new: Add all other relevant taxonomies

pull/124/head
Raphaël Vinot 2018-10-24 17:50:05 -04:00
parent c63bc2e687
commit bcbbec5b3e
2 changed files with 580 additions and 6 deletions


@ -1,7 +1,7 @@
{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 1,
"version": 2,
"expanded": "CCCS",
"predicates": [
{
@ -14,11 +14,46 @@
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "domain-category",
"expanded": "Domain category",
"description": "The Domain Category."
},
{
"value": "email-type",
"expanded": "Email type",
"description": "Type of email event."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "ip-category",
"expanded": "Ip category",
"description": "The IP Category."
},
{
"value": "maliciousness",
"expanded": "Maliciousness",
"description": "Level of maliciousness."
},
{
"value": "malware-category",
"expanded": "Malware category",
"description": "The Malware Category."
},
{
"value": "misusage-type",
"expanded": "Misusage type",
"description": "The type of misusage."
},
{
"value": "mitigation-type",
"expanded": "Mitigation type",
"description": "The type of mitigation."
},
{
"value": "origin",
"expanded": "Origin",
@ -28,6 +63,21 @@
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
},
{
"value": "scan-type",
"expanded": "Scan type",
"description": "The type of scan event."
},
{
"value": "severity",
"expanded": "Severity",
"description": "Severity of the event."
},
{
"value": "threat-vector",
"expanded": "Threat vector",
"description": "Specifies how the threat actor gained or attempted to gain initial access to the target GoC host."
}
],
"values": [
@ -141,6 +191,76 @@
}
]
},
{
"predicate": "domain-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "Domain is being used as command-and-control infrastructure."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Domain is being used as a proxy."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "Domain has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "Domain is being used a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "Domain is hosted on cloud infrastructure."
},
{
"value": "name-server",
"expanded": "Name server",
"description": "Domain is a name server."
},
{
"value": "sinkholed",
"expanded": "Sinkholed",
"description": "Domain is being re-directed to a sinkhole."
}
]
},
{
"predicate": "email-type",
"entry": [
{
"value": "spam",
"expanded": "Spam",
"description": "Unsolicited or junk email named after a Monty Python sketch."
},
{
"value": "content\\-delivery\\-attack",
"expanded": "Content\\-delivery\\-attack",
"description": "Email contained malicious content or attachments."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "baiting",
"expanded": "Baiting",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Type of email was unknown."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
@ -171,6 +291,301 @@
}
]
},
{
"predicate": "ip-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "IP address is a command-and-control server."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "IP address is a proxy server."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "IP address has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "IP address is a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "IP address is part of cloud infrastructure."
},
{
"value": "network-gateway",
"expanded": "Network gateway",
"description": "IP address is a network gateway."
},
{
"value": "server",
"expanded": "Server",
"description": "IP address is a server of some type."
},
{
"value": "dns-server",
"expanded": "Dns server",
"description": "IP address is a DNS server."
},
{
"value": "smtp-server",
"expanded": "Smtp server",
"description": "IP address is a mail server."
},
{
"value": "web-server",
"expanded": "Web server",
"description": "IP address is a web server."
},
{
"value": "file-server",
"expanded": "File server",
"description": "IP address is a file server."
},
{
"value": "database-server",
"expanded": "Database server",
"description": "IP address is a database server."
},
{
"value": "security-appliance",
"expanded": "Security appliance",
"description": "IP address is a security appliance of some type."
},
{
"value": "tor-node",
"expanded": "Tor node",
"description": "IP address is a node of the TOR anonymization system."
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "IP address is a sinkhole."
},
{
"value": "router",
"expanded": "Router",
"description": "IP address is a router device."
}
]
},
{
"predicate": "maliciousness",
"entry": [
{
"value": "non-malicious",
"expanded": "Non-malicious",
"description": "Non-malicious is not malicious or suspicious."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "Suspicious is not non-malicious and not malicious."
},
{
"value": "malicious",
"expanded": "Malicious",
"description": "Malicious is not non-malicious or suspicious."
}
]
},
{
"predicate": "malware-category",
"entry": [
{
"value": "exploit-kit",
"expanded": "Exploit kit",
"description": "Toolkit used to attack vulnerabilities in systems."
},
{
"value": "first-stage",
"expanded": "First stage",
"description": "Malware used in the initial phase of an attack and commonly used to retrieve a second stage."
},
{
"value": "second-stage",
"expanded": "Second stage",
"description": "Typical more complex malware retrieved by first stage malware."
},
{
"value": "scanner",
"expanded": "Scanner",
"description": "Malware used to look for common vulnerabilities or running software."
},
{
"value": "downloader",
"expanded": "Downloader",
"description": "Malware used to retrieve additional malware or tools."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Malware used to proxy traffic on an infected host."
},
{
"value": "reverse-proxy",
"expanded": "Reverse proxy",
"description": "If you choose this option please provide a description of what it is to the ALFRED PO."
},
{
"value": "webshell",
"expanded": "Webshell",
"description": "Malware uploaded to a web server allowing remote access to an attacker."
},
{
"value": "ransomware",
"expanded": "Ransomware",
"description": "Malware used to hold infected host's data hostage, typically through encryption until a payment is made to the attackers."
},
{
"value": "adware",
"expanded": "Adware",
"description": "Malware used to display ads to the infected host."
},
{
"value": "spyware",
"expanded": "Spyware",
"description": "Malware used to collect information from the infected host, such as credentials."
},
{
"value": "virus",
"expanded": "Virus",
"description": "Malware that propogates by inserting a copy of itself into another program."
},
{
"value": "worm",
"expanded": "Worm",
"description": "Standalone malware that propogates by copying itself.."
},
{
"value": "trojan",
"expanded": "Trojan",
"description": "Malware that looks like legitimate software but hides malicious code."
},
{
"value": "rootkit",
"expanded": "Rootkit",
"description": "Malware that can hide the existance of other malware by modifying operating system functions."
},
{
"value": "keylogger",
"expanded": "Keylogger",
"description": "Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration."
},
{
"value": "browser-hijacker",
"expanded": "Browser hijacker",
"description": "Malware that re-directs or otherwise intercepts Internet browsing by the user."
}
]
},
{
"predicate": "misusage-type",
"entry": [
{
"value": "unauthorized-usage",
"expanded": "Unauthorized usage",
"description": "Usage of the system or resource was without appropriate permission or authorization."
},
{
"value": "misconfiguration",
"expanded": "Misconfiguration",
"description": "System or resource is misconfigured."
},
{
"value": "lack-of-encryption",
"expanded": "Lack of encryption",
"description": "System or resources has insufficient encryption or no encryption."
},
{
"value": "vulnerable-software",
"expanded": "Vulnerable software",
"description": "System or resource has software with known vulnerabilities."
},
{
"value": "privilege-escalation",
"expanded": "Privilege escalation",
"description": "System or resource was exploited to gain higher privilege level."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "mitigation-type",
"entry": [
{
"value": "anti-virus",
"expanded": "Anti-virus",
"description": "Anti-Virus"
},
{
"value": "content-filtering-system",
"expanded": "Content filtering system",
"description": "Content Filtering System"
},
{
"value": "dynamic-defense",
"expanded": "Dynamic defense",
"description": "Dynamic Defense"
},
{
"value": "insufficient-privileges",
"expanded": "Insufficient privileges",
"description": "Insufficient Privileges"
},
{
"value": "ids",
"expanded": "Ids",
"description": "Intrusion Detection System"
},
{
"value": "sink-hole-/-take-down-by-third-party",
"expanded": "Sink hole / take down by third party",
"description": "Sink Hole / Take Down by Third Party"
},
{
"value": "isp",
"expanded": "Isp",
"description": "Internet Service Provider"
},
{
"value": "invalid-credentials",
"expanded": "Invalid credentials",
"description": "Invalid Credentials"
},
{
"value": "not-vulnerable",
"expanded": "Not vulnerable",
"description": "No mitigation was required because the system was not vulnerable to the attack."
},
{
"value": "other",
"expanded": "Other",
"description": "Other"
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Unknown"
},
{
"value": "user",
"expanded": "User",
"description": "User"
}
]
},
{
"predicate": "origin",
"entry": [
@ -230,6 +645,161 @@
"description": "Other."
}
]
},
{
"predicate": "scan-type",
"entry": [
{
"value": "open-port",
"expanded": "Open port",
"description": "Scan was looking for open ports corresponding to common applications or protocols."
},
{
"value": "icmp",
"expanded": "Icmp",
"description": "Scan was attempting to enumerate devices through the ICMP protocol."
},
{
"value": "os-fingerprinting",
"expanded": "Os fingerprinting",
"description": "Scan was looking for operating system information through unique characteristics in responses."
},
{
"value": "web",
"expanded": "Web",
"description": "Scan was enumerating or otherwise traversing web hosts."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "severity",
"entry": [
{
"value": "reconnaissance",
"expanded": "Reconnaissance",
"description": "An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data."
},
{
"value": "attempted-compromise",
"expanded": "Attempted compromise",
"description": "An actor attempted affecting the confidentiality, integrity or availability of a system."
},
{
"value": "exploited",
"expanded": "Exploited",
"description": "A vulnerability was successfully exploited."
}
]
},
{
"predicate": "threat-vector",
"entry": [
{
"value": "application:cms",
"expanded": "Application:cms",
"description": "Content Management System."
},
{
"value": "application:bash",
"expanded": "Application:bash",
"description": "BASH script."
},
{
"value": "application:acrobat-reader",
"expanded": "Application:acrobat reader",
"description": "Adobe Acrobat Reader."
},
{
"value": "application:ms-excel",
"expanded": "Application:ms excel",
"description": "Microsoft Excel."
},
{
"value": "application:other",
"expanded": "Application:other",
"description": "Other Application."
},
{
"value": "language:sql",
"expanded": "Language:sql",
"description": "Structured Query Language."
},
{
"value": "language:php",
"expanded": "Language:php",
"description": "PHP: Hypertext Preprocessor."
},
{
"value": "language:javascript",
"expanded": "Language:javascript",
"description": "JavaScript."
},
{
"value": "language:other",
"expanded": "Language:other",
"description": "Other Language."
},
{
"value": "protocol:dns",
"expanded": "Protocol:dns",
"description": "Domain Name System."
},
{
"value": "protocol:ftp",
"expanded": "Protocol:ftp",
"description": "File Transfer Protocol."
},
{
"value": "protocol:http",
"expanded": "Protocol:http",
"description": "Hyper Text Transfer Protocol."
},
{
"value": "protocol:icmp",
"expanded": "Protocol:icmp",
"description": "Internet Control Message Protocol."
},
{
"value": "protocol:ntp",
"expanded": "Protocol:ntp",
"description": "Network Time Protocol."
},
{
"value": "protocol:rdp",
"expanded": "Protocol:rdp",
"description": "Remote Desktop Protocol."
},
{
"value": "protocol:smb",
"expanded": "Protocol:smb",
"description": "Server Message Block."
},
{
"value": "protocol:snmp",
"expanded": "Protocol:snmp",
"description": "Simple Network Management Protocol."
},
{
"value": "protocol:ssl",
"expanded": "Protocol:ssl",
"description": "Secure Sockets Layer."
},
{
"value": "protocol:telnet",
"expanded": "Protocol:telnet",
"description": "Network Virtual Terminal Protocol."
},
{
"value": "protocol:sip",
"expanded": "Protocol:sip",
"description": "Session Initiation Protocol."
}
]
}
]
}
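Review bot: The email-type entry `"value": "content\\-delivery\\-attack"` (and its `"expanded"`) decodes to a string containing literal backslashes, so the tag presumably rendered from it would carry `content\-delivery\-attack` instead of the plain-hyphen form every other value in the hunk uses; this looks like a markdown escape carried into the data and should read `"value": "content-delivery-attack"` / `"expanded": "Content delivery attack"`. The `baiting` entry repeats the `phishing` description word for word, which leaves the two values indistinguishable to anyone picking one; it needs its own description. The mitigation-type value `sink-hole-/-take-down-by-third-party` embeds a `/` that no other value uses, so it is worth confirming the consuming tooling accepts it before release. Smaller wording issues in the new descriptions: `propogates` (twice), `existance`, and `being used a wateringhole`. The enclosing object and the `values` array both begin before this section's first hunk.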


@ -70,11 +70,15 @@ for datatype in ontology['dataTypes']:
cccs.predicates[predicate.predicate] = predicate
predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization', 'exploitation-technique']
ignore = ['dos-type', 'report-state']
skip_for_now = ['domain-category', 'email-type', 'ftp-type', 'host-category', 'ip-category',
'maliciousness', 'malware-category', 'method-match', 'misusage-type',
'mitigation-type', 'record-type', 'scan-type', 'severity', 'threat-vector']
predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization',
'exploitation-technique', 'domain-category', 'email-type',
'ip-category', 'maliciousness', 'malware-category', 'misusage-type',
'mitigation-type', 'scan-type', 'severity', 'threat-vector']
skip_for_now = []
ignore = ['dos-type', 'report-state', 'ftp-type', 'record-type', 'host-category',
'method-match']
for propertytype in ontology['propertyTypes']:
if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list':
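Review bot: `skip_for_now = []` on the new side is now a permanently empty list; whatever consumes it lies outside the hunk, but once nothing is deferred the variable and any loop over it are dead code and should be removed together rather than left as an empty placeholder. The four predicates moved from `skip_for_now` into `ignore` (`ftp-type`, `record-type`, `host-category`, `method-match`) now drop out of the generated taxonomy silently, so a one-line comment on the `ignore` assignment stating why each is excluded would stop a later reader from re-adding them by mistake. The hunk header places these lines after `for datatype in ontology['dataTypes']:`, which starts outside the hunk, so it is not visible here whether the assignments sit inside or after that loop.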