122 lines
3.5 KiB
JSON
122 lines
3.5 KiB
JSON
{
|
|
"namespace": "adversary",
|
|
"description": "An overview and description of the adversary infrastructure",
|
|
"version": 6,
|
|
"predicates": [
|
|
{
|
|
"value": "infrastructure-status",
|
|
"expanded": "Infrastructure Status"
|
|
},
|
|
{
|
|
"value": "infrastructure-action",
|
|
"expanded": "Infrastructure Action"
|
|
},
|
|
{
|
|
"value": "infrastructure-state",
|
|
"expanded": "Infrastructure State"
|
|
},
|
|
{
|
|
"value": "infrastructure-type",
|
|
"expanded": "Infrastructure Type"
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "infrastructure-status",
|
|
"entry": [
|
|
{
|
|
"value": "unknown",
|
|
"expanded": "Infrastructure ownership and status is unknown"
|
|
},
|
|
{
|
|
"value": "compromised",
|
|
"expanded": "Infrastructure compromised by or in the benefit of the adversary"
|
|
},
|
|
{
|
|
"value": "own-and-operated",
|
|
"expanded": "Infrastructure own and operated by the adversary"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "infrastructure-action",
|
|
"entry": [
|
|
{
|
|
"value": "passive-only",
|
|
"expanded": "Only passive requests shall be performed to avoid detection by the adversary"
|
|
},
|
|
{
|
|
"value": "take-down",
|
|
"expanded": "Take down requests can be performed in order to deactivate the adversary infrastructure"
|
|
},
|
|
{
|
|
"value": "monitoring-active",
|
|
"expanded": "Monitoring requests are ongoing on the adversary infrastructure"
|
|
},
|
|
{
|
|
"value": "pending-law-enforcement-request",
|
|
"expanded": "Law enforcement requests are ongoing on the adversary infrastructure"
|
|
},
|
|
{
|
|
"value": "sinkholed",
|
|
"expanded": "Infrastructure of the adversary is sinkholed and information is collected"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "infrastructure-state",
|
|
"entry": [
|
|
{
|
|
"value": "unknown",
|
|
"expanded": "Infrastructure state is unknown or cannot be evaluated"
|
|
},
|
|
{
|
|
"value": "active",
|
|
"expanded": "Infrastructure state is active and actively used by the adversary"
|
|
},
|
|
{
|
|
"value": "down",
|
|
"expanded": "Infrastructure state is known to be down"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "infrastructure-type",
|
|
"entry": [
|
|
{
|
|
"value": "unknown",
|
|
"expanded": "Infrastructure usage by the adversary is unknown"
|
|
},
|
|
{
|
|
"value": "proxy",
|
|
"expanded": "Infrastructure used as proxy between the target and the adversary"
|
|
},
|
|
{
|
|
"value": "drop-zone",
|
|
"expanded": "Infrastructure used by the adversary to store information related to his campaigns"
|
|
},
|
|
{
|
|
"value": "exploit-distribution-point",
|
|
"expanded": "Infrastructure used to distribute exploit towards target(s)"
|
|
},
|
|
{
|
|
"value": "vpn",
|
|
"expanded": "Infrastructure used by the adversary as Virtual Private Network to hide activities and reduce the traffic analysis surface"
|
|
},
|
|
{
|
|
"value": "panel",
|
|
"expanded": "Panel used by the adversary to control or maintain his infrastructure"
|
|
},
|
|
{
|
|
"value": "tds",
|
|
"expanded": "Traffic Distribution Systems including exploit delivery or/and web monetization channels"
|
|
},
|
|
{
|
|
"value": "c2",
|
|
"expanded": "C2 infrastructure without known specific type."
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|