diff --git a/cccs/machinetag.json b/cccs/machinetag.json
index dcbe576..8198420 100644
--- a/cccs/machinetag.json
+++ b/cccs/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "cccs",
 "description": "Internal taxonomy for CCCS.",
- "version": 1,
+ "version": 2,
 "expanded": "CCCS",
 "predicates": [
 {
@@ -14,11 +14,46 @@
 "expanded": "Disclosure type",
 "description": "Type of information being disclosed."
 },
+ {
+ "value": "domain-category",
+ "expanded": "Domain category",
+ "description": "The Domain Category."
+ },
+ {
+ "value": "email-type",
+ "expanded": "Email type",
+ "description": "Type of email event."
+ },
 {
 "value": "exploitation-technique",
 "expanded": "Exploitation technique",
 "description": "The technique used to remotely exploit a GoC system."
 },
+ {
+ "value": "ip-category",
+ "expanded": "Ip category",
+ "description": "The IP Category."
+ },
+ {
+ "value": "maliciousness",
+ "expanded": "Maliciousness",
+ "description": "Level of maliciousness."
+ },
+ {
+ "value": "malware-category",
+ "expanded": "Malware category",
+ "description": "The Malware Category."
+ },
+ {
+ "value": "misusage-type",
+ "expanded": "Misusage type",
+ "description": "The type of misusage."
+ },
+ {
+ "value": "mitigation-type",
+ "expanded": "Mitigation type",
+ "description": "The type of mitigation."
+ },
 {
 "value": "origin",
 "expanded": "Origin",
@@ -28,6 +63,21 @@
 "value": "originating-organization",
 "expanded": "Originating organization",
 "description": "Origin of a signature."
+ },
+ {
+ "value": "scan-type",
+ "expanded": "Scan type",
+ "description": "The type of scan event."
+ },
+ {
+ "value": "severity",
+ "expanded": "Severity",
+ "description": "Severity of the event."
+ },
+ {
+ "value": "threat-vector",
+ "expanded": "Threat vector",
+ "description": "Specifies how the threat actor gained or attempted to gain initial access to the target GoC host."
 }
 ],
 "values": [
@@ -141,6 +191,76 @@
 }
 ]
 },
+ {
+ "predicate": "domain-category",
+ "entry": [
+ {
+ "value": "c2",
+ "expanded": "C2",
+ "description": "Domain is being used as command-and-control infrastructure."
+ },
+ {
+ "value": "proxy",
+ "expanded": "Proxy",
+ "description": "Domain is being used as a proxy."
+ },
+ {
+ "value": "seeded",
+ "expanded": "Seeded",
+ "description": "Domain has been seeded with malware or other malicious code."
+ },
+ {
+ "value": "wateringhole",
+ "expanded": "Wateringhole",
+ "description": "Domain is being used a wateringhole."
+ },
+ {
+ "value": "cloud-infrastructure",
+ "expanded": "Cloud infrastructure",
+ "description": "Domain is hosted on cloud infrastructure."
+ },
+ {
+ "value": "name-server",
+ "expanded": "Name server",
+ "description": "Domain is a name server."
+ },
+ {
+ "value": "sinkholed",
+ "expanded": "Sinkholed",
+ "description": "Domain is being re-directed to a sinkhole."
+ }
+ ]
+ },
+ {
+ "predicate": "email-type",
+ "entry": [
+ {
+ "value": "spam",
+ "expanded": "Spam",
+ "description": "Unsolicited or junk email named after a Monty Python sketch."
+ },
+ {
+ "value": "content\\-delivery\\-attack",
+ "expanded": "Content\\-delivery\\-attack",
+ "description": "Email contained malicious content or attachments."
+ },
+ {
+ "value": "phishing",
+ "expanded": "Phishing",
+ "description": "Email designed to trick the recipient into providing sensitive information."
+ },
+ {
+ "value": "baiting",
+ "expanded": "Baiting",
+ "description": "Email designed to trick the recipient into providing sensitive information."
+ },
+ {
+ "value": "unknown",
+ "expanded": "Unknown",
+ "description": "Type of email was unknown."
+ }
+ ]
+ },
 {
 "predicate": "exploitation-technique",
 "entry": [
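Review bot: The `email-type` entry `content\\-delivery\\-attack` (and its `expanded` form) carries a literal backslash before each hyphen, so the tag a consumer emits would be `cccs:email-type="content\-delivery\-attack"` while every other value in this file uses plain hyphens; this reads as an escaping artifact of whatever generated the file rather than an intended value, and should be `"value": "content-delivery-attack"` with `"expanded": "Content delivery attack"`. The `baiting` entry repeats the `phishing` description word for word, so an analyst has no way to pick between the two; the baiting description should state what distinguishes it (presumably a lure that relies on the recipient's curiosity or greed rather than a credential request — confirm with the taxonomy owner). The `wateringhole` description is missing a word: `Domain is being used as a wateringhole.`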
@@ -171,6 +291,301 @@
 }
 ]
 },
+ {
+ "predicate": "ip-category",
+ "entry": [
+ {
+ "value": "c2",
+ "expanded": "C2",
+ "description": "IP address is a command-and-control server."
+ },
+ {
+ "value": "proxy",
+ "expanded": "Proxy",
+ "description": "IP address is a proxy server."
+ },
+ {
+ "value": "seeded",
+ "expanded": "Seeded",
+ "description": "IP address has been seeded with malware or other malicious code."
+ },
+ {
+ "value": "wateringhole",
+ "expanded": "Wateringhole",
+ "description": "IP address is a wateringhole."
+ },
+ {
+ "value": "cloud-infrastructure",
+ "expanded": "Cloud infrastructure",
+ "description": "IP address is part of cloud infrastructure."
+ },
+ {
+ "value": "network-gateway",
+ "expanded": "Network gateway",
+ "description": "IP address is a network gateway."
+ },
+ {
+ "value": "server",
+ "expanded": "Server",
+ "description": "IP address is a server of some type."
+ },
+ {
+ "value": "dns-server",
+ "expanded": "Dns server",
+ "description": "IP address is a DNS server."
+ },
+ {
+ "value": "smtp-server",
+ "expanded": "Smtp server",
+ "description": "IP address is a mail server."
+ },
+ {
+ "value": "web-server",
+ "expanded": "Web server",
+ "description": "IP address is a web server."
+ },
+ {
+ "value": "file-server",
+ "expanded": "File server",
+ "description": "IP address is a file server."
+ },
+ {
+ "value": "database-server",
+ "expanded": "Database server",
+ "description": "IP address is a database server."
+ },
+ {
+ "value": "security-appliance",
+ "expanded": "Security appliance",
+ "description": "IP address is a security appliance of some type."
+ },
+ {
+ "value": "tor-node",
+ "expanded": "Tor node",
+ "description": "IP address is a node of the TOR anonymization system."
+ },
+ {
+ "value": "sinkhole",
+ "expanded": "Sinkhole",
+ "description": "IP address is a sinkhole."
+ },
+ {
+ "value": "router",
+ "expanded": "Router",
+ "description": "IP address is a router device."
+ }
+ ]
+ },
+ {
+ "predicate": "maliciousness",
+ "entry": [
+ {
+ "value": "non-malicious",
+ "expanded": "Non-malicious",
+ "description": "Non-malicious is not malicious or suspicious."
+ },
+ {
+ "value": "suspicious",
+ "expanded": "Suspicious",
+ "description": "Suspicious is not non-malicious and not malicious."
+ },
+ {
+ "value": "malicious",
+ "expanded": "Malicious",
+ "description": "Malicious is not non-malicious or suspicious."
+ }
+ ]
+ },
+ {
+ "predicate": "malware-category",
+ "entry": [
+ {
+ "value": "exploit-kit",
+ "expanded": "Exploit kit",
+ "description": "Toolkit used to attack vulnerabilities in systems."
+ },
+ {
+ "value": "first-stage",
+ "expanded": "First stage",
+ "description": "Malware used in the initial phase of an attack and commonly used to retrieve a second stage."
+ },
+ {
+ "value": "second-stage",
+ "expanded": "Second stage",
+ "description": "Typical more complex malware retrieved by first stage malware."
+ },
+ {
+ "value": "scanner",
+ "expanded": "Scanner",
+ "description": "Malware used to look for common vulnerabilities or running software."
+ },
+ {
+ "value": "downloader",
+ "expanded": "Downloader",
+ "description": "Malware used to retrieve additional malware or tools."
+ },
+ {
+ "value": "proxy",
+ "expanded": "Proxy",
+ "description": "Malware used to proxy traffic on an infected host."
+ },
+ {
+ "value": "reverse-proxy",
+ "expanded": "Reverse proxy",
+ "description": "If you choose this option please provide a description of what it is to the ALFRED PO."
+ },
+ {
+ "value": "webshell",
+ "expanded": "Webshell",
+ "description": "Malware uploaded to a web server allowing remote access to an attacker."
+ },
+ {
+ "value": "ransomware",
+ "expanded": "Ransomware",
+ "description": "Malware used to hold infected host's data hostage, typically through encryption until a payment is made to the attackers."
+ },
+ {
+ "value": "adware",
+ "expanded": "Adware",
+ "description": "Malware used to display ads to the infected host."
+ },
+ {
+ "value": "spyware",
+ "expanded": "Spyware",
+ "description": "Malware used to collect information from the infected host, such as credentials."
+ },
+ {
+ "value": "virus",
+ "expanded": "Virus",
+ "description": "Malware that propogates by inserting a copy of itself into another program."
+ },
+ {
+ "value": "worm",
+ "expanded": "Worm",
+ "description": "Standalone malware that propogates by copying itself.."
+ },
+ {
+ "value": "trojan",
+ "expanded": "Trojan",
+ "description": "Malware that looks like legitimate software but hides malicious code."
+ },
+ {
+ "value": "rootkit",
+ "expanded": "Rootkit",
+ "description": "Malware that can hide the existance of other malware by modifying operating system functions."
+ },
+ {
+ "value": "keylogger",
+ "expanded": "Keylogger",
+ "description": "Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration."
+ },
+ {
+ "value": "browser-hijacker",
+ "expanded": "Browser hijacker",
+ "description": "Malware that re-directs or otherwise intercepts Internet browsing by the user."
+ }
+ ]
+ },
+ {
+ "predicate": "misusage-type",
+ "entry": [
+ {
+ "value": "unauthorized-usage",
+ "expanded": "Unauthorized usage",
+ "description": "Usage of the system or resource was without appropriate permission or authorization."
+ },
+ {
+ "value": "misconfiguration",
+ "expanded": "Misconfiguration",
+ "description": "System or resource is misconfigured."
+ },
+ {
+ "value": "lack-of-encryption",
+ "expanded": "Lack of encryption",
+ "description": "System or resources has insufficient encryption or no encryption."
+ },
+ {
+ "value": "vulnerable-software",
+ "expanded": "Vulnerable software",
+ "description": "System or resource has software with known vulnerabilities."
+ },
+ {
+ "value": "privilege-escalation",
+ "expanded": "Privilege escalation",
+ "description": "System or resource was exploited to gain higher privilege level."
+ },
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": "Other."
+ }
+ ]
+ },
+ {
+ "predicate": "mitigation-type",
+ "entry": [
+ {
+ "value": "anti-virus",
+ "expanded": "Anti-virus",
+ "description": "Anti-Virus"
+ },
+ {
+ "value": "content-filtering-system",
+ "expanded": "Content filtering system",
+ "description": "Content Filtering System"
+ },
+ {
+ "value": "dynamic-defense",
+ "expanded": "Dynamic defense",
+ "description": "Dynamic Defense"
+ },
+ {
+ "value": "insufficient-privileges",
+ "expanded": "Insufficient privileges",
+ "description": "Insufficient Privileges"
+ },
+ {
+ "value": "ids",
+ "expanded": "Ids",
+ "description": "Intrusion Detection System"
+ },
+ {
+ "value": "sink-hole-/-take-down-by-third-party",
+ "expanded": "Sink hole / take down by third party",
+ "description": "Sink Hole / Take Down by Third Party"
+ },
+ {
+ "value": "isp",
+ "expanded": "Isp",
+ "description": "Internet Service Provider"
+ },
+ {
+ "value": "invalid-credentials",
+ "expanded": "Invalid credentials",
+ "description": "Invalid Credentials"
+ },
+ {
+ "value": "not-vulnerable",
+ "expanded": "Not vulnerable",
+ "description": "No mitigation was required because the system was not vulnerable to the attack."
+ },
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": "Other"
+ },
+ {
+ "value": "unknown",
+ "expanded": "Unknown",
+ "description": "Unknown"
+ },
+ {
+ "value": "user",
+ "expanded": "User",
+ "description": "User"
+ }
+ ]
+ },
 {
 "predicate": "origin",
 "entry": [
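Review bot: The `reverse-proxy` entry under `malware-category` ships a workflow instruction as its description (`If you choose this option please provide a description of what it is to the ALFRED PO.`) instead of a definition, which is an internal note leaking into a published taxonomy; a definition in the style of the sibling `proxy` entry would be `Malware that accepts inbound connections on an infected host and relays them to an internal service.` — confirm the intended meaning with the owner. The three `maliciousness` descriptions define each level only by negating the other two, so they give an analyst no criterion for choosing one; each should state what qualifies, e.g. confirmed malicious activity versus anomalous-but-unconfirmed. The `mitigation-type` value `sink-hole-/-take-down-by-third-party` embeds a `/` and a `-/-` run where every other value is a plain hyphenated token (`sinkhole-or-takedown-by-third-party` would fit), and most descriptions in that predicate merely repeat the expanded name. Spelling in the malware entries: `propogates` (twice), `existance`, and a doubled full stop after `copying itself`.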
@@ -230,6 +645,161 @@
 "description": "Other."
 }
 ]
+ },
+ {
+ "predicate": "scan-type",
+ "entry": [
+ {
+ "value": "open-port",
+ "expanded": "Open port",
+ "description": "Scan was looking for open ports corresponding to common applications or protocols."
+ },
+ {
+ "value": "icmp",
+ "expanded": "Icmp",
+ "description": "Scan was attempting to enumerate devices through the ICMP protocol."
+ },
+ {
+ "value": "os-fingerprinting",
+ "expanded": "Os fingerprinting",
+ "description": "Scan was looking for operating system information through unique characteristics in responses."
+ },
+ {
+ "value": "web",
+ "expanded": "Web",
+ "description": "Scan was enumerating or otherwise traversing web hosts."
+ },
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": "Other."
+ }
+ ]
+ },
+ {
+ "predicate": "severity",
+ "entry": [
+ {
+ "value": "reconnaissance",
+ "expanded": "Reconnaissance",
+ "description": "An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data."
+ },
+ {
+ "value": "attempted-compromise",
+ "expanded": "Attempted compromise",
+ "description": "An actor attempted affecting the confidentiality, integrity or availability of a system."
+ },
+ {
+ "value": "exploited",
+ "expanded": "Exploited",
+ "description": "A vulnerability was successfully exploited."
+ }
+ ]
+ },
+ {
+ "predicate": "threat-vector",
+ "entry": [
+ {
+ "value": "application:cms",
+ "expanded": "Application:cms",
+ "description": "Content Management System."
+ },
+ {
+ "value": "application:bash",
+ "expanded": "Application:bash",
+ "description": "BASH script."
+ },
+ {
+ "value": "application:acrobat-reader",
+ "expanded": "Application:acrobat reader",
+ "description": "Adobe Acrobat Reader."
+ },
+ {
+ "value": "application:ms-excel",
+ "expanded": "Application:ms excel",
+ "description": "Microsoft Excel."
+ },
+ {
+ "value": "application:other",
+ "expanded": "Application:other",
+ "description": "Other Application."
+ },
+ {
+ "value": "language:sql",
+ "expanded": "Language:sql",
+ "description": "Structured Query Language."
+ },
+ {
+ "value": "language:php",
+ "expanded": "Language:php",
+ "description": "PHP: Hypertext Preprocessor."
+ },
+ {
+ "value": "language:javascript",
+ "expanded": "Language:javascript",
+ "description": "JavaScript."
+ },
+ {
+ "value": "language:other",
+ "expanded": "Language:other",
+ "description": "Other Language."
+ },
+ {
+ "value": "protocol:dns",
+ "expanded": "Protocol:dns",
+ "description": "Domain Name System."
+ },
+ {
+ "value": "protocol:ftp",
+ "expanded": "Protocol:ftp",
+ "description": "File Transfer Protocol."
+ },
+ {
+ "value": "protocol:http",
+ "expanded": "Protocol:http",
+ "description": "Hyper Text Transfer Protocol."
+ },
+ {
+ "value": "protocol:icmp",
+ "expanded": "Protocol:icmp",
+ "description": "Internet Control Message Protocol."
+ },
+ {
+ "value": "protocol:ntp",
+ "expanded": "Protocol:ntp",
+ "description": "Network Time Protocol."
+ },
+ {
+ "value": "protocol:rdp",
+ "expanded": "Protocol:rdp",
+ "description": "Remote Desktop Protocol."
+ },
+ {
+ "value": "protocol:smb",
+ "expanded": "Protocol:smb",
+ "description": "Server Message Block."
+ },
+ {
+ "value": "protocol:snmp",
+ "expanded": "Protocol:snmp",
+ "description": "Simple Network Management Protocol."
+ },
+ {
+ "value": "protocol:ssl",
+ "expanded": "Protocol:ssl",
+ "description": "Secure Sockets Layer."
+ },
+ {
+ "value": "protocol:telnet",
+ "expanded": "Protocol:telnet",
+ "description": "Network Virtual Terminal Protocol."
+ },
+ {
+ "value": "protocol:sip",
+ "expanded": "Protocol:sip",
+ "description": "Session Initiation Protocol."
+ }
+ ]
 }
 ]
 }
diff --git a/tools/alfred_taxonomies.py b/tools/alfred_taxonomies.py
index 7faed03..ea5ace3 100644
--- a/tools/alfred_taxonomies.py
+++ b/tools/alfred_taxonomies.py
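Review bot: `severity` here (and `maliciousness` in the previous hunk) is a set of ordered, mutually exclusive levels, yet neither predicate object sets `"exclusive": true`, so a consumer that honours the MISP taxonomy flag will still allow one event to carry both `severity="reconnaissance"` and `severity="exploited"`. Adding `"exclusive": true` to those two predicate entries states the intent; if anything downstream ranks events by severity, a `numerical_value` on each level would let it do so without parsing the names — confirm that the consuming tooling reads these fields before relying on them. The `threat-vector` values fold a sub-category into the value (`application:`, `language:`, `protocol:`) and the `expanded` strings are lower-cased copies of the value (`Application:cms`, `Protocol:dns`), which reads as generated rather than human-facing text; `Application: CMS` / `Protocol: DNS` would match the style of the other predicates' `expanded` fields.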
@@ -70,11 +70,15 @@ for datatype in ontology['dataTypes']:
 cccs.predicates[predicate.predicate] = predicate
-predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization', 'exploitation-technique']
-ignore = ['dos-type', 'report-state']
-skip_for_now = ['domain-category', 'email-type', 'ftp-type', 'host-category', 'ip-category', 'maliciousness', 'malware-category', 'method-match', 'misusage-type', 'mitigation-type', 'record-type', 'scan-type', 'severity', 'threat-vector']
+predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization', 'exploitation-technique', 'domain-category', 'email-type', 'ip-category', 'maliciousness', 'malware-category', 'misusage-type', 'mitigation-type', 'scan-type', 'severity', 'threat-vector']
+
+skip_for_now = []
+
+ignore = ['dos-type', 'report-state', 'ftp-type', 'record-type', 'host-category', 'method-match']
 for propertytype in ontology['propertyTypes']:
 if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list':
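Review bot: `skip_for_now = []` is now an empty list that nothing in the hunk populates or reads, which leaves a reader guessing whether the loop further down (outside this hunk) still consults it; if it does, a one-line comment such as `# empty on purpose: every CCCS predicate is now either generated or listed in ignore` explains the state, and if nothing reads it the assignment should be dropped along with whatever branch tested it. The new `predicate_of_cccs` restates by hand the predicate list that `cccs/machinetag.json` declares in the same commit, so the two will drift silently; deriving it from `cccs.predicates`, which the context line above shows being populated, or at least asserting the two sets agree, would catch the next mismatch. Separately, the generated JSON in this commit contains the value `content\-delivery\-attack`, which suggests the value-normalisation path of this script escapes hyphens; that code is not in the hunk, so it is worth checking rather than assuming.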