0528a62d9b | ||
---|---|---|
.github/workflows | ||
.vscode | ||
clusters | ||
doc/images | ||
galaxies | ||
misp | ||
tools | ||
vocabularies | ||
.gitchangelog.rc | ||
.gitignore | ||
.travis.yml | ||
CONTRIBUTE.md | ||
LICENSE.md | ||
README.md | ||
jq_all_the_things.sh | ||
schema_clusters.json | ||
schema_galaxies.json | ||
schema_misp.json | ||
schema_vocabularies.json | ||
validate_all.sh |
README.md
misp-galaxy
MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy but those can be overwritten, replaced, updated, forked and shared as you wish.
Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.
Galaxies can be also used to expressed existing matrix-like standards such as MITRE ATT&CK(tm) or custom ones.
The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).
Available Galaxy - clusters
360.net Threat Actors
360.net Threat Actors - Known or estimated adversary groups as identified by 360.net.
Category: actor - source: https://apt.360.net/aptlist - total: 42 elements
Ammunitions
Ammunitions - Common ammunitions galaxy
Category: firearm - source: https://ammo.com/ - total: 410 elements
Android
Android - Android malware galaxy based on multiple open sources.
Category: tool - source: Open Sources - total: 433 elements
Azure Threat Research Matrix
Azure Threat Research Matrix - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Category: atrm - source: https://github.com/microsoft/Azure-Threat-Research-Matrix - total: 90 elements
attck4fraud
attck4fraud - attck4fraud - Principles of MITRE ATT&CK in the fraud domain
Category: guidelines - source: Open Sources - total: 71 elements
Backdoor
Backdoor - A list of backdoor malware.
Category: tool - source: Open Sources - total: 28 elements
Banker
Banker - A list of banker malware.
Category: tool - source: Open Sources - total: 53 elements
Bhadra Framework
Bhadra Framework - Bhadra Threat Modeling Framework
Category: mobile - source: https://arxiv.org/pdf/2005.05110.pdf - total: 47 elements
Botnet
Botnet - botnet galaxy
Category: tool - source: MISP Project - total: 130 elements
Branded Vulnerability
Branded Vulnerability - List of known vulnerabilities and attacks with a branding
Category: vulnerability - source: Open Sources - total: 14 elements
Cert EU GovSector
Cert EU GovSector - Cert EU GovSector
Category: sector - source: CERT-EU - total: 6 elements
China Defence Universities Tracker
China Defence Universities Tracker - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.
Category: academic-institution - source: ASPI International Cyber Policy Centre - total: 159 elements
CONCORDIA Mobile Modelling Framework - Attack Pattern
CONCORDIA Mobile Modelling Framework - Attack Pattern - A list of Techniques in CONCORDIA Mobile Modelling Framework.
Category: cmtmf-attack-pattern - source: https://5g4iot.vlab.cs.hioa.no/ - total: 93 elements
Country
Country - Country meta information based on the database provided by geonames.org.
Category: country - source: MISP Project - total: 252 elements
Cryptominers
Cryptominers - A list of cryptominer and cryptojacker malware.
Category: Cryptominers - source: Open Source Intelligence - total: 5 elements
Actor Types
Actor Types - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 33 elements
Countermeasures
Countermeasures - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 139 elements
Detections
Detections - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 94 elements
Techniques
Techniques - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 298 elements
Election guidelines
Election guidelines - Universal Development and Security Guidelines as Applicable to Election Technology.
Category: guidelines - source: Open Sources - total: 23 elements
Exploit-Kit
Exploit-Kit - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years
Category: tool - source: MISP Project - total: 52 elements
Firearms
Firearms - Common firearms galaxy
Category: firearm - source: https://www.impactguns.com - total: 5953 elements
FIRST DNS Abuse Techniques Matrix
FIRST DNS Abuse Techniques Matrix - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
Category: first-dns - source: https://www.first.org/global/sigs/dns/ - total: 21 elements
Intelligence Agencies
Intelligence Agencies - List of intelligence agencies
Category: Intelligence Agencies - source: https://en.wikipedia.org/wiki/List_of_intelligence_agencies - total: 436 elements
INTERPOL DWVA Taxonomy
INTERPOL DWVA Taxonomy - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.
Category: dwva - source: https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/ - total: 94 elements
Malpedia
Malpedia - Malware galaxy cluster based on Malpedia.
Category: tool - source: Malpedia - total: 3039 elements
Microsoft Activity Group actor
Microsoft Activity Group actor - Activity groups as described by Microsoft
Category: actor - source: MISP Project - total: 79 elements
Misinformation Pattern
Misinformation Pattern - AM!TT Technique
Category: misinformation-pattern - source: https://github.com/misinfosecproject/amitt_framework - total: 61 elements
MITRE ATLAS Attack Pattern
MITRE ATLAS Attack Pattern - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems
Category: attack-pattern - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 82 elements
MITRE ATLAS Course of Action
MITRE ATLAS Course of Action - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems
Category: course-of-action - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 19 elements
Attack Pattern
Attack Pattern - ATT&CK tactic
Category: attack-pattern - source: https://github.com/mitre/cti - total: 1141 elements
Course of Action
Course of Action - ATT&CK Mitigation
Category: course-of-action - source: https://github.com/mitre/cti - total: 281 elements
mitre-data-component
mitre-data-component - Data components are parts of data sources.
Category: data-component - source: https://github.com/mitre/cti - total: 117 elements
mitre-data-source
mitre-data-source - Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
Category: data-source - source: https://github.com/mitre/cti - total: 40 elements
Enterprise Attack - Attack Pattern
Enterprise Attack - Attack Pattern - ATT&CK tactic
Category: attack-pattern - source: https://github.com/mitre/cti - total: 219 elements
Enterprise Attack - Course of Action
Enterprise Attack - Course of Action - ATT&CK Mitigation
Category: course-of-action - source: https://github.com/mitre/cti - total: 215 elements
Enterprise Attack - Intrusion Set
Enterprise Attack - Intrusion Set - Name of ATT&CK Group
Category: actor - source: https://github.com/mitre/cti - total: 69 elements
Enterprise Attack - Malware
Enterprise Attack - Malware - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 188 elements
Enterprise Attack - Tool
Enterprise Attack - Tool - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 45 elements
Assets
Assets - A list of asset categories that are commonly found in industrial control systems.
Category: asset - source: https://collaborate.mitre.org/attackics/index.php/All_Assets - total: 7 elements
Groups
Groups - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.
Category: actor - source: https://collaborate.mitre.org/attackics/index.php/Groups - total: 10 elements
Levels
Levels - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.
Category: level - source: https://collaborate.mitre.org/attackics/index.php/All_Levels - total: 3 elements
Software
Software - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.
Category: tool - source: https://collaborate.mitre.org/attackics/index.php/Software - total: 17 elements
Tactics
Tactics - A list of all 11 tactics in ATT&CK for ICS
Category: tactic - source: https://collaborate.mitre.org/attackics/index.php/All_Tactics - total: 9 elements
Techniques
Techniques - A list of Techniques in ATT&CK for ICS.
Category: attack-pattern - source: https://collaborate.mitre.org/attackics/index.php/All_Techniques - total: 78 elements
Intrusion Set
Intrusion Set - Name of ATT&CK Group
Category: actor - source: https://github.com/mitre/cti - total: 165 elements
Malware
Malware - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 705 elements
Mobile Attack - Attack Pattern
Mobile Attack - Attack Pattern - ATT&CK tactic
Category: attack-pattern - source: https://github.com/mitre/cti - total: 76 elements
Mobile Attack - Course of Action
Mobile Attack - Course of Action - ATT&CK Mitigation
Category: course-of-action - source: https://github.com/mitre/cti - total: 14 elements
Mobile Attack - Intrusion Set
Mobile Attack - Intrusion Set - Name of ATT&CK Group
Category: actor - source: https://github.com/mitre/cti - total: 1 elements
Mobile Attack - Malware
Mobile Attack - Malware - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 35 elements
Mobile Attack - Tool
Mobile Attack - Tool - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 1 elements
Pre Attack - Attack Pattern
Pre Attack - Attack Pattern - ATT&CK tactic
Category: attack-pattern - source: https://github.com/mitre/cti - total: 174 elements
Pre Attack - Intrusion Set
Pre Attack - Intrusion Set - Name of ATT&CK Group
Category: actor - source: https://github.com/mitre/cti - total: 7 elements
mitre-tool
mitre-tool - Name of ATT&CK software
Category: tool - source: https://github.com/mitre/cti - total: 87 elements
NAICS
NAICS - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production).
Category: sector - source: North American Industry Classification System - NAICS - total: 2125 elements
o365-exchange-techniques
o365-exchange-techniques - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos
Category: guidelines - source: Open Sources, https://www.inversecos.com/2021/09/office365-attacks-bypassing-mfa.html - total: 62 elements
online-service
online-service - Known public online services.
Category: tool - source: Open Sources - total: 1 elements
Preventive Measure
Preventive Measure - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.
Category: measure - source: MISP Project - total: 20 elements
Producer
Producer - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
Category: actor - source: MISP Project - total: 15 elements
Ransomware
Ransomware - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: tool - source: Various - total: 1706 elements
RAT
RAT - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
Category: tool - source: MISP Project - total: 266 elements
Regions UN M49
Regions UN M49 - Regions based on UN M49.
Category: location - source: https://unstats.un.org/unsd/methodology/m49/overview/ - total: 32 elements
rsit
rsit - rsit
Category: rsit - source: https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force - total: 39 elements
Sector
Sector - Activity sectors
Category: sector - source: CERT-EU - total: 118 elements
Sigma-Rules
Sigma-Rules - MISP galaxy cluster based on Sigma Rules.
Category: rules - source: https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma - total: 2876 elements
Dark Patterns
Dark Patterns - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.
Category: dark-patterns - source: CIRCL - total: 19 elements
SoD Matrix
SoD Matrix - SOD Matrix
Category: sod-matrix - source: https://github.com/cudeso/SoD-Matrix - total: 276 elements
Stealer
Stealer - A list of malware stealer.
Category: tool - source: Open Sources - total: 16 elements
Surveillance Vendor
Surveillance Vendor - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.
Category: actor - source: MISP Project - total: 50 elements
Target Information
Target Information - Description of targets of threat actors.
Category: target - source: Various - total: 241 elements
TDS
TDS - TDS is a list of Traffic Direction System used by adversaries
Category: tool - source: MISP Project - total: 11 elements
Tea Matrix
Tea Matrix - Tea Matrix
Category: tea-matrix - source: ** - total: 7 elements
Threat Actor
Threat Actor - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: actor - source: MISP Project - total: 671 elements
Tidal Campaigns
Tidal Campaigns - Tidal Campaigns Cluster
Category: Campaigns - source: https://app-api.tidalcyber.com/api/v1/campaigns/ - total: 41 elements
Tidal Groups
Tidal Groups - Tidal Groups Galaxy
Category: Threat Groups - source: https://app-api.tidalcyber.com/api/v1/groups/ - total: 163 elements
Tidal References
Tidal References - Tidal References Cluster
Category: References - source: https://app-api.tidalcyber.com/api/v1/references/ - total: 3872 elements
Tidal Software
Tidal Software - Tidal Software Cluster
Category: Software - source: https://app-api.tidalcyber.com/api/v1/software/ - total: 931 elements
Tidal Tactic
Tidal Tactic - Tidal Tactic Cluster
Category: Tactic - source: https://app-api.tidalcyber.com/api/v1/tactic/ - total: 14 elements
Tidal Technique
Tidal Technique - Tidal Technique Cluster
Category: Technique - source: https://app-api.tidalcyber.com/api/v1/technique/ - total: 201 elements
Threat Matrix for storage services
Threat Matrix for storage services - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.
Category: tmss - source: https://github.com/microsoft/Threat-matrix-for-storage-services - total: 40 elements
Tool
Tool - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: tool - source: MISP Project - total: 603 elements
UAVs/UCAVs
UAVs/UCAVs - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles
Category: military equipment - source: Popular Mechanics - total: 36 elements
UKHSA Culture Collections
UKHSA Culture Collections - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
Category: virus - source: https://www.culturecollections.org.uk - total: 6667 elements
Online documentation
The misp-galaxy.org website provides an easily navigable resource for all MISP galaxy clusters.
A readable PDF overview of the MISP galaxy is available or HTML and generated from the JSON.
How to contribute?
License
The MISP galaxy (JSON files) are dual-licensed under:
- CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication.
or
Copyright (c) 2015-2024 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2015-2024 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2015-2024 Andras Iklody
Copyright (c) 2015-2024 Raphael Vinot
Copyright (c) 2015-2024 Deborah Servili
Copyright (c) 2016-2024 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.