"
+        }
+      ],
+      "uuid": "f4dc44c5-e021-524b-9909-678f11a9f10d",
+      "value": "platform administrator"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A029",
+        "kill_chain": [
+          "sectors:Other Tech Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A029.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "ae4b53ba-9dd6-53af-a624-d5929944117c",
+          "type": "affects"
+        }
+      ],
+      "uuid": "b7db36e3-3dbb-5f91-be61-076996a4c57b",
+      "value": "server admininistrator"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A030",
+        "kill_chain": [
+          "sectors:Social Media Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A030.md"
+        ]
+      },
+      "related": [],
+      "uuid": "2a1f51c4-ded0-530d-a54c-5834898d4c47",
+      "value": "platforms"
+    },
+    {
+      "description": "Person with the authority to make changes to algorithms, take down content etc.",
+      "meta": {
+        "external_id": "A031",
+        "kill_chain": [
+          "sectors:Social Media Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A031.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "bb1f5f27-16da-59da-9972-32bb25568d02",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e23dbc10-0eca-5100-bf14-cf2db9db31b8",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "5481cc36-5af8-5ddf-bcb7-638d3be3f583",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "dae93cbd-eb65-5fb0-9d4e-4571ff54b6ff",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "01b3516b-b8b1-5a56-ae24-5300cceb70f8",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "eaef2d36-c5a8-59b9-9075-c6cdaa060e5d",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "33d7f540-0adb-5ab5-ae09-1c7a20e125b1",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "a64a6568-d047-55b9-a3ab-f77fb3c9ada3",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e9cf452f-3ebc-5de8-9f21-dde3133c92c0",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "0b0f003a-4bb7-5f1e-8bc6-987c680cba39",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "027421d5-7c11-5c13-aa91-5cf6a01b72ef",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "f3edf130-0096-5a49-a3f1-d97974a70494",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "0acbac2f-7bd4-51d1-aaac-e12cebcddb31",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "49f92a32-bac9-56af-ac97-3b09f23b8fa6",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "dcb94d22-45a2-5433-bc4c-634add96088b",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "b20e5c17-f2dd-5057-9af2-a9586e72de9e",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "2fe43d88-db8f-5156-98fb-4b9db0e5fff3",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "187285bb-a282-5a6a-833e-01d9744165c4",
+          "type": "detects"
+        },
+        {
+          "dest-uuid": "94d622e2-5909-5f88-aaaf-846907cbda1f",
+          "type": "detects"
+        }
+      ],
+      "uuid": "667967b8-b3f1-55ad-8f8a-8c43c1290e6e",
+      "value": "social media platform adminstrator"
+    },
+    {
+      "description": "",
+      "meta": {
+        "external_id": "A032",
+        "kill_chain": [
+          "sectors:Social Media Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A032.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c52274ce-09fe-5b50-b2f2-741be794da6e",
+          "type": "affects"
+        }
+      ],
+      "uuid": "75f1924e-e711-5d07-8336-865b277c30d0",
+      "value": "social media platform outreach"
+    },
+    {
+      "description": "Person with authority to make changes to a social media company’s business model",
+      "meta": {
+        "external_id": "A033",
+        "kill_chain": [
+          "sectors:Social Media Company"
+        ],
+        "refs": [
+          "https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A033.md"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "0aa00b22-361f-5e5b-ac46-901cf6d2dfcc",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "27acb21d-afef-52b5-be75-886d2af18067",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "9133c9a6-500e-537d-aaa8-be8c5da12a93",
+          "type": "affects"
+        },
+        {
+          "dest-uuid": "e81b12d2-491b-534a-88bb-221ab2cbf828",
+          "type": "affects"
+        }
+      ],
+      "uuid": "15428e72-df7e-5483-a59c-bf84bb46928f",
+      "value": "social media platform owner"
+    }
+  ],
+  "version": 1
+}

clusters/entity.json

@@ -0,0 +1,34 @@
+{
+  "authors": [
+    "Various"
+  ],
+  "category": "actor",
+  "description": "Description of entities that can be involved in events.",
+  "name": "Entity",
+  "source": "MISP Project",
+  "type": "entity",
+  "uuid": "cd80fe0d-b905-449c-89f5-9a6b0ea09fc3",
+  "values": [
+    {
+      "description": "An individual involved in an event.",
+      "uuid": "e3983732-c670-4ea1-a28e-1f60bb3d74b7",
+      "value": "Individual"
+    },
+    {
+      "description": "A group involved in an event.",
+      "uuid": "d32a81f3-ed96-4bb0-a6b2-37efbeaa8cc0",
+      "value": "Group"
+    },
+    {
+      "description": "A employee involved in an event.",
+      "uuid": "35afacc1-8b9d-41b2-b90e-d2e2b2602aa9",
+      "value": "Employee"
+    },
+    {
+      "description": "A structure involved in an event.",
+      "uuid": "019a12dc-5325-4672-82b2-56558b661fe8",
+      "value": "Structure"
+    }
+  ],
+  "version": 1
+}

clusters/microsoft-activity-group.json

@@ -343,7 +343,8 @@
       "description": "Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.",
       "meta": {
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+          "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+          "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
         ]
       },
       "related": [
@@ -1840,5 +1841,5 @@
       "value": "Zigzag Hail"
     }
   ],
-  "version": 20
+  "version": 21
 }

clusters/mitre-atlas-course-of-action.json

@@ -0,0 +1,771 @@
+{
+  "authors": [
+    "MITRE"
+  ],
+  "category": "course-of-action",
+  "description": "MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems",
+  "name": "MITRE ATLAS Course of Action",
+  "source": "https://github.com/mitre-atlas/atlas-navigator-data",
+  "type": "mitre-atlas-course-of-action",
+  "uuid": "951d5a45-43c2-422b-90af-059014f15714",
+  "values": [
+    {
+      "description": "Limit the public release of technical information about the machine learning stack used in an organization's products or services. Technical knowledge of how machine learning is used can be leveraged by adversaries to perform targeting and tailor attacks to the target system. Additionally, consider limiting the release of organizational information - including physical locations, researcher names, and department structures - from which technical details such as machine learning techniques, model architectures, or datasets may be inferred.\n",
+      "meta": {
+        "external_id": "AML.M0000",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0000"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "65d21e6b-7abe-4623-8f5c-88011cb362cb",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8c26f51a-c403-4c4d-852a-a1c56fe9e7cd",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "aa17fe8d-62f8-4c4c-b7a2-6858c82dd84b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "b23cda85-3457-406d-b043-24d2cf9e6fcf",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "40076545-e797-4508-a294-943096a12111",
+      "value": "Limit Release of Public Information"
+    },
+    {
+      "description": "Limit public release of technical project details including data, algorithms, model architectures, and model checkpoints that are used in production, or that are representative of those used in production.\n",
+      "meta": {
+        "external_id": "AML.M0001",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0001"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "0ec538ca-589b-4e42-bcaa-06097a0d679f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "a3baff3d-7228-4ab7-ae00-ffe150e7ef8a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c086784e-1494-4f75-a4a0-d3ad054b9428",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "79c75215-ada9-4c22-bfed-7d13fb6e966e",
+      "value": "Limit Model Artifact Release"
+    },
+    {
+      "description": "Decreasing the fidelity of model outputs provided to the end user can reduce an adversaries ability to extract information about the model and optimize attacks for the model.\n",
+      "meta": {
+        "external_id": "AML.M0002",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0002"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "86b5f486-afb8-4aa9-991f-0e24d5737f0c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "943303ef-846b-49d6-b53f-b0b9341ac1ca",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c4e52005-7416-45c4-9feb-8cd5fd34f70a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c552f0b5-2e2c-4f8f-badc-0876ecca7255",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e19c6f8a-f1e2-46cc-9387-03a3092f01ed",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "f78e0ac3-6d72-42ed-b20a-e10d8c752cf6",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "9f92e876-e2c0-4def-afee-626a4a79c524",
+      "value": "Passive ML Output Obfuscation"
+    },
+    {
+      "description": "Use techniques to make machine learning models robust to adversarial inputs such as adversarial training or network distillation.\n",
+      "meta": {
+        "external_id": "AML.M0003",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0003"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "071df654-813a-4708-85dc-f715f785d37f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8735735d-c09d-4298-8e64-9a2b6168a74c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "216f862c-7f34-4676-a913-c4ec6cc4c2cd",
+      "value": "Model Hardening"
+    },
+    {
+      "description": "Limit the total number and rate of queries a user can perform.\n",
+      "meta": {
+        "external_id": "AML.M0004",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0004"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6c1fca80-3ba9-41c9-8f7b-9824310a94f1",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "86b5f486-afb8-4aa9-991f-0e24d5737f0c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8f644f37-e2e6-468e-b720-f395b8c27fbc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "943303ef-846b-49d6-b53f-b0b9341ac1ca",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "ae71ca3a-8ca4-40d2-bdba-4276b29ac8f9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "b07d147f-51c8-4eb6-9a05-09c86762a9c1",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c4e52005-7416-45c4-9feb-8cd5fd34f70a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c552f0b5-2e2c-4f8f-badc-0876ecca7255",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e19c6f8a-f1e2-46cc-9387-03a3092f01ed",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "f78e0ac3-6d72-42ed-b20a-e10d8c752cf6",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "46b3e92d-600b-47c9-80f5-ed62a5db0377",
+      "value": "Restrict Number of ML Model Queries"
+    },
+    {
+      "description": "Establish access controls on internal model registries and limit internal access to production models. Limit access to training data only to approved users.\n",
+      "meta": {
+        "external_id": "AML.M0005",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0005"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "0ec538ca-589b-4e42-bcaa-06097a0d679f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "2680aa95-5620-4677-9c62-b0c3d15d9450",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "452b8fdf-8679-4013-bb38-4d16f65430bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8d644240-ad99-4410-a7f8-3ef8f53a463e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "a50f02df-1130-4945-94bb-7857952da585",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "d1f013a8-11f3-4560-831c-8ed5e39247c9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e0eb2b64-aebd-4412-80f3-b71d7805a65f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "0025dadf-7900-497f-aa03-39f0e319f20e",
+      "value": "Control Access to ML Models and Data at Rest"
+    },
+    {
+      "description": "Use an ensemble of models for inference to increase robustness to adversarial inputs. Some attacks may effectively evade one model or model family but be ineffective against others.\n",
+      "meta": {
+        "external_id": "AML.M0006",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0006"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "071df654-813a-4708-85dc-f715f785d37f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "452b8fdf-8679-4013-bb38-4d16f65430bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8735735d-c09d-4298-8e64-9a2b6168a74c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c552f0b5-2e2c-4f8f-badc-0876ecca7255",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "d8292a1c-21e7-4b45-b110-0e05feb30a9a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "dcb586a2-1135-4e2a-97bd-d4adbc79758b",
+      "value": "Use Ensemble Methods"
+    },
+    {
+      "description": "Detect and remove or remediate poisoned training data.  Training data should be sanitized prior to model training and recurrently for an active learning model.\n\nImplement a filter to limit ingested training data.  Establish a content policy that would remove unwanted content such as certain explicit or offensive language from being used.\n",
+      "meta": {
+        "external_id": "AML.M0007",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0007"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "0ec538ca-589b-4e42-bcaa-06097a0d679f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8d644240-ad99-4410-a7f8-3ef8f53a463e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e0eb2b64-aebd-4412-80f3-b71d7805a65f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "9395d240-cc32-452a-911b-04feea01bcfb",
+      "value": "Sanitize Training Data"
+    },
+    {
+      "description": "Validate that machine learning models perform as intended by testing for backdoor triggers or adversarial bias.\nMonitor model for concept drift and training data drift, which may indicate data tampering and poisoning.\n",
+      "meta": {
+        "external_id": "AML.M0008",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0008"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "452b8fdf-8679-4013-bb38-4d16f65430bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "a50f02df-1130-4945-94bb-7857952da585",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e0eb2b64-aebd-4412-80f3-b71d7805a65f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "01c2ec0a-e257-4a75-9e59-f71aa6362b6e",
+      "value": "Validate ML Model"
+    },
+    {
+      "description": "Incorporate multiple sensors to integrate varying perspectives and modalities to avoid a single point of failure susceptible to physical attacks.\n",
+      "meta": {
+        "external_id": "AML.M0009",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0009"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "071df654-813a-4708-85dc-f715f785d37f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "4d5c6974-0307-4535-bf37-7bb4c6a2ef47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "1bb9d9a7-c05a-470f-a709-64bd240e2eb0",
+      "value": "Use Multi-Modal Sensors"
+    },
+    {
+      "description": "Preprocess all inference data to nullify or reverse potential adversarial perturbations.\n",
+      "meta": {
+        "external_id": "AML.M0010",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0010"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "071df654-813a-4708-85dc-f715f785d37f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8735735d-c09d-4298-8e64-9a2b6168a74c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c4e52005-7416-45c4-9feb-8cd5fd34f70a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "73a34f24-1ad1-4421-b9c8-c2cbd13e6f47",
+      "value": "Input Restoration"
+    },
+    {
+      "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.\n\nFile formats such as pickle files that are commonly used to store machine learning models can contain exploits that allow for loading of malicious libraries.\n",
+      "meta": {
+        "external_id": "AML.M0011",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0011"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "be6ef5c5-1ecb-486d-9743-42085bd2c256",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "179e00cb-0948-4282-9132-f8a1f0ff6bd7",
+      "value": "Restrict Library Loading"
+    },
+    {
+      "description": "Encrypt sensitive data such as ML models to protect against adversaries attempting to access sensitive data.\n",
+      "meta": {
+        "external_id": "AML.M0012",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0012"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6a88dccb-fb37-4f11-a5ad-42908aaee1d0",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "d1f013a8-11f3-4560-831c-8ed5e39247c9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "e2ebc190-9ff6-496e-afeb-ac868df2361e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "aad92d43-774b-4612-8437-8d6c7ee7e4af",
+      "value": "Encrypt Sensitive Information"
+    },
+    {
+      "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. Adversaries can embed malicious code in ML software or models. Enforcement of code signing can prevent the compromise of the machine learning supply chain and prevent execution of malicious code.\n",
+      "meta": {
+        "external_id": "AML.M0013",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0013"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "452b8fdf-8679-4013-bb38-4d16f65430bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "be6ef5c5-1ecb-486d-9743-42085bd2c256",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "d8292a1c-21e7-4b45-b110-0e05feb30a9a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "88073b07-2fe9-41cb-8e76-6e244fbabc74",
+      "value": "Code Signing"
+    },
+    {
+      "description": "Verify the cryptographic checksum of all machine learning artifacts to verify that the file was not modified by an attacker.\n",
+      "meta": {
+        "external_id": "AML.M0014",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0014"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "be6ef5c5-1ecb-486d-9743-42085bd2c256",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "d2cf31e0-a550-4fe0-8fdb-8941b3ac00d9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "f4fc2abd-71a4-401a-a742-18fc5aeb4bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "cdccb3ab-2dde-41a9-a988-783a25b7bd00",
+      "value": "Verify ML Artifacts"
+    },
+    {
+      "description": "Detect and block adversarial inputs or atypical queries that deviate from known benign behavior, exhibit behavior patterns observed in previous attacks or that come from potentially malicious IPs.\nIncorporate adversarial detection algorithms into the ML system prior to the ML model.\n",
+      "meta": {
+        "external_id": "AML.M0015",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0015"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "071df654-813a-4708-85dc-f715f785d37f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8735735d-c09d-4298-8e64-9a2b6168a74c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "8f644f37-e2e6-468e-b720-f395b8c27fbc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c4e52005-7416-45c4-9feb-8cd5fd34f70a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "0ed2ef71-cdc9-4eef-8432-1c3dadbdda20",
+      "value": "Adversarial Input Detection"
+    },
+    {
+      "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.\n\nFile formats such as pickle files that are commonly used to store machine learning models can contain exploits that allow for arbitrary code execution.\nBoth model artifacts and downstream products produced by models should be scanned for known vulnerabilities.\n",
+      "meta": {
+        "external_id": "AML.M0016",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0016"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "be6ef5c5-1ecb-486d-9743-42085bd2c256",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "c704a49c-abf0-4258-9919-a862b1865469",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "79752061-aac1-4ed9-b7f3-3b4dc5e81280",
+      "value": "Vulnerability Scanning"
+    },
+    {
+      "description": "Deploying ML models to edge devices can increase the attack surface of the system.\nConsider serving models in the cloud to reduce the level of access the adversary has to the model.\nAlso consider computing features in the cloud to prevent gray-box attacks, where an adversary has access to the model preprocessing methods.\n",
+      "meta": {
+        "external_id": "AML.M0017",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0017"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "3de90963-bc9f-4ae1-b780-7d05e46eacdd",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "452b8fdf-8679-4013-bb38-4d16f65430bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "ab01ba21-1438-4cd9-a588-92eb271086bc",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "432c3a44-3974-4b73-9eb9-fa5dd5298e47",
+      "value": "Model Distribution Methods"
+    },
+    {
+      "description": "Educate ML model developers on secure coding practices and ML vulnerabilities.\n",
+      "meta": {
+        "external_id": "AML.M0018",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0018"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "8c849dd4-5d15-45aa-b5b2-59c96a3ab939",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "be6ef5c5-1ecb-486d-9743-42085bd2c256",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "cce983e7-13a2-4545-8c39-ec6c8dff148d",
+      "value": "User Training"
+    },
+    {
+      "description": "Require users to verify their identities before accessing a production model.\nRequire authentication for API endpoints and monitor production model queries to ensure compliance with usage policies and to prevent model misuse.\n",
+      "meta": {
+        "external_id": "AML.M0019",
+        "refs": [
+          "https://atlas.mitre.org/mitigations/AML.M0019"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "90a420d4-3f03-4800-86c0-223c4376804a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        },
+        {
+          "dest-uuid": "b07d147f-51c8-4eb6-9a05-09c86762a9c1",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "mitigates"
+        }
+      ],
+      "uuid": "7b00dd51-f719-433d-afd6-3d386f64386d",
+      "value": "Control Access to ML Models and Data in Production"
+    }
+  ],
+  "version": 12
+}

clusters/producer.json

@@ -0,0 +1,467 @@
+{
+  "authors": [
+    "Various"
+  ],
+  "category": "actor",
+  "description": "List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.",
+  "name": "Producer",
+  "source": "MISP Project",
+  "type": "producer",
+  "uuid": "faab7b69-c850-491a-b36c-ba48c1c03279",
+  "values": [
+    {
+      "description": "Intel 471 provides adversary and malware intelligence for leading security teams. Our adversary intelligence is focused on infiltrating access to closed sources where threat actors collaborate, communicate and plan cyber attacks. Our malware intelligence leverages our adversary intelligence and underground capabilities to provide timely data and context on malicious infrastructure.",
+      "meta": {
+        "company-type": [
+          "Cyber Security Vendor"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://intel471.com/"
+        ],
+        "product-type": [
+          "intelligence-feed-provider"
+        ],
+        "products": [
+          "Malware Intelligence",
+          "Vulnerability Intelligence"
+        ],
+        "refs": [
+          "https://www.applytosupply.digitalmarketplace.service.gov.uk/g-cloud/services/448869643798857"
+        ],
+        "synonyms": [
+          "Intel 471 Inc.",
+          "Intel 471"
+        ]
+      },
+      "uuid": "306bc923-3200-47e3-ade9-50ffc41f668c",
+      "value": "Intel471"
+    },
+    {
+      "description": "Sophos Ltd. is a British-based security software and hardware company. It was listed on the London Stock Exchange until it was acquired by Thoma Bravo in February 2020",
+      "meta": {
+        "company-type": [
+          "Cyber Security Vendor"
+        ],
+        "country": "UK",
+        "official-refs": [
+          "https://www.sophos.com/"
+        ],
+        "product-type": [
+          "antivirus-vendor"
+        ],
+        "products": [
+          "Endpoint"
+        ],
+        "refs": [
+          "https://www.sophos.com/en-us/legal"
+        ],
+        "synonyms": [
+          "Sophos LTD"
+        ]
+      },
+      "uuid": "455b9e40-e8dd-443b-87b3-c70bd09b4231",
+      "value": "Sophos"
+    },
+    {
+      "description": "Group-IB is a creator of cybersecurity technologies to investigate, prevent and fight digital crime",
+      "meta": {
+        "company-type": [
+          "Cyber Security Vendor"
+        ],
+        "official-refs": [
+          "https://www.group-ib.com/"
+        ],
+        "product-type": [
+          "Threat Intelligence",
+          "Attack Surface Management",
+          "Fraud Protection",
+          "Digital Risk Protection",
+          "Managed XDR",
+          "Business Email Protection"
+        ],
+        "products": [
+          "Unified Risk Platform"
+        ],
+        "refs": [
+          "https://www.group-ib.com/about-us/"
+        ]
+      },
+      "uuid": "21afba9e-cd2a-45c9-b421-b1f14fd181e9",
+      "value": "Group-IB"
+    },
+    {
+      "description": "Mandiant is an American cybersecurity firm and a subsidiary of Google.",
+      "meta": {
+        "company-type": [
+          "Information security"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://www.mandiant.com/"
+        ],
+        "product-type": [
+          "Proactive Exposure Management",
+          "Government",
+          "Digital Risk Protection",
+          " Ransomware Protection"
+        ],
+        "products": [
+          "OpenIOC"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/Mandiant"
+        ]
+      },
+      "uuid": "da5cdcd1-7b15-4371-b7eb-ca32916d2052",
+      "value": "Mandiant"
+    },
+    {
+      "description": "Thread intelligence provider focusing on data leaks",
+      "meta": {
+        "country": "US",
+        "official-refs": [
+          "https://spycloud.com"
+        ],
+        "product-type": [
+          "Post-Infection Remediation",
+          "Ransomware Prevention",
+          "Automated ATO Prevention",
+          "Session Hijacking Prevention",
+          "Threat Actor Attribution",
+          "Fraud Prevention"
+        ]
+      },
+      "uuid": "ad99da77-986b-45bc-a7b0-c1887dd55b59",
+      "value": "Spycloud"
+    },
+    {
+      "description": "DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment.",
+      "meta": {
+        "company-type": [
+          "Threat Intelligence"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://www.domaintools.com/"
+        ],
+        "products": [
+          "Iris Intelligence Platform",
+          "Farsight DNSDB",
+          "Threat Intelligence Feeds"
+        ],
+        "refs": [
+          "https://icannwiki.org/DomainTools"
+        ]
+      },
+      "uuid": "993c6a36-b625-4a1f-8737-72ba5a197744",
+      "value": "Domaintools"
+    },
+    {
+      "description": "Feedly is an AI-powered news aggregator application for various web browsers and mobile devices running iOS and Android. It is also available as a cloud-based service.",
+      "meta": {
+        "official-refs": [
+          "https://feedly.com/homepage"
+        ],
+        "product-type": [
+          "Threat Intelligence"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/Feedly"
+        ]
+      },
+      "uuid": "4e7c737a-4912-488a-8571-1f9226ebad05",
+      "value": "Feedly"
+    },
+    {
+      "description": "Database of public networks, IP addresses and domain names owned by companies and organisations worldwide.",
+      "meta": {
+        "official-refs": [
+          "https://networksdb.io/"
+        ],
+        "refs": [
+          "https://twitter.com/networksdbio"
+        ]
+      },
+      "uuid": "17fec4c4-3822-4198-9735-cee04aa51305",
+      "value": "Networksdb.io"
+    },
+    {
+      "description": "Compagny providing comprehensive dataset of internet intelligence",
+      "meta": {
+        "country": "US",
+        "official-refs": [
+          "https://censys.com/",
+          "https://censys.io/"
+        ],
+        "products": [
+          "Censys Search",
+          "Exposure Management",
+          "The Censys Internet Map",
+          "Integrations"
+        ]
+      },
+      "uuid": "101ca178-12c8-4488-b234-93f263e30b1a",
+      "value": "Censys"
+    },
+    {
+      "description": "DomainIQ is an internet research tool providing information about a domain name, its owner, the server it's hosted on, its ownership history, similar domains and more.",
+      "meta": {
+        "country": "US",
+        "official-refs": [
+          "https://www.domainiq.com"
+        ]
+      },
+      "uuid": "3f79697b-63d8-4c86-aabf-84df1f03c43d",
+      "value": "DomainIQ"
+    },
+    {
+      "description": "Computer and Network Security",
+      "meta": {
+        "company-type": [
+          "Computer and Network Security"
+        ],
+        "country": "FI",
+        "official-refs": [
+          "https://www.arcticsecurity.com/"
+        ],
+        "synonyms": [
+          "Arctic Security"
+        ]
+      },
+      "uuid": "542f8890-128b-42ca-97f9-8fe2af7ab783",
+      "value": "Arctic"
+    },
+    {
+      "description": "BitSight is a cybersecurity ratings company that analyzes companies, government agencies, and educational institutions.",
+      "meta": {
+        "country": "US",
+        "official-refs": [
+          "https://www.bitsight.com"
+        ]
+      },
+      "uuid": "1e98d9ac-0ef1-4046-bf9f-7c905a56ba90",
+      "value": "Bitsight"
+    },
+    {
+      "description": "RiskIQ, Inc. is a cyber security company that was based in San Francisco, California. It provided cloud-based software as a service (SaaS) for organizations to detect phishing, fraud, malware, and other online security threats. RiskIQ was acquired by Microsoft in July 2021.",
+      "meta": {
+        "company-type": [
+          "Cyber Security company"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://community.riskiq.com/"
+        ],
+        "product-type": [
+          "Threat detection"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/RiskIQ"
+        ]
+      },
+      "uuid": "9f279581-5514-42cd-8011-05af9787ee37",
+      "value": "RiskIQ"
+    },
+    {
+      "description": "Sweepatic is a cybersecurity company",
+      "meta": {
+        "company-type": [
+          "Cyber Security vendor"
+        ],
+        "country": "BE",
+        "official-refs": [
+          "https://www.sweepatic.com"
+        ],
+        "product-type": [
+          "EASM platform"
+        ]
+      },
+      "uuid": "c9bd796a-8b73-42ab-8abe-0016292f5528",
+      "value": "Sweepatic"
+    },
+    {
+      "description": "Team Cymru is an internet security firm that offers research services making the internet a more secure place.",
+      "meta": {
+        "company-type": [
+          "Cyber Security vendor"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://www.team-cymru.com/"
+        ],
+        "product-type": [
+          "Threat Intelligence Solutions",
+          "Attack Surface Management Solution",
+          "Threat Feeds"
+        ],
+        "products": [
+          "Pure Signal™ Recon",
+          "Pure Signal™ Scout",
+          "Pure Signal™ Orbit",
+          "IP Reputation Feed",
+          "Controller Feed",
+          "Botnet Analysis & Reporting"
+        ]
+      },
+      "uuid": "8a22c0b2-d05f-4142-ab74-ffdf38fe4758",
+      "value": "Team Cymru"
+    },
+    {
+      "description": "G Data CyberDefense AG (until September 2019 G Data Software AG) is a German software company that focuses on computer security.",
+      "meta": {
+        "company-type": [
+          "Computer software"
+        ],
+        "country": "DE",
+        "official-refs": [
+          "https://www.gdata-software.com",
+          "https://www.gdatasoftware.co.uk"
+        ],
+        "product-type": [
+          "Antivirus software",
+          "Mobile Device Management"
+        ],
+        "products": [
+          "AntiVirus",
+          "InternetSecurity",
+          "TotalSecurity",
+          "AntiVirus for Mac",
+          "AntiVirus Business",
+          "AntiVirus Enterprise",
+          "ClientSecurity Business",
+          "ClientSecurity Enterprise",
+          "EndpointProtection Business",
+          "EndpointProtection Enterprise",
+          "MailSecurity",
+          "PatchManagement",
+          "Mobile Security",
+          "VPN"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/G_Data_CyberDefense"
+        ],
+        "synonyms": [
+          "GDATA",
+          "G Data CyberDefense AG",
+          "G Data Software AG"
+        ]
+      },
+      "uuid": "2b69f676-c875-4000-8350-5f162e69d908",
+      "value": "G DATA"
+    },
+    {
+      "description": "Sekoia.io is a European cybersecurity SAAS company, whose mission is to develop the best protection capabilities against cyber attacks.",
+      "meta": {
+        "company-type": [
+          "Cyber Security Vendor"
+        ],
+        "country": "FR",
+        "official-refs": [
+          "https://www.sekoia.io"
+        ],
+        "product-type": [
+          "eXtended Detection and Response SaaS platform"
+        ],
+        "products": [
+          "SIEM RELOADED | Sekoia Defend",
+          "CTI RELOADED"
+        ]
+      },
+      "uuid": "6c9ef130-7cf6-4eeb-9e65-46228fc5e30c",
+      "value": "Sekoia"
+    },
+    {
+      "description": "Excellium Services Group is a cyber-security consulting and technology Integration Company established since 2012 in Luxemburg and Belgium, with activities and in France and Africa.",
+      "meta": {
+        "company-type": [
+          "Cyber-security consulting and technology Integration Company",
+          "CSIRT"
+        ],
+        "country": "LU",
+        "official-refs": [
+          "https://excellium-services.com"
+        ],
+        "product-type": [
+          "CERT-XLM",
+          "SOC",
+          "GDPR Services",
+          "Information Security Governance",
+          "Intrusion Tests – Red Team (Application Security Team)",
+          "Network & Security Infrastructure",
+          "Training"
+        ],
+        "products": [
+          "EyeGuard",
+          "EyeTools",
+          "EyeDeep",
+          "EyeTLD",
+          "EyeNotify"
+        ]
+      },
+      "uuid": "73ae2776-3700-4120-84ae-7e9785e6071b",
+      "value": "Excellium"
+    },
+    {
+      "description": "Telindus is a brand of Proximus Luxembourg SA. Founded in 1979, Telindus Luxembourg accompanies all organizations in their digital transformation, by providing holistic ICT & Telecommunication solutions, as well as tailored support services. Our areas of expertise include Telecommunication Services, ICT Infrastructure, Multi-Cloud, Digital Trust Solutions, Cybersecurity, Business Applications, Managed Services and Training.",
+      "meta": {
+        "company-type": [
+          "Service Provider"
+        ],
+        "country": "LU",
+        "official-refs": [
+          "https://www.telindus.lu/en"
+        ],
+        "product-type": [
+          "Ethical Hacking",
+          "Infrastructure Security",
+          "Managed Security Services",
+          "Protection, Detection and Orchestration",
+          "Security Operations Center",
+          "Strategy, risk, management and advice",
+          "ICT solutions",
+          "Telecoms",
+          "Cloud"
+        ]
+      },
+      "uuid": "4155eec3-fae2-4e80-a9a6-89b0f976851a",
+      "value": "Telindus"
+    },
+    {
+      "description": "Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.",
+      "meta": {
+        "company-type": [
+          "Technology news and computer help"
+        ],
+        "country": "US",
+        "official-refs": [
+          "https://www.bleepingcomputer.com/"
+        ],
+        "product-type": [
+          "Security and Technology Blog Posts"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/Bleeping_Computer"
+        ]
+      },
+      "uuid": "ec3fb9b0-4f24-4099-ad48-3e8f68e88275",
+      "value": "BleepingComputer"
+    },
+    {
+      "description": "",
+      "meta": {
+        "country": "US",
+        "refs": [
+          "https://talosintelligence.com/",
+          "https://blog.talosintelligence.com/"
+        ],
+        "synonyms": [
+          "Cisco Talos"
+        ]
+      },
+      "uuid": "0adf6f0f-3795-4de1-9763-1bdd1c31a5d7",
+      "value": "Cisco Talos Intelligence Group"
+    }
+  ],
+  "version": 6
+}

clusters/ransomware.json

@@ -23395,6 +23395,36 @@
     },
     {
       "description": "ransomware",
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
       "uuid": "d650da35-7ad7-417a-902a-16ea55bd1126",
       "value": "XRat"
     },
@@ -26174,7 +26204,18 @@
       },
       "uuid": "476de1fe-d9b7-441a-8cb9-e6648189be3b",
       "value": "Yanluowang"
+    },
+    {
+      "meta": {
+        "links": [
+          "https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/",
+          "https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n",
+          "https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/"
+        ]
+      },
+      "uuid": "74f4aa81-d494-41b0-90dd-b5958fa4a822",
+      "value": "Akira"
     }
   ],
-  "version": 118
+  "version": 120
 }

clusters/rat.json

@@ -760,6 +760,27 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
@@ -1064,6 +1085,36 @@
           "https://github.com/c4bbage/xRAT"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "d650da35-7ad7-417a-902a-16ea55bd1126",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
       "uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8",
       "value": "xRAT"
     },
@@ -1496,6 +1547,15 @@
           "https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
       "uuid": "6583d982-a5cb-47e0-a3b0-bc18cadaeb53",
       "value": "Chrome Remote Desktop"
     },
@@ -3574,7 +3634,19 @@
       },
       "uuid": "b30cb6f4-1e0a-4a97-8d88-ca38f83b4422",
       "value": "STRRAT"
+    },
+    {
+      "description": "Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code./nThe COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades./nMIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies./nMIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.",
+      "meta": {
+        "refs": [
+          "https://github.com/JSCU-NL/COATHANGER",
+          "https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear",
+          "https://twitter.com/sehof/status/1754883344574103670"
+        ]
+      },
+      "uuid": "c04e9738-de62-43e4-b645-2e308c1f77f7",
+      "value": "COATHANGER"
     }
   ],
-  "version": 43
+  "version": 45
 }

clusters/sector.json

@@ -18,6 +18,11 @@
       "value": "Other"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "P - Education"
+        ]
+      },
       "uuid": "98821a86-3c11-474b-afab-3c84af061407",
       "value": "Academia - University"
     },
@@ -26,22 +31,47 @@
       "value": "Activists"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb",
       "value": "Aerospace"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "A - Agriculture, forestry and fishing"
+        ]
+      },
       "uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c",
       "value": "Agriculture"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "R - Arts, entertainment and recreation"
+        ]
+      },
       "uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a",
       "value": "Arts"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "K - Financial and Insurance Activities"
+        ]
+      },
       "uuid": "19cc9f22-e682-4808-a96c-82e573703dff",
       "value": "Bank"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7",
       "value": "Chemical"
     },
@@ -50,6 +80,11 @@
       "value": "Citizens"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "H - Transporting and storage"
+        ]
+      },
       "uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086",
       "value": "Civil Aviation"
     },
@@ -58,14 +93,29 @@
       "value": "Country"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "R - Arts, entertainment and recreation"
+        ]
+      },
       "uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6",
       "value": "Culture"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d",
       "value": "Data Broker"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14",
       "value": "Defense"
     },
@@ -74,39 +124,82 @@
       "value": "Development"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4",
       "value": "Diplomacy"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "P - Education"
+        ]
+      },
       "uuid": "19eca562-123d-449b-af33-5a36e5279b12",
       "value": "Education"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "D - Electricity, gas, steam and air conditioning supply"
+        ]
+      },
       "uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f",
       "value": "Electric"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08",
       "value": "Electronic"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15",
       "value": "Employment"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8",
       "value": "Energy"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "R - Arts, entertainment and recreation"
+        ]
+      },
       "uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740",
       "value": "Entertainment"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "E - Water supply; sewerage; waste managment and remediation activities"
+        ]
+      },
       "uuid": "8291a998-e888-4351-87ec-c6da6b06bff6",
       "value": "Environment"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "K - Financial and Insurance Activities"
+        ],
         "synonyms": [
           "Financial"
         ]
@@ -115,19 +208,37 @@
       "value": "Finance"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "I - Accommodation and food service activities"
+        ]
+      },
       "uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4",
       "value": "Food"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de",
       "value": "Game"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "D - Electricity, gas, steam and air conditioning supply"
+        ]
+      },
       "uuid": "851c28c6-2e80-4d63-959b-44037931175b",
       "value": "Gas"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ],
         "synonyms": [
           "Government",
           "Administration"
@@ -138,6 +249,9 @@
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "Q - Human health and social work activities"
+        ],
         "synonyms": [
           "Healthcare"
         ]
@@ -146,50 +260,110 @@
       "value": "Health"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "P - Education"
+        ]
+      },
       "uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27",
       "value": "Higher education"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "I - Accommodation and food service activities"
+        ]
+      },
       "uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2",
       "value": "Hotels"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "D - Electricity, gas, steam and air conditioning supply"
+        ]
+      },
       "uuid": "641af156-12d0-4fb4-b89d-971cd454914f",
       "value": "Infrastructure"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295",
       "value": "Intelligence"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5",
       "value": "IT"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97",
       "value": "IT - Hacker"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "872de996-e069-4cd9-b227-d5ca01dc020c",
       "value": "IT - ISP"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be",
       "value": "IT - Security"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a",
       "value": "Justice"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591",
       "value": "Manufacturing"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51",
       "value": "Maritime"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4",
       "value": "Military"
     },
@@ -199,6 +373,9 @@
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ],
         "synonyms": [
           "News",
           "Media"
@@ -208,19 +385,38 @@
       "value": "News - Media"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "Section S: Other Service Activities"
+        ]
+      },
       "uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608",
       "value": "NGO"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "B - Mining and quarrying",
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522",
       "value": "Oil"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "K - Financial and insurance activities"
+        ]
+      },
       "uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551",
       "value": "Payment"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ],
         "synonyms": [
           "Pharmaceutical"
         ]
@@ -229,35 +425,74 @@
       "value": "Pharmacy"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "O - Public administration and defence; compulsory social security"
+        ]
+      },
       "uuid": "36432a96-225a-4c90-b0f5-44eaee45e306",
       "value": "Police - Law enforcement"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "738939b4-c93f-4972-938a-7eb1f60188b9",
       "value": "Research - Innovation"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22",
       "value": "Satellite navigation"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "N - Administrative and support service activities"
+        ]
+      },
       "uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf",
       "value": "Security systems"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "61809257-9f13-4910-b824-f483c4334bb5",
       "value": "Social networks"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing",
+          "H - Transporting and storage"
+        ]
+      },
       "uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075",
       "value": "Space"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d",
       "value": "Steel"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ],
         "synonyms": [
           "Telecommunications"
         ]
@@ -266,15 +501,28 @@
       "value": "Telecoms"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e",
       "value": "Think Tanks"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "G - Wholesale and retail trade; repair of motor vehicles and motorcycles"
+        ]
+      },
       "uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec",
       "value": "Trade"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "H - Transporting and storage"
+        ],
         "synonyms": [
           "Transportation"
         ]
@@ -283,10 +531,20 @@
       "value": "Transport"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "I - Accommodation and food service activities"
+        ]
+      },
       "uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf",
       "value": "Travel"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab",
       "value": "Turbine"
     },
@@ -295,14 +553,29 @@
       "value": "Tourism"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "87eae00d-b973-46db-83a2-1f520aebcd44",
       "value": "Life science"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "Q - Human health and social work activities"
+        ]
+      },
       "uuid": "58282b0e-10d4-4294-8845-6f41a1e79730",
       "value": "Biomedical"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631",
       "value": "High tech"
     },
@@ -311,59 +584,127 @@
       "value": "Opposition"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "S - Other services activities"
+        ]
+      },
       "uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff",
       "value": "Political party"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "I - Accommodation and food service activities"
+        ]
+      },
       "uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b",
       "value": "Hospitality"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e",
       "value": "Automotive"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a",
       "value": "Metal"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "H - Transporting and storage"
+        ]
+      },
       "uuid": "02847338-fe03-4073-9f5b-c6fedc244b04",
       "value": "Railway"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "E - Water supply; sewerage; waste managment and remediation activities"
+        ]
+      },
       "uuid": "26282f7e-8db4-4369-8af1-3981f6a93350",
       "value": "Water"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "D - Electricity, gas, steam and air conditioning supply"
+        ]
+      },
       "uuid": "62487559-c0e5-4250-af48-d43fa2e61b82",
       "value": "Smart meter"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "G - Wholesale and retail trade; repair of motor vehicles and motorcycles"
+        ]
+      },
       "uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d",
       "value": "Retail"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d",
       "value": "Technology"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc",
       "value": "Engineering"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "B - Mining and quarrying"
+        ]
+      },
       "uuid": "7508db07-ffd1-4137-9941-718f18370c4c",
       "value": "Mining"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "R - Arts, entertainment and recreation"
+        ]
+      },
       "uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d",
       "value": "Sport"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "I - Accommodation and food service activities"
+        ]
+      },
       "uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097",
       "value": "Restaurant"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ],
         "synonyms": [
           "Semiconductor"
         ]
@@ -372,27 +713,55 @@
       "value": "Semi-conductors"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "K - Financial and Insurance Activities"
+        ]
+      },
       "uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507",
       "value": "Insurance"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089",
       "value": "Legal"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "H - Transporting and storage"
+        ]
+      },
       "uuid": "64483d7b-71a4-4130-803e-2c614a098d8b",
       "value": "Shipping"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "H - Transporting and storage"
+        ]
+      },
       "uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965",
       "value": "Logistic"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "F - Construction"
+        ]
+      },
       "uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8",
       "value": "Construction"
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ],
         "synonyms": [
           "ICS"
         ]
@@ -401,18 +770,38 @@
       "value": "Industrial"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "C - Manufacturing"
+        ]
+      },
       "uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b",
       "value": "Communication equipment"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "N - Administrative and support service activities"
+        ]
+      },
       "uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd",
       "value": "Security Service"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d",
       "value": "Tax firm"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f",
       "value": "Television broadcast"
     },
@@ -425,18 +814,38 @@
       "value": "Dissidents"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447",
       "value": "Digital services"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f",
       "value": "Digital infrastructure"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "N - Administrative and support service activities"
+        ]
+      },
       "uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a",
       "value": "Security actors"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "G - Wholesale and retail trade; repair of motor vehicles and motorcycles"
+        ]
+      },
       "uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd",
       "value": "eCommerce"
     },
@@ -445,78 +854,173 @@
       "value": "Islamic forums"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030",
       "value": "Journalist"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "2287c024-9643-43ef-8776-858d3994b9ac",
       "value": "Streaming service"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09",
       "value": "Publishing industry"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "S - Other services activities"
+        ]
+      },
       "uuid": "3929f589-ac94-4a6a-8360-122e06484db8",
       "value": "Islamic organisation"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "R - Arts, entertainment and recreation"
+        ]
+      },
       "uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9",
       "value": "Casino"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d",
       "value": "Consulting"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "G - Wholesale and retail trade; repair of motor vehicles and motorcycles"
+        ]
+      },
       "uuid": "737a196b-7bab-460b-b199-d6626fca1af1",
       "value": "Online marketplace"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08",
       "value": "DNS service provider"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "Q - Human health and social work activities"
+        ]
+      },
       "uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf",
       "value": "Veterinary"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2",
       "value": "Marketing"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f",
       "value": "Video Sharing"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "b018010e-272e-4ca9-8551-073618d7f2ad",
       "value": "Advertising"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "K - Financial and Insurance Activities"
+        ]
+      },
       "uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e",
       "value": "Investment"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "6edffd60-443c-4238-b368-362b47340d8b",
       "value": "Accounting"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "855f40e1-074e-4818-8082-696a54adf13f",
       "value": "Programming"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "J - Information and communication"
+        ]
+      },
       "uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb",
       "value": "Managed Services Provider"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "M - Professional, scientific and technical activities"
+        ]
+      },
       "uuid": "56eee132-fc01-410c-ada0-44d713443bf2",
       "value": "Lawyers"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "S - Other services activities"
+        ]
+      },
       "uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e",
       "value": "Civil society"
     },
     {
+      "meta": {
+        "NACE_CODE": [
+          "B - Mining and quarrying"
+        ]
+      },
       "uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349",
       "value": "Petrochemical"
     },
@@ -526,6 +1030,9 @@
     },
     {
       "meta": {
+        "NACE_CODE": [
+          "S - Other services activities"
+        ],
         "synonyms": [
           "voluntary",
           "charitable",

clusters/stealer.json

@@ -223,7 +223,77 @@
       },
       "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
       "value": "Sordeal-Stealer"
+    },
+    {
+      "description": "Mars stealer is an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins. Mars Stealer written in ASM/C using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secure SSL-connection with C&C, doesn’t use CRT, STD.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer",
+          "https://3xp0rt.com/posts/mars-stealer/",
+          "https://cyberint.com/blog/research/mars-stealer/",
+          "https://isc.sans.edu/diary/rss/28468",
+          "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+          "https://blog.morphisec.com/threat-research-mars-stealer",
+          "https://cert.gov.ua/article/38606",
+          "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique",
+          "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
+          "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+          "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+          "https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/",
+          "https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+          "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
+          "https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html",
+          "https://www.kelacyber.com/information-stealers-a-new-landscape/",
+          "https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/",
+          "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+          "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view",
+          "https://threatmon.io/mars-stealer-malware-analysis-2022/",
+          "https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf",
+          "https://3xp0rt.com/posts/mars-stealer/forum.png"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
+          "tags": [
+            "estimative-language:likelihood-probability=\"very-likely\""
+          ],
+          "type": "successor-of"
+        }
+      ],
+      "uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6",
+      "value": "Mars Stealer"
+    },
+    {
+      "description": "The Oski stealer is a malicious information stealer, which was first introduced in November 2019. As the name implies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
+          "https://twitter.com/albertzsigovits/status/1160874557454131200",
+          "https://www.bitdefender.com/blog/labs/",
+          "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
+          "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+          "https://yoroi.company/en/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
+          "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
+          "https://www.rapid7.com/solutions/unified-mdr-xdr-vm/",
+          "https://3xp0rt.com/posts/mars-stealer/",
+          "https://cyberint.com/blog/research/mars-stealer/",
+          "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468"
+        ]
+      },
+      "uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
+      "value": "Oski Stealer"
+    },
+    {
+      "description": "WARPWIRE is a JavaScript-based credential stealer",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "b581b182-505a-4243-9569-c175513c4441",
+      "value": "WARPWIRE"
     }
   ],
-  "version": 13
+  "version": 16
 }

clusters/surveillance-vendor.json

@@ -33,8 +33,15 @@
         "official-refs": [
           "https://www.nsogroup.com/"
         ],
+        "products": [
+          "PEGASUS"
+        ],
         "refs": [
           "https://en.wikipedia.org/wiki/NSO_Group"
+        ],
+        "synonyms": [
+          "Q-Cyber",
+          "Circles"
         ]
       },
       "uuid": "49d8e89f-401d-4d3d-9155-5758a346a4a1",
@@ -184,6 +191,9 @@
     {
       "description": "Cytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking a page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt, which was also formed in 2017.",
       "meta": {
+        "products": [
+          "DevilsTongue"
+        ],
         "refs": [
           "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/"
         ],
@@ -195,21 +205,583 @@
           "Cytrox Holdings Zrt"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "ab53ed38-82ea-11ee-8613-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-acquired-by"
+        },
+        {
+          "dest-uuid": "d3e48fbb-9be5-4387-bf2b-bc9a72cdbd8a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "ab53ed38-82ea-11ee-8613-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "part-of"
+        }
+      ],
       "uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
       "value": "Cytrox"
     },
     {
       "description": "RCS Lab S.p.A., Italian vendor likely using Tykelab Srl as a front company.",
       "meta": {
+        "products": [
+          "Hermit"
+        ],
         "refs": [
           "https://www.rcslab.it/en/index.html",
           "https://www.lookout.com/blog/hermit-spyware-discovery",
           "https://www.vice.com/en/article/nz75wd/european-surveillance-companies-agt-rcs-sell-syria-tools-of-oppression"
+        ],
+        "synonyms": [
+          "RCS Lab"
         ]
       },
       "uuid": "28ed79b6-a11d-4e41-af80-ece8f0e0c2d3",
       "value": "RCSLab"
+    },
+    {
+      "description": "Aglaya, a contractor based in Delhi, India, emerged into the public eye in 2014 following its attempt to secure a substantial annual contract worth $5 billion. This surge in prominence was largely driven by the actions of Ankur Srivastava, Aglaya's CEO and founder, who purportedly proposed the outsourcing of surveillance and hacking services to various governments.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/59weqb/a-spyware-company-audaciously-offers-cyber-nukes"
+        ]
+      },
+      "uuid": "4045c51a-82eb-11ee-a366-325096b39f47",
+      "value": "Aglaya"
+    },
+    {
+      "description": "Interionet Systems Ltd., headquartered in Herzliya, Israel, is a privately-held company recognized for its  approach in the cyber intelligence domain, particularly catering to law enforcement and intelligence agencies. The firm, founded by ex-NSO team members, is dedicated to the development of sophisticated cyber-intrusion and mobile interception tools.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.intelligenceonline.com/surveillance--interception/2019/05/14/interionet-former-nso-team-s-new-offensive-cyber-firm,108357090-art",
+          "https://www.interionet.com/"
+        ]
+      },
+      "uuid": "44d59236-82eb-11ee-923e-325096b39f47",
+      "value": "Interionet"
+    },
+    {
+      "description": "The Intellexa alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices. The corporate entities of the alliance span various jurisdictions, both within and outside the EU. The exact nature of links between these companies is shrouded in secrecy as corporate entities, and the structures between them, are constantly morphing, renaming, rebranding, and evolving.",
+      "meta": {
+        "products": [
+          "Nova",
+          "Triton",
+          "Helios",
+          "ALIEN",
+          "PREDATOR"
+        ],
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/",
+          "https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978",
+          "https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "known-as"
+        }
+      ],
+      "uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
+      "value": "Intellexa"
+    },
+    {
+      "description": "Merlinx / Equus Technologies, Israeli firm, a privately held company specializing in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations. Linked to the Android malware, also sells iOS capabilities.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/evdebz/google-revealed-an-israeli-spyware-company-that-has-quietly-sold-its-wares-for-years"
+        ]
+      },
+      "uuid": "18128362-82eb-11ee-8723-325096b39f47",
+      "value": "Merlinx / Equus Technologies"
+    },
+    {
+      "description": "AQSACOM, French company - lawful interception for IP networks. All Aqsacom's security products can be combined in a powerful solution so that Telecommunications and ISP operators can provide the Authorities with a reliable and professional service.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://aqsacom.com/"
+        ]
+      },
+      "uuid": "131a6b7c-82eb-11ee-bcb3-325096b39f47",
+      "value": "AQSACOM"
+    },
+    {
+      "description": "Area Spa is a firm based near Milan that sells monitoring systems capable of capturing internet traffic, tapping conversations, and tracking targets through GPS.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/gv5knx/italian-cops-raid-surveillance-tech-company-area-spa-selling-spy-gear-to-syria",
+          "https://www.area.it/en/"
+        ]
+      },
+      "uuid": "0e2c2b64-82eb-11ee-b34f-325096b39f47",
+      "value": "Area"
+    },
+    {
+      "description": "ClearTrail Technologies, India based company, known for developing or selling systems for monitoring computers, mobile phones and emails of unsuspecting masses.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.clear-trail.com/about-us/",
+          "https://www.business-standard.com/article/companies/the-two-men-behind-india-s-secret-surveillance-industry-111120300053_1.html"
+        ]
+      },
+      "uuid": "0977bd04-82eb-11ee-915c-325096b39f47",
+      "value": "ClearTrail"
+    },
+    {
+      "description": "Elaman is a German company that sell a wide array of surveillance technologies. From vast monitoring centres capable of monitoring thousands of conversations simultaneously to trojans that target individual's devices specifically. They don't create these products, they resell from other surveillance companies. They have sold products from VASTech, Gamma, Utimaco and Nokia Siemens Networks. This catalogue gives an insight into one of the surveillance industries biggest middle man.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.elaman.de/",
+          "https://privacyinternational.org/blog/1540/elaman-and-gamma-whats-selling-and-whos-buying-indonesia"
+        ]
+      },
+      "uuid": "04d776c2-82eb-11ee-9d14-325096b39f47",
+      "value": "Elaman"
+    },
+    {
+      "description": "Gita Technologies, Israeli based company with a mission to be a worldwide leader in research and development of high-end security systems and SIGINT.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://gitatechnologies.com/"
+        ]
+      },
+      "uuid": "01f21098-82eb-11ee-9475-325096b39f47",
+      "value": "Gita Technologies"
+    },
+    {
+      "description": "Innova, based in Trieste, Italy, and a frequent supplier of Italian prosecutor’s offices. It was the only Italian firm at the International Exhibition for National Security and Resilience (ISNR), which was held in Abu Dhabi in October 2022. The exhibition connects regional government agencies with manufacturers from around the world, and was organised in cooperation with the Ministry of the Interior and in strategic partnership with Abu Dhabi Police GHQ. The United Arab Emirates, however, is known for human rights violations, some of which facilitated by the use of digital surveillance technology, as in the case of an iPhone spyware that was used against hundreds of activists, foreign leaders and suspected terrorists, according to Reuters. Innova’s foreign presence did not stop at ISNR. The company was also at ISS World Latin America, which took place in Panama in October 2022, and was among the sponsors of the September event of ISS World Asia Pacific 2022 in Singapore. These trade shows are not mere opportunities for display, but allow direct contact with members of intelligence agencies from various countries, law enforcement officials and government leaders or ministers.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://irpimedia.irpi.eu/en-italian-spyware-on-the-international-market/"
+        ]
+      },
+      "uuid": "fda75d0e-82ea-11ee-9668-325096b39f47",
+      "value": "Innova"
+    },
+    {
+      "description": "Jenovice, an Israeli firm that flies under the radar has invented a remotely-operated WiFi interception device that can facilitate spy missions. Jenovice Cyber Labs' Piranha exploits vulnerabilities in WiFi networks to connect an attacker to as many as 50 targeted devices at once.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://cyberscoop.com/jenovice-cyber-labs-metropolink-city-wide-surveillance/",
+          "https://www.jenovice.com/"
+        ]
+      },
+      "uuid": "f88c61fc-82ea-11ee-9ba8-325096b39f47",
+      "value": "Jenovice"
+    },
+    {
+      "description": "Lumacron, a British startup which is developing interception tools to capture the massive data flows that transit through the principal international communications networks.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.intelligenceonline.com/surveillance--interception/2018/06/19/lumacron-extends-interception-to-undersea-cables,108314081-art"
+        ]
+      },
+      "uuid": "f4f39ee8-82ea-11ee-babc-325096b39f47",
+      "value": "Lumacron"
+    },
+    {
+      "description": "NeoSoft AG, Switzerland manufacturer of Passive, Active (Semi-Active), Hybrid GSM Monitoring systems with A5.2/A5.1 deciphering, CDMA Passive Monitoring systems, IMSI/IMEI Catchers 2G/3G, InPoint SMS System (sends SMS to everybody). All NeoSoft systems support the following bands: GSM, PCS, EGSM, 2100, 850. NeoSoft has world-wide experience.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.burojansen.nl/pdf/ISSWorldEuropejune2011sponsorsfromwebsite.pdf",
+          "https://riskybiznews.substack.com/p/risky-biz-news-australia-passes-new",
+          "https://www.neosoft.ch/"
+        ]
+      },
+      "uuid": "f10f551a-82ea-11ee-a915-325096b39f47",
+      "value": "NeoSoft"
+    },
+    {
+      "description": "Nexa Technologies was indicted for complicity in acts of torture, the French firm is accused of having sold surveillance equipment to the Egypt.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://securityaffairs.com/125083/intelligence/nexa-technologies-indicted.html",
+          "https://wearenexa.com/aboutus/"
+        ],
+        "synonyms": [
+          "Nexa Technologies"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "d3e48fbb-9be5-4387-bf2b-bc9a72cdbd8a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "ab53ed38-82ea-11ee-8613-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "part-of"
+        }
+      ],
+      "uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47",
+      "value": "Nexa"
+    },
+    {
+      "description": "Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government and also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://keyfindings.blog/2020/03/23/be-careful-what-you-osint-with/",
+          "https://norsi-trans.com/"
+        ]
+      },
+      "uuid": "e63a05d6-82ea-11ee-99d2-325096b39f47",
+      "value": "Norsi-Trans"
+    },
+    {
+      "description": "Polaris Wireless, US based company that specializes in the development of wireless surveillance products.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.zdnet.com/google-amp/article/polaris-wireless-secures-contract-in-surveillance-tracking-software/"
+        ]
+      },
+      "uuid": "e1d96f90-82ea-11ee-b499-325096b39f47",
+      "value": "Polaris Wireless"
+    },
+    {
+      "description": "Pro4Tech, Tel Aviv/Israel based company which provides tactical surveillance systems designed by field-professionals for law-enforcement and government agencies.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.israeldefense.co.il/en/content/israeli-companies-milopol-pro4tech"
+        ]
+      },
+      "uuid": "dd594940-82ea-11ee-b2da-325096b39f47",
+      "value": "Pro4Tech"
+    },
+    {
+      "description": "Rayzone, Israeli cyber intelligence company. The surveillance software makes it possible, among other things, to locate a person's location and path of movement with an accuracy of one meter and makes it possible to receive additional information from the applications on the target's device.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.haaretz.com/israel-news/tech-news/2020-12-17/ty-article/israeli-spy-tech-firm-tracked-mobile-users-around-the-world-investigation-suggests/0000017f-e76b-da9b-a1ff-ef6f847c0000"
+        ]
+      },
+      "uuid": "d7f0eac6-82ea-11ee-a3fc-325096b39f47",
+      "value": "Rayzone"
+    },
+    {
+      "description": "Seartech is a South African company specializing in the design and manufacture of tactical surveillance equipment.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.seartech.co.za/"
+        ]
+      },
+      "uuid": "d2af90da-82ea-11ee-ae9e-325096b39f47",
+      "value": "Seartech"
+    },
+    {
+      "description": "Securcube s.r.l is an Italian company that specializes in services and products for the Digital Forensics..",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://securcube.net/"
+        ]
+      },
+      "uuid": "ce09094e-82ea-11ee-92b0-325096b39f47",
+      "value": "Securcube"
+    },
+    {
+      "description": "Septier Communication Ltd, with global headquarters in Israel and offices across several continentshas dozens of installations serving telecommunication operators and law-enforcement agencies and organizations throughout the world. Septier develops and markets comprehensive lawful interception systems which include cutting-edge monitor centers and passive front ends based on high capacity signaling monitoring probes.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.israeldefense.co.il/company/septier-communication-ltd"
+        ]
+      },
+      "uuid": "c8b2b486-82ea-11ee-bf5a-325096b39f47",
+      "value": "Septier"
+    },
+    {
+      "description": "Cy4gate, Italian based company, sells its products worldwide, including to dictatorships, while competing with companies involved in scandals related to repression of opponents and journalists.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://irpimedia.irpi.eu/en-surveillances-cy4gate/",
+          "https://www.vice.com/en/article/m7awav/prosecutors-suspend-cy4gate-government-spyware-used-in-whatsapp-phishing-attacks"
+        ]
+      },
+      "uuid": "c36f60aa-82ea-11ee-9893-325096b39f47",
+      "value": "Cy4gate"
+    },
+    {
+      "description": "Toka, Israeli based company, which offers its police, government and intelligence clients the ability to obtain targeted intelligence and conduct forensic investigations as well as covert operations. In addition, Toka offers governments its Cyber Designers service, which provides agencies with the full-spectrum strategies, customized projects, and technologies needed to ensure the security and sustainability of critical infrastructure, the digital landscape, and government institutions.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.premium/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000",
+          "https://www.orishas-finance.com/actualite/5310?lang=en"
+        ]
+      },
+      "uuid": "bef4dde8-82ea-11ee-b431-325096b39f47",
+      "value": "Toka"
+    },
+    {
+      "description": "Trovicor, Germany based companies’ surveillance technology allegedly used in connection with human rights abuses by authoritarian govts.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.business-humanrights.org/en/latest-news/response-by-trovicor-german-companies-surveillance-technology-allegedly-used-in-connection-with-human-rights-abuses-by-authoritarian-govts/",
+          "https://trovicor.com/"
+        ]
+      },
+      "uuid": "b857854e-82ea-11ee-8e7b-325096b39f47",
+      "value": "Trovicor"
+    },
+    {
+      "description": "Utimaco, Aachen/Germany based company which praises itself as market leader in eavesdropping technology.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://digit.site36.net/2022/03/07/utimaco-german-wiretapping-technology-could-strengthen-junta-in-myanmar/"
+        ]
+      },
+      "uuid": "b46b4d8a-82ea-11ee-a797-325096b39f47",
+      "value": "Utimaco"
+    },
+    {
+      "description": "Wintego Systems develops advanced communication, intelligence, and data-decoding solutions for the government and homeland security sectors.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.forbes.com/sites/thomasbrewster/2016/09/29/wintego-whatsapp-encryption-surveillance-exploits/?sh=53f93cd1aa95"
+        ]
+      },
+      "uuid": "afc73226-82ea-11ee-8a25-325096b39f47",
+      "value": "Wintego"
+    },
+    {
+      "description": "Wispear Systems Ltd (renamed Passitoria Ltd), provides interception equipment designed for the extraction of voice or data, transmitted over the air interface.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://in-cyprus.philenews.com/local/surveillance-software-has-been-exported-from-cyprus/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "acquires"
+        },
+        {
+          "dest-uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with "
+        },
+        {
+          "dest-uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with "
+        },
+        {
+          "dest-uuid": "d3e48fbb-9be5-4387-bf2b-bc9a72cdbd8a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with "
+        },
+        {
+          "dest-uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "part-of"
+        }
+      ],
+      "uuid": "ab53ed38-82ea-11ee-8613-325096b39f47",
+      "value": "Wispear"
+    },
+    {
+      "description": "DarkMatter founded in the United Arab Emirates (UAE) was under investigation by the FBI for crimes including digital espionage services, involvement in the Jamal Khashoggi assassination, and incarceration of foreign dissidents.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://en.wikipedia.org/wiki/DarkMatter_Group"
+        ]
+      },
+      "uuid": "a6712272-82ea-11ee-b70e-325096b39f47",
+      "value": "DarkMatter"
+    },
+    {
+      "description": "Lench IT Solutions, Germany based company. Lench IT Solutions plc has a UK-based branch, Gamma International Ltd in Andover, England, and a Germany-based branch, Gamma International GmbH in Munich. FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://en.wikipedia.org/wiki/FinFisher"
+        ]
+      },
+      "uuid": "a1002342-82ea-11ee-8b84-325096b39f47",
+      "value": "Lench"
+    },
+    {
+      "description": "GR Sistemi, Italian firm that's been trying to enter the crowded market of government spyware, also known by insiders as lawful interception.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/kbyg7a/government-spyware-maker-doxes-itself-by-linking-to-its-site-in-malware-code"
+        ]
+      },
+      "uuid": "9c29b716-82ea-11ee-a0d8-325096b39f47",
+      "value": "GR Sistemi"
+    },
+    {
+      "description": "SS8, US based company is selling to a range of US government agencies as well as exporting surveillance equipment abroad. SS8 were also reportedly responsible for selling intrusion systems to the United Arab Emirates.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://privacyinternational.org/sites/default/files/2017-12/global_surveillance_0.pdf"
+        ]
+      },
+      "uuid": "8f3205ae-82ea-11ee-be61-325096b39f47",
+      "value": "SS8"
+    },
+    {
+      "description": "Wolf Intelligence a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an international incident after the local government detained the bodyguard as collateral for a deal went wrong, left a trove of its own data exposed online.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online",
+          "https://www.vice.com/en/article/wxq85w/scam-spyware-vendor-gets-caught-once-again"
+        ]
+      },
+      "uuid": "8b50f9e0-82ea-11ee-b818-325096b39f47",
+      "value": "Wolf Intelligence"
+    },
+    {
+      "description": "Vervata, Thailand-based software company, which among other, provides mobile monitoring applications that secretly records all activity on a phone.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.gmanetwork.com/news/topstories/nation/3072/new-program-snoops-on-cell-phones/story/",
+          "https://www.forbes.com/sites/thomasbrewster/2017/02/16/government-iphone-android-spyware-is-the-same-as-seedy-spouseware/?sh=3a06dacb455c"
+        ]
+      },
+      "uuid": "86cb5eb0-82ea-11ee-83e0-325096b39f47",
+      "value": "Vervata"
+    },
+    {
+      "description": "Raxir, Italy based surveillance firm that is housed in Naples, in a tech startup incubator. According to the company's page on the incubator's website, Raxir was founded in 2013 and produces software systems to support legal and intelligence investigations.",
+      "meta": {
+        "refs": [
+          "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+          "https://www.vice.com/en/article/9a3g4e/malware-hunters-catch-new-android-spyware-raxir"
+        ]
+      },
+      "uuid": "8198124e-82ea-11ee-859b-325096b39f47",
+      "value": "Raxir"
+    },
+    {
+      "description": "Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception.",
+      "meta": {
+        "refs": [
+          "https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/"
+        ],
+        "synonyms": [
+          "Senpai Technologies"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "part-of"
+        },
+        {
+          "dest-uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "ab53ed38-82ea-11ee-8613-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        },
+        {
+          "dest-uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-allied-with"
+        }
+      ],
+      "uuid": "d3e48fbb-9be5-4387-bf2b-bc9a72cdbd8a",
+      "value": "Senpai"
     }
   ],
-  "version": 3
+  "version": 7
 }

clusters/target-information.json

@@ -8118,7 +8118,27 @@
       },
       "uuid": "da228f94-4412-4226-9113-e19a55cd4aa5",
       "value": "Zimbabwe"
+    },
+    {
+      "meta": {
+        "capital": "El Aaiún",
+        "currency": "Sahrawi peseta",
+        "iso-code": [
+          "EH"
+        ],
+        "official-languages": [
+          "Arabic",
+          "Spanish"
+        ],
+        "synonyms": [
+          "Sahrawi Republic",
+          "Western Sahara"
+        ],
+        "top-level-domain": ".eh"
+      },
+      "uuid": "e21d3329-62f1-4ee3-8441-586d988a22e2",
+      "value": "Sahrawi Arab Democratic Republic"
     }
   ],
-  "version": 8
+  "version": 9
 }

clusters/tidal-campaigns.json

@@ -0,0 +1,757 @@
+{
+  "authors": [
+    "Tidal Cyber"
+  ],
+  "category": "Campaigns",
+  "description": "Tidal Campaigns Cluster",
+  "name": "Tidal Campaigns",
+  "source": "https://app-api.tidalcyber.com/api/v1/campaigns/",
+  "type": "campaigns",
+  "uuid": "3db4b6cb-5b89-4096-a057-e0205777adc9",
+  "values": [
+    {
+      "description": "[2015 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/96e367d0-a744-5b63-85ec-595f505248a3) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) (specifically BlackEnergy3) and [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.",
+      "meta": {
+        "campaign_attack_id": "C0028",
+        "first_seen": "2015-12-01T05:00:00Z",
+        "last_seen": "2016-01-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "96e367d0-a744-5b63-85ec-595f505248a3",
+      "value": "2015 Ukraine Electric Power Attack"
+    },
+    {
+      "description": "[2016 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/06197e03-e1c1-56af-ba98-5071f98f91f1) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).<sup>[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]</sup><sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0025",
+        "first_seen": "2016-12-01T05:00:00Z",
+        "last_seen": "2016-12-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
+      "value": "2016 Ukraine Electric Power Attack"
+    },
+    {
+      "description": "The [2022 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/a79e06d1-df08-5c72-9180-2c373274f889) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0), and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.<sup>[[Mandiant-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/7ad64744-2790-54e4-97cd-e412423f6ada)]</sup><sup>[[Dragos-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/a17aa1b1-cda4-5aeb-b401-f4fd47d29f93)]</sup> ",
+      "meta": {
+        "campaign_attack_id": "C0034",
+        "first_seen": "2022-06-01T04:00:00Z",
+        "last_seen": "2022-10-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
+      "value": "2022 Ukraine Electric Power Attack"
+    },
+    {
+      "description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>\n\n**Related Vulnerabilities**: CVE-2022-31199<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5000",
+        "first_seen": "2022-08-01T00:00:00Z",
+        "last_seen": "2023-05-31T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "7cc57262-5081-447e-85a3-31ebb4ab2ae5"
+        ]
+      },
+      "related": [],
+      "uuid": "87e14285-b86f-4f50-8d60-85398ba728b1",
+      "value": "2023 Increased Truebot Activity"
+    },
+    {
+      "description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-35078<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>, CVE-2023-35081<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5004",
+        "first_seen": "2023-04-01T00:00:00Z",
+        "last_seen": "2023-07-28T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "2d80c940-ba2c-4d45-8272-69928953e9eb",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "81e948b3-5ec0-4df8-b6e7-1b037b1b2e67",
+          "7551097a-dfdd-426f-aaa2-a2916dd9b873"
+        ]
+      },
+      "related": [],
+      "uuid": "33fd2417-0a9c-4748-ab99-0e641ab29fbc",
+      "value": "2023 Ivanti EPMM APT Vulnerability Exploits"
+    },
+    {
+      "description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5005",
+        "first_seen": "2023-01-01T00:00:00Z",
+        "last_seen": "2023-04-01T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "7e6ef160-8e4f-4132-bdc4-9991f01c472e",
+          "793f4441-3916-4b3d-a3fd-686a59dc3de2",
+          "532b7819-d407-41e9-9733-0d716b69eb17"
+        ]
+      },
+      "related": [],
+      "uuid": "d25f0485-fdf3-4b85-b2ec-53e98e215d0b",
+      "value": "2023 Zoho ManageEngine APT Exploits"
+    },
+    {
+      "description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5007",
+        "first_seen": "2021-01-01T00:00:00Z",
+        "last_seen": "2021-12-31T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "f01290d9-7160-44cb-949f-ee4947d04b6f",
+          "b20e7912-6a8d-46e3-8e13-9a3fc4813852"
+        ]
+      },
+      "related": [],
+      "uuid": "ed8de8c3-03d2-4892-bd74-ccbc9afc3935",
+      "value": "APT28 Cisco Router Exploits"
+    },
+    {
+      "description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup> According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.<sup>[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5015",
+        "first_seen": "2022-12-01T00:00:00Z",
+        "last_seen": "2024-01-01T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "af5e9be5-b86e-47af-91dd-966a5e34a186",
+          "6070668f-1cbd-4878-8066-c636d1d8659c",
+          "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+          "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+          "e551ae97-d1b4-484e-9267-89f33829ec2c",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "916ea1e8-d117-45a4-8564-0597a02b06e4",
+          "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
+          "e809d252-12cc-494d-94f5-954c49eb87ce"
+        ]
+      },
+      "related": [],
+      "uuid": "2514a83a-3516-4d5d-a13c-2b6175989a26",
+      "value": "APT28 Router Compromise Attacks"
+    },
+    {
+      "description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.<sup>[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5016",
+        "first_seen": "2023-02-26T00:00:00Z",
+        "last_seen": "2024-02-26T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "af5e9be5-b86e-47af-91dd-966a5e34a186",
+          "291c006e-f77a-4c9c-ae7e-084974c0e1eb"
+        ]
+      },
+      "related": [],
+      "uuid": "c1257a02-716f-4477-9eab-c38827418ed2",
+      "value": "APT29 Cloud TTP Evolution"
+    },
+    {
+      "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5012",
+        "first_seen": "2023-09-01T00:00:00Z",
+        "last_seen": "2023-12-14T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "08809fa0-61b6-4394-b103-1c4d19a5be16",
+          "4a457eb3-e404-47e5-b349-8b1f743dc657"
+        ]
+      },
+      "related": [],
+      "uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd",
+      "value": "APT29 TeamCity Exploits"
+    },
+    {
+      "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5019",
+        "first_seen": "2023-11-01T00:00:00Z",
+        "last_seen": "2024-02-29T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "a159c91c-5258-49ea-af7d-e803008d97d3",
+          "af5e9be5-b86e-47af-91dd-966a5e34a186",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "6bb2f579-a5cd-4647-9dcd-eff05efe3679",
+          "c25f341a-7030-4688-a00b-6d637298e52e",
+          "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+          "2e85babc-77cd-4455-9c6e-312223a956de",
+          "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"
+        ]
+      },
+      "related": [],
+      "uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
+      "value": "ArcaneDoor"
+    },
+    {
+      "description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0010",
+        "first_seen": "2020-12-01T07:00:00Z",
+        "last_seen": "2022-08-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "a1e33caf-6eb0-442f-b97a-f6042f21df48",
+      "value": "C0010"
+    },
+    {
+      "description": "[C0011](https://app.tidalcyber.com/campaigns/4c7386a7-9741-4ae4-8ad9-def03ed77e29) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25)'s historic targeting Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.<sup>[[Cisco Talos Transparent Tribe Education Campaign July 2022](https://app.tidalcyber.com/references/acb10fb6-608f-44d3-9faf-7e577b0e2786)]</sup> ",
+      "meta": {
+        "campaign_attack_id": "C0011",
+        "first_seen": "2021-12-01T06:00:00Z",
+        "last_seen": "2022-07-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "4c7386a7-9741-4ae4-8ad9-def03ed77e29",
+      "value": "C0011"
+    },
+    {
+      "description": "[C0015](https://app.tidalcyber.com/campaigns/85bbff82-ba0c-4193-a3b5-985afd5690c5) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) ransomware playbook based on the observed pattern of activity and operator errors.<sup>[[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0015",
+        "first_seen": "2021-08-01T05:00:00Z",
+        "last_seen": "2021-08-01T05:00:00Z",
+        "source": "MITRE",
+        "tags": [
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "7e7b0c67-bb85-4996-a289-da0e792d7172"
+        ]
+      },
+      "related": [],
+      "uuid": "85bbff82-ba0c-4193-a3b5-985afd5690c5",
+      "value": "C0015"
+    },
+    {
+      "description": "[C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) was an [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) are unknown, however [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was observed exfiltrating Personal Identifiable Information (PII).<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0017",
+        "first_seen": "2021-05-01T04:00:00Z",
+        "last_seen": "2022-02-01T05:00:00Z",
+        "source": "MITRE",
+        "tags": [
+          "a98d7a43-f227-478e-81de-e7299639a355"
+        ]
+      },
+      "related": [],
+      "uuid": "a56d7700-c015-52ca-9c52-fed4d122c100",
+      "value": "C0017"
+    },
+    {
+      "description": "\n[C0018](https://app.tidalcyber.com/campaigns/0452e367-aaa4-5a18-8028-a7ee136fe646) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0).<sup>[[Costa AvosLocker May 2022](https://app.tidalcyber.com/references/a94268d8-6b7c-574b-a588-d8fd80c27fd3)]</sup><sup>[[Cisco Talos Avos Jun 2022](https://app.tidalcyber.com/references/1170fdc2-6d8e-5b60-bf9e-ca915790e534)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0018",
+        "first_seen": "2022-02-01T05:00:00Z",
+        "last_seen": "2022-03-01T05:00:00Z",
+        "source": "MITRE",
+        "tags": [
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "7e7b0c67-bb85-4996-a289-da0e792d7172"
+        ]
+      },
+      "related": [],
+      "uuid": "0452e367-aaa4-5a18-8028-a7ee136fe646",
+      "value": "C0018"
+    },
+    {
+      "description": "[C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity.<sup>[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]</sup><sup>[[FireEye APT29 Nov 2018](https://app.tidalcyber.com/references/30e769e0-4552-429b-b16e-27830d42edea)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0021",
+        "first_seen": "2018-11-01T05:00:00Z",
+        "last_seen": "2018-11-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "86bed8da-4cab-55fe-a2d0-9214db1a09cf",
+      "value": "C0021"
+    },
+    {
+      "description": "[C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) and [QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) malware to previous [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) malware victims in Ukraine through re-registered [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains. Several tools and tactics used during [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) were consistent with historic [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) operations.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0026",
+        "first_seen": "2022-08-01T05:00:00Z",
+        "last_seen": "2022-09-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "41f283a1-b2ac-547d-98d5-ff907afd08c7",
+      "value": "C0026"
+    },
+    {
+      "description": "[C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) was a financially-motivated campaign linked to [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.<sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>\n",
+      "meta": {
+        "campaign_attack_id": "C0027",
+        "first_seen": "2022-06-01T04:00:00Z",
+        "last_seen": "2022-12-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "a9719584-4f52-5a5d-b0f7-1059e715c2b8",
+      "value": "C0027"
+    },
+    {
+      "description": "[C0032](https://app.tidalcyber.com/campaigns/c26b3156-8472-5b87-971f-41a7a4702268) was an extended campaign suspected to involve the [Triton](https://app.tidalcyber.com/software/) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b).<sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0032",
+        "first_seen": "2014-10-01T04:00:00Z",
+        "last_seen": "2017-01-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "c26b3156-8472-5b87-971f-41a7a4702268",
+      "value": "C0032"
+    },
+    {
+      "description": "[C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was a [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) campaign during which they used [StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) to target Android users. [C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was the first publicly documented mobile campaign for [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0), who previously used Windows-based techniques.<sup>[[welivesec_strongpity](https://app.tidalcyber.com/references/1b89df2c-e756-599a-9f7f-a5230db9de46)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0033",
+        "first_seen": "2016-05-01T07:00:00Z",
+        "last_seen": "2023-01-01T08:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9",
+      "value": "C0033"
+    },
+    {
+      "description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5002",
+        "first_seen": "2023-05-27T00:00:00Z",
+        "last_seen": "2023-06-16T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "173e1480-8d9b-49c5-854d-594dde9740d6"
+        ]
+      },
+      "related": [],
+      "uuid": "f20c935b-e0c5-4941-b710-73cf06dd2b4a",
+      "value": "Clop MOVEit Transfer Vulnerability Exploitation"
+    },
+    {
+      "description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0004",
+        "first_seen": "2019-10-01T04:00:00Z",
+        "last_seen": "2020-11-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48",
+      "value": "CostaRicto"
+    },
+    {
+      "description": "[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) targeted the U.S. defense industrial base and multiple sectors globally including  telecommunications, financial, aerospace, and technology. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.<sup>[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]</sup><sup>[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]</sup><sup>[[Volexity Ivanti Global Exploitation January 2024](https://app.tidalcyber.com/references/b96fa4f2-864d-5d88-9a29-b117da8f8c5c)]</sup><sup>[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]</sup><sup>[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0029",
+        "first_seen": "2023-12-01T05:00:00Z",
+        "last_seen": "2024-02-01T05:00:00Z",
+        "source": "MITRE",
+        "tags": [
+          "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+          "758c3085-2f79-40a8-ab95-f8a684737927",
+          "af5e9be5-b86e-47af-91dd-966a5e34a186",
+          "35e694ec-5133-46e3-b7e1-5831867c3b55",
+          "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a",
+          "1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
+          "e00b65fc-8f56-4a9e-9f09-ccf3124a3272"
+        ]
+      },
+      "related": [],
+      "uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
+      "value": "Cutting Edge"
+    },
+    {
+      "description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5014",
+        "first_seen": "2022-12-01T00:00:00Z",
+        "last_seen": "2022-12-31T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "6070668f-1cbd-4878-8066-c636d1d8659c",
+          "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+          "e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"
+        ]
+      },
+      "related": [],
+      "uuid": "1a2caf4c-658d-4117-a912-55f4d6bca899",
+      "value": "Defense Sector Supply Chain Compromise by North Korea-Linked Actors"
+    },
+    {
+      "description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5006",
+        "first_seen": "2023-03-01T00:00:00Z",
+        "last_seen": "2023-03-31T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "2743d495-7728-4a75-9e5f-b64854039792",
+          "ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
+          "a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
+          "4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930",
+          "d385b541-4033-48df-93cd-237ca6e46f36"
+        ]
+      },
+      "related": [],
+      "uuid": "129ffe04-ea90-45d1-a2fd-7ff0bffa0433",
+      "value": "FIN12 March 2023 Hospital Center Intrusion"
+    },
+    {
+      "description": "[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.<sup>[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0001",
+        "first_seen": "2019-01-01T06:00:00Z",
+        "last_seen": "2019-04-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "2fab9878-8aae-445a-86db-6b47b473f56b",
+      "value": "Frankenstein"
+    },
+    {
+      "description": "[FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) backdoor and noted infrastructure overlap with the TAG-16 threat group.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup><sup>[[Kaspersky APT Trends Q1 2020](https://app.tidalcyber.com/references/23c91719-5ebe-4d03-8018-df1809fffd2f)]</sup><sup>[[Recorded Future Chinese Activity in Southeast Asia December 2021](https://app.tidalcyber.com/references/0809db3b-81a8-475d-920a-cb913b30f42e)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0007",
+        "first_seen": "2018-07-01T05:00:00Z",
+        "last_seen": "2020-11-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "94587edf-0292-445b-8c66-b16629597f1e",
+      "value": "FunnyDream"
+    },
+    {
+      "description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5008",
+        "first_seen": "2022-06-15T00:00:00Z",
+        "last_seen": "2022-07-15T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "7e6ef160-8e4f-4132-bdc4-9991f01c472e"
+        ]
+      },
+      "related": [],
+      "uuid": "7d6ff40d-51f3-42f8-b986-e7421f59b4bd",
+      "value": "Iranian APT Credential Harvesting & Cryptomining Activity"
+    },
+    {
+      "description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.<sup>[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5010",
+        "first_seen": "2020-09-20T00:00:00Z",
+        "last_seen": "2020-10-20T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber"
+      },
+      "related": [],
+      "uuid": "18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2",
+      "value": "Iranian APT Targeting U.S. Voter Data"
+    },
+    {
+      "description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5009",
+        "first_seen": "2021-03-01T00:00:00Z",
+        "last_seen": "2022-09-14T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "7e7b0c67-bb85-4996-a289-da0e792d7172",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "d84be7c9-c652-4a43-a79e-ef0fa2318c58",
+          "1423b5a8-cff3-48d5-a0a2-09b3afc9f195",
+          "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871",
+          "fde4c246-7d2d-4d53-938b-44651cf273f1",
+          "c3779a84-8132-4c62-be2f-9312ad41c273",
+          "c035da8e-f96c-4793-885d-45017d825596",
+          "7e6ef160-8e4f-4132-bdc4-9991f01c472e",
+          "d713747c-2d53-487e-9dac-259230f04460",
+          "964c2590-4b52-48c6-afff-9a6d72e68908"
+        ]
+      },
+      "related": [],
+      "uuid": "338c6497-2b13-4c2b-bd45-d8b636c35cac",
+      "value": "Iranian IRGC Data Extortion Operations"
+    },
+    {
+      "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
+      "meta": {
+        "campaign_attack_id": "C5017",
+        "first_seen": "2023-12-01T00:00:00Z",
+        "last_seen": "2024-02-29T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "fe984a01-910d-4e39-9c49-179aa03f75ab",
+          "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+          "758c3085-2f79-40a8-ab95-f8a684737927",
+          "af5e9be5-b86e-47af-91dd-966a5e34a186",
+          "35e694ec-5133-46e3-b7e1-5831867c3b55",
+          "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a",
+          "1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
+          "e00b65fc-8f56-4a9e-9f09-ccf3124a3272"
+        ]
+      },
+      "related": [],
+      "uuid": "c2544d1d-3c99-4601-86fe-8b62020aaffc",
+      "value": "Ivanti Gateway Vulnerability Exploits"
+    },
+    {
+      "description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.<sup>[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]</sup>\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".<sup>[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-3519<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5001",
+        "first_seen": "2023-06-01T00:00:00Z",
+        "last_seen": "2023-06-30T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "fe984a01-910d-4e39-9c49-179aa03f75ab",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "c475ad68-3fdc-4725-8abc-784c56125e96"
+        ]
+      },
+      "related": [],
+      "uuid": "86e3565d-93dc-40e5-8f84-20d1c15b8e9d",
+      "value": "June 2023 Citrix Vulnerability Exploitation"
+    },
+    {
+      "description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).<sup>[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)]</sup> Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.<sup>[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)]</sup><sup>[[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5011",
+        "first_seen": "2023-08-01T00:00:00Z",
+        "last_seen": "2023-11-16T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "35e694ec-5133-46e3-b7e1-5831867c3b55",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "15b77e5c-2285-434d-9719-73c14beba8bd",
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "7e7b0c67-bb85-4996-a289-da0e792d7172"
+        ]
+      },
+      "related": [],
+      "uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
+      "value": "LockBit Affiliate Citrix Bleed Exploits"
+    },
+    {
+      "description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0002",
+        "first_seen": "2009-11-01T04:00:00Z",
+        "last_seen": "2011-02-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989",
+      "value": "Night Dragon"
+    },
+    {
+      "description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.<sup>[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5018",
+        "first_seen": "2022-03-01T00:00:00Z",
+        "last_seen": "2022-04-01T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber"
+      },
+      "related": [],
+      "uuid": "0496e076-1813-4f51-86e6-8f551983e8f8",
+      "value": "Operation Bearded Barbie"
+    },
+    {
+      "description": "[Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was conducted by actors affiliated with [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), and BARIUM.<sup>[[Cybereason OperationCuckooBees May 2022](https://app.tidalcyber.com/references/fe3e2c7e-2287-406c-b717-cf7721b5843a)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0012",
+        "first_seen": "2019-12-01T07:00:00Z",
+        "last_seen": "2022-05-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "81bf4e45-f0d3-4fec-a9d4-1259cf8542a1",
+      "value": "Operation CuckooBees"
+    },
+    {
+      "description": "[Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) was a cyber espionage operation likely conducted by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) as an umbrella term covering both Operation Interception and Operation North Star.<sup>[[ClearSky Lazarus Aug 2020](https://app.tidalcyber.com/references/2827e6e4-8163-47fb-9e22-b59e59cd338f)]</sup><sup>[[McAfee Lazarus Jul 2020](https://app.tidalcyber.com/references/43581a7d-d71a-4121-abb6-127483a49d12)]</sup><sup>[[ESET Lazarus Jun 2020](https://app.tidalcyber.com/references/b16a0141-dea3-4b34-8279-7bc1ce3d7052)]</sup><sup>[[The Hacker News Lazarus Aug 2022](https://app.tidalcyber.com/references/8ae38830-1547-5cc1-83a4-87c3a7c82aa6)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0022",
+        "first_seen": "2019-09-01T04:00:00Z",
+        "last_seen": "2020-08-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "9a94e646-cbe5-54a1-8bf6-70ef745e641b",
+      "value": "Operation Dream Job"
+    },
+    {
+      "description": "[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>\n\n[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0016",
+        "first_seen": "2010-01-01T07:00:00Z",
+        "last_seen": "2016-02-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "af0c0f55-dc4f-4cb5-9350-3a2d7c07595f",
+      "value": "Operation Dust Storm"
+    },
+    {
+      "description": "[Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867) was an [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During [Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867), [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.<sup>[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]</sup>\n",
+      "meta": {
+        "campaign_attack_id": "C0023",
+        "first_seen": "2013-09-01T04:00:00Z",
+        "last_seen": "2019-10-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "1fcfe949-5f96-578e-86ad-069ba123c867",
+      "value": "Operation Ghost"
+    },
+    {
+      "description": "[Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. [Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign \"Honeybee\" after the author name discovered in malicious Word documents.<sup>[[McAfee Honeybee](https://app.tidalcyber.com/references/e6f0f7b5-01fe-437f-a9c9-2ea054e7d69d)]</sup> ",
+      "meta": {
+        "campaign_attack_id": "C0006",
+        "first_seen": "2017-08-01T05:00:00Z",
+        "last_seen": "2018-02-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "f741ed36-2d52-40ae-bbdc-70722f4071c7",
+      "value": "Operation Honeybee"
+    },
+    {
+      "description": "[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.<sup>[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]</sup><sup>[[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)]</sup><sup>[[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)]</sup>    ",
+      "meta": {
+        "campaign_attack_id": "C0013",
+        "first_seen": "2017-09-01T05:00:00Z",
+        "last_seen": "2019-03-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "57e858c8-fd0b-4382-a178-0165d03aa8a9",
+      "value": "Operation Sharpshooter"
+    },
+    {
+      "description": "[Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267), however identified enough differences to report this as separate, unattributed activity.<sup>[[ESET Operation Spalax Jan 2021](https://app.tidalcyber.com/references/b699dd10-7d3f-4542-bf8a-b3f0c747bd0e)]</sup>  ",
+      "meta": {
+        "campaign_attack_id": "C0005",
+        "first_seen": "2019-11-01T05:00:00Z",
+        "last_seen": "2021-01-01T06:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "98d3a8ac-6af9-4471-83f6-e880ca70261f",
+      "value": "Operation Spalax"
+    },
+    {
+      "description": "[Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>\n\nSecurity researchers assessed the [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C0014",
+        "first_seen": "2017-12-01T05:00:00Z",
+        "last_seen": "2019-12-01T05:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "56e4e10f-8c8c-4b7c-8355-7ed89af181be",
+      "value": "Operation Wocao"
+    },
+    {
+      "description": "In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.<sup>[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)]</sup> According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5003",
+        "first_seen": "2023-04-15T00:00:00Z",
+        "last_seen": "2023-05-30T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "5e7433ad-a894-4489-93bc-41e90da90019",
+          "7e7b0c67-bb85-4996-a289-da0e792d7172",
+          "15787198-6c8b-4f79-bf50-258d55072fee",
+          "a98d7a43-f227-478e-81de-e7299639a355",
+          "992bdd33-4a47-495d-883a-58010a2f0efb"
+        ]
+      },
+      "related": [],
+      "uuid": "38443d11-135a-47ac-909f-fa34744bc3a5",
+      "value": "PaperCut Vulnerability Exploitation"
+    },
+    {
+      "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup><sup>[[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]</sup>; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.<sup>[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]</sup>",
+      "meta": {
+        "campaign_attack_id": "C5013",
+        "first_seen": "2023-02-01T00:00:00Z",
+        "last_seen": "2023-12-31T00:00:00Z",
+        "owner": "TidalCyberIan",
+        "source": "Tidal Cyber",
+        "tags": [
+          "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+          "84615fe0-c2a5-4e07-8957-78ebc29b4635"
+        ]
+      },
+      "related": [],
+      "uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b",
+      "value": "Pikabot Distribution Campaigns 2023"
+    },
+    {
+      "description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup> \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup> ",
+      "meta": {
+        "campaign_attack_id": "C0024",
+        "first_seen": "2019-08-01T05:00:00Z",
+        "last_seen": "2021-01-01T06:00:00Z",
+        "source": "MITRE",
+        "tags": [
+          "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
+        ]
+      },
+      "related": [],
+      "uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a",
+      "value": "SolarWinds Compromise"
+    },
+    {
+      "description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.<sup>[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)]</sup> The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.<sup>[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)]</sup> The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.<sup>[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]</sup>\n",
+      "meta": {
+        "campaign_attack_id": "C0030",
+        "first_seen": "2017-06-01T04:00:00Z",
+        "last_seen": "2017-08-01T04:00:00Z",
+        "source": "MITRE"
+      },
+      "related": [],
+      "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
+      "value": "Triton Safety Instrumented System Attack"
+    }
+  ],
+  "version": 1
+}

clusters/tmss.json

@@ -0,0 +1,630 @@
+{
+  "authors": [
+    "Microsoft",
+    "Evgeny Bogokovsky",
+    "Ram Pliskin"
+  ],
+  "category": "tmss",
+  "description": "Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.",
+  "name": "Threat Matrix for storage services",
+  "source": "https://github.com/microsoft/Threat-matrix-for-storage-services",
+  "type": "tmss",
+  "uuid": "aaf033a6-7f1e-45ab-beef-20a52b75b641",
+  "values": [
+    {
+      "description": "Attackers may execute active reconnaissance scans to gather storage account names that becomes a potential target. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.",
+      "meta": {
+        "external_id": "MS-T801",
+        "kill_chain": [
+          "TMSS-tactics:Reconnaissance"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-account-discovery"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "106eb589-71e3-58a1-a37e-916cdc902414",
+      "value": "MS-T801 - Storage account discovery"
+    },
+    {
+      "description": "Attackers may use search engines to collect information about victim storage accounts that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords such as storage accounts domain names (site:*.blob.core.windows.net)",
+      "meta": {
+        "external_id": "MS-T804",
+        "kill_chain": [
+          "TMSS-tactics:Reconnaissance"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/search-engines"
+        ]
+      },
+      "uuid": "044be881-7476-5fbe-a760-bdf9cf949cab",
+      "value": "MS-T804 - Search engines"
+    },
+    {
+      "description": "Attackers may search public databases for publicly available storage accounts that can be used during targeting.",
+      "meta": {
+        "external_id": "MS-T803",
+        "kill_chain": [
+          "TMSS-tactics:Reconnaissance"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/databases-of-public-accounts"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "55fc4df0-b42c-479a-b860-7a6761bcaad0",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "ef3d435e-8ca6-5864-a882-e7b092870719",
+      "value": "MS-T803 - Databases of publicly available storage accounts"
+    },
+    {
+      "description": "Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force technique to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).",
+      "meta": {
+        "external_id": "MS-T826",
+        "kill_chain": [
+          "TMSS-tactics:Reconnaissance"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/dns-passive-dns"
+        ]
+      },
+      "uuid": "e5b2e210-fedb-5651-bb82-484e9f0dfde8",
+      "value": "MS-T826 - DNS/Passive DNS"
+    },
+    {
+      "description": "Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.",
+      "meta": {
+        "external_id": "MS-T805",
+        "kill_chain": [
+          "TMSS-tactics:Reconnaissance"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/victim-owned-websites"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "53e65db3-5177-56fc-ae07-088c9919463e",
+      "value": "MS-T805 - Victim-owned websites"
+    },
+    {
+      "description": "A shared access signature (SAS) is a token, that is appended to the a uniform resource identifier (URI) for a storage resource, that grants restricted access rights over the associated resource in your storage account. Attackers may get a SAS token using one of the Credential Access techniques or during the reconnaissance process through social engineering.",
+      "meta": {
+        "external_id": "MS-T814",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-sas-token"
+        ]
+      },
+      "uuid": "1900b9ba-0b3c-5ad7-bdd0-ac8c40a8da0a",
+      "value": "MS-T814 - Valid SAS token"
+    },
+    {
+      "description": "Attackers may get a shared key using one of Credential Access techniques or capture one earlier in their reconnaissance process through social engineering to gain initial access. Adversaries may leverage keys left in source code or configuration files. Sophisticated attackers may also obtain keys from hosts (virtual machines) that have mounted File Share on their system (SMB).  Shared key provides unrestricted permissions over all data plane operations.",
+      "meta": {
+        "external_id": "MS-T815",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-shared-key"
+        ]
+      },
+      "uuid": "3348438e-9ed7-5aa3-b60b-8c97075c0550",
+      "value": "MS-T815 - Valid shared key"
+    },
+    {
+      "description": "Attackers may steal account credentials using one of the credential access techniques or capture an account earlier in their reconnaissance process through social engineering to gain initial access. An authorized principal account can result in full control of storage account resources.",
+      "meta": {
+        "external_id": "MS-T816",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/authorized-principal-account"
+        ]
+      },
+      "uuid": "ad800a27-4d29-58f4-962e-f3b01acea800",
+      "value": "MS-T816 - Authorized principal account"
+    },
+    {
+      "description": "Attackers may leverage publicly exposed storage accounts to list containers/blobs and their properties. Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.",
+      "meta": {
+        "external_id": "MS-T817",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/anonymous-public-read-access"
+        ]
+      },
+      "uuid": "3e5fba42-41c6-54ff-8977-e9f861f9e039",
+      "value": "MS-T817 - Anonymous public read access"
+    },
+    {
+      "description": "Attackers may obtain and abuse credentials of an SFTP account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connection requires SFTP accounts which are managed locally in the storage service instance, including credentials in a form of passwords or key-pairs.",
+      "meta": {
+        "external_id": "MS-T825",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-credentials"
+        ]
+      },
+      "uuid": "abc4f207-7149-54cb-baa8-685506759e03",
+      "value": "MS-T825 - SFTP credentials"
+    },
+    {
+      "description": "Attackers may perform initial access to a storage account using NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.",
+      "meta": {
+        "external_id": "MS-T827",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/nfs-access"
+        ]
+      },
+      "uuid": "6b17039c-ec8b-54af-8363-232d5acef0e3",
+      "value": "MS-T827 - NFS access"
+    },
+    {
+      "description": "Attackers may perform initial access to a storage account file shares using Server Message Block (SMB) protocol.",
+      "meta": {
+        "external_id": "MS-T828",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/smb-access"
+        ]
+      },
+      "uuid": "2ede6cb7-2d42-577d-814d-a767b0dccf83",
+      "value": "MS-T828 - SMB access"
+    },
+    {
+      "description": "Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim's container to an adversary's container. Inbound replication can be used to deliver malware from an adversary's container to a victim's container. After the policy is set, the attacker can operate on their container without accessing the victim container.",
+      "meta": {
+        "external_id": "MS-T840",
+        "kill_chain": [
+          "TMSS-tactics:Initial Access",
+          "TMSS-tactics:Exfiltration"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/object-replication"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "8fdc8739-5b51-51c8-b290-f94a3bd07271",
+      "value": "MS-T840 - Object replication"
+    },
+    {
+      "description": "Attackers may disable firewall protection or set additional firewall rules to masquerade their access channel.  Azure Storage offers a set of built-in network access features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level or VNet IDs. When network rules are configured, only requests originated from authorized subnets will be served.",
+      "meta": {
+        "external_id": "MS-T813",
+        "kill_chain": [
+          "TMSS-tactics:Persistence",
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/firewall-configuration-changes"
+        ]
+      },
+      "uuid": "a608566b-99bc-523c-9e7c-0e220fe2c972",
+      "value": "MS-T813 - Firewall and virtual networks configuratioin changes"
+    },
+    {
+      "description": "Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (like Azure AD security principal) the storage provider grants access to that security principal. Attackers may leverage the RBAC mechanism to ensure persistent access to their owned identity objects.",
+      "meta": {
+        "external_id": "MS-T808",
+        "kill_chain": [
+          "TMSS-tactics:Persistence",
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/rbac-permission"
+        ]
+      },
+      "uuid": "bf27614e-18ca-5ab0-add4-610777067754",
+      "value": "MS-T808 - Role-based access control permission"
+    },
+    {
+      "description": "Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts thus they cannot be revoked (except Service SAS) and it's not easy to determine whether there are valid tokens in the wild until they are used.",
+      "meta": {
+        "external_id": "MS-T806",
+        "kill_chain": [
+          "TMSS-tactics:Persistence"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/create-sas-token"
+        ]
+      },
+      "uuid": "5eefa8fc-0ae5-57f1-9a65-389186e25ca4",
+      "value": "MS-T806 - Create SAS token"
+    },
+    {
+      "description": "Attackers may adjust the container access level property at the granularity of a blob or container, to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.",
+      "meta": {
+        "external_id": "MS-T807",
+        "kill_chain": [
+          "TMSS-tactics:Persistence"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/container-access-level-property"
+        ]
+      },
+      "uuid": "17061b42-9706-5594-9ac2-2b9dd2150649",
+      "value": "MS-T807 - Container access level property"
+    },
+    {
+      "description": "Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.",
+      "meta": {
+        "external_id": "MS-T809",
+        "kill_chain": [
+          "TMSS-tactics:Persistence"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-account"
+        ]
+      },
+      "uuid": "a31f49b0-5c72-577a-9f73-198daa685f17",
+      "value": "MS-T809 - SFTP account"
+    },
+    {
+      "description": "Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.",
+      "meta": {
+        "external_id": "MS-T830",
+        "kill_chain": [
+          "TMSS-tactics:Persistence"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-azure-services"
+        ]
+      },
+      "uuid": "c78756dd-1bb7-5145-bb82-8268b55d1996",
+      "value": "MS-T830 - Trusted Azure services"
+    },
+    {
+      "description": "Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.",
+      "meta": {
+        "external_id": "MS-T829",
+        "kill_chain": [
+          "TMSS-tactics:Persistence"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-access-managed-identity"
+        ]
+      },
+      "uuid": "0f60104b-65bd-5ca4-8286-d83c6310d5b0",
+      "value": "MS-T829 - Trusted access based on a managed identity"
+    },
+    {
+      "description": "Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network's address range. All the requests sent to the private endpoint bypass the storage account firewall by design.",
+      "meta": {
+        "external_id": "MS-T812",
+        "kill_chain": [
+          "TMSS-tactics:Persistence",
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/private-endpoint"
+        ]
+      },
+      "uuid": "b57fb931-e898-59f2-b456-fefce5e19e99",
+      "value": "MS-T812 - Private endpoint"
+    },
+    {
+      "description": "Storage services offer different types of cloning or backup data stored on them. Attackers may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business crucial information.",
+      "meta": {
+        "external_id": "MS-T841",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-data-clone"
+        ]
+      },
+      "uuid": "1581f347-b5bf-5237-b4cf-9005fbe0fcf6",
+      "value": "MS-T841 - Storage data clone"
+    },
+    {
+      "description": "Attackers may fragment stolen information and exfiltrate it on different size chunks to avoid being detected by triggering potentially predefined transfer threshold alerts.",
+      "meta": {
+        "external_id": "MS-T831",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion",
+          "TMSS-tactics:Exfiltration"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-transfer-size-limits"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "30de37bf-a416-5f25-8396-a2af42ff437a",
+      "value": "MS-T831 - Data transfer size limits"
+    },
+    {
+      "description": "Attackers may exploit legitimate automation processes, predefined by the compromised organization, with the goal of having their logging traces blend in normally within the company’s typical activities. Assimilating or disguising malicious intentions will keep adversary actions, such as data theft, stealthier.",
+      "meta": {
+        "external_id": "MS-T832",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion",
+          "TMSS-tactics:Exfiltration"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/automated-exfiltration"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "f4a35b50-b56b-5663-8a84-e2235cee712f",
+      "value": "MS-T832 - Automated exfiltration"
+    },
+    {
+      "description": "Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.",
+      "meta": {
+        "external_id": "MS-T810",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-audit-logs"
+        ]
+      },
+      "uuid": "ef893695-23f7-5f90-9135-9c50a259abe1",
+      "value": "MS-T810 - Disable audit logs"
+    },
+    {
+      "description": "Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.",
+      "meta": {
+        "external_id": "MS-T811",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-protection-service"
+        ]
+      },
+      "uuid": "14af4a95-e84c-52fb-80ac-0f3aeb13a643",
+      "value": "MS-T811 - Disable cloud workload protection"
+    },
+    {
+      "description": "Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.",
+      "meta": {
+        "external_id": "MS-T833",
+        "kill_chain": [
+          "TMSS-tactics:Defense Evasion"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/operations-across-geo-replicas"
+        ]
+      },
+      "uuid": "7853ec1a-6440-5119-a719-0cee735f3034",
+      "value": "MS-T833 - Operations across geo replicas"
+    },
+    {
+      "description": "Attackers may leverage subscription/account-level access to gather storage account keys and use these keys to authenticate at the resource level. This technique exhibits cloud resource pivoting in combination with control management and data planes. Adversaries can query management APIs to fetch primary and secondary storage account keys.",
+      "meta": {
+        "external_id": "MS-T818",
+        "kill_chain": [
+          "TMSS-tactics:Credential Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/access-key-query"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "06735c35-4f9d-5ba4-9f05-7d087eac2e84",
+      "value": "MS-T818 - Access key query"
+    },
+    {
+      "description": "Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on storage account. Attackers may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of session history.",
+      "meta": {
+        "external_id": "MS-T834",
+        "kill_chain": [
+          "TMSS-tactics:Credential Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/cloud-shell-profiles"
+        ]
+      },
+      "uuid": "cf858945-94ff-5d2d-ab02-bfe15626d8b3",
+      "value": "MS-T834 - Cloud shell profiles"
+    },
+    {
+      "description": "Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When Storage account is configured to support unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.",
+      "meta": {
+        "external_id": "MS-T819",
+        "kill_chain": [
+          "TMSS-tactics:Credential Access"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/unsecured-communication-channel"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
+          "type": "related-to"
+        }
+      ],
+      "uuid": "37baec71-2c4e-5904-94c4-5bf1c88623b6",
+      "value": "MS-T819 - Unsecured communication channel"
+    },
+    {
+      "description": "Attackers may leverage access permission to explore the stored objects in the storage account. Tools witnessed, at the reconnaissance phase, are oftentimes used toward this post-compromise information-gathering objective, now with authorization to access storage APIs, such as the List Blobs call.",
+      "meta": {
+        "external_id": "MS-T820",
+        "kill_chain": [
+          "TMSS-tactics:Discovery"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-service-discovery"
+        ]
+      },
+      "uuid": "559ab713-b18f-5649-ab34-608a1f00a663",
+      "value": "MS-T820 - Storage service discovery"
+    },
+    {
+      "description": "Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuation may also contain the backup policy that may assist the attacker in performing data destruction.",
+      "meta": {
+        "external_id": "MS-T835",
+        "kill_chain": [
+          "TMSS-tactics:Discovery"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/account-configuration-discovery"
+        ]
+      },
+      "uuid": "a58c9198-8b41-5d88-b856-ee48801b3a79",
+      "value": "MS-T835 - Account configuration discovery"
+    },
+    {
+      "description": "Attackers may use storage services to store a malicious program or toolset that will be executed at later times during their operation. In addition, adversaries may exploit the trust between users and their organization’s Storage services by storing phishing content. Furthermore, storage services can be leveraged to park gathered intelligence that will be exfiltrated when terms suit the actor group.",
+      "meta": {
+        "external_id": "MS-T821",
+        "kill_chain": [
+          "TMSS-tactics:Lateral Movement"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malicious-content-upload"
+        ]
+      },
+      "uuid": "23539a72-5e00-5775-8f7d-24f364dd5bb7",
+      "value": "MS-T821 - Malicious content upload"
+    },
+    {
+      "description": "Storage services offer different types of mechanisms to support auto-synchronization between various resources and the storage account. Attackers may leverage access to the storage account to upload malware and benefit from the auto-sync built-in capabilities to have their payload being populated and potentially weaponize multiple systems.",
+      "meta": {
+        "external_id": "MS-T822",
+        "kill_chain": [
+          "TMSS-tactics:Lateral Movement"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malware-distribution"
+        ]
+      },
+      "uuid": "a7100316-2a71-5b74-a2f2-a2529c08598c",
+      "value": "MS-T822 - Malware distribution"
+    },
+    {
+      "description": "Attackers may manipulate storage services to trigger a compute service, like Azure Functions, where an attacker already has a foothold on a storage container and can inject a blob that will initiate a chain of a compute process. This may allow an attacker to infiltrate another resource and cause harm.",
+      "meta": {
+        "external_id": "MS-T823",
+        "kill_chain": [
+          "TMSS-tactics:Lateral Movement"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trigger-cross-service-interaction"
+        ]
+      },
+      "uuid": "f9d6b919-6fe3-59ea-81a3-cbac0daacfa5",
+      "value": "MS-T823 - Trigger cross-service interaction"
+    },
+    {
+      "description": "Same is applicable for data blobs or files which may be eventually processed on a host by a legitimate application with software vulnerabilities. Attackers may tamper benign data with a payload that exploits a vulnerability on a user's end and execute a malicious code.",
+      "meta": {
+        "external_id": "MS-T824",
+        "kill_chain": [
+          "TMSS-tactics:Lateral Movement"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/code-injection"
+        ]
+      },
+      "uuid": "ac060220-18b4-5757-9f5c-2fd43f2d2f61",
+      "value": "MS-T824 - Code injection"
+    },
+    {
+      "description": "Attackers may use the \"static website\" feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account.",
+      "meta": {
+        "external_id": "MS-T836",
+        "kill_chain": [
+          "TMSS-tactics:Exfiltration"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/static-website"
+        ]
+      },
+      "uuid": "ae3a9c3e-3316-5165-bc98-a1df76acdee2",
+      "value": "MS-T836 - Static website"
+    },
+    {
+      "description": "Attackers may corrupt or delete data stored on storage services to disrupt the availability of systems or other lines of business.",
+      "meta": {
+        "external_id": "MS-T839",
+        "kill_chain": [
+          "TMSS-tactics:Impact"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-corruption"
+        ]
+      },
+      "uuid": "561d0cdd-ded3-5f52-b542-afd43ca5ca09",
+      "value": "MS-T839 - Data corruption"
+    },
+    {
+      "description": "Attackers may encrypt data stored on storage services to disrupt the availability of systems or other lines of business. Making resources inaccessible by encrypting files or blobs and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware).",
+      "meta": {
+        "external_id": "MS-T838",
+        "kill_chain": [
+          "TMSS-tactics:Impact"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-encryption-for-impact"
+        ]
+      },
+      "uuid": "7e243d46-1e08-51ff-af85-cb80f02c7e41",
+      "value": "MS-T838 - Data encryption for impact (Ransomware)"
+    },
+    {
+      "description": "Attackers may insert or modify data in order to influence external outcomes, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary.",
+      "meta": {
+        "external_id": "MS-T837",
+        "kill_chain": [
+          "TMSS-tactics:Impact"
+        ],
+        "refs": [
+          "https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-manipulation"
+        ]
+      },
+      "uuid": "f0556667-5e4e-51f9-a92c-9e92193d141a",
+      "value": "MS-T837 - Data manipulation"
+    }
+  ],
+  "version": 1
+}

clusters/tool.json

@@ -4249,6 +4249,27 @@
             "estimative-language:likelihood-probability=\"almost-certain\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "d650da35-7ad7-417a-902a-16ea55bd1126",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32",
@@ -5303,6 +5324,34 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "used-by"
+        },
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "05252643-093b-4070-b62f-d5836683a9fa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a",
@@ -8524,6 +8573,20 @@
             "estimative-language:likelihood-probability=\"almost-certain\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "78ed653d-2d76-4a99-849e-1509e4573c32",
@@ -9167,11 +9230,12 @@
       "value": "metasploit"
     },
     {
-      "description": "A swiss army knife for pentesting networks.",
+      "description": "A swiss army knife for pentesting networks. CRACKMAPEXEC is a post-exploitation tool against Microsoft Windows environments. It is recognized for its lateral movement capabilities.",
       "meta": {
         "refs": [
           "https://github.com/byt3bl33d3r/CrackMapExec",
-          "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
+          "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
         ],
         "synonyms": [],
         "type": [
@@ -10675,7 +10739,341 @@
       ],
       "uuid": "f162df7a-725b-40ef-add2-43ce74eb50a4",
       "value": "AtlasAgent"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://asec.ahnlab.com/en/57873/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "bea5f660-a106-4983-a11a-0e0b6ce348d2",
+      "value": "RDP Wrapper"
+    },
+    {
+      "description": "open-source VNC tool",
+      "meta": {
+        "refs": [
+          "https://asec.ahnlab.com/en/57873/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "e596e014-c0b7-491a-afee-3588fbfc61c1",
+      "value": "TightVNC"
+    },
+    {
+      "description": "Malware",
+      "meta": {
+        "refs": [
+          "https://asec.ahnlab.com/en/57873/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "cdd432b0-8899-4e7d-ad4a-b18741ade11d",
+      "value": "RevClient"
+    },
+    {
+      "description": "Colibri Loader is a piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.",
+      "meta": {
+        "refs": [
+          "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6",
+          "tags": [
+            "estimative-language:likelihood-probability=\"very-likely\""
+          ],
+          "type": "delivers"
+        }
+      ],
+      "uuid": "63615901-dd49-4541-801f-327a6963c88b",
+      "value": "Colibri Loader"
+    },
+    {
+      "description": "A mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024. At this time, Mandiant assesses the mitigation bypass activity is highly targeted, limited, and is distinct from the post-advisory mass exploitation activity. BUSHWALK is written in Perl and is embedded into a legitimate CS file, querymanifest.cgi. BUSHWALK provides a threat actor the ability to execute arbitrary commands or write files to a server. BUSHWALK executes its malicious Perl function, validateVersion, if the web request platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actor’s payload in the web request’s command parameter.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "0752d766-2c2a-43ce-aebd-6a4e214cd43c",
+      "value": "BUSHWALK"
+    },
+    {
+      "description": "The original LIGHTWIRE webshell sample contains a simpler obfuscation routine. It will initialize an RC4 object and then immediately use the RC4 object to decrypt the issued command./nMandiant has identified an additional variant of the LIGHTWIRE web shell that inserts itself into a legitimate component of the VPN gateway, compcheckresult.cgi./nThe new sample utilizes the same GET parameters as the original LIGHTWIRE sample./nThe new variant of LIGHTWIRE features a different obfuscation routine. It first assigns a string scalar variable to $useCompOnly. Next, it will use the Perl tr operator to transform the string using a character-by-character translation. The key is then Base64-decoded and used to RC4 decrypt the incoming request. Finally, the issued command is executed by calling eval.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "5b9d5714-9eb9-4e3b-b437-26a9b50a633e",
+      "value": "LIGHTWIRE"
+    },
+    {
+      "description": "CHAINLINE is a Python webshell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nCHAINLINE was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/health.py. This is the same Python package modified to support the WIREFIRE web shell./nUnlike WIREFIRE, which modifies an existing file, CHAINLINE creates a new file called health.py, which is not a legitimate filename in the CAV Python package. The existence of this filename or an associated compiled Python cache file may indicate the presence of CHAINLINE./nUNC5221 registered a new API resource path to support the access of CHAINLINE at the REST endpoint /api/v1/cav/client/health. This was accomplished by importing the maliciously created Health API resource and then calling the add_resource() class method on the FLASK-RESTful Api object within /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/__init__.py.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "87e353c6-e0e8-427a-b55f-61cbd2853c57",
+      "value": "CHAINLINE"
+    },
+    {
+      "description": "FRAMESTING is a Python webshell embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nFRAMESTING was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py. Note that this is the same Python package modified to support the WIREFIRE and CHAINLINE web shells./nWhen installed, the threat actor can access FRAMESTING web shell at the REST endpoint /api/v1/cav/client/categories with a POST request. Note that the legitimate categories endpoint only accepts GET requests./nThe web shell employs two methods of accepting commands from an attacker. It first attempts to retrieve the command stored in the value of a cookie named DSID from the current HTTP request. If the cookie is not present or is not of the expected length, it will attempt to decompress zlib data within the request's POST data. Lastly, FRAMESTING will then pass the decrypted POST data into a Python exec() statement to dynamically execute additional Python code./nNote that DSID is also the name of a cookie used by Ivanti Connect Secure appliances for maintaining user VPN sessions. FRAMESTING likely uses the same cookie name to blend in with network traffic.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "a9470d3d-ecfd-408b-ba1e-f3ca65791e0d",
+      "value": "FRAMESTING"
+    },
+    {
+      "description": "IMPACKET is a Python library that allows for interaction with various network protocols. It is particularly effective in environments that rely on Active Directory and related Microsoft Windows network services.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "7b02521e-422e-49a2-96fc-ad6c13057a6c",
+      "value": "IMPACKET"
+    },
+    {
+      "description": "IODINE is a network traffic tunneler that allows for tunneling of IPv4 traffic over DNS.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "94ae63e7-7f92-4657-812c-2f27bf50ca21",
+      "value": "IODINE"
+    },
+    {
+      "description": "ENUM4LINUX is a Linux Perl script for enumerating data from Windows and Samba hosts.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+        ]
+      },
+      "uuid": "c44c5c54-435a-453a-a128-43ca18b82c37",
+      "value": "ENUM4LINUX"
+    },
+    {
+      "description": "SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and exports an sprintf function adding a malicious code to it before redirecting a flow back to vsnprintf.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6fcf8d1f-2e68-4982-a579-2ca5595e4990",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "6c89c51f-1b97-4966-abc1-9cf526bb2892",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "followed-by"
+        },
+        {
+          "dest-uuid": "de390f3e-c0d1-4c70-b121-a7a98f7326aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "followed-by"
+        }
+      ],
+      "uuid": "e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87",
+      "value": "SPAWNANT"
+    },
+    {
+      "description": "SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6fcf8d1f-2e68-4982-a579-2ca5595e4990",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "preceded-by"
+        },
+        {
+          "dest-uuid": "de390f3e-c0d1-4c70-b121-a7a98f7326aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "interacts-with"
+        }
+      ],
+      "uuid": "6c89c51f-1b97-4966-abc1-9cf526bb2892",
+      "value": "SPAWNMOLE"
+    },
+    {
+      "description": "SPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "6fcf8d1f-2e68-4982-a579-2ca5595e4990",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "de390f3e-c0d1-4c70-b121-a7a98f7326aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-injected-by"
+        },
+        {
+          "dest-uuid": "de390f3e-c0d1-4c70-b121-a7a98f7326aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "communicates-with"
+        }
+      ],
+      "uuid": "2c237974-edc2-460a-90b5-20f699560da3",
+      "value": "SPAWNSLOTH"
+    },
+    {
+      "description": "ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887. ",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-deployed-by"
+        }
+      ],
+      "uuid": "69d0512d-c12a-4e17-a335-deba012a8499",
+      "value": "ROOTROT"
+    },
+    {
+      "description": "TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c5ea778c-df2f-4c63-b401-dded9cb2419c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-deployed-by"
+        },
+        {
+          "dest-uuid": "f97ea150-a727-4d47-823a-41de07a43ea9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "executes"
+        }
+      ],
+      "uuid": "540b3e66-edbf-40ee-ae05-474b27c1ff40",
+      "value": "TONERJAM"
+    },
+    {
+      "description": "A simple security tunnel written in Golang. Features: Listening on multiple ports, Multi-level forward proxy - proxy chain, Standard HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5 proxy protocols support, Probing resistance support for web proxy, Support multiple tunnel types, TLS encryption via negotiation support for SOCKS5 proxy, Tunnel UDP over TCP, TCP/UDP Transparent proxy, Local/remote TCP/UDP port forwarding, Shadowsocks protocol, SNI proxy, Permission control, Load balancing, Routing control, DNS resolver and proxy, TUN/TAP device",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement",
+          "https://github.com/ginuerzh/gost/blob/master/README_en.md",
+          "https://v2.gost.run/en/",
+          "https://gost.run/en/"
+        ],
+        "synonyms": [
+          "GO Simple Tunnel"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c5ea778c-df2f-4c63-b401-dded9cb2419c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "c9f26173-ba82-4ed2-adbd-e2e07f582f31",
+      "value": "GOST"
+    },
+    {
+      "description": "Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.",
+      "meta": {
+        "refs": [
+          "https://github.com/BishopFox/sliver",
+          "https://bishopfox.com/tools/sliver"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "083a637b-c58c-4ccb-ab59-81d783873e80",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "is-deployed-by "
+        }
+      ],
+      "uuid": "84c2d789-64be-429b-aeee-253a4e0e2aff",
+      "value": "SLIVER"
     }
   ],
-  "version": 170
+  "version": 173
 }

galaxies/atrm.json

@@ -9,12 +9,12 @@
       "Privilege Escalation",
       "Persistence",
       "Credential Access",
-      "Exfiltration"
+      "Impact"
     ]
   },
   "name": "Azure Threat Research Matrix",
-  "namespace": "atrm",
+  "namespace": "microsoft",
   "type": "atrm",
   "uuid": "b541a056-154c-41e7-8a56-41db3f871c00",
-  "version": 1
+  "version": 3
 }

galaxies/disarm-actortypes.json

@@ -0,0 +1,24 @@
+{
+  "description": "DISARM is a framework designed for describing and understanding disinformation incidents.",
+  "icon": "user-secret",
+  "kill_chain_order": {
+    "sectors": [
+      "Nonprofit",
+      "Civil Society",
+      "Government",
+      "Academic",
+      "Activist",
+      "General Public",
+      "Social Media Company",
+      "Other Tech Company",
+      "Other Company",
+      "Media",
+      ""
+    ]
+  },
+  "name": "Actor Types",
+  "namespace": "disarm",
+  "type": "disarm-actortypes",
+  "uuid": "1658af88-b847-532d-adc9-efaea8604f14",
+  "version": 1
+}

galaxies/disarm-countermeasures.json

@@ -0,0 +1,54 @@
+{
+  "description": "DISARM is a framework designed for describing and understanding disinformation incidents.",
+  "icon": "shield-alt",
+  "kill_chain_order": {
+    "metatechniques": [
+      "Resilience",
+      "Diversion",
+      "Daylight",
+      "Friction",
+      "Removal",
+      "Scoring",
+      "Metatechnique",
+      "Data Pollution",
+      "Dilution",
+      "Countermessaging",
+      "Verification",
+      "Cleaning",
+      "Targeting",
+      "Reduce Resources"
+    ],
+    "responsetypes": [
+      "Detect",
+      "Deny",
+      "Disrupt",
+      "Degrade",
+      "Deceive",
+      "Destroy",
+      "Deter"
+    ],
+    "tactics": [
+      "Plan Strategy",
+      "Plan Objectives",
+      "Microtarget",
+      "Develop Content",
+      "Select Channels and Affordances",
+      "Conduct Pump Priming",
+      "Deliver Content",
+      "Drive Offline Activity",
+      "Persist in the Information Environment",
+      "Assess Effectiveness",
+      "Target Audience Analysis",
+      "Develop Narratives",
+      "Establish Assets",
+      "Establish Legitimacy",
+      "Maximise Exposure",
+      "Drive Online Harms"
+    ]
+  },
+  "name": "Countermeasures",
+  "namespace": "disarm",
+  "type": "disarm-countermeasures",
+  "uuid": "9a3ac024-7c65-5ac0-87c4-eaed2238eec8",
+  "version": 2
+}

galaxies/disarm-detections.json

@@ -0,0 +1,38 @@
+{
+  "description": "DISARM is a framework designed for describing and understanding disinformation incidents.",
+  "icon": "bell",
+  "kill_chain_order": {
+    "responsetypes": [
+      "Detect",
+      "Deny",
+      "Disrupt",
+      "Degrade",
+      "Deceive",
+      "Destroy",
+      "Deter"
+    ],
+    "tactics": [
+      "Plan Strategy",
+      "Plan Objectives",
+      "Microtarget",
+      "Develop Content",
+      "Select Channels and Affordances",
+      "Conduct Pump Priming",
+      "Deliver Content",
+      "Drive Offline Activity",
+      "Persist in the Information Environment",
+      "Assess Effectiveness",
+      "Target Audience Analysis",
+      "Develop Narratives",
+      "Establish Assets",
+      "Establish Legitimacy",
+      "Maximise Exposure",
+      "Drive Online Harms"
+    ]
+  },
+  "name": "Detections",
+  "namespace": "disarm",
+  "type": "disarm-detections",
+  "uuid": "bb61e6f3-b2bd-5c7d-929c-b6f292ccc56a",
+  "version": 2
+}

galaxies/disarm-techniques.json

@@ -0,0 +1,29 @@
+{
+  "description": "DISARM is a framework designed for describing and understanding disinformation incidents.",
+  "icon": "map",
+  "kill_chain_order": {
+    "tactics": [
+      "Plan Strategy",
+      "Plan Objectives",
+      "Microtarget",
+      "Develop Content",
+      "Select Channels and Affordances",
+      "Conduct Pump Priming",
+      "Deliver Content",
+      "Drive Offline Activity",
+      "Persist in the Information Environment",
+      "Assess Effectiveness",
+      "Target Audience Analysis",
+      "Develop Narratives",
+      "Establish Assets",
+      "Establish Legitimacy",
+      "Maximise Exposure",
+      "Drive Online Harms"
+    ]
+  },
+  "name": "Techniques",
+  "namespace": "disarm",
+  "type": "disarm-techniques",
+  "uuid": "a90f2bb6-11e1-58a7-9962-ba37886720ec",
+  "version": 2
+}

galaxies/entity.json

@@ -0,0 +1,9 @@
+{
+  "description": "Description of entities that can be involved in events.",
+  "icon": "user",
+  "name": "Entity",
+  "namespace": "misp",
+  "type": "entity",
+  "uuid": "f1b42b47-778f-4e50-bda5-969ee7f9029f",
+  "version": 1
+}

galaxies/intelligence-agencies.json

@@ -0,0 +1,9 @@
+{
+  "description": "List of intelligence agencies",
+  "icon": "ninja",
+  "name": "Intelligence Agencies",
+  "namespace": "intelligence-agency",
+  "type": "intelligence-agency",
+  "uuid": "3ef969e7-96cd-4048-aa83-191ac457d0db",
+  "version": 1
+}

galaxies/interpol-dwva.json

@@ -0,0 +1,27 @@
+{
+  "description": "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
+  "icon": "user-secret",
+  "kill_chain_order": {
+    "Abuses": [
+      "Concept"
+    ],
+    "Entities": [
+      "Actor",
+      "Asset",
+      "Authorities",
+      "Cryptocurrency",
+      "Dark_Web",
+      "Generic",
+      "Infrastructure",
+      "Process",
+      "Service",
+      "Technology",
+      "Wallet"
+    ]
+  },
+  "name": "INTERPOL DWVA Taxonomy",
+  "namespace": "interpol",
+  "type": "dwva",
+  "uuid": "a375d7fd-0a3e-41cf-a531-ef56033df967",
+  "version": 1
+}

galaxies/mitre-atlas-attack-pattern.json

@@ -0,0 +1,27 @@
+{
+  "description": "MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems",
+  "icon": "map",
+  "kill_chain_order": {
+    "mitre-atlas": [
+      "reconnaissance",
+      "resource-development",
+      "initial-access",
+      "ml-model-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "collection",
+      "ml-attack-staging",
+      "exfiltration",
+      "impact"
+    ]
+  },
+  "name": "MITRE ATLAS Attack Pattern",
+  "namespace": "mitre-atlas",
+  "type": "mitre-atlas-attack-pattern",
+  "uuid": "3f3d21aa-d8a1-4f8f-b31e-fc5425eec821",
+  "version": 1
+}

galaxies/mitre-atlas-course-of-action.json

@@ -0,0 +1,9 @@
+{
+  "description": "MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems",
+  "icon": "link",
+  "name": "MITRE ATLAS Course of Action",
+  "namespace": "mitre-atlas",
+  "type": "mitre-atlas-course-of-action",
+  "uuid": "29d13ede-9667-415c-bb75-b34a4bd89a81",
+  "version": 1
+}

galaxies/mitre-attack-pattern.json

@@ -2,9 +2,55 @@
   "description": "ATT&CK Tactic",
   "icon": "map",
   "kill_chain_order": {
-    "mitre-attack": [
-      "reconnaissance",
-      "resource-development",
+    "attack-Azure-AD": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "impact"
+    ],
+    "attack-Containers": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "impact"
+    ],
+    "attack-Google-Workspace": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-IaaS": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-Linux": [
       "initial-access",
       "execution",
       "persistence",
@@ -18,7 +64,79 @@
       "exfiltration",
       "impact"
     ],
-    "mitre-mobile-attack": [
+    "attack-Network": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "command-and-control",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-Office-365": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-PRE": [
+      "reconnaissance",
+      "resource-development"
+    ],
+    "attack-SaaS": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-Windows": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "command-and-control",
+      "exfiltration",
+      "impact"
+    ],
+    "attack-macOS": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "command-and-control",
+      "exfiltration",
+      "impact"
+    ],
+    "mobile-attack-Android": [
       "initial-access",
       "execution",
       "persistence",
@@ -34,7 +152,23 @@
       "network-effects",
       "remote-service-effects"
     ],
-    "mitre-pre-attack": [
+    "mobile-attack-iOS": [
+      "initial-access",
+      "execution",
+      "persistence",
+      "privilege-escalation",
+      "defense-evasion",
+      "credential-access",
+      "discovery",
+      "lateral-movement",
+      "collection",
+      "command-and-control",
+      "exfiltration",
+      "impact",
+      "network-effects",
+      "remote-service-effects"
+    ],
+    "pre-attack": [
       "priority-definition-planning",
       "priority-definition-direction",
       "target-selection",
@@ -49,12 +183,14 @@
       "persona-development",
       "build-capabilities",
       "test-capabilities",
-      "stage-capabilities"
+      "stage-capabilities",
+      "launch",
+      "compromise"
     ]
   },
   "name": "Attack Pattern",
   "namespace": "mitre-attack",
   "type": "mitre-attack-pattern",
   "uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
-  "version": 9
+  "version": 10
 }

galaxies/mitre-data-component.json

@@ -0,0 +1,9 @@
+{
+  "description": "Data components are parts of data sources. ",
+  "icon": "sitemap",
+  "name": "mitre-data-component",
+  "namespace": "mitre-attack",
+  "type": "mitre-data-component",
+  "uuid": "afff2d74-5d4a-4aa7-995a-3701a2dbe593",
+  "version": 1
+}

galaxies/mitre-data-source.json

@@ -0,0 +1,9 @@
+{
+  "description": "Data sources represent the various subjects/topics of information that can be collected by sensors/logs. ",
+  "icon": "sitemap",
+  "name": "mitre-data-source",
+  "namespace": "mitre-attack",
+  "type": "mitre-data-source",
+  "uuid": "dca5da28-fdc0-4b37-91cd-989d139d96cf",
+  "version": 1
+}

galaxies/mitre-tool.json

@@ -1,9 +1,9 @@
 {
   "description": "Name of ATT&CK software",
   "icon": "gavel",
-  "name": "Tool",
+  "name": "mitre-tool",
   "namespace": "mitre-attack",
   "type": "mitre-tool",
   "uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
-  "version": 6
+  "version": 7
 }

galaxies/naics.json

@@ -0,0 +1,9 @@
+{
+  "description": "North American Industry Classification System - NAICS",
+  "icon": "industry",
+  "name": "NAICS",
+  "namespace": "misp",
+  "type": "naics",
+  "uuid": "b73ecad4-6529-4625-8c4f-ee3ef703a72a",
+  "version": 1
+}

galaxies/producer.json

@@ -0,0 +1,9 @@
+{
+  "description": "List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.",
+  "icon": "book",
+  "name": "Producer",
+  "namespace": "misp",
+  "type": "producer",
+  "uuid": "2d74a15e-9c88-452e-af14-d0ecd2e9cd63",
+  "version": 1
+}

galaxies/tidal-campaigns.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal Campaigns Galaxy",
+  "icon": "bullhorn",
+  "name": "Tidal Campaigns",
+  "namespace": "tidal",
+  "type": "campaigns",
+  "uuid": "3db4b6cb-5b89-4096-a057-e0205777adc9",
+  "version": 1
+}

galaxies/tidal-groups.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal Groups Galaxy",
+  "icon": "user-secret",
+  "name": "Tidal Groups",
+  "namespace": "tidal",
+  "type": "groups",
+  "uuid": "877cdc4b-3392-4353-a7d4-2e46d40e5936",
+  "version": 1
+}

galaxies/tidal-references.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal References Galaxy",
+  "icon": "list",
+  "name": "Tidal References",
+  "namespace": "tidal",
+  "type": "references",
+  "uuid": "efd98ec4-16ef-41c4-bc3c-60c7c1ae8b39",
+  "version": 1
+}

galaxies/tidal-software.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal Software Galaxy",
+  "icon": "file-code",
+  "name": "Tidal Software",
+  "namespace": "tidal",
+  "type": "software",
+  "uuid": "6eb44da4-ed4f-4a5d-a444-0f105ff1b3c2",
+  "version": 1
+}

galaxies/tidal-tactic.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal Tactic Galaxy",
+  "icon": "map",
+  "name": "Tidal Tactic",
+  "namespace": "tidal",
+  "type": "tactic",
+  "uuid": "16b963e7-4b88-44e0-b184-16bf9e71fdc9",
+  "version": 1
+}

galaxies/tidal-technique.json

@@ -0,0 +1,9 @@
+{
+  "description": "Tidal Technique Galaxy",
+  "icon": "user-ninja",
+  "name": "Tidal Technique",
+  "namespace": "tidal",
+  "type": "technique",
+  "uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
+  "version": 1
+}

galaxies/tmss.json

@@ -0,0 +1,22 @@
+{
+  "description": "Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.",
+  "icon": "map",
+  "kill_chain_order": {
+    "TMSS-tactics": [
+      "Reconnaissance",
+      "Initial Access",
+      "Persistence",
+      "Defense Evasion",
+      "Credential Access",
+      "Discovery",
+      "Lateral Movement",
+      "Exfiltration",
+      "Impact"
+    ]
+  },
+  "name": "Threat Matrix for storage services",
+  "namespace": "microsoft",
+  "type": "tmss",
+  "uuid": "d6532b58-99e0-44a9-93c8-affe055e4443",
+  "version": 1
+}

galaxies/ukhsa-culture-collections.json

@@ -0,0 +1,9 @@
+{
+  "description": "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
+  "icon": "virus",
+  "name": "UKHSA Culture Collections",
+  "namespace": "gov.uk",
+  "type": "ukhsa-culture-collections",
+  "uuid": "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
+  "version": 1
+}

tools/IntelAgencies/REQUIREMENTS

@@ -0,0 +1 @@
+pycountry

tools/IntelAgencies/main.py

@@ -0,0 +1,157 @@
+from modules.api import WikipediaAPI
+from modules.intel import IntelAgency, Meta, Galaxy, Cluster
+import os
+import uuid
+import json
+
+from bs4 import BeautifulSoup
+import pycountry
+
+CLUSTER_PATH = '../../clusters'
+GALAXY_PATH = '../../galaxies'
+GALAXY_NAME = 'intelligence-agencies'
+UUID = "3ef969e7-96cd-4048-aa83-191ac457d0db"
+WIKIPEDIA_URL = "https://en.wikipedia.org"
+
+COUNTRY_CODES = {
+    "Brunei": "BN",
+    "People's Republic of China": "CN",
+    "Democratic Republic of the Congo": "CD",  # Note: This is for the Democratic Republic of the Congo, not to be confused with the Republic of the Congo (CG)
+    "Czech Republic": "CZ",
+    "Iran": "IR",
+    "Moldova": "MD",  # Officially known as the Republic of Moldova
+    "North Korea": "KP",  # Officially the Democratic People's Republic of Korea (DPRK)
+    "Palestine": "PS",
+    "Russia": "RU",  # Officially the Russian Federation
+    "South Korea": "KR",  # Officially the Republic of Korea (ROK)
+    "Syria": "SY",  # Officially the Syrian Arab Republic
+    "Taiwan": "TW",  # ISO code is assigned as "Taiwan, Province of China"
+    "Tanzania": "TZ",  # Officially the United Republic of Tanzania
+    "Trinidad & Tobago": "TT",
+    "Turkey": "TR",
+    "Venezuela": "VE",  # Officially the Bolivarian Republic of Venezuela
+    "Vietnam": "VN",  # Officially the Socialist Republic of Vietnam
+    "European Union": None,  # Not a country, no ISO code
+    "Shanghai Cooperation Organisation": None  # Not a country, no ISO code
+}
+
+def compute_uuid(value, namespace=UUID):
+    return str(uuid.uuid5(uuid.UUID(namespace), value))
+
+def get_notes_on_lower_level(content):
+    notes = []
+    for li in content.find_all('li', recursive=False):
+        if li.find('ul'):
+            notes.extend(get_notes_on_lower_level(li.find('ul')))
+        else:
+            a_tag = li.find('a')
+
+            title = li.text
+            link_href = None
+            description = li.text
+
+            i_tag = li.find_all('i')
+            synonyms = [i.text for i in i_tag]
+            
+            if a_tag:
+                title = a_tag.get('title', description)
+                if a_tag.has_attr('href'):
+                    link_href = f'{WIKIPEDIA_URL}{a_tag["href"]}'
+
+            if len(synonyms) == 0 or synonyms[0] == title:
+                synonyms = None
+
+            notes.append((title, link_href, description, synonyms))
+    return notes
+
+def get_agencies_from_country(heading, current_country):
+    agencies = []
+    contents = []
+    contents.append(heading.find_next('ul'))
+    
+    current_content = contents[0]
+    while True:
+        next_sibling = current_content.find_next_sibling()
+
+        if next_sibling is None or next_sibling.name == 'h2':
+            break
+
+        if next_sibling.name == 'ul':
+            contents.append(next_sibling)
+
+        current_content = next_sibling
+    
+    for content in contents:
+        agency_names = get_notes_on_lower_level(content)
+        for name, links, description, synonyms in agency_names:
+            country_code = pycountry.countries.get(name=current_country)
+
+            # Set country
+            country_name = current_country
+
+            if country_code:
+                country_code = country_code.alpha_2
+            else:
+                country_code = COUNTRY_CODES.get(current_country)
+
+            if current_country in ["European Union", "Shanghai Cooperation Organisation"]: # Not a country
+                country_name = None
+
+            # Set names for duplicates
+            if name in ['Special Branch', 'Financial Intelligence Unit']:
+                name = f'{name} ({current_country})'
+            
+            agencies.append(IntelAgency(value=name, uuid=compute_uuid(name), meta=Meta(country=country_code, country_name=country_name, refs=[links], synonyms=synonyms), description=description))
+                
+    return agencies
+    
+def extract_info(content):
+    IGNORE = ["See also", "References", "External links", "Further reading"]
+    soup = BeautifulSoup(content, 'html.parser')
+    agencies = []
+    current_country = None
+    for h2 in soup.find_all('h2'):
+        span = h2.find('span', {'class': 'mw-headline'})
+        if span and span.text not in IGNORE:
+            current_country = span.text.strip()
+            agencies.extend(get_agencies_from_country(h2, current_country))
+        else:
+            continue
+    return agencies
+    
+if __name__ == '__main__':
+    wiki = WikipediaAPI()
+    page_title = 'List of intelligence agencies'
+    content = wiki.get_page_html(page_title)
+    if content:
+        agencies = extract_info(content)
+    else:
+        raise ValueError("Error: No content found: ", content)
+
+    authors = [x['name'] for x in wiki.get_authors(page_title)]
+    # Write to files
+    galaxy = Galaxy(
+        description="List of intelligence agencies",
+        icon="ninja",
+        name="Intelligence Agencies",
+        namespace="intelligence-agency",
+        type="intelligence-agency",
+        uuid=UUID,
+        version=1,
+    )
+    galaxy.save_to_file(os.path.join(GALAXY_PATH, f'{GALAXY_NAME}.json'))
+
+    cluster = Cluster(
+        authors=authors,
+        category="Intelligence Agencies",
+        description="List of intelligence agencies",
+        name="Intelligence Agencies",
+        source="https://en.wikipedia.org/wiki/List_of_intelligence_agencies",
+        type="intelligence-agency",
+        uuid=UUID,
+        version=1,
+    )
+    for agency in agencies:
+        cluster.add_value(agency)
+
+    cluster.save_to_file(os.path.join(CLUSTER_PATH, f'{GALAXY_NAME}.json'))

tools/IntelAgencies/modules/api.py

@@ -0,0 +1,72 @@
+import requests
+
+class WikipediaAPI():
+    def __init__(self):
+        self.base_url = 'https://en.wikipedia.org/w/api.php'
+
+    def get_page_summary(self, page_title):
+        params = {
+            'action': 'query',
+            'format': 'json',
+            'titles': page_title,
+            'prop': 'extracts',
+            'explaintext': True,
+        }
+        
+        try:
+            response = requests.get(self.base_url, params=params)
+            data = response.json()
+            page_id = next(iter(data['query']['pages']))
+            return data['query']['pages'][page_id]['extract']
+        except Exception as e:
+            print(f'Error: {e}')
+            return None
+        
+    def get_page_content(self, page_title):
+        params = {
+            'action': 'query',
+            'format': 'json',
+            'titles': page_title,
+            'prop': 'revisions',
+            'rvprop': 'content',
+        }
+        try:
+            response = requests.get(self.base_url, params=params)
+            data = response.json()
+            page_id = next(iter(data['query']['pages']))
+            return data['query']['pages'][page_id]['revisions'][0]['*']
+        except Exception as e:
+            print(f'Error: {e}')
+            return None
+        
+    def get_page_html(self, page_title):
+        params = {
+            'action': 'parse',
+            'format': 'json',
+            'page': page_title,
+            'prop': 'text',
+            'disableeditsection': True, 
+        }
+        try:
+            response = requests.get(self.base_url, params=params)
+            data = response.json()
+            return data['parse']['text']['*']
+        except Exception as e:
+            print(f'Error: {e}')
+            return None
+        
+    def get_authors(self, page_title):
+        params = {
+            'action': 'query',
+            'format': 'json',
+            'titles': page_title,
+            'prop': 'contributors',
+        }
+        try:
+            response = requests.get(self.base_url, params=params)
+            data = response.json()
+            page_id = next(iter(data['query']['pages']))
+            return data['query']['pages'][page_id]['contributors']
+        except Exception as e:
+            print(f'Error: {e}')
+            return None

tools/IntelAgencies/modules/intel.py

@@ -0,0 +1,76 @@
+from dataclasses import dataclass, field, asdict, is_dataclass
+import json
+
+@dataclass
+class Meta:
+    country: str = None
+    country_name: str = None
+    refs: list = field(default_factory=list)
+    synonyms: list = field(default_factory=list)
+    
+def custom_asdict(obj):
+    if is_dataclass(obj):
+        result = {}
+        for field_name, field_def in obj.__dataclass_fields__.items():
+            value = getattr(obj, field_name)
+            if field_name == 'meta': 
+                meta_value = custom_asdict(value)
+                meta_value = {k: v for k, v in meta_value.items() if v is not None and not (k in ['refs', 'synonyms'] and (not v or all(e is None for e in v)))}
+                value = meta_value
+            elif isinstance(value, (list, tuple)) and all(is_dataclass(i) for i in value):
+                value = [custom_asdict(i) for i in value]
+            elif isinstance(value, list) and all(e is None for e in value):
+                continue
+            if value is None and field_name in ['country', 'country_name']:
+                continue
+            result[field_name] = value
+        return result
+    else:
+        return obj
+
+@dataclass
+class IntelAgency:
+    description: str = ""
+    meta: Meta = field(default_factory=Meta)
+    related: list = field(default_factory=list)
+    uuid: str = None
+    value: str = None
+
+    def __post_init__(self):
+            if not self.value:
+                raise ValueError("IntelAgency 'value' cannot be empty.")
+            if not self.uuid:
+                 raise ValueError("IntelAgency 'uuid' cannot be empty.")
+    
+@dataclass
+class Galaxy:
+    description: str
+    icon: str 
+    name: str
+    namespace: str
+    type: str 
+    uuid: str 
+    version: int 
+
+    def save_to_file(self, path: str):
+        with open(path, "w") as file:
+            file.write(json.dumps(asdict(self), indent=4))
+
+@dataclass
+class Cluster:
+    authors: str
+    category: str
+    description: str
+    name: str
+    source: str
+    type: str
+    uuid: str
+    version: int
+    values: list = field(default_factory=list)
+
+    def add_value(self, value: IntelAgency):
+        self.values.append(value)
+
+    def save_to_file(self, path: str):
+        with open(path, "w") as file:
+            file.write(json.dumps(custom_asdict(self), indent=4, ensure_ascii=False))

tools/NER/extract.py

@@ -0,0 +1,41 @@
+import os
+import json
+import argparse
+
+thisDir = os.path.dirname(__file__)
+
+clusters = []
+
+pathClusters = os.path.join(thisDir, '../../clusters')
+pathGalaxies = os.path.join(thisDir, '../../galaxies')
+
+skip_list = ["cancer.json", "handicap.json", "ammunitions.json", "firearms.json"]
+
+for f in os.listdir(pathGalaxies):
+    if '.json' in f:
+        with open(os.path.join(pathGalaxies, f), 'r') as f_in:
+            galaxy_data = json.load(f_in)
+            if galaxy_data.get('namespace') != 'deprecated':
+                if f not in skip_list:
+                    clusters.append(f)
+
+clusters.sort()
+
+for cluster in clusters:
+    fullPathClusters = os.path.join(pathClusters, cluster)
+    with open(fullPathClusters) as fp:
+        c = json.load(fp)
+    cluster_name = cluster.split(".")[0].upper()
+    l = f'{cluster_name}'
+    for v in c['values']:
+        if 'uuid' not in v:
+            continue
+        l += f",{v['value']}"
+        if 'meta' not in v:
+            continue
+        if 'synonyms' not in v['meta']:
+            continue
+        for synonym in v['meta']['synonyms']:
+            l += f',{synonym}'
+    print(l)
+

tools/gen_disarm.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+
+print("""
+To generate DISARM please:
+cd ../../
+git clone https://github.com/DISARMFoundation/DISARMframeworks.git
+cd DISARMframeworks/CODE
+python3 generate_DISARM_MISP_galaxy.py
+""")

tools/gen_interpol_dwvat.py

@@ -0,0 +1,163 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+#    A simple convertor of the Interpol Dark Web and Virtual Assets Taxonomies to a MISP Galaxy datastructure.
+#    https://github.com/INTERPOL-Innovation-Centre/DW-VA-Taxonomy
+#    Copyright (C) 2024 Christophe Vandeplas
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import yaml
+import os
+import uuid
+import re
+import json
+
+import argparse
+
+parser = argparse.ArgumentParser(description='Create/update the Interpol Dark Web and Virtual Assets Taxonomies based on Markdown files.')
+parser.add_argument("-p", "--path", required=True, help="Path of the 'DW-VA-Taxonomy' git clone folder")
+
+args = parser.parse_args()
+
+if not os.path.exists(args.path):
+    exit("ERROR: DW-VA-Taxonomy folder incorrect")
+
+'''
+contains _data folder with
+- abuses.yaml - simple taxonomy
+- entities.yaml - matrix like taxonomy
+'''
+
+try:
+    with open(os.path.join('..', 'galaxies', 'interpol-dwva.json'), 'r') as f:
+        json_galaxy = json.load(f)
+
+except FileNotFoundError:
+    json_galaxy = {
+        'icon': "user-secret",
+        'kill_chain_order': {
+            'Entities': [],
+            'Abuses': ['Concept']
+        },
+        'name': "INTERPOL DWVA Taxonomy",
+        'description': "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
+        'namespace': "interpol",
+        'type': "dwva",
+        'uuid': "a375d7fd-0a3e-41cf-a531-ef56033df967",
+        'version': 1
+    }
+
+try:
+    with open(os.path.join('..', 'clusters', 'interpol-dwva.json'), 'r') as f:
+        json_cluster = json.load(f)
+except FileNotFoundError:
+    json_cluster = {
+        'authors': ["INTERPOL Darkweb and Virtual Assets Working Group"],
+        'category': 'dwva',
+        'name': "INTERPOL DWVA Taxonomy",
+        'description': "This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
+        'source': 'https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/',
+        'type': "dwva",
+        'uuid': "b15898ba-a923-4916-856c-0dfe8b174196",
+        'values': [],
+        'version': 1
+    }
+
+
+tactics = set()
+clusters_dict = {}
+# FIXME create dict for the existing clusters, so we can update the clusters without losing the relations
+
+#
+# Entities
+#
+with open(os.path.join(args.path, '_data', 'entities.yaml'), 'r') as f:
+    entities_data = yaml.safe_load(f)
+
+# build a broader concept list so we can ignore them later on
+broaders = set()
+for section in entities_data:
+    try:
+        broaders.add(entities_data[section]['broader'])
+    except KeyError:
+        pass
+# the Entities
+for section in entities_data:
+    item = entities_data[section]
+    if item['type'] == 'concept':
+        if item['id'] in broaders:  # skip the broader concepts
+            continue
+        if 'broader' not in item:
+            item['broader'] = 'generic'
+        tactics.add(item['broader'].title())
+        value = item['prefLabel']
+        clusters_dict[value] = {
+            'value': value,
+            'description': item['description'],
+            'uuid': str(uuid.uuid5(uuid.UUID("d0ceebc2-877b-4873-9785-d00f279ccb45"), value)),
+            'meta': {
+                'kill_chain': [f"Entities:{item['broader'].title()}"],
+            }
+        }
+        try:
+            clusters_dict[value]['meta']['refs'] = [item['seeAlso']]
+        except KeyError:
+            pass
+
+#
+# Abuses
+#
+with open(os.path.join(args.path, '_data', 'abuses.yaml'), 'r') as f:
+    entities_data = yaml.safe_load(f)
+for section in entities_data:
+    item = entities_data[section]
+    if item['type'] == 'concept':
+        value = item['prefLabel']
+        clusters_dict[value] = {
+            'value': value,
+            'description': item['description'],
+            'uuid': str(uuid.uuid5(uuid.UUID("d0ceebc2-877b-4873-9785-d00f279ccb45"), value)),
+            'meta': {
+                'kill_chain': [f"Abuses:Concept"],
+            }
+        }
+        try:
+            clusters_dict[value]['meta']['refs'] = [item['seeAlso']]
+        except KeyError:
+            pass
+
+
+#
+# Finally transform dict to list
+#
+clusters = []
+for item in clusters_dict.values():
+    clusters.append(item)
+
+json_cluster['values'] = clusters
+json_galaxy['kill_chain_order']['Entities'] = sorted(list(tactics))
+
+# save the Galaxy and Cluster file
+with open(os.path.join('..', 'galaxies', 'interpol-dwva.json'), 'w') as f:
+    json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+
+with open(os.path.join('..', 'clusters', 'interpol-dwva.json'), 'w') as f:
+    json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

tools/gen_mitre.py

@@ -4,19 +4,83 @@ import re
 import os
 import argparse
 
-parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/enterprise-attack/intrusion-set folder')
+parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the tools folder')
 parser.add_argument("-p", "--path", required=True, help="Path of the mitre/cti folder")
 
 args = parser.parse_args()
+root_folder = args.path
 
 values = []
 misp_dir = '../'
 
 
 domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
-types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool']
+types = {'data-source': 'x-mitre-data-source',
+         'attack-pattern': 'attack-pattern',
+         'course-of-action': 'course-of-action',
+         'intrusion-set': 'intrusion-set',
+         'malware': 'malware',
+         'tool': 'tool',
+         'data-component': 'x-mitre-data-component'
+         }
 mitre_sources = ['mitre-attack', 'mitre-ics-attack', 'mitre-pre-attack', 'mitre-mobile-attack']
 
+
+kill_chain_order_sort_order = {
+    "attack": [
+        "reconnaissance",
+        "resource-development",
+        "initial-access",
+        "execution",
+        "persistence",
+        "privilege-escalation",
+        "defense-evasion",
+        "credential-access",
+        "discovery",
+        "lateral-movement",
+        "collection",
+        "command-and-control",
+        "exfiltration",
+        "impact"
+    ],
+    "mobile-attack": [
+        "initial-access",
+        "execution",
+        "persistence",
+        "privilege-escalation",
+        "defense-evasion",
+        "credential-access",
+        "discovery",
+        "lateral-movement",
+        "collection",
+        "command-and-control",
+        "exfiltration",
+        "impact",
+        "network-effects",
+        "remote-service-effects"
+    ],
+    "pre-attack": [
+        "priority-definition-planning",
+        "priority-definition-direction",
+        "target-selection",
+        "technical-information-gathering",
+        "people-information-gathering",
+        "organizational-information-gathering",
+        "technical-weakness-identification",
+        "people-weakness-identification",
+        "organizational-weakness-identification",
+        "adversary-opsec",
+        "establish-&-maintain-infrastructure",
+        "persona-development",
+        "build-capabilities",
+        "test-capabilities",
+        "stage-capabilities",
+        "launch",     # added manually
+        "compromise"  # added manually
+    ]
+}
+
+
 all_data = {}  # variable that will contain everything
 
 # read in the non-MITRE data
@@ -71,7 +135,7 @@ for t in types:
 
 # now load the MITRE ATT&CK
 for domain in domains:
-    attack_dir = os.path.join(args.path, domain)
+    attack_dir = os.path.join(root_folder, domain)
     if not os.path.exists(attack_dir):
         exit("ERROR: MITRE ATT&CK folder incorrect")
 
@@ -79,7 +143,7 @@ for domain in domains:
         attack_data = json.load(f)
 
     for item in attack_data['objects']:
-        if item['type'] not in types:
+        if item['type'] not in types.values():
             continue
 
         # print(json.dumps(item, indent=2, sort_keys=True, ensure_ascii=False))
@@ -89,12 +153,16 @@ for domain in domains:
             uuid = re.search('--(.*)$', item['id']).group(0)[2:]
             # item exist already in the all_data set
             update = False
+
             if uuid in all_data_uuid:
                 value = all_data_uuid[uuid]
 
             if 'description' in item:
                 value['description'] = item['description']
-            value['value'] = item['name'] + ' - ' + item['external_references'][0]['external_id']
+            if 'external_references' in item:
+                value['value'] = item['name'] + ' - ' + item['external_references'][0]['external_id']
+            else:
+                value['value'] = item['name']
             value['meta'] = {}
             value['meta']['refs'] = []
             value['uuid'] = re.search('--(.*)$', item['id']).group(0)[2:]
@@ -104,26 +172,49 @@ for domain in domains:
             if 'x_mitre_aliases' in item:
                 value['meta']['synonyms'] = item['x_mitre_aliases']
 
-            for reference in item['external_references']:
-                if 'url' in reference and reference['url'] not in value['meta']['refs']:
-                    value['meta']['refs'].append(reference['url'])
-                # Find Mitre external IDs from allowed sources
-                if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
-                    value['meta']['external_id'] = reference['external_id']
-            if not value['meta'].get('external_id', None):
-                exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
-                    json.dumps(item['external_references'])
-                ))
+            # handle deprecated and/or revoked
+            # if 'x_mitre_deprecated' in item and item['x_mitre_deprecated']:
+            #     value['deprecated'] = True
+            # if 'revoked' in item and item['revoked']:
+            #     value['revoked'] = True
+
+            if 'external_references' in item:
+                for reference in item['external_references']:
+                    if 'url' in reference and reference['url'] not in value['meta']['refs']:
+                        value['meta']['refs'].append(reference['url'])
+                    # Find Mitre external IDs from allowed sources
+                    if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
+                        value['meta']['external_id'] = reference['external_id']
+                if not value['meta'].get('external_id', None):
+                    exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
+                        json.dumps(item['external_references'])
+                    ))
 
             if 'kill_chain_phases' in item:   # many (but not all) attack-patterns have this
                 value['meta']['kill_chain'] = []
                 for killchain in item['kill_chain_phases']:
-                    value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':' + killchain['phase_name'])
+                    kill_chain_name = killchain['kill_chain_name'][6:]
+                    phase_name = killchain['phase_name']
+                    if 'x_mitre_platforms' in item:
+                        for platform in item['x_mitre_platforms']:
+                            platform = platform.replace(' ', '-')
+                            value['meta']['kill_chain'].append(f"{kill_chain_name}-{platform}:{phase_name}")
+                    else:
+                        value['meta']['kill_chain'].append(f"{kill_chain_name}:{phase_name}")
             if 'x_mitre_data_sources' in item:
                 value['meta']['mitre_data_sources'] = item['x_mitre_data_sources']
             if 'x_mitre_platforms' in item:
                 value['meta']['mitre_platforms'] = item['x_mitre_platforms']
-            # TODO add the other x_mitre elements dynamically
+            # TODO add the other x_mitre elements dynamically, but now it seems to break the tests
+            # x_mitre_fields = [key for key in item.keys() if key.startswith('x_mitre')]
+            # skip_x_mitre_fields = ['x_mitre_deprecated', 'x_mitre_aliases', 'x_mitre_version', 'x_mitre_old_attack_id', 'x_mitre_attack_spec_version']
+            # for skip_field in skip_x_mitre_fields:
+            #     try:
+            #         x_mitre_fields.remove(skip_field)
+            #     except ValueError:
+            #         pass
+            # for x_mitre_field in x_mitre_fields:
+            #     value['meta'][x_mitre_field[2:]] = item[x_mitre_field]
 
             # relationships will be build separately afterwards
             value['type'] = item['type']  # remove this before dump to json
@@ -131,7 +222,7 @@ for domain in domains:
 
             all_data_uuid[uuid] = value
 
-        except Exception as e:
+        except Exception:
             print(json.dumps(item, sort_keys=True, indent=2))
             import traceback
             traceback.print_exc()
@@ -152,10 +243,6 @@ for domain in domains:
             "dest-uuid": dest_uuid,
             "type": rel_type
         }
-        if rel_type != 'subtechnique-of':
-            rel_source['tags'] = [
-                "estimative-language:likelihood-probability=\"almost-certain\""
-            ]
         try:
             if 'related' not in all_data_uuid[source_uuid]:
                 all_data_uuid[source_uuid]['related'] = []
@@ -166,9 +253,41 @@ for domain in domains:
 
         # LATER find the opposite word of "rel_type" and build the relation in the opposite direction
 
+    # process (again) the data-component, as they create relationships using 'x_mitre_data_source_ref' instead...
+    for item in attack_data['objects']:
+        if item['type'] != 'x-mitre-data-component':
+            continue
+        data_source_uuid = re.findall(r'--([0-9a-f-]+)', item['x_mitre_data_source_ref']).pop()
+        data_component_uuid = re.findall(r'--([0-9a-f-]+)', item['id']).pop()
+        # create relationship bidirectionally
+        rel_data_source = {
+            "dest-uuid": data_component_uuid,
+            "type": 'includes'  # FIXME use a valid type
+        }
+        try:
+            if 'related' not in all_data_uuid[data_source_uuid]:
+                all_data_uuid[data_source_uuid]['related'] = []
+            if rel_data_source not in all_data_uuid[data_source_uuid]['related']:
+                all_data_uuid[data_source_uuid]['related'].append(rel_data_source)
+        except KeyError:
+            pass  # ignore relations from which we do not know the source
+        rel_data_component = {
+            "dest-uuid": data_component_uuid,
+            "type": 'included-in'  # FIXME use a valid type
+        }
+        try:
+            if 'related' not in all_data_uuid[data_component_uuid]:
+                all_data_uuid[data_component_uuid]['related'] = []
+            if rel_data_component not in all_data_uuid[data_component_uuid]['related']:
+                all_data_uuid[data_component_uuid]['related'].append(rel_data_component)
+        except KeyError:
+            pass  # ignore relations from which we do not know the source
+
 
 # dump all_data to their respective file
-for t in types:
+for t, meta_t in types.items():
+    kill_chain_order = {}
+
     fname = os.path.join(misp_dir, 'clusters', 'mitre-{}.json'.format(t))
     if not os.path.exists(fname):
         exit("File {} does not exist, this is unexpected.".format(fname))
@@ -178,11 +297,16 @@ for t in types:
     file_data['values'] = []
     for item in all_data_uuid.values():
         # print(json.dumps(item, sort_keys=True, indent=2))
-        if 'type' not in item or item['type'] != t:  # drop old data or not from the right type
+        if 'type' not in item or item['type'] != meta_t:  # drop old data or not from the right type
             continue
         item_2 = item.copy()
         item_2.pop('type', None)
         file_data['values'].append(item_2)
+        for kill_chains in item['meta'].get('kill_chain', []):
+            kill_chain_name, kill_chain_phase = kill_chains.split(':')
+            if kill_chain_name not in kill_chain_order:
+                kill_chain_order[kill_chain_name] = set()
+            kill_chain_order[kill_chain_name].add(kill_chain_phase)
 
     # FIXME the sort algo needs to be further improved, potentially with a recursive deep sort
     file_data['values'] = sorted(file_data['values'], key=lambda x: sorted(x['value']))
@@ -199,4 +323,36 @@ for t in types:
         json.dump(file_data, f, indent=2, sort_keys=True, ensure_ascii=False)
         f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
 
+    # rebuild the galaxies file with kill_chains
+    # OK, this is really inefficient, but just the easiest way to get it done now
+    fname_galaxy = os.path.join(misp_dir, 'galaxies', 'mitre-{}.json'.format(t))
+    if not os.path.exists(fname_galaxy):
+        exit("File {} does not exist, this is unexpected.".format(fname_galaxy))
+    with open(fname_galaxy) as f_galaxy:
+        file_data_galaxy = json.load(f_galaxy)
+
+    # sort the kill chain order in the right way, using the kill_chain_order_sort_order
+    kill_chain_order_sorted = {}
+    for kill_chain_name, kill_chain_phases in kill_chain_order.items():
+        for kill_chain_order_sort_order_key in kill_chain_order_sort_order.keys():
+            if kill_chain_name.startswith(kill_chain_order_sort_order_key):
+                try:
+                    kill_chain_order_sorted[kill_chain_name] = sorted(
+                        list(kill_chain_phases),
+                        key=kill_chain_order_sort_order[kill_chain_order_sort_order_key].index)
+                except ValueError as e:
+                    print("ERROR:")
+                    print(f"- Kill chain: {kill_chain_name}")
+                    print(f"- Kill chain phases: {kill_chain_phases}")
+                    print(f"- Kill chain order sort order: {kill_chain_order_sort_order[kill_chain_order_sort_order_key]}")
+                    exit(f"ERROR: kill_chain_order_sort_order does not contain a key for {kill_chain_name} - {e}. Please add it manually in the code.")
+
+    if kill_chain_order_sorted:
+        file_data_galaxy['kill_chain_order'] = dict(sorted(kill_chain_order_sorted.items()))
+        file_data_galaxy['version'] += 1
+    with open(fname_galaxy, 'w') as f_galaxy:
+        json.dump(file_data_galaxy, f_galaxy, indent=2, sort_keys=True, ensure_ascii=False)
+        f_galaxy.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+
 print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

tools/gen_mitre_atlas.py

@@ -0,0 +1,200 @@
+#!/usr/bin/env python3
+import json
+import re
+import os
+import argparse
+
+parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with MITRE ATLAS - Adversarial Threat Landscape for Artificial-Intelligence Systems\nMust be in the tools folder')
+parser.add_argument("-p", "--path", required=True, help="Path of the mitre atlas-navigator-data folder")
+
+args = parser.parse_args()
+
+values = []
+misp_dir = '../'
+
+
+# domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
+types = ['attack-pattern', 'course-of-action']
+mitre_sources = ['mitre-atlas']
+
+all_data = {}  # variable that will contain everything
+
+# read in the non-MITRE data
+# we need this to be able to build a list of non-MITRE-UUIDs which we will use later on
+# to remove relations that are from MITRE.
+# the reasoning is that the new MITRE export might contain less relationships than it did before
+# so we cannot migrate all existing relationships as such
+non_mitre_uuids = set()
+for fname in os.listdir(os.path.join(misp_dir, 'clusters')):
+    if 'mitre' in fname:
+        continue
+    if '.json' in fname:
+        # print(fname)
+        with open(os.path.join(misp_dir, 'clusters', fname)) as f_in:
+            cluster_data = json.load(f_in)
+            for cluster in cluster_data['values']:
+                non_mitre_uuids.add(cluster['uuid'])
+
+# read in existing MITRE data
+# first build a data set of the MISP Galaxy ATT&CK elements by using the UUID as reference, this speeds up lookups later on.
+# at the end we will convert everything again to separate datasets
+all_data_uuid = {}
+
+for t in types:
+    fname = os.path.join(misp_dir, 'clusters', 'mitre-atlas-{}.json'.format(t))
+    if os.path.exists(fname):
+        # print("##### {}".format(fname))
+        with open(fname) as f:
+            file_data = json.load(f)
+        # print(file_data)
+        for value in file_data['values']:
+            # remove (old)MITRE relations, and keep non-MITRE relations
+            if 'related' in value:
+                related_original = value['related']
+                related_new = []
+                for rel in related_original:
+                    if rel['dest-uuid'] in non_mitre_uuids:
+                        related_new.append(rel)
+                value['related'] = related_new
+            # find and handle duplicate uuids
+            if value['uuid'] in all_data_uuid:
+                # exit("ERROR: Something is really wrong, we seem to have duplicates.")
+                # if it already exists we need to copy over all the data manually to merge it
+                # on the other hand, from a manual analysis it looks like it's mostly the relations that are different
+                # so now we will just copy over the relationships
+                # actually, at time of writing the code below results in no change as the new items always contained more than the previously seen items
+                value_orig = all_data_uuid[value['uuid']]
+                if 'related' in value_orig:
+                    for related_item in value_orig['related']:
+                        if related_item not in value['related']:
+                            value['related'].append(related_item)
+            all_data_uuid[value['uuid']] = value
+
+# now load the MITRE ATT&CK
+
+attack_dir = os.path.join(args.path, 'dist')
+if not os.path.exists(attack_dir):
+    exit("ERROR: MITRE ATT&CK folder incorrect")
+
+with open(os.path.join(attack_dir, 'stix-atlas.json')) as f:
+    attack_data = json.load(f)
+
+for item in attack_data['objects']:
+    if item['type'] not in types:
+        continue
+
+    # print(json.dumps(item, indent=2, sort_keys=True, ensure_ascii=False))
+    try:
+        # build the new data structure
+        value = {}
+        uuid = re.search('--(.*)$', item['id']).group(0)[2:]
+        # item exist already in the all_data set
+        update = False
+        if uuid in all_data_uuid:
+            value = all_data_uuid[uuid]
+
+        if 'description' in item:
+            value['description'] = item['description']
+        value['value'] = item['name']
+        value['meta'] = {}
+        value['meta']['refs'] = []
+        value['uuid'] = re.search('--(.*)$', item['id']).group(0)[2:]
+
+        for reference in item['external_references']:
+            if 'url' in reference and reference['url'] not in value['meta']['refs']:
+                value['meta']['refs'].append(reference['url'])
+            # Find Mitre external IDs from allowed sources
+            if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
+                value['meta']['external_id'] = reference['external_id']
+        if not value['meta'].get('external_id', None):
+            # dataset also contains MITRE ATT&CK, whenever we don't find external ID from the allowed sources it's a sign that the entry is not of the type of interest
+            continue
+            # exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
+            #     json.dumps(item['external_references'])
+            # ))
+
+        if 'kill_chain_phases' in item:   # many (but not all) attack-patterns have this
+            value['meta']['kill_chain'] = []
+            for killchain in item['kill_chain_phases']:
+                value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':' + killchain['phase_name'])
+        if 'x_mitre_data_sources' in item:
+            value['meta']['mitre_data_sources'] = item['x_mitre_data_sources']
+        if 'x_mitre_platforms' in item:
+            value['meta']['mitre_platforms'] = item['x_mitre_platforms']
+        # TODO add the other x_mitre elements dynamically
+
+        # relationships will be build separately afterwards
+        value['type'] = item['type']  # remove this before dump to json
+        # print(json.dumps(value, sort_keys=True, indent=2))
+
+        all_data_uuid[uuid] = value
+
+    except Exception:
+        print(json.dumps(item, sort_keys=True, indent=2))
+        import traceback
+        traceback.print_exc()
+
+# process the 'relationship' type as we now know the existence of all ATT&CK uuids
+for item in attack_data['objects']:
+    if item['type'] != 'relationship':
+        continue
+    # print(json.dumps(item, indent=2, sort_keys=True, ensure_ascii=False))
+
+    rel_type = item['relationship_type']
+    dest_uuid = re.findall(r'--([0-9a-f-]+)', item['target_ref']).pop()
+    source_uuid = re.findall(r'--([0-9a-f-]+)', item['source_ref']).pop()
+    tags = []
+
+    # add the relation in the defined way
+    rel_source = {
+        "dest-uuid": dest_uuid,
+        "type": rel_type
+    }
+    if rel_type != 'subtechnique-of':
+        rel_source['tags'] = [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+        ]
+    try:
+        if 'related' not in all_data_uuid[source_uuid]:
+            all_data_uuid[source_uuid]['related'] = []
+        if rel_source not in all_data_uuid[source_uuid]['related']:
+            all_data_uuid[source_uuid]['related'].append(rel_source)
+    except KeyError:
+        pass  # ignore relations from which we do not know the source
+
+    # LATER find the opposite word of "rel_type" and build the relation in the opposite direction
+
+
+# dump all_data to their respective file
+for t in types:
+    fname = os.path.join(misp_dir, 'clusters', 'mitre-atlas-{}.json'.format(t))
+    if not os.path.exists(fname):
+        exit("File {} does not exist, this is unexpected.".format(fname))
+    with open(fname) as f:
+        file_data = json.load(f)
+
+    file_data['values'] = []
+    for item in all_data_uuid.values():
+        # print(json.dumps(item, sort_keys=True, indent=2))
+        if 'type' not in item or item['type'] != t:  # drop old data or not from the right type
+            continue
+        item_2 = item.copy()
+        item_2.pop('type', None)
+        file_data['values'].append(item_2)
+
+    # FIXME the sort algo needs to be further improved, potentially with a recursive deep sort
+    file_data['values'] = sorted(file_data['values'], key=lambda x: x['meta']['external_id'])
+    for item in file_data['values']:
+        if 'related' in item:
+            item['related'] = sorted(item['related'], key=lambda x: x['dest-uuid'])
+        if 'meta' in item:
+            if 'refs' in item['meta']:
+                item['meta']['refs'] = sorted(item['meta']['refs'])
+            if 'mitre_data_sources' in item['meta']:
+                item['meta']['mitre_data_sources'] = sorted(item['meta']['mitre_data_sources'])
+    file_data['version'] += 1
+    with open(fname, 'w') as f:
+        json.dump(file_data, f, indent=2, sort_keys=True, ensure_ascii=False)
+        f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

tools/gen_ms_atrm.py

@@ -84,7 +84,7 @@ json_galaxy = {
     },
     'name': "Azure Threat Research Matrix",
     'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
-    'namespace': "atrm",
+    'namespace': "microsoft",
     'type': "atrm",
     'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
     'version': 1

tools/gen_ms_tmss.py

@@ -0,0 +1,149 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+#    A simple convertor of the Threat Matrix for storage services to a MISP Galaxy datastructure.
+#    Copyright (C) 2022 Christophe Vandeplas
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import yaml
+import os
+import uuid
+import re
+import json
+
+import argparse
+
+parser = argparse.ArgumentParser(description='Create/update the Threat Matrix for storage services based on Markdown files.')
+parser.add_argument("-p", "--path", required=True, help="Path of the 'Threat Matrix for storage services' git clone folder")
+
+args = parser.parse_args()
+
+if not os.path.exists(args.path):
+    exit("ERROR: Threat Matrix for storage services folder incorrect")
+
+with open(os.path.join(args.path, 'mkdocs.yml'), 'r') as f:
+    mkdocs_data = yaml.load(f, Loader=yaml.BaseLoader)
+
+tactics = []
+clusters = {}
+
+def find_mitre_uuid_from_technique_id(technique_id):
+    with open('../clusters/mitre-attack-pattern.json', 'r') as mitre_f:
+        mitre = json.load(mitre_f)
+        for item in mitre['values']:
+            if item['meta']['external_id'] == technique_id:
+                return item['uuid']
+    return None
+
+for nav_item in mkdocs_data['nav']:
+    try:
+        for tact_item in nav_item['Tactics']:
+            try:
+                tactic = next(iter(tact_item.keys()))
+                tactics.append(tactic)
+                for techn_items in tact_item[tactic]:
+                    try:
+                        # for techn_fname in techn_items['Techniques']:
+                        for technique_name, fname in techn_items.items():
+                            description_lst = []
+                            with open(os.path.join(args.path, 'docs', fname), 'r') as technique_f:
+                                # find the short description, residing between the main title (#) and next title (!!!) or table (|)
+                                technique_f_lines = technique_f.read()
+                                description = technique_f_lines.split('\n')[-2].strip()
+                                technique_id = re.search(r'ID: (MS-T[0-9]+)', technique_f_lines).group(1)
+                                try:
+                                    # make relationship to MITRE ATT&CK
+                                    mitre_technique_id = re.search(r'MITRE technique: \[(T[0-9]+)\]', technique_f_lines).group(1)
+                                    mitre_technique_uuid = find_mitre_uuid_from_technique_id(mitre_technique_id)
+                                    related = [
+                                        {
+                                          "dest-uuid": mitre_technique_uuid,
+                                          "type": "related-to"
+                                        }
+                                    ]
+                                except AttributeError:
+                                    mitre_technique_uuid = None
+                                    pass
+                            # print(f"{tactic} / {technique} / {description}")
+                            technique = f'{technique_id} - {technique_name}'
+                            if technique not in clusters:
+                                clusters[technique] = {
+                                    'value': technique,
+                                    'description': description,
+                                    'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), technique)),
+                                    'meta': {
+                                        'kill_chain': [],
+                                        'refs': [f"https://microsoft.github.io/Threat-matrix-for-storage-services/{fname[:-3]}"],
+                                        'external_id': technique_id
+                                    }
+                                }
+                                if mitre_technique_uuid:
+                                    clusters[technique]['related'] = related
+                            clusters[technique]['meta']['kill_chain'].append(f"TMSS-tactics:{tactic}")
+                    except KeyError:
+                        continue
+                    except AttributeError:
+                        continue
+            except AttributeError:  # skip lines that have no field/value
+                continue
+        break
+    except KeyError:
+        continue
+
+galaxy_type = "tmss"
+galaxy_name = "Threat Matrix for storage services"
+galaxy_description = 'Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.'
+galaxy_source = 'https://github.com/microsoft/Threat-matrix-for-storage-services'
+json_galaxy = {
+    'icon': "map",
+    'kill_chain_order': {
+        'TMSS-tactics': tactics
+    },
+    'name': galaxy_name,
+    'description': galaxy_description,
+    'namespace': "microsoft",
+    'type': galaxy_type,
+    'uuid': "d6532b58-99e0-44a9-93c8-affe055e4443",
+    'version': 1
+}
+
+json_cluster = {
+    'authors': ["Microsoft"],
+    'category': 'tmss',
+    'name': galaxy_name,
+    'description': galaxy_description,
+    'source': galaxy_source,
+    'type': galaxy_type,
+    'uuid': "aaf033a6-7f1e-45ab-beef-20a52b75b641",
+    'values': list(clusters.values()),
+    'version': 1
+}
+# add authors based on the Acknowledgements page
+authors = ('Evgeny Bogokovsky', 'Ram Pliskin')
+for author in authors:
+    json_cluster['authors'].append(author)
+
+
+# save the Galaxy and Cluster file
+with open(os.path.join('..', 'galaxies', 'tmss.json'), 'w') as f:
+    json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+with open(os.path.join('..', 'clusters', 'tmss.json'), 'w') as f:
+    json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

tools/gen_ukhsa_culture_collections.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#    A simple convertor of the UK Health Security Agency Culture Collections
+#    to a MISP Galaxy datastructure.
+#    Copyright (C) 2024 MISP Project
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+import os
+import json
+import requests
+import uuid
+
+'''
+From https://www.culturecollections.org.uk/search/?searchScope=Product&pageNumber=1&filter.collectionGroup=0&filter.collection=0&filter.sorting=DateCreated
+JSON is loaded, needs to be paginated
+
+Culturecollections.org.uk is published under the Open Government Licence, allowing the reproduction of information as
+long as the license terms are obeyed. Material on this website is subject to Crown copyright protection unless otherwise
+indicated. Users should be aware that information provided to third parties through feeds may be edited or cached, and
+we do not guarantee the accuracy of such third-party products.
+https://www.culturecollections.org.uk/training-and-support/policies/terms-and-conditions-of-use/
+
+The Culture Collections represent deposits of cultures from world-wide sources. While every effort is made to ensure
+details distributed by Culture Collections are accurate, Culture Collections cannot be held responsible for any
+inaccuracies in the data supplied. References where quoted are mainly attributed to the establishment of the cell
+culture and not for any specific property of the cell line, therefore further references should be obtained regarding
+cell culture characteristics. Passage numbers where given act only as a guide and Culture Collections does not guarantee
+the passage number stated will be the passage number received by the customer.
+'''
+
+def download_items():
+    data = {'items': [],
+            'collections': {},
+            'collection_groups': {}}
+    page_number = 1
+    page_number_max = None
+    while True:
+        url = 'https://www.culturecollections.org.uk/umbraco/api/searchApi/getSearchResults?searchParams={"searchText":"","searchScope":"Product","pageNumber":' + str(page_number) + ',"filter":{"collectionGroup":"0","collection":"0","facets":{},"sorting":"DateCreated"}}'
+        page_resp = requests.get(url)
+        page_resp.encoding = 'utf-8-sig'
+        page_data = page_resp.json()
+        page_number_max = page_data['pagination']['totalPages']
+
+        for c in page_data['filter']['collections']['aggregationItems']:
+            data['collections'][int(c['value'])] = c['title']
+        for cg in page_data['filter']['collectionGroups']['aggregationItems']:
+            data['collection_groups'][int(cg['value'])] = cg['title']
+        for item in page_data['items']:
+            item['collection'] = data['collections'][item['collectionId']]
+        data['items'].extend(page_data['items'])
+        print(f"Fetching page {page_number}/{page_number_max}: ", end="")
+        print(f"items size is now {len(data['items'])} as I extended with {len(page_data['items'])} items.")
+        if page_number >= page_number_max:
+            break
+        page_number += 1
+    return data
+
+
+def save_items(d):
+    with open('items.json', 'w') as f:
+        json.dump(d, f, indent=2, sort_keys=True)
+    return True
+
+def load_saved_items():
+    with open('items.json', 'r') as f:
+        d = json.load(f)
+    return d
+
+data = download_items()
+# save_items(data)
+# data = load_saved_items()
+
+clusters_dict = {}
+for item in data['items']:
+    # create a cluster
+    cluster = {
+        'value': f"{item['name']}",
+        'uuid': str(uuid.uuid5(uuid.UUID("bbe11c06-1d6a-477e-88f1-cdda2d71de56"), item['name'])),
+        'meta': {
+            'refs': [item['url']],
+            'external_id': [item['catalogueNumber']]
+        }
+    }
+    # add all properties of the culture
+    for p in item['properties']:
+        if p['value']:
+            p_name = p['name'].lower().replace(' ', '_')
+            if p['name'] not in cluster['meta']:
+                cluster['meta'][p_name] = []
+            cluster['meta'][p_name].append(p['value'])
+    # merge if the collection already exists
+    if cluster['value'] in clusters_dict:
+        clusters_dict[cluster['value']]['meta']['refs'].extend(cluster['meta']['refs'])
+        clusters_dict[cluster['value']]['meta']['external_id'].extend(cluster['meta']['external_id'])
+    else:
+        clusters_dict[cluster['value']] = cluster
+
+# transform dict to list
+clusters = []
+for item in clusters_dict.values():
+    clusters.append(item)
+
+
+json_galaxy = {
+    'icon': "virus",
+    'name': "UKHSA Culture Collections",
+    'description': "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
+    'namespace': "gov.uk",
+    'type': "ukhsa-culture-collections",
+    'uuid': "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
+    'version': 1
+}
+
+with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'r') as f:
+    json_cluster = json.load(f)
+json_cluster['values'] = clusters
+json_cluster['version'] += 1
+
+# save the Galaxy and Cluster file
+with open(os.path.join('..', 'galaxies', 'ukhsa-culture-collections.json'), 'w') as f:
+    json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'w') as f:
+    json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
+    f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

tools/generate_naics_clusters.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+#Used to generate naics galaxy clusters; takes naics.csv as entry
+#naics.csv is extract from [2022]_NAICS_Structure.xlsx and only uses the 2022 NAICS Code and 2022 NAICS Title columns, without title.
+#Note 1 : This only generate the file for the "clusters" folder
+#Note 2 : The generated file needs to pass the jq_all_the_thigs.sh script to be in the corresponding information
+#Note 3 : New uuids are generated on every run
+
+import json
+import csv
+import uuid
+
+galaxy={}
+galaxy['description']="The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production)."
+galaxy['name']="NAICS"
+galaxy['source']="North American Industry Classification System - NAICS"
+galaxy['type']="naics"
+galaxy['uuid']="b73ecad4-6529-4625-8c4f-ee3ef703a72a"
+galaxy['version']=2022  #Change when updating
+galaxy['authors']=[]
+galaxy['authors'].append("Executive Office of the President Office of Management and Budget")
+galaxy['category']="sector"
+
+values = []
+
+with open('naics.csv', newline='') as csvfile:
+    reader = csv.reader(csvfile, delimiter=',', quotechar='"')
+    for row in reader:
+        #Cluster creation
+        cluster = {}
+        cluster['value']=row[0]
+        cluster['description']=row[1].strip()
+        cluster['uuid']=str(uuid.uuid4())
+        cluster['related']=[]
+
+        values.append(cluster)
+
+        #Relationsship preparation (Yes it's crappy but at least it works as intended ¯\_(ツ)_/¯)
+        relationparent={}
+        relationparent['tags']=[]
+        relationparent['tags'].append("estimative-language:likelihood-probability=\"likely\"")
+        relationparent['type']="parent-of"
+
+        relationchild={}
+        relationchild['tags']=[]
+        relationchild['tags'].append("estimative-language:likelihood-probability=\"likely\"")
+        relationchild['type']="child-of"
+
+        relationsiblings={}
+        relationsiblings['tags']=[]
+        relationsiblings['tags'].append("estimative-language:likelihood-probability=\"likely\"")
+        relationsiblings['type']="similar"
+
+        relationsiblings2={}
+        relationsiblings2['tags']=[]
+        relationsiblings2['tags'].append("estimative-language:likelihood-probability=\"likely\"")
+        relationsiblings2['type']="similar"
+
+        #Building relationships
+        if len(cluster['value']) > 2:               #2 digit codes have no parents
+            if len(cluster['value']) == 6:          #specific case of 6 digit codes, parent have only 4 digits
+                for value in values:
+                    if value['value'] == cluster['value'][0:len(cluster['value'])-2]:
+                        relationchild['dest-uuid']=value['uuid']
+                        cluster['related'].append(relationchild)
+
+                        relationparent['dest-uuid']=cluster['uuid']
+                        value['related'].append(relationparent)
+                        break
+
+                if cluster['value'][5] == "0":      #If a 6 digit code ends with 0, it has a similar/identical 5 digit code
+                    for value in values:
+                        if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
+                            relationsiblings['dest-uuid']=value['uuid']
+                            cluster['related'].append(relationsiblings)
+
+                            relationsiblings2['dest-uuid']=cluster['uuid']
+                            value['related'].append(relationsiblings2)
+                            break
+
+
+
+            else:                                   #All other cases (codes with 3 to 5 digits)
+                for value in values:
+                    if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
+                        relationchild['dest-uuid']=value['uuid']
+                        cluster['related'].append(relationchild)
+
+                        relationparent['dest-uuid']=cluster['uuid']
+                        value['related'].append(relationparent)
+                        break
+
+
+
+galaxy['values']=values
+
+tojson = json.dumps(galaxy, indent=2)
+jsonFile = open("naisc_cluster.json", "w")
+jsonFile.write(tojson)
+jsonFile.close()

tools/mkdocs/.gitignore

@@ -0,0 +1,4 @@
+/site/docs/*
+!/site/docs/01_attachements
+
+/site/site

tools/mkdocs/build.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+requirements_path="requirements.txt"
+
+pip freeze > installed.txt
+diff -u <(sort $requirements_path) <(sort installed.txt)
+
+if [ $? -eq 0 ]; then
+    echo "All dependencies are installed with correct versions."
+else
+    echo "Dependencies missing or with incorrect versions. Please install all dependencies from $requirements_path into your environment."
+    rm installed.txt # Clean up
+#    exit 1
+fi
+
+rm installed.txt # Clean up
+
+python3 generator.py
+cd ./site/ || exit
+mkdocs build
+rsync --include ".*" -avh --delete -rz --checksum site/ circl@cppz.circl.lu:/var/www/misp-galaxy.org

tools/mkdocs/generator.py

@@ -0,0 +1,172 @@
+from modules.universe import Universe
+from modules.site import IndexSite, StatisticsSite
+from utils.helper import generate_relations_table
+
+import multiprocessing
+from multiprocessing import Pool
+
+from concurrent.futures import ThreadPoolExecutor
+
+import json
+import os
+import time
+import sys
+
+sys.setrecursionlimit(10000)
+
+FILES_TO_IGNORE = []
+CLUSTER_PATH = "../../clusters"
+SITE_PATH = "./site/docs"
+GALAXY_PATH = "../../galaxies"
+
+
+def write_relations_table(cluster):
+    if cluster.relationships:
+        print(f"Writing {cluster.uuid}.md")
+        with open(os.path.join(relation_path, f"{cluster.uuid}.md"), "w") as index:
+            index.write(generate_relations_table(cluster))
+
+
+def get_cluster_relationships(cluster_data):
+    galaxy, cluster = cluster_data
+    relationships = universe.get_relationships_with_levels(
+        universe.galaxies[galaxy].clusters[cluster]
+    )
+    print(f"Processed {galaxy}, {cluster}")
+    return cluster, galaxy, relationships
+
+
+def get_deprecated_galaxy_files():
+    deprecated_galaxy_files = []
+    for f in os.listdir(GALAXY_PATH):
+        with open(os.path.join(GALAXY_PATH, f)) as fr:
+            galaxy_json = json.load(fr)
+            if "namespace" in galaxy_json and galaxy_json["namespace"] == "deprecated":
+                deprecated_galaxy_files.append(f)
+
+    return deprecated_galaxy_files
+
+
+if __name__ == "__main__":
+    start_time = time.time()
+    universe = Universe()
+
+    FILES_TO_IGNORE.extend(get_deprecated_galaxy_files())
+    galaxies_fnames = []
+    for f in os.listdir(CLUSTER_PATH):
+        if ".json" in f and f not in FILES_TO_IGNORE:
+            galaxies_fnames.append(f)
+    galaxies_fnames.sort()
+
+    # Create the universe of clusters and galaxies
+    for galaxy in galaxies_fnames:
+        with open(os.path.join(CLUSTER_PATH, galaxy)) as fr:
+            galaxy_json = json.load(fr)
+            universe.add_galaxy(
+                galaxy_name=galaxy_json["name"],
+                json_file_name=galaxy,
+                authors=galaxy_json["authors"],
+                description=galaxy_json["description"],
+            )
+            for cluster in galaxy_json["values"]:
+                universe.add_cluster(
+                    galaxy_name=galaxy_json.get("name", None),
+                    uuid=cluster.get("uuid", None),
+                    description=cluster.get("description", None),
+                    value=cluster.get("value", None),
+                    meta=cluster.get("meta", None),
+                )
+
+    # Define the relationships between clusters
+    for galaxy in galaxies_fnames:
+        with open(os.path.join(CLUSTER_PATH, galaxy)) as fr:
+            galaxy_json = json.load(fr)
+            for cluster in galaxy_json["values"]:
+                if "related" in cluster:
+                    for related in cluster["related"]:
+                        universe.define_relationship(
+                            cluster["uuid"], related["dest-uuid"]
+                        )
+
+    tasks = []
+    for galaxy_name, galaxy in universe.galaxies.items():
+        for cluster_name, cluster in galaxy.clusters.items():
+            tasks.append((galaxy_name, cluster_name))
+
+    with Pool(processes=multiprocessing.cpu_count()) as pool:
+        result = pool.map(get_cluster_relationships, tasks)
+
+    for cluster, galaxy, relationships in result:
+        universe.galaxies[galaxy].clusters[cluster].relationships = relationships
+
+    print("All clusters processed.")
+
+    print(f"Finished relations in {time.time() - start_time} seconds")
+
+    # Write output
+    if not os.path.exists(SITE_PATH):
+        os.mkdir(SITE_PATH)
+
+    index = IndexSite(SITE_PATH)
+    index.add_content(
+        "# MISP Galaxy\n\nThe MISP galaxy offers a streamlined approach for representing large entities, known as clusters, which can be linked to MISP events or attributes. Each cluster consists of one or more elements, represented as key-value pairs. MISP galaxy comes with a default knowledge base, encompassing areas like Threat Actors, Tools, Ransomware, and ATT&CK matrices. However, users have the flexibility to modify, update, replace, or share these elements according to their needs.\n\nClusters and vocabularies within MISP galaxy can be utilized in their original form or as a foundational knowledge base. The distribution settings for each cluster can be adjusted, allowing for either restricted or wide dissemination.\n\nAdditionally, MISP galaxies enable the representation of existing standards like the MITRE ATT&CK™ framework, as well as custom matrices.\n\nThe aim is to provide a core set of clusters for organizations embarking on analysis, which can be further tailored to include localized, private information or additional, shareable data.\n\nClusters serve as an open and freely accessible knowledge base, which can be utilized and expanded within [MISP](https://www.misp-project.org/) or other threat intelligence platforms.\n\n![Overview of the integration of MISP galaxy in the MISP Threat Intelligence Sharing Platform](https://raw.githubusercontent.com/MISP/misp-galaxy/aa41337fd78946a60aef3783f58f337d2342430a/doc/images/galaxy.png)\n\n## Publicly available clusters\n"
+    )
+    index.add_toc(universe.galaxies.values())
+    index.add_content(
+        "## Statistics\n\nYou can find some statistics about MISP galaxies [here](./statistics.md).\n\n"
+    )
+    index.add_content(
+        "# Contributing\n\nIn the dynamic realm of threat intelligence, a variety of models and approaches exist to systematically organize, categorize, and delineate threat actors, hazards, or activity groups. We embrace innovative methodologies for articulating threat intelligence. The galaxy model is particularly versatile, enabling you to leverage and integrate methodologies that you trust and are already utilizing within your organization or community.\n\nWe encourage collaboration and contributions to the [MISP Galaxy JSON files](https://github.com/MISP/misp-galaxy/). Feel free to fork the project, enhance existing elements or clusters, or introduce new ones. Your insights are valuable - share them with us through a pull-request.\n"
+    )
+    index.write_entry()
+
+    statistics = StatisticsSite(SITE_PATH)
+    statistics.add_content("# MISP Galaxy Statistics\n\n")
+    statistics.add_cluster_statistics(
+        len(
+            [
+                cluster
+                for galaxy in universe.galaxies.values()
+                for cluster in galaxy.clusters.values()
+            ]
+        ),
+        len(universe.private_clusters),
+    )
+    statistics.add_galaxy_statistics(universe.galaxies.values())
+    statistics.add_relation_statistics(
+        [
+            cluster
+            for galaxy in universe.galaxies.values()
+            for cluster in galaxy.clusters.values()
+        ]
+    )
+    statistics.add_synonym_statistics(
+        [
+            cluster
+            for galaxy in universe.galaxies.values()
+            for cluster in galaxy.clusters.values()
+        ]
+    )
+    statistics.write_entry()
+
+    for galaxy in universe.galaxies.values():
+        galaxy.write_entry(SITE_PATH)
+
+    for galaxy in universe.galaxies.values():
+        galaxy_path = os.path.join(
+            SITE_PATH, f"{galaxy.json_file_name}".replace(".json", "")
+        )
+        if not os.path.exists(galaxy_path):
+            os.mkdir(galaxy_path)
+        relation_path = os.path.join(galaxy_path, "relations")
+        if not os.path.exists(relation_path):
+            os.mkdir(relation_path)
+        with open(os.path.join(relation_path, ".pages"), "w") as index:
+            index.write(f"hide: true\n")
+
+        with ThreadPoolExecutor(
+            max_workers=(multiprocessing.cpu_count() * 4)
+        ) as executor:
+            executor.map(write_relations_table, galaxy.clusters.values())
+
+    print(f"Finished in {time.time() - start_time} seconds")

tools/mkdocs/modules/cluster.py

@@ -0,0 +1,110 @@
+import validators
+
+
+class Cluster:
+    def __init__(self, uuid, galaxy, description=None, value=None, meta=None):
+        self.uuid = uuid
+        self.description = description
+        self.value = value
+        self.meta = meta
+
+        self.galaxy = galaxy  # Reference to the Galaxy object this cluster belongs to
+        self.outbound_relationships = set()
+        self.inbound_relationships = set()
+        self.relationships = set()
+
+    def add_outbound_relationship(self, cluster):
+        self.outbound_relationships.add(cluster)
+
+    def add_inbound_relationship(self, cluster):
+        self.inbound_relationships.add(cluster)
+
+    def save_relationships(self, relationships):
+        self.relationships = relationships
+
+    def generate_entry(self):
+        entry = ""
+        entry += self._create_title_entry()
+        entry += self._create_description_entry()
+        entry += self._create_synonyms_entry()
+        entry += self._create_uuid_entry()
+        entry += self._create_refs_entry()
+        entry += self._create_associated_metadata_entry()
+        if self.relationships:
+            entry += self._create_related_entry()
+        return entry
+
+    def _create_title_entry(self):
+        entry = ""
+        entry += f"## {self.value}\n"
+        entry += f"\n"
+        return entry
+
+    def _create_description_entry(self):
+        entry = ""
+        if self.description:
+            entry += f"{self.description}\n"
+        return entry
+
+    def _create_synonyms_entry(self):
+        entry = ""
+        if isinstance(self.meta, dict) and self.meta.get("synonyms"):
+            entry += f"\n"
+            entry += f'??? info "Synonyms"\n'
+            entry += f"\n"
+            entry += f'     "synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular {self.value}.\n\n'
+            entry += f"    | Known Synonyms      |\n"
+            entry += f"    |---------------------|\n"
+            synonyms_count = 0
+            for synonym in sorted(self.meta["synonyms"]):
+                synonyms_count += 1
+                entry += f"     | `{synonym}`      |\n"
+        return entry
+
+    def _create_uuid_entry(self):
+        entry = ""
+        if self.uuid:
+            entry += f"\n"
+            entry += f'??? tip "Internal MISP references"\n'
+            entry += f"\n"
+            entry += f"    UUID `{self.uuid}` which can be used as unique global reference for `{self.value}` in MISP communities and other software using the MISP galaxy\n"
+            entry += f"\n"
+        return entry
+
+    def _create_refs_entry(self):
+        entry = ""
+        if isinstance(self.meta, dict) and self.meta.get("refs"):
+            entry += f"\n"
+            entry += f'??? info "External references"\n'
+            entry += f"\n"
+
+            for ref in self.meta["refs"]:
+                if validators.url(ref):
+                    entry += f"     - [{ref}]({ref}) - :material-archive: :material-arrow-right: [webarchive](https://web.archive.org/web/*/{ref})\n"
+                else:
+                    entry += f"     - {ref}\n"
+
+            entry += f"\n"
+        return entry
+
+    def _create_associated_metadata_entry(self):
+        entry = ""
+        if isinstance(self.meta, dict):
+            excluded_meta = ["synonyms", "refs"]
+            entry += f"\n"
+            entry += f'??? info "Associated metadata"\n'
+            entry += f"\n"
+            entry += f"    |Metadata key {{ .no-filter }}      |Value|\n"
+            entry += f"    |-----------------------------------|-----|\n"
+            for meta in sorted(self.meta.keys()):
+                if meta not in excluded_meta:
+                    entry += f"    | {meta} | {self.meta[meta]} |\n"
+        return entry
+
+    def _create_related_entry(self):
+        entry = ""
+        entry += f"\n"
+        entry += f'??? info "Related clusters"\n'
+        entry += f"\n"
+        entry += f"    To see the related clusters, click [here](./relations/{self.uuid}.md).\n"
+        return entry

tools/mkdocs/modules/galaxy.py

@@ -0,0 +1,82 @@
+from modules.cluster import Cluster
+from typing import List
+import os
+
+
+class Galaxy:
+    def __init__(
+        self,
+        galaxy_name: str,
+        json_file_name: str,
+        authors: List[str],
+        description: str,
+    ):
+        self.galaxy_name = galaxy_name
+        self.json_file_name = json_file_name
+        self.authors = authors
+        self.description = description
+
+        self.clusters = {}  # Maps uuid to Cluster objects
+
+    def add_cluster(self, uuid, description, value, meta):
+        if uuid not in self.clusters:
+            self.clusters[uuid] = Cluster(
+                uuid=uuid, galaxy=self, description=description, value=value, meta=meta
+            )
+
+    def write_entry(self, path):
+        galaxy_path = os.path.join(path, f"{self.json_file_name}".replace(".json", ""))
+        if not os.path.exists(galaxy_path):
+            os.mkdir(galaxy_path)
+        with open(os.path.join(galaxy_path, "index.md"), "w") as index:
+            index.write(self.generate_entry())
+
+    def generate_entry(self):
+        entry = ""
+        entry += self._create_metadata_entry()
+        entry += self._create_title_entry()
+        entry += self._create_description_entry()
+        entry += self._create_authors_entry()
+        entry += self._create_clusters_entry()
+        return entry
+
+    def _create_metadata_entry(self):
+        entry = ""
+        entry += "---\n"
+        entry += f"title: {self.galaxy_name}\n"
+        meta_description = self.description.replace('"', "-")
+        entry += f"description: {meta_description}\n"
+        entry += "---\n"
+        return entry
+
+    def _create_title_entry(self):
+        entry = ""
+        entry += f"[Hide Navigation](#){{ .md-button #toggle-navigation }}\n"
+        entry += f"[Hide TOC](#){{ .md-button #toggle-toc }}\n"
+        entry += f"<div class=\"clearfix\"></div>\n"
+        entry += f"[Edit :material-pencil:](https://github.com/MISP/misp-galaxy/edit/main/clusters/{self.json_file_name}){{ .md-button }}\n"
+        entry += f"# {self.galaxy_name}\n"
+        return entry
+
+    def _create_description_entry(self):
+        entry = ""
+        entry += f"{self.description}\n"
+        return entry
+
+    def _create_authors_entry(self):
+        entry = ""
+        if self.authors:
+            entry += f"\n"
+            entry += f'??? info "Authors"\n'
+            entry += f"\n"
+            entry += f"     | Authors and/or Contributors|\n"
+            entry += f"     |----------------------------|\n"
+            for author in self.authors:
+                entry += f"     |{author}|\n"
+        return entry
+
+    def _create_clusters_entry(self):
+        entry = ""
+        for cluster in self.clusters.values():
+            entry += cluster.generate_entry()
+        return entry

tools/mkdocs/modules/site.py

@@ -0,0 +1,117 @@
+import os
+
+from utils.helper import create_bar_chart, get_top_x, create_pie_chart
+
+
+class Site:
+    def __init__(self, path, name) -> None:
+        self.path = path
+        self.name = name
+        self.content = '[Hide Navigation](#){ .md-button #toggle-navigation }\n[Hide TOC](#){ .md-button #toggle-toc }\n<div class="clearfix"></div> \n\n'
+
+    def add_content(self, content):
+        self.content += content
+
+    def write_entry(self):
+        if not os.path.exists(self.path):
+            os.makedirs(self.path)
+        with open(os.path.join(self.path, self.name), "w") as index:
+            index.write(self.content)
+
+
+class IndexSite(Site):
+    def __init__(self, path) -> None:
+        super().__init__(path=path, name="index.md")
+
+    def add_toc(self, galaxies):
+        for galaxy in galaxies:
+            galaxy_folder = galaxy.json_file_name.replace(".json", "")
+            self.add_content(f"- [{galaxy.galaxy_name}](./{galaxy_folder}/index.md)\n")
+            self.add_content("\n")
+
+
+class StatisticsSite(Site):
+    def __init__(self, path) -> None:
+        super().__init__(path=path, name="statistics.md")
+
+    def add_galaxy_statistics(self, galaxies):
+        galaxy_cluster_count = {galaxy: len(galaxy.clusters) for galaxy in galaxies}
+        top_20 = get_top_x(galaxy_cluster_count, 20)
+        flop_20 = get_top_x(galaxy_cluster_count, 20, False)
+        self.add_content(f"# Galaxy statistics\n")
+        self.add_content(f"## Galaxies with the most clusters\n\n")
+        self.add_content(
+            create_bar_chart(
+                x_axis="Galaxy", y_axis="Count", values=top_20, galaxy=True
+            )
+        )
+        self.add_content(f"## Galaxies with the least clusters\n\n")
+        self.add_content(
+            create_bar_chart(
+                x_axis="Galaxy", y_axis="Count", values=flop_20, galaxy=True
+            )
+        )
+
+    def add_cluster_statistics(self, public_clusters, private_clusters):
+        values = {
+            "Public clusters": public_clusters,
+            "Private clusters": private_clusters,
+        }
+        self.add_content(f"# Cluster statistics\n")
+        self.add_content(f"## Number of clusters\n")
+        self.add_content(
+            f"Here you can find the total number of clusters including public and private clusters.The number of public clusters has been calculated based on the number of unique Clusters in the MISP galaxy JSON files. The number of private clusters could only be approximated based on the number of relations to non-existing clusters. Therefore the number of private clusters is not accurate and only an approximation.\n\n"
+        )
+        self.add_content(create_pie_chart(sector="Type", unit="Count", values=values))
+
+    def add_relation_statistics(self, clusters):
+        cluster_relations = {}
+        private_relations = 0
+        public_relations = 0
+        for cluster in clusters:
+            cluster_relations[cluster] = len(cluster.relationships)
+            for relation in cluster.relationships:
+                if relation[1].value == "Private Cluster":
+                    private_relations += 1
+                else:
+                    public_relations += 1
+        top_20 = get_top_x(cluster_relations, 20)
+        flop_20 = get_top_x(cluster_relations, 20, False)
+        self.add_content(f"# Relation statistics\n")
+        self.add_content(
+            f"Here you can find the total number of relations including public and private relations. The number includes relations between public clusters and relations between public and private clusters. Therefore relatons between private clusters are not included in the statistics.\n\n"
+        )
+        self.add_content(f"## Number of relations\n\n")
+        self.add_content(
+            create_pie_chart(
+                sector="Type",
+                unit="Count",
+                values={
+                    "Public relations": public_relations,
+                    "Private relations": private_relations,
+                },
+            )
+        )
+        self.add_content(
+            f"**Average number of relations per cluster**: {int(sum(cluster_relations.values()) / len(cluster_relations))}\n"
+        )
+        self.add_content(f"## Cluster with the most relations\n\n")
+        self.add_content(
+            create_bar_chart(x_axis="Cluster", y_axis="Count", values=top_20)
+        )
+        self.add_content(f"## Cluster with the least relations\n\n")
+        self.add_content(
+            create_bar_chart(x_axis="Cluster", y_axis="Count", values=flop_20)
+        )
+
+    def add_synonym_statistics(self, clusters):
+        synonyms = {}
+        for cluster in clusters:
+            if cluster.meta and cluster.meta.get("synonyms"):
+                synonyms[cluster] = len(cluster.meta["synonyms"])
+        top_20 = get_top_x(synonyms, 20)
+        self.add_content(f"# Synonym statistics\n")
+        self.add_content(f"## Cluster with the most synonyms\n\n")
+        self.add_content(
+            create_bar_chart(x_axis="Cluster", y_axis="Count", values=top_20)
+        )

tools/mkdocs/modules/universe.py

@@ -0,0 +1,109 @@
+from modules.galaxy import Galaxy
+from modules.cluster import Cluster
+
+from collections import defaultdict, deque
+
+
+class Universe:
+    def __init__(self, add_inbound_relationship=False):
+        self.galaxies = {}  # Maps galaxy_name to Galaxy objects
+        self.add_inbound_relationship = add_inbound_relationship
+        self.private_clusters = {}
+
+    def add_galaxy(self, galaxy_name, json_file_name, authors, description):
+        if galaxy_name not in self.galaxies:
+            self.galaxies[galaxy_name] = Galaxy(
+                galaxy_name=galaxy_name,
+                json_file_name=json_file_name,
+                authors=authors,
+                description=description,
+            )
+
+    def add_cluster(self, galaxy_name, uuid, description, value, meta):
+        if galaxy_name in self.galaxies:
+            self.galaxies[galaxy_name].add_cluster(
+                uuid=uuid, description=description, value=value, meta=meta
+            )
+
+    def define_relationship(self, cluster_a_id, cluster_b_id):
+        cluster_a = None
+        cluster_b = None
+
+        if cluster_a_id == cluster_b_id:
+            return
+
+        # Search for Cluster A and Cluster B in all galaxies
+        for galaxy in self.galaxies.values():
+            if cluster_a_id in galaxy.clusters:
+                cluster_a = galaxy.clusters[cluster_a_id]
+            if cluster_b_id in galaxy.clusters:
+                cluster_b = galaxy.clusters[cluster_b_id]
+            if cluster_a and cluster_b:
+                break
+
+        # If both clusters are found, define the relationship
+        if cluster_a and cluster_b:
+            cluster_a.add_outbound_relationship(cluster_b)
+            cluster_b.add_inbound_relationship(cluster_a)
+        else:
+            if cluster_a:
+                # private_cluster = self.add_cluster(uuid=cluster_b_id, galaxy_name="Unknown", description=None, value="Private Cluster", meta=None)
+                private_cluster = Cluster(
+                    uuid=cluster_b_id,
+                    galaxy=None,
+                    description=None,
+                    value="Private Cluster",
+                    meta=None,
+                )
+                self.private_clusters[cluster_b_id] = private_cluster
+                cluster_a.add_outbound_relationship(private_cluster)
+            else:
+                raise ValueError(f"Cluster {cluster_a} not found in any galaxy")
+
+    def get_relationships_with_levels(self, start_cluster):
+
+        def bfs_with_undirected_relationships(start_cluster):
+            visited = set()  # Tracks whether a cluster has been visited
+            relationships = defaultdict(
+                lambda: float("inf")
+            )  # Tracks the lowest level for each cluster pair
+
+            queue = deque([(start_cluster, 0)])  # Queue of (cluster, level)
+
+            while queue:
+                current_cluster, level = queue.popleft()
+                if current_cluster not in visited:
+                    visited.add(current_cluster)
+
+                    # Process all relationships regardless of direction
+                    if self.add_inbound_relationship:
+                        neighbors = current_cluster.outbound_relationships.union(
+                            current_cluster.inbound_relationships
+                        )
+                    else:
+                        neighbors = current_cluster.outbound_relationships
+                    for neighbor in neighbors:
+                        link = frozenset([current_cluster, neighbor])
+                        if level + 1 < relationships[link]:
+                            relationships[link] = level + 1
+                            if (
+                                neighbor not in visited
+                                and neighbor.value != "Private Cluster"
+                            ):
+                                queue.append((neighbor, level + 1))
+
+            # Convert the defaultdict to a list of tuples, ignoring direction
+            processed_relationships = []
+            for link, lvl in relationships.items():
+                # Extract clusters from the frozenset; direction is irrelevant
+                clusters = list(link)
+
+                # Arbitrarily choose the first cluster as 'source' for consistency
+                if clusters[0].value == "Private Cluster":
+                    processed_relationships.append((clusters[1], clusters[0], lvl))
+                else:
+                    processed_relationships.append((clusters[0], clusters[1], lvl))
+
+            return processed_relationships
+
+        return bfs_with_undirected_relationships(start_cluster)

tools/mkdocs/requirements.txt

@@ -0,0 +1,48 @@
+Babel==2.14.0
+bracex==2.4
+certifi==2023.11.17
+cffi==1.16.0
+charset-normalizer==3.3.2
+click==8.1.7
+colorama==0.4.6
+cryptography==42.0.4
+Deprecated==1.2.14
+ghp-import==2.1.0
+gitdb==4.0.11
+GitPython==3.1.41
+graphviz==0.20.1
+idna==3.7
+Jinja2==3.1.4
+Markdown==3.5.2
+MarkupSafe==2.1.4
+mergedeep==1.3.4
+mkdocs==1.5.3
+mkdocs-awesome-pages-plugin==2.9.2
+mkdocs-git-committers-plugin==0.2.3
+mkdocs-material==9.5.6
+mkdocs-material-extensions==1.3.1
+mkdocs-rss-plugin==1.12.0
+natsort==8.4.0
+packaging==23.2
+paginate==0.5.6
+pathspec==0.12.1
+platformdirs==4.1.0
+pycparser==2.21
+PyGithub==2.2.0
+Pygments==2.17.2
+PyJWT==2.8.0
+pymdown-extensions==10.7
+PyNaCl==1.5.0
+python-dateutil==2.8.2
+PyYAML==6.0.1
+pyyaml_env_tag==0.1
+regex==2023.12.25
+requests==2.32.0
+six==1.16.0
+smmap==5.0.1
+typing_extensions==4.9.0
+urllib3==2.1.0
+validators==0.22.0
+watchdog==3.0.0
+wcmatch==8.5
+wrapt==1.16.0

tools/mkdocs/site/docs/01_attachements/javascripts/graph.js

@@ -0,0 +1,461 @@
+document$.subscribe(function () {
+
+    const NODE_RADIUS = 8;
+    // const NODE_COLOR = "#69b3a2";
+    const Parent_Node_COLOR = "#ff0000";
+
+
+    function applyTableFilter(tf) {
+        var valuesToSelect = ['1', '2', '3'];
+        tf.setFilterValue(4, valuesToSelect);
+        tf.filter();
+    }
+
+    function parseFilteredTable(tf, allData) {
+        var data = [];
+        tf.getFilteredData().forEach((row, i) => {
+            sourcePath = allData[row[0] - 2].sourcePath;
+            targetPath = allData[row[0] - 2].targetPath;
+            data.push({
+                source: row[1][0],
+                sourcePath: sourcePath,
+                sourceGalaxy: row[1][1],
+                target: row[1][2],
+                targetPath: targetPath,
+                targetGalaxy: row[1][3],
+                level: row[1][4]
+            });
+        });
+        return data;
+    }
+
+    function parseTable(table) {
+        var data = [];
+        table.querySelectorAll("tr").forEach((row, i) => {
+            if (i > 1) {
+                var cells = row.querySelectorAll("td");
+                var sourceAnchor = cells[0].querySelector("a");
+                var sourcePath = sourceAnchor ? sourceAnchor.getAttribute("href") : null;
+                var targetAnchor = cells[2].querySelector("a");
+                var targetPath = targetAnchor ? targetAnchor.getAttribute("href") : null;
+                data.push({
+                    source: cells[0].textContent,
+                    sourceGalaxy: cells[1].textContent,
+                    target: cells[2].textContent,
+                    targetGalaxy: cells[3].textContent,
+                    sourcePath: sourcePath,
+                    targetPath: targetPath,
+                    level: cells[4].textContent
+                });
+            }
+        });
+        return data;
+    }
+
+    function processNewData(newData) {
+        var nodePaths = {};
+        newData.forEach(d => {
+            nodePaths[d.source] = d.sourcePath || null;
+            nodePaths[d.target] = d.targetPath || null;
+        });
+        var newNodes = Array.from(new Set(newData.flatMap(d => [d.source, d.target])))
+            .map(id => ({
+                id,
+                path: nodePaths[id],
+                galaxy: newData.find(d => d.source === id) ? newData.find(d => d.source === id).sourceGalaxy : newData.find(d => d.target === id).targetGalaxy
+            }));
+
+        var newLinks = newData.map(d => ({ source: d.source, target: d.target }));
+        return { newNodes, newLinks };
+    }
+
+    function filterTableAndGraph(tf, simulation, data) {
+        var filteredData = parseFilteredTable(tf, data);
+        var { newNodes, newLinks } = processNewData(filteredData);
+
+        simulation.update({ newNodes: newNodes, newLinks: newLinks });
+    }
+
+    function extractNodePaths(data) {
+        return data.reduce((acc, d) => ({
+            ...acc,
+            [d.source]: d.sourcePath || null,
+            [d.target]: d.targetPath || null,
+        }), {});
+    }
+
+    function defineColorScale(galaxies) {
+        const colorScheme = [
+            '#E63946', // Red
+            '#F1FAEE', // Off White
+            '#A8DADC', // Light Blue
+            '#457B9D', // Medium Blue
+            '#1D3557', // Dark Blue
+            '#F4A261', // Sandy Brown
+            '#2A9D8F', // Teal
+            '#E9C46A', // Saffron
+            '#F77F00', // Orange
+            '#D62828', // Dark Red
+            '#023E8A', // Royal Blue
+            '#0077B6', // Light Sea Blue
+            '#0096C7', // Sky Blue
+            '#00B4D8', // Bright Sky Blue
+            '#48CAE4', // Light Blue
+            '#90E0EF', // Powder Blue
+            '#ADE8F4', // Pale Cerulean
+            '#CAF0F8', // Blithe Blue
+            '#FFBA08', // Selective Yellow
+            '#FFD60A'  // Naples Yellow
+        ];
+        return d3.scaleOrdinal(colorScheme)
+            .domain(galaxies);
+    }
+
+    function initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS) {
+        // Mouseover event handler
+        node.on("mouseover", function (event, d) {
+            tooltip.transition()
+                .duration(200)
+                .style("opacity", .9);
+            tooltip.html(d.id)
+                .style("left", (event.pageX) + "px")
+                .style("top", (event.pageY - 28) + "px");
+            node.style("opacity", 0.1);
+            link.style("opacity", 0.1);
+            d3.select(this)
+                .attr("r", parseFloat(d3.select(this).attr("r")) + 5)
+                .style("opacity", 1);
+            d3.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
+                .style("font-weight", "bold")
+                .style("font-size", "14px");
+            link.filter(l => l.source.id === d.id || l.target.id === d.id)
+                .attr("stroke-width", 3)
+                .style("opacity", 1);
+            node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
+                .style("opacity", 1);
+        })
+            .on("mousemove", function (event) {
+                tooltip.style("left", (event.pageX) + "px")
+                    .style("top", (event.pageY - 28) + "px");
+            })
+            .on("mouseout", function (event, d) {
+                tooltip.transition()
+                    .duration(500)
+                    .style("opacity", 0);
+                node.style("opacity", 1);
+                link.style("opacity", 1);
+                d3.select(this).attr("r", d => d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS);
+                d3.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
+                    .style("font-weight", "normal")
+                    .style("font-size", "12px");
+                link.filter(l => l.source.id === d.id || l.target.id === d.id)
+                    .attr("stroke-width", 1);
+                node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)));
+            })
+            .on("dblclick", function (event, d) {
+                location.href = d.path;
+            });
+
+        // Define drag behavior
+        var drag = d3.drag()
+            .on("start", dragstarted)
+            .on("drag", dragged)
+            .on("end", dragended);
+
+        // Apply drag behavior to nodes
+        node.call(drag);
+
+        function dragstarted(event, d) {
+            if (!event.active) simulation.alphaTarget(0.3).restart();
+            d.fx = d.x;
+            d.fy = d.y;
+        }
+
+        function dragged(event, d) {
+            d.fx = event.x;
+            d.fy = event.y;
+        }
+
+        function dragended(event, d) {
+            if (!event.active) simulation.alphaTarget(0);
+        }
+    }
+
+
+
+    function createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip) {
+        // Prepare legend data
+        const legendData = galaxies.map(galaxy => ({
+            name: galaxy,
+            color: colorScale(galaxy)
+        }));
+
+        const maxCharLength = 10; // Maximum number of characters to display in legend
+
+        // Create legend
+        const legend = svg.append("g")
+            .attr("class", "legend")
+            .attr("transform", "translate(" + (width - 100) + ",20)"); // Adjust position as needed
+
+        // Add legend title
+        legend.append("text")
+            .attr("x", 0)
+            .attr("y", -10)
+            .style("font-size", "13px")
+            .style("text-anchor", "start")
+            .style("fill", "grey")
+            .text("Galaxy Colors");
+
+        // Add colored rectangles and text labels for each galaxy
+        const legendItem = legend.selectAll(".legend-item")
+            .data(legendData)
+            .enter().append("g")
+            .attr("class", "legend-item")
+            .attr("transform", (d, i) => `translate(0, ${i * 20})`);
+
+        legendItem.append("rect")
+            .attr("width", 12)
+            .attr("height", 12)
+            .style("fill", d => d.color)
+            .on("mouseover", mouseoverEffect)
+            .on("mouseout", mouseoutEffect);
+
+        legendItem.append("text")
+            .attr("x", 24)
+            .attr("y", 9)
+            .attr("dy", "0.35em")
+            .style("text-anchor", "start")
+            .style("fill", "grey")
+            .style("font-size", "12px")
+            .attr("class", d => "legend-text galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
+            .text(d => d.name.length > maxCharLength ? d.name.substring(0, maxCharLength) + "..." : d.name)
+            .on("mouseover", mouseoverEffect)
+            .on("mouseout", mouseoutEffect);
+
+        function mouseoverEffect(event, d) {
+            // Dim the opacity of all nodes and links
+            node.style("opacity", 0.1);
+            link.style("opacity", 0.1);
+
+            // Highlight elements associated with the hovered galaxy
+            svg.selectAll(".galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
+                .each(function () {
+                    d3.select(this).style("opacity", 1); // Increase opacity for related elements
+                });
+
+            // Show tooltip
+            tooltip.transition()
+                .duration(200)
+                .style("opacity", .9);
+            tooltip.html(d.name)
+                .style("left", (event.pageX) + "px")
+                .style("top", (event.pageY - 28) + "px");
+        }
+
+        function mouseoutEffect(event, d) {
+            // Restore the opacity of nodes and links
+            node.style("opacity", 1);
+            link.style("opacity", 1);
+
+            // Hide tooltip
+            tooltip.transition()
+                .duration(500)
+                .style("opacity", 0);
+        }
+
+    }
+
+
+    function createForceDirectedGraph(data, elementId) {
+        const nodePaths = extractNodePaths(data);
+
+        // // Extract unique galaxy names from data
+        const galaxies = Array.from(new Set(data.flatMap(d => [d.sourceGalaxy, d.targetGalaxy])));
+        const colorScale = defineColorScale(data);
+
+        var nodes = Array.from(new Set(data.flatMap(d => [d.source, d.target])))
+            .map(id => ({
+                id,
+                path: nodePaths[id],
+                galaxy: data.find(d => d.source === id) ? data.find(d => d.source === id).sourceGalaxy : data.find(d => d.target === id).targetGalaxy
+            }));
+
+        let header = document.querySelector('h1').textContent;
+        const Parent_Node = nodes.find(node => node.id.includes(header));
+
+        var links = data.map(d => ({ source: d.source, target: d.target }));
+
+        var tooltip = d3.select("body").append("div")
+            .attr("class", "tooltip") // Add relevant classes for styling
+            .style("opacity", 0);
+
+        // Set up the dimensions of the graph
+        var width = document.querySelector('.md-content__inner').offsetWidth;
+        var height = width;
+
+        var svg = d3.select("div#container")
+            .append("svg")
+            .attr("preserveAspectRatio", "xMinYMin meet")
+            .attr("viewBox", "0 0 " + width + " " + height)
+            .classed("svg-content", true);
+
+        // Create a force simulation
+        linkDistance = Math.sqrt((width * height) / nodes.length);
+        var simulation = d3.forceSimulation(nodes)
+            .force("link", d3.forceLink(links).id(d => d.id).distance(linkDistance))
+            .force("charge", d3.forceManyBody().strength(-70))
+            .force("center", d3.forceCenter(width / 2, height / 2))
+            .alphaDecay(0.05); // A lower value, adjust as needed
+
+        // Create links
+        var link = svg.append("g")
+            .attr("stroke", "#999")
+            .attr("stroke-opacity", 0.6)
+            .selectAll("line")
+            .data(links)
+            .enter().append("line")
+            .attr("stroke-width", 1);
+
+        // Create nodes
+        var node = svg.append("g")
+            .attr("stroke", "#D3D3D3")
+            .attr("stroke-width", 1.5)
+            .selectAll("circle")
+            .data(nodes)
+            .enter().append("circle")
+            .attr("r", function (d, i) {
+                return d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS;
+            })
+            .attr("fill", function (d, i) {
+                return d.id === Parent_Node.id ? Parent_Node_COLOR : colorScale(d.galaxy);
+            })
+            .attr("class", d => "node galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'));
+
+        initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS);
+        createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip);
+
+        // Update positions on each simulation 'tick'
+        simulation.on("tick", () => {
+            nodes.forEach(d => {
+                d.x = Math.max(NODE_RADIUS, Math.min(width - NODE_RADIUS, d.x));
+                d.y = Math.max(NODE_RADIUS, Math.min(height - NODE_RADIUS, d.y));
+            });
+            link
+                .attr("x1", d => d.source.x)
+                .attr("y1", d => d.source.y)
+                .attr("x2", d => d.target.x)
+                .attr("y2", d => d.target.y);
+
+            node
+                .attr("cx", d => d.x)
+                .attr("cy", d => d.y);
+        });
+
+        return Object.assign(svg.node(), {
+            update({ newNodes, newLinks }) {
+                const oldNodesMap = new Map(node.data().map(d => [d.id, d]));
+                nodes = newNodes.map(d => Object.assign(oldNodesMap.get(d.id) || {}, d));
+
+                // Update nodes with new data
+                node = node.data(nodes, d => d.id)
+                    .join(
+                        enter => enter.append("circle")
+                            .attr("r", function (d, i) {
+                                return d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS;
+                            })
+                            .attr("fill", function (d, i) {
+                                return d.id === Parent_Node.id ? Parent_Node_COLOR : colorScale(d.galaxy);
+                            })
+                            .attr("class", d => "node galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-')),
+                        update => update,
+                        exit => exit.remove()
+                    );
+
+                // Process new links
+                const oldLinksMap = new Map(link.data().map(d => [`${d.source.id},${d.target.id}`, d]));
+                links = newLinks.map(d => Object.assign(oldLinksMap.get(`${d.source.id},${d.target.id}`) || {}, d));
+
+                // Update links with new data
+                link = link.data(links, d => `${d.source.id},${d.target.id}`)
+                    .join(
+                        enter => enter.append("line")
+                            .attr("stroke-width", d => Math.sqrt(d.value)),
+                        update => update,
+                        exit => exit.remove()
+                    );
+
+                initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS);
+                createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip);
+
+                // Restart the simulation with new data
+                simulation.nodes(nodes);
+                simulation.force("link").links(links);
+                linkDistance = Math.sqrt((width * height) / nodes.length);
+                simulation.force("link").distance(linkDistance);
+                simulation.alpha(1).restart();
+            }
+        });
+    }
+
+    // Find all tables that have a th with the class .graph and generate Force-Directed Graphs
+    document.querySelectorAll("table").forEach((table, index) => {
+        var graphHeader = table.querySelector("th.graph");
+        if (graphHeader) {
+            var tf = new TableFilter(table, {
+                base_path: "../../../../01_attachements/modules/tablefilter/",
+                highlight_keywords: true,
+                col_1: "checklist",
+                col_3: "checklist",
+                col_4: "checklist",
+                col_types: ["string", "string", "string", "string", "number"],
+                grid_layout: false,
+                responsive: true,
+                watermark: ["Filter table ...", "Filter table ...", "Filter table ...", "Filter table ..."],
+                auto_filter: {
+                    delay: 100 //milliseconds
+                },
+                filters_row_index: 1,
+                state: false,
+                rows_counter: true,
+                status_bar: true,
+                themes: [{
+                    name: "transparent",
+                }],
+                btn_reset: {
+                    tooltip: "Reset",
+                    toolbar_position: "right",
+                },
+                toolbar: true,
+                extensions: [{
+                    name: "sort",
+                },
+                {
+                    name: 'filtersVisibility',
+                    description: 'Sichtbarkeit der Filter',
+                    toolbar_position: 'right',
+                }],
+            });
+
+            tf.init();
+            var allData = parseTable(table);
+            if (allData.length > 1000) {
+                applyTableFilter(tf);
+                data = parseFilteredTable(tf, allData);
+            } else {
+                data = allData;
+            }
+            var graphId = "container";
+            var div = document.createElement("div");
+            // div.id = graphId;
+            div.id = graphId;
+            div.className = "svg-container";
+            table.parentNode.insertBefore(div, table);
+            var simulation = createForceDirectedGraph(data, "#" + graphId);
+
+            // Listen for table filtering events
+            tf.emitter.on(['after-filtering'], function () {
+                filterTableAndGraph(tf, simulation, allData);
+            });
+        }
+    });
+});

tools/mkdocs/site/docs/01_attachements/javascripts/navigation.js

@@ -0,0 +1,22 @@
+document.addEventListener('DOMContentLoaded', function () {
+    const body = document.body;
+    const toggleNavigationBtn = document.getElementById('toggle-navigation');
+    const toggleTocBtn = document.getElementById('toggle-toc');
+
+    function updateButtonText() {
+        toggleNavigationBtn.textContent = body.classList.contains('hide-navigation') ? '>>> Show Navigation' : '<<< Hide Navigation';
+        toggleTocBtn.textContent = body.classList.contains('hide-toc') ? 'Show TOC <<<' : 'Hide TOC >>>';
+    }
+
+    toggleNavigationBtn.addEventListener('click', function () {
+        body.classList.toggle('hide-navigation');
+        updateButtonText();
+    });
+
+    toggleTocBtn.addEventListener('click', function () {
+        body.classList.toggle('hide-toc');
+        updateButtonText();
+    });
+
+    updateButtonText(); // Initialize button text based on current state
+});

tools/mkdocs/site/docs/01_attachements/javascripts/statistics.js

@@ -0,0 +1,168 @@
+document$.subscribe(function () {
+
+    function parseTable(table) {
+        var data = [];
+        table.querySelectorAll("tr").forEach((row, i) => {
+            if (i > 0) {
+                var cells = row.querySelectorAll("td");
+                data.push({ name: cells[1].textContent, value: Number(cells[2].textContent) });
+            }
+        });
+        return data;
+    }
+
+    function createPieChart(data, elementId) {
+        // Set up the dimensions of the graph
+        var width = 500, height = 500;
+
+        // Append SVG for the graph
+        var svg = d3.select(elementId).append("svg")
+            .attr("width", width)
+            .attr("height", height);
+
+        // Set up the dimensions of the graph
+        var radius = Math.min(width, height) / 2 - 20;
+
+        // Append a group to the SVG
+        var g = svg.append("g")
+            .attr("transform", "translate(" + width / 2 + "," + height / 2 + ")");
+
+        // Set up the color scale
+        var color = d3.scaleOrdinal()
+            .domain(data.map(d => d.name))
+            .range(d3.quantize(t => d3.interpolateSpectral(t * 0.8 + 0.1), data.length).reverse());
+
+        // Compute the position of each group on the pie
+        var pie = d3.pie()
+            .value(d => d.value);
+        var data_ready = pie(data);
+
+        // Build the pie chart
+        g.selectAll('whatever')
+            .data(data_ready)
+            .enter()
+            .append('path')
+            .attr('d', d3.arc()
+                .innerRadius(0)
+                .outerRadius(radius)
+            )
+            .attr('fill', d => color(d.data.name))
+            .attr("stroke", "black")
+            .style("stroke-width", "2px")
+            .style("opacity", 0.7);
+
+        // Add labels
+        g.selectAll('whatever')
+            .data(data_ready)
+            .enter()
+            .append('text')
+            .text(d => d.data.name)
+            .attr("transform", d => "translate(" + d3.arc().innerRadius(0).outerRadius(radius).centroid(d) + ")")
+            .style("text-anchor", "middle")
+            .style("font-size", 17);
+    }
+
+    function createBarChart(data, elementId, mode) {
+        // Set up the dimensions of the graph
+        var svgWidth = 1000, svgHeight = 1000;
+        var margin = { top: 20, right: 200, bottom: 350, left: 60 }, // Increase bottom margin for x-axis labels
+            width = svgWidth - margin.left - margin.right,
+            height = svgHeight - margin.top - margin.bottom;
+
+        // Append SVG for the graph
+        var svg = d3.select(elementId).append("svg")
+            .attr("width", svgWidth)
+            .attr("height", svgHeight)
+            .append("g")
+            .attr("transform", "translate(" + margin.left + "," + margin.top + ")");
+
+        // Set up the scales
+        var x = d3.scaleBand()
+            .range([0, width])
+            .padding(0.2)
+            .domain(data.map(d => d.name));
+
+        var maxYValue = d3.max(data, d => d.value);
+        if (mode == "log") {
+            var minYValue = d3.min(data, d => d.value);
+            if (minYValue <= 0) {
+                console.error("Logarithmic scale requires strictly positive values");
+                return;
+            }
+        }
+        var y = mode == "log" ? d3.scaleLog().range([height, 0]).domain([1, maxYValue]) : d3.scaleLinear().range([height, 0]).domain([0, maxYValue + maxYValue * 0.1]);
+
+        // Set up the color scale
+        var color = d3.scaleOrdinal()
+            .range(d3.schemeCategory10);
+
+        // Set up the axes
+        var xAxis = d3.axisBottom(x)
+            .tickSize(0)
+            .tickPadding(6);
+
+        var yAxis = d3.axisLeft(y);
+
+        // Add the bars
+        svg.selectAll(".bar")
+            .data(data)
+            .enter().append("rect")
+            .attr("class", "bar")
+            .attr("x", d => x(d.name))
+            .attr("y", d => {
+                if (mode == "log") {
+                    return y(Math.max(1, d.value));
+                } else if (mode == "linear") {
+                    return y(d.value);
+                }
+            })
+            .attr("width", x.bandwidth())
+            .attr("height", d => {
+                if (mode == "log") {
+                    return height - y(Math.max(1, d.value));
+                } else if (mode == "linear") {
+                    return height - y(d.value);
+                }
+            })
+            .attr("fill", d => color(d.name));
+
+
+        // Add and rotate x-axis labels
+        svg.append("g")
+            .attr("transform", "translate(0," + height + ")")
+            .call(xAxis)
+            .selectAll("text")
+            .style("text-anchor", "end")
+            .attr("dx", "-.8em")
+            .attr("dy", ".15em")
+            .attr("transform", "rotate(-65)"); // Rotate the labels
+
+        // Add the y-axis
+        svg.append("g")
+            .call(yAxis);
+    }
+
+
+    document.querySelectorAll("table").forEach((table, index) => {
+        var pieChart = table.querySelector("th.pie-chart");
+        var barChart = table.querySelector("th.bar-chart");
+        var logBarChart = table.querySelector("th.log-bar-chart");
+        graphId = "graph" + index;
+        var div = document.createElement("div");
+        div.id = graphId;
+        table.parentNode.insertBefore(div, table);
+        if (pieChart) {
+            var data = parseTable(table);
+            createPieChart(data, "#" + graphId);
+        }
+        if (barChart) {
+            var data = parseTable(table);
+            createBarChart(data, "#" + graphId, "linear");
+        }
+        if (logBarChart) {
+            var data = parseTable(table);
+            createBarChart(data, "#" + graphId, "log");
+        }
+    })
+
+});

tools/mkdocs/site/docs/01_attachements/javascripts/tablefilter.js

@@ -0,0 +1,53 @@
+document$.subscribe(function () {
+    var tables = document.querySelectorAll("article table")
+    tables.forEach(function (table) {
+        var excludeTable = table.querySelector("td.no-filter, th.no-filter");
+        if (!excludeTable) {
+            var tf = new TableFilter(table, {
+                base_path: "https://unpkg.com/tablefilter@0.7.3/dist/tablefilter/",
+                highlight_keywords: true,
+                // col_0: "select",
+                // col_1: "select",
+                col_2: "checklist",
+                col_widths: ["350px", "350px", "100px"],
+                col_types: ["string", "string", "number"],
+                grid_layout: false,
+                responsive: false,
+                watermark: ["Filter table ...", "Filter table ..."],
+
+                auto_filter: {
+                    delay: 100 //milliseconds
+                },
+                filters_row_index: 1,
+                state: true,
+                // alternate_rows: true,
+                rows_counter: true,
+                status_bar: true,
+
+                themes: [{
+                    name: "transparent",
+                }],
+
+                btn_reset: {
+                    tooltip: "Reset",
+                    toolbar_position: "right",
+                },
+                // no_results_message: {
+                //     content: "No matching records found",
+                // },
+                toolbar: true,
+                extensions: [{
+                    name: "sort",
+                },
+                {
+                    name: 'filtersVisibility',
+                    description: 'Sichtbarkeit der Filter',
+                    toolbar_position: 'right',
+                },],
+            })
+            tf.init()
+        }
+    })
+})
+
+

tools/mkdocs/site/docs/01_attachements/modules/tablefilter/style/colsVisibility.css

@@ -0,0 +1 @@
+span.colVisSpan{text-align:left;}span.colVisSpan a.colVis{display:inline-block;padding:7px 5px 0;font-size:inherit;font-weight:inherit;vertical-align:top}div.colVisCont{position:relative;background:#fff;-webkit-box-shadow:3px 3px 2px #888;-moz-box-shadow:3px 3px 2px #888;box-shadow:3px 3px 2px #888;position:absolute;display:none;border:1px solid #ccc;height:auto;width:250px;background-color:#fff;margin:35px 0 0 -100px;z-index:10000;padding:10px 10px 10px 10px;text-align:left;font-size:inherit;}div.colVisCont:after,div.colVisCont:before{bottom:100%;left:50%;border:solid transparent;content:" ";height:0;width:0;position:absolute;pointer-events:none}div.colVisCont:after{border-color:rgba(255,255,255,0);border-bottom-color:#fff;border-width:10px;margin-left:-10px}div.colVisCont:before{border-color:rgba(255,255,255,0);border-bottom-color:#ccc;border-width:12px;margin-left:-12px}div.colVisCont p{margin:6px auto 6px auto}div.colVisCont a.colVis{display:initial;font-weight:inherit}ul.cols_checklist{padding:0;margin:0;list-style-type:none;}ul.cols_checklist label{display:block}ul.cols_checklist input{vertical-align:middle;margin:2px 5px 2px 1px}li.cols_checklist_item{padding:4px;margin:0;}li.cols_checklist_item:hover{background-color:#335ea8;color:#fff}.cols_checklist_slc_item{background-color:#335ea8;color:#fff}

tools/mkdocs/site/docs/01_attachements/modules/tablefilter/style/filtersVisibility.css

@@ -0,0 +1 @@
+span.expClpFlt a.btnExpClpFlt{width:35px;height:35px;display:inline-block;}span.expClpFlt a.btnExpClpFlt:hover{background-color:#f4f4f4}span.expClpFlt img{padding:8px 11px 11px 11px}