Properly fix manifest.
parent
8d4bc5fc26
commit
e89715212c
115
MANIFEST.json
115
MANIFEST.json
|
@ -5,6 +5,11 @@
|
||||||
"name": "accessnow",
|
"name": "accessnow",
|
||||||
"description": "Access Now"
|
"description": "Access Now"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "action-taken",
|
||||||
|
"description": "Action taken."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "admiralty-scale",
|
"name": "admiralty-scale",
|
||||||
|
@ -40,6 +45,11 @@
|
||||||
"name": "cssa",
|
"name": "cssa",
|
||||||
"description": ""
|
"description": ""
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "ddos",
|
||||||
|
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "de-vs",
|
"name": "de-vs",
|
||||||
|
@ -55,6 +65,11 @@
|
||||||
"name": "diamond-model",
|
"name": "diamond-model",
|
||||||
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack."
|
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack."
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "DML",
|
||||||
|
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"version": 3,
|
"version": 3,
|
||||||
"name": "dni-ism",
|
"name": "dni-ism",
|
||||||
|
@ -100,6 +115,11 @@
|
||||||
"name": "europol-incident",
|
"name": "europol-incident",
|
||||||
"description": "EUROPOL class of incident taxonomy."
|
"description": "EUROPOL class of incident taxonomy."
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "event-assessment",
|
||||||
|
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "fr-classif",
|
"name": "fr-classif",
|
||||||
|
@ -160,85 +180,50 @@
|
||||||
"name": "PAP",
|
"name": "PAP",
|
||||||
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used."
|
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used."
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"version": 3,
|
|
||||||
"name": "tlp",
|
|
||||||
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 2,
|
|
||||||
"name": "veris",
|
|
||||||
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "stealth_malware",
|
|
||||||
"description": "Classification based on malware stealth techniques."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "targeted-threat-index",
|
|
||||||
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "stix-ttp",
|
|
||||||
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "accessnow",
|
|
||||||
"description": "AccessNow Taxonomy"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "passivetotal",
|
"name": "passivetotal",
|
||||||
"description": "Tags for RiskIQ's passivetotal service"
|
"description": "Tags for RiskIQ's passivetotal service"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "vocabulaire-des-probabilites-estimatives",
|
|
||||||
"description": "Vocabulaire des probabilités estimatives"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "DML",
|
|
||||||
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "action-taken",
|
|
||||||
"description": "Action taken"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 2,
|
|
||||||
"name": "analyst-assessment",
|
|
||||||
"description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "binary-class",
|
|
||||||
"description": "Custom taxonomy for types of binary file."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "ddos",
|
|
||||||
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"version": 1,
|
|
||||||
"name": "event-assessment",
|
|
||||||
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "rt_event_status",
|
"name": "rt_event_status",
|
||||||
"description": "Status of events used in Request Tracker."
|
"description": "Status of events used in Request Tracker."
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "stealth_malware",
|
||||||
|
"description": "Classification based on malware stealth techniques."
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "stix-ttp",
|
||||||
|
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "targeted-threat-index",
|
||||||
|
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"version": 3,
|
||||||
|
"name": "tlp",
|
||||||
|
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"name": "tor",
|
"name": "tor",
|
||||||
"description": "Taxonomy to describe Tor network infrastructure"
|
"description": "Taxonomy to describe Tor network infrastructure"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"version": 2,
|
||||||
|
"name": "veris",
|
||||||
|
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"version": 1,
|
||||||
|
"name": "vocabulaire-des-probabilites-estimatives",
|
||||||
|
"description": "Vocabulaire des probabilités estimatives"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"path": "machinetag.json",
|
"path": "machinetag.json",
|
||||||
|
|
|
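Review bot: The new side still lists `"name": "stealth_malware"` (in the `@ -160,85 +180,50 @@` hunk, right after `rt_event_status`) while this same commit deletes a README and a `machinetag.json` whose `"namespace"` is `stealth_malware`; their file headers are not shown on this page, so if those deletions are a move rather than a removal this is fine, but if the directory is going away the manifest and the directory count will disagree again. It would help to state in the commit description which non-taxonomy directories remain, since the validation script's count now assumes exactly two. The `accessnow` description also changes from `"AccessNow Taxonomy"` to `"Access Now"`; presumably that now matches the taxonomy's own `machinetag.json` description, which cannot be checked from here.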
@ -1,35 +0,0 @@
|
||||||
# Stealth Malware Taxonomy
|
|
||||||
|
|
||||||
## Malware Types
|
|
||||||
|
|
||||||
All malware samples should be classified into one of the categories listed in the table below.
|
|
||||||
|
|
||||||
<dl>
|
|
||||||
<dt>Type 0</dt>
|
|
||||||
<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>
|
|
||||||
|
|
||||||
<dt>Type I</dt>
|
|
||||||
<dd>The malware modifies constant sections of the kernel and/or processes such as code sections.<dd>
|
|
||||||
|
|
||||||
<dt>Type II</dt>
|
|
||||||
<dd>The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.<dd>
|
|
||||||
|
|
||||||
<dt>Type III</dt>
|
|
||||||
<dd>The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.<dd>
|
|
||||||
</dl>
|
|
||||||
|
|
||||||
# Machine-parsable Stealth Malware Taxonomy
|
|
||||||
|
|
||||||
The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
|
|
||||||
along with their human-readable description. The software can use both
|
|
||||||
representation on the user-interface and store the tag as machine-parsable.
|
|
||||||
|
|
||||||
~~~~
|
|
||||||
stealth_malware:type="II"
|
|
||||||
~~~~
|
|
||||||
|
|
||||||
Based on:
|
|
||||||
|
|
||||||
https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
|
|
||||||
|
|
||||||
|
|
|
@ -1,37 +0,0 @@
|
||||||
{
|
|
||||||
"namespace": "stealth_malware",
|
|
||||||
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
|
|
||||||
"version": 1,
|
|
||||||
"refs": [
|
|
||||||
"https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
|
|
||||||
],
|
|
||||||
"predicates": [
|
|
||||||
{
|
|
||||||
"value": "type",
|
|
||||||
"expanded": "Stealth technique type"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"values": [
|
|
||||||
{
|
|
||||||
"predicate": "type",
|
|
||||||
"entry": [
|
|
||||||
{
|
|
||||||
"value": "0",
|
|
||||||
"expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "I",
|
|
||||||
"expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "II",
|
|
||||||
"expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "III",
|
|
||||||
"expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -15,7 +15,7 @@ fi
|
||||||
directories=`ls -d */ | wc -w`
|
directories=`ls -d */ | wc -w`
|
||||||
manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'`
|
manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'`
|
||||||
|
|
||||||
if ! [ $directories -eq $manifest_entries ]; then
|
if ! [ $((directories-2)) -eq $manifest_entries ]; then
|
||||||
echo "MANIFEST isn't up-to-date."
|
echo "MANIFEST isn't up-to-date."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
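Review bot: The new `$((directories-2))` hard-codes how many non-taxonomy directories exist with no comment saying which ones, so the check silently breaks the next time a helper directory is added or removed; the script's earlier lines are outside the hunk. Counting taxonomy directories by their marker file removes the constant: `directories=$(find . -mindepth 2 -maxdepth 2 -name machinetag.json | wc -l)` and then `if ! [ "$directories" -eq "$manifest_entries" ]; then`. Count equality also cannot detect duplicate or misspelled manifest names (exactly the drift this commit cleans up), so a stronger check is `diff <(jq -r '.taxonomies[].name' MANIFEST.json | sort) <(find . -mindepth 2 -maxdepth 2 -name machinetag.json | cut -d/ -f2 | sort)`, which names the offending entry instead of only reporting a mismatch. Note that if `jq` fails on a malformed `MANIFEST.json`, `manifest_entries` is empty and `[` exits with a syntax error rather than the intended message, so quoting both operands and checking `jq`'s status would make the failure clearer.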