From c7525b0260bb3611fa31b555f260c68496d53e48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 25 Jul 2017 14:51:53 +0200
Subject: [PATCH] Improve consistency when lising the predicates, remove duplicates
* SeekmoSearchAssistant was here twice in ms-caro-malware-full
* Mult was here twice in ms-caro-malware-full
* CouponRuc was here twice in ms-caro-malware-full
* mobile-malware was here twice in enisa
* spear-phishing-attacks was here twice in enisa
---
adversary/machinetag.json | 8 ++--
dni-ism/machinetag.json | 36 ++++++++---------
domain-abuse/machinetag.json | 10 ++---
ecsirt/machinetag.json | 32 +++++++-------
enisa/machinetag.json | 20 +++++-----
iep/machinetag.json | 60 ++++++++++++++--------------
misp/machinetag.json | 10 ++---
ms-caro-malware-full/machinetag.json | 8 ++--
passivetotal/machinetag.json | 8 ++--
9 files changed, 96 insertions(+), 96 deletions(-)
diff --git a/adversary/machinetag.json b/adversary/machinetag.json
index 75c0f80..a407997 100644
--- a/adversary/machinetag.json
+++ b/adversary/machinetag.json
@@ -8,16 +8,16 @@
 "expanded": "Infrastructure Status"
 },
 {
- "value": "infrastructure-type",
- "expanded": "Infrastructure Type"
+ "value": "infrastructure-action",
+ "expanded": "Infrastructure Action"
 },
 {
 "value": "infrastructure-state",
 "expanded": "Infrastructure State"
 },
 {
- "value": "infrastructure-action",
- "expanded": "Infrastructure Action"
+ "value": "infrastructure-type",
+ "expanded": "Infrastructure Type"
 }
 ],
 "values": [
diff --git a/dni-ism/machinetag.json b/dni-ism/machinetag.json
index 9a6b5ac..219ebae 100644
--- a/dni-ism/machinetag.json
+++ b/dni-ism/machinetag.json
@@ -11,13 +11,21 @@
 "value": "classification:us",
 "expanded": "ClassificationUS"
 },
+ {
+ "value": "scicontrols",
+ "expanded": "SCIControls"
+ },
 {
 "value": "complies:with",
 "expanded": "CompliesWith"
 },
 {
- "value": "dissem",
- "expanded": "Dissem"
+ "value": "atomicenergymarkings",
+ "expanded": "atomicEnergyMarkings"
+ },
+ {
+ "value": "notice",
+ "expanded": "Notice"
 },
 {
 "value": "nonic",
@@ -28,16 +36,8 @@
 "expanded": "NonUSControls"
 },
 {
- "value": "notice",
- "expanded": "Notice"
- },
- {
- "value": "scicontrols",
- "expanded": "SCIControls"
- },
- {
- "value": "atomicenergymarkings",
- "expanded": "atomicEnergyMarkings"
+ "value": "dissem",
+ "expanded": "Dissem"
 }
 ],
 "values": [
@@ -170,6 +170,7 @@
 ]
 },
 {
+ "predicate": "atomicenergymarkings",
 "entry": [
 {
 "expanded": "RESTRICTED DATA",
@@ -195,10 +196,10 @@
 "expanded": "TRANSCLASSIFIED FOREIGN NUCLEAR INFORMATION",
 "value": "TFNI"
 }
- ],
- "predicate": "atomicenergymarkings"
+ ]
 },
 {
+ "predicate": "notice",
 "entry": [
 {
 "expanded": "FISA Warning statement",
@@ -280,10 +281,10 @@
 "expanded": "COMSEC Notice",
 "value": "COMSEC"
 }
- ],
- "predicate": "notice"
+ ]
 },
 {
+ "predicate": "nonic",
 "entry": [
 {
 "expanded": "NAVAL NUCLEAR PROPULSION INFORMATION",
@@ -321,8 +322,7 @@
 "expanded": "SENSITIVE SECURITY INFORMATION",
 "value": "SSI"
 }
- ],
- "predicate": "nonic"
+ ]
 },
 {
 "predicate": "nonuscontrols",
diff --git a/domain-abuse/machinetag.json b/domain-abuse/machinetag.json
index 8ea4da5..b9f9d26 100644
--- a/domain-abuse/machinetag.json
+++ b/domain-abuse/machinetag.json
@@ -4,15 +4,15 @@
 "description": "Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity",
 "version": 1,
 "predicates": [
- {
- "value": "domain-access-method",
- "description": "Domain Access - describes how the adversary has gained access to the domain name",
- "expanded": "Domain access method"
- },
 {
 "value": "domain-status",
 "description": "Domain status - describes the registration status of the domain name",
 "expanded": "Domain status"
+ },
+ {
+ "value": "domain-access-method",
+ "description": "Domain Access - describes how the adversary has gained access to the domain name",
+ "expanded": "Domain access method"
 }
 ],
 "values": [
diff --git a/ecsirt/machinetag.json b/ecsirt/machinetag.json
index 7f08481..c4a6246 100644
--- a/ecsirt/machinetag.json
+++ b/ecsirt/machinetag.json
@@ -137,18 +137,30 @@
 }
 ],
 "predicates": [
+ {
+ "expanded": "Fraud",
+ "value": "fraud"
+ },
+ {
+ "expanded": "Availability",
+ "value": "availability"
+ },
 {
 "expanded": "Abusive Content",
 "value": "abusive-content"
 },
- {
- "expanded": "Malicious Code",
- "value": "malicious-code"
- },
 {
 "expanded": "Information Gathering",
 "value": "information-gathering"
 },
+ {
+ "expanded": "Information Content Security",
+ "value": "information-content-security"
+ },
+ {
+ "expanded": "Malicious Code",
+ "value": "malicious-code"
+ },
 {
 "expanded": "Intrusion Attempts",
 "value": "intrusion-attempts"
@@ -157,26 +169,14 @@
 "expanded": "Intrusions",
 "value": "intrusions"
 },
- {
- "expanded": "Availability",
- "value": "availability"
- },
 {
 "expanded": "Information Security",
 "value": "information-security"
 },
- {
- "expanded": "Information Content Security",
- "value": "information-content-security"
- },
 {
 "expanded": "Vulnerable",
 "value": "vulnerable"
 },
- {
- "expanded": "Fraud",
- "value": "fraud"
- },
 {
 "expanded": "Other",
 "value": "other"
diff --git a/enisa/machinetag.json b/enisa/machinetag.json
index 318525c..31a0bb2 100644
--- a/enisa/machinetag.json
+++ b/enisa/machinetag.json
@@ -848,13 +848,13 @@
 "description": "Threat of sophisticated, targeted attack which combine many attack techniques."
 },
 {
- "value": "mobile-malware",
- "expanded": "Mobile malware",
+ "value": "mobile-malware-exfiltration",
+ "expanded": "Mobile malware (exfiltration)",
 "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge."
 },
 {
- "value": "spear-phishing-attacks",
- "expanded": "Spear phishing attacks",
+ "value": "spear-phishing-attacks-targeted",
+ "expanded": "Spear phishing attacks (targeted)",
 "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords."
 },
 {
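Review bot: The renamed entries `mobile-malware-exfiltration` and `spear-phishing-attacks-targeted` keep the exact description text they had as duplicates, so the taxonomy now carries two values per threat that a consumer can only tell apart by name, even though the subject line says duplicates were removed; the first occurrences are outside this hunk, so I am assuming they keep the original value and description. Either delete the second copy, which is the minimal change matching the subject, or give each new entry a description that states what "exfiltration" / "targeted" narrows down, e.g. `"description": "Threat of mobile software that exfiltrates information about a person or organization without their knowledge.",`. Leaving the original values untouched (assumed, outside the hunk) is the right call for a published taxonomy, since existing `enisa:` tags keep resolving.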
@@ -916,18 +916,18 @@
 "expanded": "Eavesdropping/ Interception/ Hijacking",
 "value": "eavesdropping-interception-hijacking"
 },
- {
- "description": "Threats of nefarious activities that require use of tools by the attacker. These attacks require installation of additional tools/software or performing additional steps on the victim's IT infrastructure/software.",
- "expanded": "Nefarious Activity/ Abuse",
- "value": "nefarious-activity-abuse"
- },
 {
 "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to legislation.",
 "expanded": "Legal",
 "value": "legal"
+ },
+ {
+ "description": "Threats of nefarious activities that require use of tools by the attacker. These attacks require installation of additional tools/software or performing additional steps on the victim's IT infrastructure/software.",
+ "expanded": "Nefarious Activity/ Abuse",
+ "value": "nefarious-activity-abuse"
 }
 ],
- "version": 201601,
+ "version": 20170725,
 "description": "The present threat taxonomy is an initial version that has been developed on the basis of available ENISA material. This material has been used as an ENISA-internal structuring aid for information collection and threat consolidation purposes. It emerged in the time period 2012-2015.",
 "expanded": "ENISA Threat Taxonomy",
 "namespace": "enisa"
diff --git a/iep/machinetag.json b/iep/machinetag.json
index ce0eba6..5a1ff6b 100644
--- a/iep/machinetag.json
+++ b/iep/machinetag.json
@@ -3,36 +3,6 @@
 "description": "Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework",
 "version": 2,
 "predicates": [
- {
- "value": "id",
- "expanded": "POLICY ID",
- "description": "Provides a unique ID to identify a specific IEP implementation."
- },
- {
- "value": "version",
- "expanded": "POLICY VERSION",
- "description": "States the version of the IEP framework that has been used."
- },
- {
- "value": "name",
- "expanded": "POLICY NAME",
- "description": "This statement can be used to provide a name for an IEP implementation."
- },
- {
- "value": "start-date",
- "expanded": "POLICY START DATE",
- "description": "States the UTC date that the IEP is effective from."
- },
- {
- "value": "end-date",
- "expanded": "POLICY END DATE",
- "description": "States the UTC date that the IEP is effective until."
- },
- {
- "value": "reference",
- "expanded": "POLICY REFERENCE",
- "description": "This statement can be used to provide a URL reference to the specific IEP implementation."
- },
 {
 "value": "commercial-use",
 "expanded": "COMMERCIAL USE",
@@ -82,6 +52,36 @@
 "value": "unmodified-resale",
 "expanded": "UNMODIFIED RESALE",
 "description": "States whether the recipient MAY or MUST NOT resell the information received unmodified or in a semantically equivalent format."
+ },
+ {
+ "value": "start-date",
+ "expanded": "POLICY START DATE",
+ "description": "States the UTC date that the IEP is effective from."
+ },
+ {
+ "value": "end-date",
+ "expanded": "POLICY END DATE",
+ "description": "States the UTC date that the IEP is effective until."
+ },
+ {
+ "value": "reference",
+ "expanded": "POLICY REFERENCE",
+ "description": "This statement can be used to provide a URL reference to the specific IEP implementation."
+ },
+ {
+ "value": "name",
+ "expanded": "POLICY NAME",
+ "description": "This statement can be used to provide a name for an IEP implementation."
+ },
+ {
+ "value": "version",
+ "expanded": "POLICY VERSION",
+ "description": "States the version of the IEP framework that has been used."
+ },
+ {
+ "value": "id",
+ "expanded": "POLICY ID",
+ "description": "Provides a unique ID to identify a specific IEP implementation."
 }
 ],
 "values": [
diff --git a/misp/machinetag.json b/misp/machinetag.json
index 621d2b8..feefe46 100644
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@@ -109,6 +109,11 @@
 "expanded": "API related tag influencing the MISP behavior of the API.",
 "value": "api"
 },
+ {
+ "description": "Expansion tag incluencing the MISP behavior using expansion modules",
+ "expanded": "Expansion",
+ "value": "expansion"
+ },
 {
 "expanded": "Information related to the contributor.",
 "value": "contributor"
@@ -125,11 +130,6 @@
 "description": "Event with this tag should not be synced to other MISP instances",
 "expanded": "Should not sync",
 "value": "should-not-sync"
- },
- {
- "description": "Expansion tag incluencing the MISP behavior using expansion modules",
- "expanded": "Expansion",
- "value": "expansion"
 }
 ],
 "version": 4,
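Review bot: The six policy-metadata predicates re-added in this hunk come back in reverse order (`start-date`, `end-date`, `reference`, `name`, `version`, `id`) relative to the order they had before the move (`id`, `version`, `name`, `start-date`, `end-date`, `reference`, removed in the earlier hunk at line 3), which looks accidental rather than chosen. If the intent is to list policy metadata after the sharing-rule predicates, keeping the original relative order reads more naturally and keeps the diff reviewable; if the new order mirrors the `values` list, which is outside this hunk, a sentence in the commit message would make that clear. Predicate order carries no meaning for a JSON consumer, so this is a style point only and leaving `"version": 2` unchanged is correct.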
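Review bot: The added `description` on the `expansion` predicate carries the typo `incluencing` over from the removed copy; since the line is being rewritten anyway, correct it to `"description": "Expansion tag influencing the MISP behavior using expansion modules",`. The neighbouring `api` entry already spells the word correctly, so the two descriptions would then also match in wording. Whether a description-only change calls for bumping `"version": 4` in the following hunk is a project convention I cannot see from here.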
diff --git a/ms-caro-malware-full/machinetag.json b/ms-caro-malware-full/machinetag.json
index 197b1b5..43c7d78 100644
--- a/ms-caro-malware-full/machinetag.json
+++ b/ms-caro-malware-full/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "ms-caro-malware-full",
 "description": "Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology. Based on https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx, https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx, https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx, and http://www.caro.org/definitions/index.html. Malware families are extracted from Microsoft SIRs since 2008 based on https://www.microsoft.com/security/sir/archive/default.aspx and https://www.microsoft.com/en-us/security/portal/threat/threats.aspx. Note that SIRs do NOT include all Microsoft malware families.",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "malware-type",
@@ -687,7 +687,7 @@
 "expanded": "2008 - A detection for the DameWare Mini Remote Control tools. This program was detected by definitions prior to 1.147.1889.0 as it violated the guidelines by which Microsoft identified unwanted software. Based on analysis using current guidelines, the program does not have unwanted behaviors. Microsoft has released definition 1.147.1889.0 which no longer detects this program."
 },
 {
- "value": "SeekmoSearchAssistant",
+ "value": "SeekmoSearchAssistant_Repack",
 "expanded": "2008 - A detection that is triggered by modified (that is, edited and re-packed) remote control programs based on DameWare Mini Remote Control, a commercial software product"
 },
 {
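Review bot: `SeekmoSearchAssistant_Repack` derives its suffix from the `expanded` text, but that text describes repacked remote-control programs based on DameWare Mini Remote Control, not a Seekmo search assistant, and the entry sits directly after the DameWare entry; the value/expanded pairing looks misaligned and the new suffix cements it. It is worth checking against the source SIR before renaming: if the expanded text is right, the value should be a DameWare-derived name, and if the value is right, the expanded text belongs to a different entry. The first `SeekmoSearchAssistant` occurrence is outside this hunk, so I cannot compare the two here.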
@@ -1611,7 +1611,7 @@
 "expanded": "2012 VOL13 - A malicious program that affects mobile devices running the Android operating system. It may be bundled with clean applications, and is capable of allowing a remote attacker to gain access to the mobile device."
 },
 {
- "value": "Mult",
+ "value": "Mult_JS",
 "expanded": "2012 VOL13 - A generic detection for various exploits written in the JavaScript language."
 },
 {
@@ -2107,7 +2107,7 @@
 "expanded": "2015 VOL19 - A detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer."
 },
 {
- "value": "CouponRuc",
+ "value": "CouponRuc_new",
 "expanded": "2015 VOL19 - A browser modifier that changes browser settings and may also modify some computer and Internet settings."
 },
 {
diff --git a/passivetotal/machinetag.json b/passivetotal/machinetag.json
index fd90fc3..4a3b52c 100644
--- a/passivetotal/machinetag.json
+++ b/passivetotal/machinetag.json
@@ -12,13 +12,13 @@
 "value": "ever-comprimised",
 "expanded": "Ever Comprimised?"
 },
- {
- "value": "class",
- "expanded": "Classification"
- },
 {
 "value": "dynamic-dns",
 "expanded": "Dynamic DNS"
+ },
+ {
+ "value": "class",
+ "expanded": "Classification"
 }
 ],
 "values": [
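Review bot: `CouponRuc_new` uses `_new` as the discriminator, which says nothing about how this entry differs from the other `CouponRuc` (outside this hunk) and will read as stale as soon as a third variant appears; `Mult_JS` in the previous hunk shows the better pattern of naming the distinguishing trait. The `expanded` text offers a natural key, e.g. `"value": "CouponRuc_VOL19",` (constructed from the "2015 VOL19" prefix), or the two entries could simply be merged if they describe the same family. Renaming the second copy rather than deleting it keeps existing tags resolving as long as the first copy retains the original value, which I am assuming from the subject line.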