{
  "namespace": "adversary",
  "description": "An overview and description of the adversary infrastructure",
  "version": 6,
  "predicates": [
    {
      "value": "infrastructure-status",
      "expanded": "Infrastructure Status"
    },
    {
      "value": "infrastructure-action",
      "expanded": "Infrastructure Action"
    },
    {
      "value": "infrastructure-state",
      "expanded": "Infrastructure State"
    },
    {
      "value": "infrastructure-type",
      "expanded": "Infrastructure Type"
    }
  ],
  "values": [
    {
      "predicate": "infrastructure-status",
      "entry": [
        {
          "value": "unknown",
          "expanded": "Infrastructure ownership and status are unknown"
        },
        {
          "value": "compromised",
          "expanded": "Infrastructure compromised by or in the benefit of the adversary"
        },
        {
          "value": "own-and-operated",
          "expanded": "Infrastructure owned and operated by the adversary"
        }
      ]
    },
    {
      "predicate": "infrastructure-action",
      "entry": [
        {
          "value": "passive-only",
          "expanded": "Only passive requests shall be performed to avoid detection by the adversary"
        },
        {
          "value": "take-down",
          "expanded": "Take down requests can be performed in order to deactivate the adversary infrastructure"
        },
        {
          "value": "monitoring-active",
          "expanded": "Monitoring requests are ongoing on the adversary infrastructure"
        },
        {
          "value": "pending-law-enforcement-request",
          "expanded": "Law enforcement requests are ongoing on the adversary infrastructure"
        },
        {
          "value": "sinkholed",
          "expanded": "Infrastructure of the adversary is sinkholed and information is collected"
        }
      ]
    },
    {
      "predicate": "infrastructure-state",
      "entry": [
        {
          "value": "unknown",
          "expanded": "Infrastructure state is unknown or cannot be evaluated"
        },
        {
          "value": "active",
          "expanded": "Infrastructure state is active and actively used by the adversary"
        },
        {
          "value": "down",
          "expanded": "Infrastructure state is known to be down"
        }
      ]
    },
    {
      "predicate": "infrastructure-type",
      "entry": [
        {
          "value": "unknown",
          "expanded": "Infrastructure usage by the adversary is unknown"
        },
        {
          "value": "proxy",
          "expanded": "Infrastructure used as proxy between the target and the adversary"
        },
        {
          "value": "drop-zone",
          "expanded": "Infrastructure used by the adversary to store information related to his campaigns"
        },
        {
          "value": "exploit-distribution-point",
          "expanded": "Infrastructure used to distribute exploits to target(s)"
        },
        {
          "value": "vpn",
          "expanded": "Infrastructure used by the adversary as Virtual Private Network to hide activities and reduce the traffic analysis surface"
        },
        {
          "value": "panel",
          "expanded": "Panel used by the adversary to control or maintain his infrastructure"
        },
        {
          "value": "tds",
          "expanded": "Traffic Distribution Systems including exploit delivery and/or web monetization channels"
        },
        {
          "value": "c2",
          "expanded": "C2 infrastructure without a known specific type"
        }
      ]
    }
  ]
}