Merge branch 'main' of github.com:misp/misp-taxonomies

pull/286/head
Christian Studer 2023-12-07 11:25:01 +01:00
commit 9b96c7f493
13 changed files with 1682 additions and 40 deletions


@ -26,7 +26,7 @@
{
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
"name": "PAP",
"version": 2
"version": 3
},
{
"description": "The access method used to remotely access a system.",
@ -89,9 +89,9 @@
"version": 2
},
{
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
"name": "circl",
"version": 5
"version": 6
},
{
"description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
@ -124,7 +124,7 @@
"version": 2
},
{
"description": "The Crowdsec behaviors and classifications taxonomy is the list of taxonomies used in Crowdsec to describe the behaviors and classifications of an IP address. The behaviors are a list of attack categories for which a given IP address was reported, where the classifications describe a list of categories associated to an IP address and, when applicable, a list of false positive categories.",
"description": "Crowdsec IP address classifications and behaviors taxonomy.",
"name": "crowdsec",
"version": 1
},
@ -238,6 +238,11 @@
"name": "domain-abuse",
"version": 2
},
{
"description": "This taxonomy aims to list doping substances",
"name": "doping-substances",
"version": 2
},
{
"description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
"name": "drugs",
@ -511,7 +516,7 @@
{
"description": "MISP workflow taxonomy to support result of workflow execution.",
"name": "misp-workflow",
"version": 2
"version": 3
},
{
"description": "MONARC Threats Taxonomy",
@ -626,7 +631,7 @@
{
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"name": "runtime-packer",
"version": 1
"version": 2
},
{
"description": "Flags describing the sample",
@ -658,6 +663,11 @@
"name": "social-engineering-attack-vectors",
"version": 1
},
{
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
"name": "srbcert",
"version": 3
},
{
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"name": "state-responsibility",
@ -696,7 +706,7 @@
{
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"name": "tlp",
"version": 7
"version": 10
},
{
"description": "Taxonomy to describe Tor network infrastructure",
@ -741,9 +751,9 @@
{
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
"name": "workflow",
"version": 11
"version": 12
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
"version": "20230514"
"version": "20231122"
}


@ -2,23 +2,28 @@
"namespace": "PAP",
"expanded": "Permissible Actions Protocol",
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
"version": 2,
"version": 3,
"exclusive": true,
"predicates": [
{
"value": "RED",
"expanded": "(PAP:RED) Non-detectable actions only. Recipients may not use PAP:RED information on the network. Only passive actions on logs, that are not detectable from the outside.",
"colour": "#ff0000"
"colour": "#ff2b2b"
},
{
"value": "AMBER",
"expanded": "(PAP:AMBER) Passive cross check. Recipients may use PAP:AMBER information for conducting online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring honeypot.",
"colour": "#ffa800"
"colour": "#ffc000"
},
{
"value": "GREEN",
"expanded": "(PAP:GREEN) Active actions allowed. Recipients may use PAP:GREEN information to ping the target, block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact with the target.",
"colour": "#00ad1c"
"colour": "#33ff00"
},
{
"value": "CLEAR",
"expanded": "(PAP:CLEAR) No restrictions in using this information.",
"colour": "#ffffff"
},
{
"value": "WHITE",
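Review bot: The taxonomy is `exclusive: true` and after this hunk carries both the new `CLEAR` predicate and the retained `WHITE`, but the `description` line at the top of the hunk does not say which of the two is current, so a consumer cannot tell whether `PAP:WHITE` is deprecated or an equal alternative. The TLP taxonomy in this same repository handles the identical situation by saying in its description that legacy labels are kept for backward compatibility; suggest the same here, e.g. `"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. CLEAR replaces the legacy WHITE label, which is kept for backward compatibility."`. The `WHITE` predicate's own `expanded` and `colour` lines continue past the hunk, so its `expanded` text should carry the same backward-compatibility note if it does not already.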


@ -1,7 +1,7 @@
{
"namespace": "circl",
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
"version": 5,
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
"version": 6,
"predicates": [
{
"value": "incident-classification",
@ -10,6 +10,11 @@
{
"value": "topic",
"expanded": "Topic"
},
{
"value": "significant",
"expanded": "Significant",
"description": "Significant topic which has been evaluated to have a certain level of significancy which can have or had a severe impact."
}
],
"values": [
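Review bot: The new `significant` predicate's description ("a certain level of significancy") does not state who evaluates significance or against which criterion, so two organisations will apply `circl:significant` differently and the tag cannot be used reliably for filtering or prioritisation. Suggest naming the criterion, e.g. `"description": "Topic evaluated by the tagging organisation as significant: it has had, or could have, a severe impact on the affected constituency."`, adjusted to the actual rule used. No entries for this predicate appear in the hunk and the `values` array continues outside it; if `significant` is meant to be used as a bare tag without an entry, saying so in the description would help implementers.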


@ -42,6 +42,10 @@
{
"value": "Crypto Robbing Ransomware",
"expanded": "Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage."
},
{
"value": "Pig Butchering Scam",
"expanded": "Cryptocurrency investment fraud that lures individuals into investing their money in seemingly legitimate and profitable ventures."
}
],
"refs": [



@ -0,0 +1,44 @@
# MISP_DopingSubstanceTaxonomy
This project aims to gather information about all the prohibited sports Doping Substances.
We collected all of the information on the [WADA website](https://www.wada-ama.org/en/prohibited-list).
To do that we have created a python script to scrap this website and generate a JSON file (Taxonomy).
This Taxonomy could be add in MISP to help sports organizations to fight against usage of doping substances.
## MISP
![logo](Misp-logo.png)
What is MISP ?
>A threat intelligence platform for sharing, storing and correlating
Indicators of Compromise of targeted attacks, threat intelligence,
financial fraud information, vulnerability information or even
counter-terrorism information. Discover how MISP is used today in
multiple organisations. Not only to store, share, collaborate on cyber
security indicators, malware analysis, but also to use the IoCs and
information to detect and prevent attacks, frauds or threats against ICT
infrastructures, organisations or people.
## JSON Generation
In order to build the JSON file, we created a Python script which scrap the WADA (World Anti-Doping Agency) s prohibited list.
Thanks to BeautifulSoup, a useful library that helps a lot when it comes to scrap HTLM documents, the script is able to get all the list of doping substances.
The file is created with PyTaxonomies, a MISP library that help to create valid JSON file according to the [MISP Platform](https://www.misp-project.org/taxonomies.html#_misp_taxonomies).
Finally, the script generates all predicates (doping categories) and the entries associated (the doping substances themselves).
## Installation
If you want to try it out yourself, you need to have both BeautifulSoup & PyTaxonomies installated.
## Authors
DELUS Thibaut : https://github.com/WooZyhh
JACOB Lucas : https://github.com/Chaamoxs


@ -0,0 +1,63 @@
import json
import requests
from bs4 import BeautifulSoup
from pathlib import Path
from pytaxonomies import Entry, Predicate, Taxonomy
CONTENT_URL = 'https://www.wada-ama.org/en/prohibited-list'
TAXONOMY_DESCRIPTION = 'This taxonomy aims to list doping substances'
TAXONOMY_EXPANDED = 'Doping substances'
TAXONOMY_NAME = 'doping-substances'
ignore = ('NON-APPROVED SUBSTANCES', )
def list_predicates(articles):
predicates = {}
for article in articles:
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
if title in ignore:
continue
predicate = Predicate()
predicate.predicate = title
div = article.find('div', attrs={'class': 'layout-wysiwyg'})
description = div.find('p')
predicate.description = description.find_next_sibling().text
predicates[title] = predicate
return predicates
def generate_taxonomy():
new_taxonomy = Taxonomy()
new_taxonomy.name = TAXONOMY_NAME
new_taxonomy.expanded = TAXONOMY_EXPANDED
new_taxonomy.description = TAXONOMY_DESCRIPTION
response = requests.get(CONTENT_URL)
soup = BeautifulSoup(response.text, 'html.parser')
articles = soup.findAll('article', attrs={'class': 'panel hide-reader'})
new_taxonomy.predicates = list_predicates(articles)
for article in articles:
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
if title in ignore:
continue
products = article.findAll('li')
products_list = {}
for product in products:
entry = Entry()
entry.value = product.text
products_list[entry.value] = entry
new_taxonomy.predicates[title].entries = products_list
return new_taxonomy
if __name__ == '__main__':
taxonomy = generate_taxonomy()
taxonomy.version = 2
with open(Path(__file__).resolve().parent / 'machinetag.json', 'wt', encoding='utf-8') as f:
json.dump(taxonomy.to_dict(), f, indent=2, ensure_ascii=False)
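Review bot: `requests.get(CONTENT_URL)` in `generate_taxonomy` has no timeout and its status is never checked, so an error page or a blocked request is parsed as HTML and silently yields an empty or truncated taxonomy that `__main__` then writes over `machinetag.json`; suggest `response = requests.get(CONTENT_URL, timeout=30)` followed by `response.raise_for_status()`. The `find(...)` / `find_next_sibling()` chains in `list_predicates` and `generate_taxonomy` also assume every article carries the expected `p.h3.panel-title` and `div.layout-wysiwyg` elements, so a markup change on the WADA site fails with an `AttributeError` on `None` rather than a message naming the missing element. The generated file's content is taken verbatim from a third-party web page, so reviewing the diff of `machinetag.json` against the previous revision before committing is worth stating in the README. `taxonomy.version = 2` is hard-coded in `__main__`; a one-line comment such as `# bump on every regeneration that changes the content` would stop the version from being forgotten on the next run.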



@ -2,12 +2,27 @@
"namespace": "misp-workflow",
"expanded": "MISP workflow",
"description": "MISP workflow taxonomy to support result of workflow execution.",
"version": 2,
"version": 3,
"predicates": [
{
"value": "action-taken",
"expanded": "Action taken",
"description": "Action taken during the workflow execution"
},
{
"value": "analysis",
"expanded": "Analysis",
"description": "Result of the analysis executed during the workflow execution"
},
{
"value": "mutability",
"expanded": "Mutability",
"description": "Describe if the workflow is allowed to modify data"
},
{
"value": "run",
"expanded": "Run",
"description": "Describe if the workflow is allowed to run on the data being passed"
}
],
"values": [
@ -39,6 +54,41 @@
"expanded": "Execution stopped"
}
]
},
{
"predicate": "analysis",
"entry": [
{
"value": "false-positive",
"expanded": "False positive"
},
{
"value": "highly-likely-positive",
"expanded": "Highly Likely Positive"
},
{
"value": "known-file-hash",
"expanded": "Known file hash"
}
]
},
{
"predicate": "mutability",
"entry": [
{
"value": "allowed",
"expanded": "Allowed"
}
]
},
{
"predicate": "run",
"entry": [
{
"value": "allowed",
"expanded": "Allowed"
}
]
}
]
}
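Review bot: The new `mutability` and `run` predicates each carry only an `allowed` entry although their descriptions ("Describe if the workflow is allowed to ...") announce a yes/no property, so "not allowed" can only be expressed by the tag's absence, which a consumer cannot distinguish from "not evaluated". Either add the negative entry under both predicates, e.g. `{ "value": "not-allowed", "expanded": "Not allowed" }`, or state in each predicate's `description` that absence of the tag means the action is not permitted. Similarly the `analysis` predicate lists `false-positive` and `highly-likely-positive` but no plain `true-positive`; worth confirming that asymmetry is intended.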


@ -1,12 +1,8 @@
{
"namespace": "runtime-packer",
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"version": 1,
"version": 2,
"predicates": [
{
"value": "portable-executable",
"expanded": "Portable Executable (PE)"
},
{
"value": "dex",
"expanded": "Dalvik Executable (DEX)"
@ -16,9 +12,13 @@
"expanded": "Executable Linkable Format (ELF)"
},
{
"value": "mach-o",
"value": "macho",
"expanded": "Mach-object (Mach-O)"
},
{
"value": "pe",
"expanded": "Portable Executable (PE)"
},
{
"value": "cli-assembly",
"expanded": "CLI assembly"
@ -26,12 +26,91 @@
],
"values": [
{
"predicate": "portable-executable",
"predicate": "dex",
"entry": [
{
"value": "apk-protect",
"expanded": "APK Protect"
},
{
"value": "dexguard",
"expanded": "DexGuard"
},
{
"value": "dexprotector",
"expanded": "DexProtector"
}
]
},
{
"predicate": "elf",
"entry": [
{
"value": "bzexe",
"expanded": "BzExe"
},
{
"value": "ezuri",
"expanded": "Ezuri"
},
{
"value": "gzexe",
"expanded": "GzExe"
},
{
"value": "midgetpack",
"expanded": "MidgetPack"
},
{
"value": "pakkero",
"expanded": "Pakkero"
},
{
"value": "papaw",
"expanded": "Papaw"
},
{
"value": "shiva",
"expanded": "Shiva"
},
{
"value": "upx",
"expanded": "UPX"
}
]
},
{
"predicate": "macho",
"entry": [
{
"value": "eleckey",
"expanded": "ElecKey"
},
{
"value": "muncho",
"expanded": "Muncho"
},
{
"value": "mpress",
"expanded": "MPRESS"
},
{
"value": "upx",
"expanded": "UPX"
}
]
},
{
"predicate": "pe",
"entry": [
{
"value": ".netshrink",
"expanded": ".netshrink"
},
{
"value": "acprotect",
"expanded": "ACProtect"
},
{
"value": "alienyze",
"expanded": "Alienyze"
@ -40,10 +119,6 @@
"value": "apack",
"expanded": "aPack"
},
{
"value": "apk-protect",
"expanded": "APK Protect"
},
{
"value": "armadillo",
"expanded": "Armadillo"
@ -53,13 +128,17 @@
"expanded": "ASPack"
},
{
"value": "aspr-asprotect",
"expanded": "ASPR (ASProtect)"
"value": "asprotect",
"expanded": "ASProtect"
},
{
"value": "autoit",
"expanded": "AutoIT"
},
{
"value": "axprotector",
"expanded": "AxProtector"
},
{
"value": "bero",
"expanded": "BeRo EXE Packer"
@ -77,21 +156,29 @@
"expanded": "Code Virtualizer"
},
{
"value": "dexguard",
"expanded": "DexGuard"
},
{
"value": "dexprotector",
"expanded": "DexProtector"
"value": "confuserex",
"expanded": "ConfuserEx"
},
{
"value": "dotbundle",
"expanded": "dotBundle"
},
{
"value": "dragon-armor",
"expanded": "Dragon Armor"
},
{
"value": "eleckey",
"expanded": "ElecKey"
},
{
"value": "enigma-protector",
"expanded": "Enigma Protector"
},
{
"value": "enigma-virtual-box",
"expanded": "Enigma Virtual Box"
},
{
"value": "exe-bundle",
"expanded": "EXE Bundle"
@ -100,6 +187,10 @@
"value": "exe-stealth",
"expanded": "EXE Stealth"
},
{
"value": "exe32pack",
"expanded": "EXE32Pack"
},
{
"value": "expressor",
"expanded": "eXPressor"
@ -109,8 +200,12 @@
"expanded": "FSG"
},
{
"value": "gzexe",
"expanded": "GzExe"
"value": "hxor-packer",
"expanded": "hXOR Packer"
},
{
"value": "jdpack",
"expanded": "JDPack"
},
{
"value": "kkrunchy",
@ -124,10 +219,26 @@
"value": "mew",
"expanded": "MEW"
},
{
"value": "molebox",
"expanded": "MoleBox"
},
{
"value": "morphine",
"expanded": "Morphine"
},
{
"value": "mpress",
"expanded": "MPRESS"
},
{
"value": "neolite",
"expanded": "Neolite"
},
{
"value": "netcrypt",
"expanded": "NetCrypt"
},
{
"value": "nspack",
"expanded": "NSPack"
@ -136,6 +247,10 @@
"value": "obsidium",
"expanded": "Obsidium"
},
{
"value": "packman",
"expanded": "Packman"
},
{
"value": "pecompact",
"expanded": "PECompact"
@ -144,6 +259,10 @@
"value": "pelock",
"expanded": "PELock"
},
{
"value": "pepacker",
"expanded": "PE Packer"
},
{
"value": "peshield",
"expanded": "PEShield"
@ -156,6 +275,10 @@
"value": "petite",
"expanded": "PEtite"
},
{
"value": "procrypt",
"expanded": "ProCrypt"
},
{
"value": "rlpack-basic",
"expanded": "RLPack Basic"
@ -164,10 +287,22 @@
"value": "smart-packer-pro",
"expanded": "Smart Packer Pro"
},
{
"value": "squishy",
"expanded": "Squishy"
},
{
"value": "telock",
"expanded": "Telock"
},
{
"value": "themida",
"expanded": "Themida"
},
{
"value": "thinstall",
"expanded": "Thinstall"
},
{
"value": "upack",
"expanded": "UPack"

193
srbcert/machinetag.json Normal file

@ -0,0 +1,193 @@
{
"namespace": "srbcert",
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
"version": 3,
"predicates": [
{
"value": "incident-type",
"expanded": "Incident Type"
},
{
"value": "incident-criticality-level",
"expanded": "Incident Criticality Level"
}
],
"values": [
{
"predicate": "incident-type",
"entry": [
{
"value": "virus",
"expanded": "virus",
"description": "Virus is a piece of malicious code that aims to spread from computer to computer by attacking executable files and documents and can cause deliberate deletion of files from the hard drive and similar damage"
},
{
"value": "worm",
"expanded": "worm",
"description": "Worm is a program that contains malicious code that spreads over a network, in such a way that it can reproduce and transfer , which reproduces and transfers independently, i.e. it does not depend on the files of the infected person device. Worms spread to email addresses from the victim's contact list or exploit the vulnerabilities of network applications and, due to the high speed of propagation, serve for transmission of other types of malicious software "
},
{
"value": "ransomware",
"expanded": "Ransomware"
},
{
"value": "trojan",
"expanded": "Trojan"
},
{
"value": "spyware",
"expanded": "Spyware"
},
{
"value": "rootkit",
"expanded": "Rootkit"
},
{
"value": "malware",
"expanded": "Malware is a word derived from two words - Malicious Software, and represents any software that is written for malicious purposes, i.e. that aims to cause harm computer systems or networks"
},
{
"value": "port-scanning",
"expanded": "Port scanning"
},
{
"value": "sniffing",
"expanded": "Sniffing"
},
{
"value": "social-engineering",
"expanded": "Social engineering"
},
{
"value": "data-breaches",
"expanded": "Data breaches"
},
{
"value": "other-type-of-information-gathering",
"expanded": "Other type of information gathering"
},
{
"value": "phishing",
"expanded": "Phishing"
},
{
"value": "unauthorized-use-of-resources",
"expanded": "Unauthorized use of resources"
},
{
"value": "fraud",
"expanded": "Fraud"
},
{
"value": "exploiting-known-vulnerabilities",
"expanded": "Exploiting known vulnerabilities"
},
{
"value": "brute-force",
"expanded": "Brute force"
},
{
"value": "other-type-of-intrusion-attempts",
"expanded": "Other type of Intrusion Attempts"
},
{
"value": "privilege-account-compromise",
"expanded": "Privilege account compromise"
},
{
"value": "unprivileged-account-compromise",
"expanded": "Unprivileged account compromise"
},
{
"value": "application-compromise",
"expanded": "Application compromise"
},
{
"value": "botnet",
"expanded": "Botnet"
},
{
"value": "other-type-of-intrusions",
"expanded": "Other type of intrusions"
},
{
"value": "dos",
"expanded": "DoS"
},
{
"value": "ddos",
"expanded": "DDoS"
},
{
"value": "sabotage",
"expanded": "Sabotage"
},
{
"value": "outage",
"expanded": "Outage"
},
{
"value": "other-type-of-availability-incident",
"expanded": "Other type of Availability incident"
},
{
"value": "unauthorized-access-to-information",
"expanded": "Unauthorized access to information"
},
{
"value": "unauthorized-modification-of-information",
"expanded": "Unauthorized modification of information"
},
{
"value": "cryptographic-attack",
"expanded": "Cryptographic attack"
},
{
"value": "other-type-of-information-content-security-incident",
"expanded": "Other type of Information Content Security incident"
},
{
"value": "hardware-errors",
"expanded": "Hardware errors"
},
{
"value": "software-errors",
"expanded": "Software errors"
},
{
"value": "hardware-components-theft",
"expanded": "hardware-components-theft"
},
{
"value": "other",
"expanded": "Other"
}
]
},
{
"predicate": "incident-criticality-level",
"entry": [
{
"value": "low",
"expanded": "Low",
"numerical_value": 25
},
{
"value": "medium",
"expanded": "Medium",
"numerical_value": 50
},
{
"value": "high",
"expanded": "High",
"numerical_value": 75
},
{
"value": "very-high",
"expanded": "Very High",
"numerical_value": 100
}
]
}
]
}
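Review bot: In the `malware` entry the full definition sentence is placed in `expanded`, which is the display label, whereas the `virus` and `worm` entries put their definitions in `description`; suggest `"expanded": "Malware"` with the existing sentence moved to a `"description"` field, so the label stays short like its siblings. Two other labels are inconsistent with the rest of the file: `"expanded": "hardware-components-theft"` repeats the machine value and should read `"expanded": "Hardware components theft"`, and `virus` / `worm` use lowercase `expanded` where every other entry is capitalised. The `worm` description also contains a duplicated clause ("in such a way that it can reproduce and transfer , which reproduces and transfers independently") and a trailing space before the closing quote, which read as editing leftovers. The file is added at `"version": 3` rather than 1; fine if earlier revisions circulated elsewhere, but worth a word in the commit or description.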


@ -15,7 +15,7 @@
{
"colour": "#FFC000",
"description": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization. Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER+STRICT information with members of their own organization.",
"expanded": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization.",
"expanded": "(TLP:AMBER+STRICT) Limited disclosure, recipients can only spread this on a need-to-know basis within their organization.",
"value": "amber+strict"
},
{
@ -40,12 +40,17 @@
"colour": "#d208f4",
"expanded": "(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.",
"value": "ex:chr"
},
{
"colour": "#7e7eae",
"expanded": "(TLP:UNCLEAR) Community, Organization, Clients, and Recipients are all so confused what the appropriate disclosure level is, and if this or that indicator can or cannot be shared. Assumptions are rampant and the confusion is so high that a chi-square test might in fact be required to ensure the randomness of the mess before labelling this case TLP:UNCLEAR.",
"value": "unclear"
}
],
"refs": [
"https://www.first.org/tlp"
],
"version": 7,
"version": 10,
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"expanded": "Traffic Light Protocol",
"exclusive": true,
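Review bot: The added `unclear` label is neither a FIRST TLP 2.0 label nor one of the "additional labels for backward compatibility" that the `description` line in this hunk promises, yet the taxonomy is `exclusive: true` and `tlp:` values are commonly read by sharing and distribution logic, so a tongue-in-cheek non-standard label can end up steering real disclosure decisions. If it stays, the description should cover it, e.g. `This taxonomy also includes the non-standard tlp:unclear label, which is not a FIRST label and must not be relied on for disclosure control.`, and the `expanded` text should state what a recipient may actually do with tlp:unclear information instead of describing the confusion. The version moves from 7 to 10 in one step; presumably intermediate revisions exist upstream, but this diff does not show them.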


@ -32,7 +32,7 @@ import argparse
import os
import sys
skip_list = ['death-possibilities', 'poison-taxonomy']
skip_list = ['death-possibilities', 'poison-taxonomy', 'doping-substances']
taxonomies = []
# Get our current directory from file location
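Review bot: `'doping-substances'` is added to `skip_list` without recording why, and the two existing entries carry no rationale either; how `skip_list` is consumed lies outside the hunk, so a reader cannot tell whether skipping means "not validated", "not listed", or both. Suggest a comment on the line above the assignment, e.g. `# taxonomies excluded here are generated from external sources; see <taxonomy>/README.md`, adjusted to the actual reason.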