This group is for successful unauthorized access to a system.

Privileged Account Compromise
A successful full compromise of a system or application (service). It can have been caused remotely, through a known or a new vulnerability, or through unauthorized local access.

Unprivileged Account Compromise
A successful compromise of a system or application (service), caused remotely through a known or a new vulnerability or through unauthorized local access, where the intruder did not manage to escalate privileges locally.

Botnet member
The compromised asset is also part of a botnet. This class is reserved mainly for public web servers (for example, a server compromised through phpmailer); for workstations or internal server compromises, classify under malicious code in priority.

Domain Compromise
The whole domain is compromised. This is commonly used for Active Directory and is typically detected through a "pass the ticket" attack or the discovery of AD dump files.

Application Compromise
An application is compromised: the attacker has uncontrolled access to the data, servers and assets used by this application (CMDB, DB, backend services, etc.).
This group is for breaches of controls imposed by the company or by external entities.

Regulator
Any breach of regulatory rules (CSSF, GDPR, etc.).

Standard
Any breach of a standard the company is certified against (ISO 27000, NIS, ISAE 3402, etc.).

Security policy
Any breach of the company's internal security policy.

Other
Any breach that does not fit one of the previous categories should be put in this class.
The cyber-threat-framework namespace is available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy.
Entries of the cyber-threat-framework namespace with their associated numerical values, grouped by the tens digit of the value as the taxonomy numbers them:

Plan activity: numerical value 10
Conduct research & analysis: numerical value 11
Develop resources & capabilities: numerical value 12
Acquire victim & specific knowledge: numerical value 13
Complete preparations: numerical value 14

Deploy capability: numerical value 20
Interact with intended victim: numerical value 21
Exploit vulnerabilities: numerical value 22
Deliver malicious capabilities: numerical value 23

Establish controlled access: numerical value 30
Hide: numerical value 31
Expand presence: numerical value 32
Refine focus of activity: numerical value 33
Establish persistence: numerical value 34

Enable other operations: numerical value 40
Deny access: numerical value 41
Extract data: numerical value 42
Alter data and/or computer, network or system behavior: numerical value 43
Destroy HW/SW/data: numerical value 44
Exploitation of a vulnerability

Type confusion: when a piece of code does not verify the type of the object passed to it and uses it blindly, without type-checking, the result is type confusion. (https://cloudblogs.microsoft.com/microsoftsecure/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/)
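The following added example (not code from the taxonomy or from the cited article) shows the mechanism in C with a tagged union of the kind an interpreter uses for its values: an integer view and a string view share the same bytes, and an accessor written for strings is reached with an integer object. The unchecked accessor hands back the attacker's integer as a buffer length; the checked one refuses. The object layout, the `OBJ_INT`/`OBJ_STR` tags and the value `0x7fffffff` are all constructed for the example, and the result assumes a little-endian platform where `size_t` is at least 32 bits wide.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Two object kinds that share one header and one payload union, the way an
 * interpreter or browser engine lays out its values. Only the view named by
 * `kind` is valid; the other view is whatever bytes happen to be there. */
typedef enum { OBJ_INT = 1, OBJ_STR = 2 } obj_kind;

typedef struct {
    obj_kind kind;
    union {
        int64_t ival;                 /* valid when kind == OBJ_INT      */
        struct {                      /* valid when kind == OBJ_STR      */
            size_t      len;          /* shares its bytes with ival      */
            const char *data;
        } str;
    } u;
} obj;

/* Vulnerable: assumes it was handed a string and never checks the tag.
 * Given an OBJ_INT, it returns the attacker's integer as a "length". */
size_t str_len_unchecked(const obj *o)
{
    return o->u.str.len;
}

/* Hardened: refuse to read the string view unless the tag says it is one.
 * Returns 1 and stores the length on success, 0 on a type mismatch. */
int str_len_checked(const obj *o, size_t *len_out)
{
    if (o->kind != OBJ_STR)
        return 0;
    *len_out = o->u.str.len;
    return 1;
}

/* The attacker stores an integer they control and then drives execution
 * into a code path written for strings. The value returned here is what a
 * following memcpy(dst, o->u.str.data, len) would trust as its bound. */
size_t confused_length(int64_t attacker_int)
{
    obj o = { OBJ_INT, { .ival = attacker_int } };
    return str_len_unchecked(&o);
}

/* Same object through the checked accessor: the mismatch is caught and no
 * length is produced. Returns 1 if the accessor accepted the object. */
int checked_length_accepts(int64_t attacker_int)
{
    obj o = { OBJ_INT, { .ival = attacker_int } };
    size_t len = 0;
    return str_len_checked(&o, &len);
}

int main(void)
{
    /* Constructed attacker value: far larger than any real buffer. */
    int64_t evil = 0x7fffffff;
    printf("unchecked length: %zu\n", confused_length(evil));
    printf("checked accepted: %d\n", checked_length_accepts(evil));
    return 0;
}
```

The fix is the tag check itself; in real engines the equivalent bug is usually a missed check after an object was reallocated or converted, so the check has to sit at every point where the string view is read, not only at the entry point the attacker happened to reach.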
Format string: a format string exploit occurs when attacker-controlled input is used as the format string itself, so that its conversion directives cause arbitrary reads or writes in memory. In this way the attacker can execute code, read the stack, or cause a segmentation fault in the running application, introducing behaviour that compromises the security or the stability of the system. (https://www.owasp.org/index.php/Format_string_attack)

Stack overflow: in software, a stack overflow is a type of buffer overflow that occurs if the call stack pointer exceeds the stack bound. (https://en.wikipedia.org/wiki/Stack_overflow) Note that the cited article describes exhaustion of the call stack (for example through unbounded recursion); the exploitable case usually meant under this tag is the stack-based buffer overflow, in which a write past a fixed-size local buffer corrupts adjacent frame data such as the saved return address.

Heap overflow: a heap overflow is a type of buffer overflow that occurs in the heap data area. (https://en.wikipedia.org/wiki/Heap_overflow)
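As an added example for the stack-based buffer overflow entry above (this is not code from the taxonomy or from the cited articles), the following C program models a stack frame as a struct holding a 16-byte local buffer followed by the saved return address, which mirrors how the two sit on the real stack. Keeping both in one object makes the overflow well-defined C, so it can be run and asserted on; on a real frame the same extra bytes land on the real saved return address. `LEGIT_RET` and the target `0xdeadbeef` are constructed placeholder addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { BUF_SIZE = 16 };

/* Model of a stack frame: a fixed-size local buffer with the saved return
 * address immediately after it, as the compiler lays them out (the return
 * address sits at a higher address than the locals). There is no padding
 * because 16 is already aligned for uintptr_t. */
typedef struct {
    char      buf[BUF_SIZE];
    uintptr_t saved_ret;
} frame_t;

/* Constructed stand-in for the address the function would legitimately
 * return to. */
#define LEGIT_RET ((uintptr_t)0x401136)

/* Vulnerable pattern: copy attacker-supplied bytes using the attacker's
 * length rather than the buffer's size (strcpy, or memcpy with a trusted
 * length). The cap at sizeof f exists only so the model never writes
 * outside the struct; it does not protect saved_ret. */
uintptr_t vuln_copy(const unsigned char *in, size_t len)
{
    frame_t f = { { 0 }, LEGIT_RET };
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, in, len);            /* bytes 16.. overwrite saved_ret   */
    return f.saved_ret;             /* where "ret" would now jump       */
}

/* Hardened: bound the copy by the destination buffer and keep room for
 * the terminator. Excess input is dropped here; rejecting it with an
 * error is the other valid choice, depending on the protocol. */
uintptr_t safe_copy(const unsigned char *in, size_t len)
{
    frame_t f = { { 0 }, LEGIT_RET };
    if (len > sizeof f.buf - 1)
        len = sizeof f.buf - 1;
    memcpy(f.buf, in, len);
    f.buf[len] = '\0';
    return f.saved_ret;
}

/* Classic payload: fill the buffer, then place the address the attacker
 * wants control transferred to exactly where the saved return address
 * lives. Written in host byte order via memcpy so it matches what the
 * CPU reads back. Returns the payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t out_size, uintptr_t target)
{
    size_t need = BUF_SIZE + sizeof target;
    if (out_size < need)
        return 0;
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &target, sizeof target);
    return need;
}

/* Run the payload against either the vulnerable or the hardened copy and
 * report the saved return address the frame ends up with. */
uintptr_t run_attack(uintptr_t target, int hardened)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, target);
    return hardened ? safe_copy(payload, n) : vuln_copy(payload, n);
}

int main(void)
{
    uintptr_t target = (uintptr_t)0xdeadbeef;   /* constructed target */
    printf("vulnerable: saved return = 0x%lx\n",
           (unsigned long)run_attack(target, 0));
    printf("hardened:   saved return = 0x%lx\n",
           (unsigned long)run_attack(target, 1));
    return 0;
}
```

The only difference between the two copies is which size bounds the `memcpy`: the buffer's own size in the hardened version, the input's length in the vulnerable one. Stack canaries, ASLR and non-executable stacks raise the cost of turning the overwritten return address into code execution, but they do not remove the memory corruption itself.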
Heap spraying: heap spraying is a technique used in exploits to facilitate arbitrary code execution. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill those blocks with the right values. (https://en.wikipedia.org/wiki/Heap_spraying)

Fuzzing: fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as input to a computer program. (https://en.wikipedia.org/wiki/Fuzzing)

Return-oriented programming: return-oriented programming (ROP) is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions, or short groups of them, that sit immediately before a return instruction in subroutines of the existing program code, chaining them in a way similar to the execution of a threaded-code interpreter. (https://en.wikipedia.org/wiki/Return-oriented_programming)

NULL pointer dereference: a NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but that is NULL, typically causing a crash or exit. (https://cwe.mitre.org/data/definitions/476.html)