From 1eee0633d8654dd1c04b7697599639be8a9916a7 Mon Sep 17 00:00:00 2001
From: Michael Hausding
Date: Thu, 22 Sep 2016 14:30:10 +0200
Subject: [PATCH 1/3] Domain Name Abuse Taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity. TF-CSIRT hackathon Zurich: sykaeh mausding
---
 domain-abuse/machinetag.json | 80 ++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 domain-abuse/machinetag.json
diff --git a/domain-abuse/machinetag.json b/domain-abuse/machinetag.json
new file mode 100644
index 0000000..1ec527d
--- /dev/null
+++ b/domain-abuse/machinetag.json
@@ -0,0 +1,80 @@
+{
+ "namespace": "domain-abuse",
+ "expanded": "Domain Name Abuse",
+ "description": "Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "domain-access-method",
+ "description": "Domain Access - describes how the adversary has gained access to the domain name",
+ "expanded": "Domain access method"
+ },
+ {
+ "value": "domain-status",
+ "description": "Domain status - describes the registration status of the domain name",
+ "expanded": "Domain status"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "domain-status",
+ "entry": [
+ {
+ "value": "active",
+ "expanded": "Registered & active",
+ "description": "Domain name is registered and DNS is delegated"
+ },
+ {
+ "value": "inactive",
+ "expanded": "Registered & inactive",
+ "description": "Domain name is registered and DNS is not delegated"
+ },
+ {
+ "value": "suspended",
+ "expanded": "Registered & suspended",
+ "description": "Domain name is registered & DNS delegation is temporarily removed by the registry"
+ },
+ {
+ "value": "not-registered",
+ "expanded": "Not registered",
+ "description": "Domain name is not registered and open for registration"
+ },
+ {
+ "value": "not-registrable",
+ "expanded": "Not registrable",
+ "description": "Domain is not registered and cannot be registered"
+ },
+ {
+ "value": "grace-period",
+ "expanded": "Grace period",
+ "description": "Domain is deleted and still reserved for previous owner"
+ }
+ ]
+ },
+ {
+ "predicate": "domain-access-method",
+ "entry": [
+ {
+ "value": "criminal-registration",
+ "expanded": "Criminal registration",
+ "description": "Domain name is registered for criminal purposes"
+ },
+ {
+ "value": "compromised-webserver",
+ "expanded": "Compromised webserver",
+ "description": "Webserver is compromised for criminal purposes"
+ },
+ {
+ "value": "compromised-dns",
+ "expanded": "Compromised DNS",
+ "description": "Compromised 
authoritative DNS or compromised delegation"
+ },
+ {
+ "value": "sinkhole",
+ "expanded": "Sinkhole",
+ "description": "Domain Name is sinkholed for research, detection, LE"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
From ff71eb197a9f615dbc2828f2dfcfe25b2383bf54 Mon Sep 17 00:00:00 2001
From: Michael Hausding
Date: Thu, 22 Sep 2016 14:53:21 +0200
Subject: [PATCH 2/3] Added domain-abuse taxonomy.
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index 840fc07..0d698d8 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ The following taxonomies are described:
 - [Cyber Kill Chain](./kill-chain) from Lockheed Martin
 - DE German (DE) [Government classification markings (VS)](./de-vs)
 - [DHS CIIP Sectors](./dhs-ciip-sectors)
+- [Domain Name Abuse](./domain-abuse)
 - [eCSIRT](./ecsirt) and IntelMQ incident classification
 - [ENISA](./enisa) ENISA Threat Taxonomy
 - [Estimative Language](./estimative-language) Estimative Language (ICD 203)
@@ -60,6 +61,11 @@ Taxonomy for the handling of protectively marked information in MISP with German
 DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.
+### [Domain Name Abuse](./domain-abuse)
+
+Taxonomy to tag domain names used for cybercrime.
+We suggest to use europol-incident(./europol-incident) to tag abuse-activity.
+
 ### [eCSIRT](./ecsirt) and IntelMQ incident classification
 eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.
From 99118e55df165a9c4a0dd50920c0a3b4eb9c9d93 Mon Sep 17 00:00:00 2001
From: Michael Hausding
Date: Thu, 22 Sep 2016 14:55:26 +0200
Subject: [PATCH 3/3] added domain-abuse
---
 MANIFEST.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/MANIFEST.json b/MANIFEST.json
index 46f86c8..b7be674 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
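Review bot: The `sinkhole` entry under `domain-access-method` contradicts that predicate's own description, "describes how the adversary has gained access to the domain name": a sinkholed domain is under defender, researcher or law-enforcement control, not adversary access, so anyone reading the predicate text will misread the tag. Either widen the predicate to something like `"description": "Domain Access - describes how the domain name came to be used in the abuse: adversary access (registration, compromise) or defender take-over (sinkhole)"`, or give `sinkhole` a predicate of its own. The six `domain-status` values are mutually exclusive states of one domain, so if the taxonomy schema in use supports the predicate flag, `"exclusive": true` on `domain-status` would stop an event from carrying e.g. both `active` and `suspended`. The `sinkhole` description should spell out `LE` as `law enforcement` for readers outside the CSIRT community, and the file should end with a newline (the hunk reports `\ No newline at end of file`).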
@@ -39,6 +39,11 @@
 "description": "ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).",
 "name": "dni-ism",
 "version": 3
+ },
+ {
+ "description": "Taxonomy to tag domain names used for cybercrime.",
+ "name": "domain-abuse",
+ "version": 1
 },
 {
 "description": "eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.",
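Review bot: The `description` added for `domain-abuse` ("Taxonomy to tag domain names used for cybercrime.") does not match the taxonomy's own `description` in domain-abuse/machinetag.json from patch 1 ("Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity"), so the manifest and the taxonomy will drift apart as the taxonomy evolves. If MANIFEST.json is produced by a generator in this repository, regenerate it rather than hand-editing; otherwise copy the machinetag text verbatim, `"description": "Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity",`. The `version` value 1 does agree with the new file, so only the description needs attention.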