misp-taxonomies/dark-web/machinetag.json

511 lines
18 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"namespace": "dark-web",
"expanded": "Dark Web",
"description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
"version": 6,
"predicates": [
{
"value": "topic",
"description": "Topic associated with the materials tagged",
"expanded": "Topic"
},
{
"value": "motivation",
"description": "Motivation with the materials tagged",
"expanded": "Motivation"
},
{
"value": "structure",
"description": "Structure of the materials tagged",
"expanded": "Structure"
},
{
"value": "service",
"description": "Information related to an Dark-Web service",
"expanded": "Service"
},
{
"value": "content",
"description": "Identifiable entities and information contained in a Dark-Web service",
"expanded": "Content"
}
],
"values": [
{
"predicate": "topic",
"entry": [
{
"value": "drugs-narcotics",
"expanded": "drugsNarcotics",
"description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)."
},
{
"value": "electronics",
"expanded": "electronics",
"description": "Electronics and high tech materials, described or to sell for example."
},
{
"value": "finance",
"expanded": "finance",
"description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc."
},
{
"value": "finance-crypto",
"expanded": "cryptoFinance",
"description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc."
},
{
"value": "credit-card",
"expanded": "creditCard",
"description": "Credit cards and payments materials"
},
{
"value": "cash-in",
"expanded": "cashIn",
"description": "Buying parts of assets, conversion from liquid assets, currency, etc."
},
{
"value": "cash-out",
"expanded": "cashOut",
"description": "Selling parts of assets, conversion to liquid assets, currency, etc."
},
{
"value": "escrow",
"expanded": "escrow",
"description": "Third party keeping assets in behalf of two other parties making a transactions."
},
{
"value": "hacking",
"expanded": "hacking",
"description": "Materials relating to the illegal access to or alteration of data and/or electronic services."
},
{
"value": "identification-credentials",
"expanded": "identificationCredentials",
"description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials."
},
{
"value": "intellectual-property-copyright-materials",
"expanded": "intellectualPropertyCopyrightMaterials",
"description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders."
},
{
"value": "pornography-adult",
"expanded": "pornographyAdult",
"description": "Lawful, ethical pornography (i.e. involving only consenting adults)."
},
{
"value": "pornography-child-exploitation",
"expanded": "pornographyChild(ChildExploitation)",
"description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities"
},
{
"value": "pornography-illicit-or-illegal",
"expanded": "pornographyIllicitOrIllegal",
"description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc."
},
{
"value": "search-engine-index",
"expanded": "searchEngineIndex",
"description": "Site providing links/references to other sites/services. Referred to as a nexus by (Moore and Rid, 2016)"
},
{
"value": "unclear",
"expanded": "unclear",
"description": "Unable to completely establish topic of material."
},
{
"value": "extremism",
"expanded": "extremism",
"description": "Illegal or of concern levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes."
},
{
"value": "violence",
"expanded": "violence",
"description": "Materials relating to violence against persons or property."
},
{
"value": "weapons",
"expanded": "weapons",
"description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients."
},
{
"value": "softwares",
"expanded": "softwares",
"description": "Illegal or armful software distribution"
},
{
"value": "counteir-feit-materials",
"expanded": "counterFeitMaterials",
"description": "Fake identification papers."
},
{
"value": "gambling",
"expanded": "gambling",
"description": "Games involving money"
},
{
"value": "library",
"expanded": "library",
"description": "Library or list of books"
},
{
"value": "other-not-illegal",
"expanded": "otherNotIllegal",
"description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
},
{
"value": "legitimate",
"expanded": "legitimate",
"description": "Legitimate websites"
},
{
"value": "chat",
"expanded": "chatsPlatforms",
"description": "Chats space or equivalent, which are not forums"
},
{
"value": "mixer",
"expanded": "mixer",
"description": "Anonymization tools for crypto-currencies transactions"
},
{
"value": "mystery-box",
"expanded": "mysteryBox",
"description": "Mystery Box seller"
},
{
"value": "anonymizer",
"expanded": "anonymizer",
"description": "Anonymization tools"
},
{
"value": "vpn-provider",
"expanded": "vpnProvider",
"description": "Provides VPN services and related"
},
{
"value": "email-provider",
"expanded": "emailProvider",
"description": "Provides e-mail services and related"
},
{
"value": "ponies",
"expanded": "ponies",
"description": "self-explanatory. It's ponies"
},
{
"value": "games",
"expanded": "games",
"description": "Flash or online games"
},
{
"value": "parody",
"expanded": "parodyOrJoke",
"description": "Meme, Parody, Jokes, Trolling, ..."
},
{
"value": "whistleblower",
"expanded": "whistleblower",
"description": "Exposition and sharing of confidential information with protection of the witness in mind"
},
{
"value": "ransomware-group",
"expanded": "ransomwareGroup",
"description": "Ransomware group PR or leak website"
}
]
},
{
"predicate": "motivation",
"entry": [
{
"value": "education-training",
"expanded": "educationTraining",
"description": "Materials providing instruction - e.g. how to guides"
},
{
"value": "wiki",
"expanded": "wiki",
"description": "Wiki pages, documentation and information display"
},
{
"value": "forum",
"expanded": "forum",
"description": "Sites specifically designed for multiple users to communicate as peers"
},
{
"value": "file-sharing",
"expanded": "fileSharing",
"description": "General file sharing, typically (but not limited to) movie/image sharing"
},
{
"value": "hosting",
"expanded": "hosting",
"description": "Hosting providers, e-mails, websites, file-storage etc."
},
{
"value": "ddos-services",
"expanded": "ddosServices",
"description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc."
},
{
"value": "general",
"expanded": "general",
"description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites."
},
{
"value": "information-sharing-reportage",
"expanded": "InformationSharingReportage",
"description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy."
},
{
"value": "scam",
"expanded": "scam",
"description": "Intentional confidence trick to fraud people or group of people"
},
{
"value": "political-speech",
"expanded": "politicalSpeech",
"description": "Political, activism, without extremism."
},
{
"value": "conspirationist",
"expanded": "conspirationist",
"description": "Conspirationist content, fake news, etc."
},
{
"value": "hate-speech",
"expanded": "hateSpeech",
"description": "Racism, violent, hate... speech."
},
{
"value": "religious",
"expanded": "religious",
"description": "Religious, faith, doctrinal related content."
},
{
"value": "marketplace-for-sale",
"expanded": "marketplaceForSale",
"description": "Services/goods for sale, regardless of means of payment."
},
{
"value": "smuggling",
"expanded": "smuggling",
"description": "Information or trading of wild animals, prohibited goods, ... "
},
{
"value": "recruitment-advocacy",
"expanded": "recruitmentAdvocacy",
"description": "Propaganda"
},
{
"value": "system-placeholder",
"expanded": "systemPlaceholder",
"description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2"
},
{
"value": "unclear",
"expanded": "unclear",
"description": "Unable to completely establish motivation of material."
}
]
},
{
"predicate": "structure",
"entry": [
{
"value": "incomplete",
"expanded": "incomplete",
"description": "Websites and pages that are unable to load completely properly"
},
{
"value": "captcha",
"expanded": "captcha",
"description": "Captchas and solvers elements"
},
{
"value": "login-forms",
"expanded": "loginForms",
"description": "Authentication pages, login page, login forms that block access to an internal part of a website."
},
{
"value": "contact-forms",
"expanded": "contactForms",
"description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..."
},
{
"value": "encryption-keys",
"expanded": "encryptionKeys",
"description": "e.g. PGP Keys, passwords, ..."
},
{
"value": "police-notice",
"expanded": "policeNotice",
"description": "Closed websites, with police-equivalent banners"
},
{
"value": "legal-statement",
"expanded": "legalStatement",
"description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..."
},
{
"value": "test",
"expanded": "test",
"description": "Test websites without any real consequences or effects"
},
{
"value": "videos",
"expanded": "videos",
"description": "Videos and streaming"
},
{
"value": "ransomware-post",
"expanded": "ransomwarePost",
"description": "Ransomware post published by a ransomware group"
},
{
"value": "unclear",
"expanded": "unclear",
"description": "Unable to completely establish structure of material."
}
]
},
{
"predicate": "service",
"entry": [
{
"value": "url",
"expanded": "url",
"description": "Uniform Resource Locator (URL) of a dark-web. The url should indicate a protocol (http), a hostname (www.example.com), and a file name (index.html). Example: http://www.example.com/index.html"
},
{
"value": "content-type",
"expanded": "contentType",
"description": "Content-Type representaton headerused to indicate the original media type of the resource (prior to any content encoding applied for sending). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type"
},
{
"value": "path",
"expanded": "path",
"description": "The URL path is the string of information that comes after the top level domain name "
},
{
"value": "detection-date",
"expanded": "detectionDate",
"description": "Date in which the dark-web was detected. The date should be in ISO 8601 format. Example: 2019-01-01T00:00:00Z"
},
{
"value": "network-protocol",
"expanded": "networkProtocol",
"description": "Network protocol used to access the dark-web site (e.g., HTTP, HTTPS)"
},
{
"value": "port",
"expanded": "port",
"description": "Port number where the dark-web service is being offered"
},
{
"value": "network",
"expanded": "network",
"description": "Overlay network (darknet) that host the service or content"
},
{
"value": "found-at",
"expanded": "foundAt",
"description": "Domain or service where the dark-web where found at"
}
]
},
{
"predicate": "content",
"entry": [
{
"value": "sha1sum",
"expanded": "sha1sum",
"description": "SHA-1 (Secure Hash Algorithm 1) hash of the HTML or objectName content"
},
{
"value": "sha256sum",
"expanded": "sha256sum",
"description": "SHA-256 hash of the HTML or objectName content"
},
{
"value": "ssdeep",
"expanded": "ssdeep",
"description": "ssdeep fuzzy hash of the HTML or objectName content"
},
{
"value": "language",
"expanded": "language",
"description": "Detected language of the service in ISO 6391 Code. Example: en"
},
{
"value": "html",
"expanded": "html",
"description": "HyperText Markup Language (HTML) used in a website"
},
{
"value": "css",
"expanded": "css",
"description": "CSS (Cascading Style Sheets) used in a dark-web site"
},
{
"value": "text",
"expanded": "text",
"description": "Content of the dark-web service without HTML tags"
},
{
"value": "page-title",
"expanded": "pageTitle",
"description": "HTML <title> tag content of a dark-web site"
},
{
"value": "phone-number",
"expanded": "phoneNumber",
"description": "Phone number identified in the dark-web site"
},
{
"value": "creditCard",
"expanded": "creditCard",
"description": "Credit card identified in the dark-web site"
},
{
"value": "email",
"expanded": "email",
"description": "Email address identified in the dark-web site"
},
{
"value": "pgp-public-key-block",
"expanded": "pgpPublicKeyBlock",
"description": "PGP public key block identified in the dark-web site"
},
{
"value": "country",
"expanded": "country",
"description": "Associated country detected on the code of the dark-web site, following ISO 3166-1 alpha-2"
},
{
"value": "company-name",
"expanded": "companyName",
"description": "Company name identified in a dark-web site"
},
{
"value": "company-link",
"expanded": "companyLink",
"description": "Company link identified in a dark-web site"
},
{
"value": "victim-address",
"expanded": "victimAddress",
"description": "Business address identified in a dark-web site"
},
{
"value": "victim-TLD",
"expanded": "victimTLD",
"description": "Business Top Level Domain (TLD) of a company identified in a dark-web site"
}
]
}
]
}