Merge branch 'master' of github.com:MISP/misp-taxonomies
commit
c2a2931d32
115
MANIFEST.json
115
MANIFEST.json
|
@ -5,6 +5,11 @@
|
|||
"name": "accessnow",
|
||||
"description": "Access Now"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "action-taken",
|
||||
"description": "Action taken."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "admiralty-scale",
|
||||
|
@ -40,6 +45,11 @@
|
|||
"name": "cssa",
|
||||
"description": ""
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "ddos",
|
||||
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "de-vs",
|
||||
|
@ -55,6 +65,11 @@
|
|||
"name": "diamond-model",
|
||||
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "DML",
|
||||
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
|
||||
},
|
||||
{
|
||||
"version": 3,
|
||||
"name": "dni-ism",
|
||||
|
@ -100,6 +115,11 @@
|
|||
"name": "europol-incident",
|
||||
"description": "EUROPOL class of incident taxonomy."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "event-assessment",
|
||||
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "fr-classif",
|
||||
|
@ -160,85 +180,50 @@
|
|||
"name": "PAP",
|
||||
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used."
|
||||
},
|
||||
{
|
||||
"version": 3,
|
||||
"name": "tlp",
|
||||
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
|
||||
},
|
||||
{
|
||||
"version": 2,
|
||||
"name": "veris",
|
||||
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "stealth_malware",
|
||||
"description": "Classification based on malware stealth techniques."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "targeted-threat-index",
|
||||
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "stix-ttp",
|
||||
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "accessnow",
|
||||
"description": "AccessNow Taxonomy"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "passivetotal",
|
||||
"description": "Tags for RiskIQ's passivetotal service"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "vocabulaire-des-probabilites-estimatives",
|
||||
"description": "Vocabulaire des probabilités estimatives"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "DML",
|
||||
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "action-taken",
|
||||
"description": "Action taken"
|
||||
},
|
||||
{
|
||||
"version": 2,
|
||||
"name": "analyst-assessment",
|
||||
"description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "binary-class",
|
||||
"description": "Custom taxonomy for types of binary file."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "ddos",
|
||||
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "event-assessment",
|
||||
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "rt_event_status",
|
||||
"description": "Status of events used in Request Tracker."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "stealth_malware",
|
||||
"description": "Classification based on malware stealth techniques."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "stix-ttp",
|
||||
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "targeted-threat-index",
|
||||
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
|
||||
},
|
||||
{
|
||||
"version": 3,
|
||||
"name": "tlp",
|
||||
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "tor",
|
||||
"description": "Taxonomy to describe Tor network infrastructure"
|
||||
},
|
||||
{
|
||||
"version": 2,
|
||||
"name": "veris",
|
||||
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "vocabulaire-des-probabilites-estimatives",
|
||||
"description": "Vocabulaire des probabilités estimatives"
|
||||
}
|
||||
],
|
||||
"path": "machinetag.json",
|
||||
|
|
|
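Review bot: Several taxonomy `name`s occur twice in this section (accessnow, action-taken, DML, ddos, event-assessment, and within the last hunk stealth_malware, stix-ttp, targeted-threat-index, tlp, veris, vocabulaire-des-probabilites-estimatives), and the two copies carry different descriptions — `"Access Now"` vs `"AccessNow Taxonomy"`, `"Action taken."` vs `"Action taken"`. The rendering has lost the +/- markers, so I cannot tell which copy survives on the new side, but whichever does should match the `description` in that taxonomy's own machinetag.json, and the count-only comparison in validate_all.sh would not notice a leftover duplicate. A uniqueness check next to the existing jq call in validate_all.sh would catch that: `jq -e '.taxonomies | map(.name) | length == (unique | length)' MANIFEST.json > /dev/null || { echo "duplicate taxonomy name in MANIFEST"; exit 1; }`. Since this commit also deletes stealth_malware/machinetag.json (the `@ -1,37 +0,0 @@` hunk), the new side should no longer list `stealth_malware` unless that taxonomy was moved elsewhere.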
@ -11,4 +11,5 @@ do
|
|||
done
|
||||
|
||||
cat schema.json | jq . | sponge schema.json
|
||||
cat schema_mapping.json | jq . | sponge schema_mapping.json
|
||||
cat MANIFEST.json | jq . | sponge MANIFEST.json
|
||||
|
|
|
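Review bot: `cat MANIFEST.json | jq . | sponge MANIFEST.json` (presumably the line this hunk adds; the two sibling lines have the same shape) will overwrite MANIFEST.json with whatever jq managed to emit — possibly nothing — if the file is not valid JSON, because sponge writes its input regardless of jq's exit status, and without `set -o pipefail` the failure is not even reported. The top of the script is outside the hunk, so I cannot see whether `set -e` or `pipefail` is in effect. Validate before rewriting, e.g. `jq -e . MANIFEST.json > /dev/null && jq . MANIFEST.json | sponge MANIFEST.json`, and apply the same to the schema.json and schema_mapping.json lines.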
@ -47,7 +47,6 @@
|
|||
},
|
||||
"ransomware": {
|
||||
"values": [
|
||||
"veris:action:malware:variety=\"Ransomware\"",
|
||||
"ecsirt:malicious-code=\"ransomware\"",
|
||||
"enisa:nefarious-activity-abuse=\"ransomware\"",
|
||||
"malware_classification:malware-category=\"Ransomware\"",
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"title": "Validator for the mapping in misp-taxonomies",
|
||||
"id": "https://www.github.com/MISP/misp-taxonomies/schema_mapping.json",
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^.*$": {
|
||||
"properties": {
|
||||
"values": {
|
||||
"type": "array",
|
||||
"uniqueItems": true,
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
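Review bot: The per-key subschema under `"^.*$"` does not constrain the entry itself: it has no `"type": "object"`, no `"required": ["values"]` and no `"additionalProperties": false`, so a mapping entry that is a bare string, an object without `values`, or one with a misspelled key such as `"value"` passes, and the `jsonschema -i mapping/mapping.json schema_mapping.json` check this commit adds would not catch it. Adding `"type": "object", "required": ["values"], "additionalProperties": false` beside `"properties"` closes that gap. `"$schema": "http://json-schema.org/schema#"` is an unpinned dialect while `"id"` is draft-04 vocabulary (later drafts use `$id`), so a validator picking a newer draft may silently ignore `id`; pinning `"$schema": "http://json-schema.org/draft-04/schema#"` matches the keywords in use. Because `"^.*$"` matches every key, the outer `"additionalProperties": false` is a no-op here — harmless, but it suggests the intent was to restrict entry contents, which the additions above actually do.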
@ -1,35 +0,0 @@
|
|||
# Stealth Malware Taxonomy
|
||||
|
||||
## Malware Types
|
||||
|
||||
All malware samples should be classified into one of the categories listed in the table below.
|
||||
|
||||
<dl>
|
||||
<dt>Type 0</dt>
|
||||
<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>
|
||||
|
||||
<dt>Type I</dt>
|
||||
<dd>The malware modifies constant sections of the kernel and/or processes such as code sections.<dd>
|
||||
|
||||
<dt>Type II</dt>
|
||||
<dd>The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.<dd>
|
||||
|
||||
<dt>Type III</dt>
|
||||
<dd>The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.<dd>
|
||||
</dl>
|
||||
|
||||
# Machine-parsable Stealth Malware Taxonomy
|
||||
|
||||
The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
|
||||
along with their human-readable description. The software can use both
|
||||
representation on the user-interface and store the tag as machine-parsable.
|
||||
|
||||
~~~~
|
||||
stealth_malware:type="II"
|
||||
~~~~
|
||||
|
||||
Based on:
|
||||
|
||||
https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
"namespace": "stealth_malware",
|
||||
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
|
||||
"version": 1,
|
||||
"refs": [
|
||||
"https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "type",
|
||||
"expanded": "Stealth technique type"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "0",
|
||||
"expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
|
||||
},
|
||||
{
|
||||
"value": "I",
|
||||
"expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
|
||||
},
|
||||
{
|
||||
"value": "II",
|
||||
"expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
|
||||
},
|
||||
{
|
||||
"value": "III",
|
||||
"expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -15,7 +15,7 @@ fi
|
|||
directories=`ls -d */ | wc -w`
|
||||
manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'`
|
||||
|
||||
if ! [ $directories -eq $manifest_entries ]; then
|
||||
if ! [ $((directories-2)) -eq $manifest_entries ]; then
|
||||
echo "MANIFEST isn't up-to-date."
|
||||
exit 1
|
||||
fi
|
||||
|
@ -27,3 +27,4 @@ do
|
|||
echo ''
|
||||
done
|
||||
|
||||
jsonschema -i mapping/mapping.json schema_mapping.json
|
||||
|
|
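Review bot: `$((directories-2))` hard-codes the number of non-taxonomy directories, so the MANIFEST check silently goes wrong the next time a helper directory is added or removed. The offset deserves at least a comment naming the excluded directories — `mapping/` is the only one I can identify from this commit — e.g. `# two top-level directories (mapping/ and one other) are not taxonomies; keep this offset in sync with them`, or better an explicit exclusion such as `ls -d */ | grep -v '^mapping/$' | wc -l` with the second directory named as well. In the second hunk, `jsonschema -i mapping/mapping.json schema_mapping.json` is the script's last visible line; if the script has no `set -e`, its failure only propagates because it happens to be last, so `|| exit 1` would make the intent explicit. The top of the script, including any `set -e`, is outside these hunks.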