misp-taxonomies/cccs/machinetag.json


{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 1,
"expanded": "CCCS",
"predicates": [
{
"value": "event",
"expanded": "Event type",
"description": "Type of event associated with the internal reference."
},
{
"value": "disclosure-type",
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "origin",
"expanded": "Origin",
"description": "Where the request originated from."
},
{
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
}
],
"values": [
{
"predicate": "event",
"entry": [
{
"value": "beacon",
"expanded": "Beacon",
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
},
{
"value": "browser-based-exploitation",
"expanded": "Browser based exploitation",
"description": "A browser component is being exploited in order to infect a host."
},
{
"value": "dos",
"expanded": "Dos",
"description": "An attack in which the goal is to disrupt access to a host or resource."
},
{
"value": "email",
"expanded": "Email",
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
},
{
"value": "exfiltration",
"expanded": "Exfiltration",
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
},
{
"value": "generic-event",
"expanded": "Generic event",
"description": "Represents a collection of virtually identical events within a range of time."
},
{
"value": "improper-usage",
"expanded": "Improper usage",
"description": "Technology used in a way that compromises security or violates policy."
},
{
"value": "malware-artifacts",
"expanded": "Malware artifacts",
"description": "Signs of the presence of malware observed on a host."
},
{
"value": "malware-download",
"expanded": "Malware download",
"description": "Malware was transferred (downloaded/uploaded) to a host."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Information or credentials disclosed to a threat actor."
},
{
"value": "remote-access",
"expanded": "Remote access",
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
},
{
"value": "remote-exploitation",
"expanded": "Remote exploitation",
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
},
{
"value": "scan",
"expanded": "Scan",
"description": "A threat actor is scanning the network."
},
{
"value": "scraping",
"expanded": "Scraping",
"description": "Represents a collection of virtually identical scraping events within a range of time."
},
{
"value": "traffic-interception",
"expanded": "Traffic interception",
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
}
]
},
{
"predicate": "disclosure-type",
"entry": [
{
"value": "goc-credential-disclosure",
"expanded": "Goc credential disclosure",
"description": "Credentials for a GoC system or user were disclosed."
},
{
"value": "personal-credential-disclosure",
"expanded": "Personal credential disclosure",
"description": "Credentials not related to a GoC system or user were disclosed."
},
{
"value": "personal-information-disclosure",
"expanded": "Personal information disclosure",
"description": "Information about a person or persons was disclosed."
},
{
"value": "none",
"expanded": "None",
"description": "No information was disclosed."
},
{
"value": "other",
"expanded": "Other",
"description": "Information other than credentials and personal information was disclosed."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
{
"value": "sql-injection",
"expanded": "Sql injection",
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
},
{
"value": "directory-traversal",
"expanded": "Directory traversal",
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
},
{
"value": "remote-file-inclusion",
"expanded": "Remote file inclusion",
"description": "Exploitation occurred due to vulnerabilities allowing malicious remote files to be included."
},
{
"value": "code-injection",
"expanded": "Code injection",
"description": "Exploitation occurred due to malicious code being injected."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "origin",
"entry": [
{
"value": "subscriber",
"expanded": "Subscriber",
"description": "Subscriber."
},
{
"value": "internet",
"expanded": "Internet",
"description": "Internet."
}
]
},
{
"predicate": "originating-organization",
"entry": [
{
"value": "cse",
"expanded": "Cse",
"description": "Communications Security Establishment."
},
{
"value": "nsa",
"expanded": "Nsa",
"description": "National Security Agency."
},
{
"value": "gchq",
"expanded": "Gchq",
"description": "Government Communications Headquarters."
},
{
"value": "asd",
"expanded": "Asd",
"description": "Australian Signals Directorate."
},
{
"value": "gcsb",
"expanded": "Gcsb",
"description": "Government Communications Security Bureau."
},
{
"value": "open-source",
"expanded": "Open source",
"description": "Originated from publicly available information."
},
{
"value": "3rd-party",
"expanded": "3rd party",
"description": "Originated from a third-party organization."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
}
]
}