MISP Galaxies to STIX 2.0 mapping
MISP galaxies are exported as Attack Pattern, Course of Action, Malware, Threat Actor, Tool or Vulnerability objects.
Sometimes two different Galaxies are mapped into the same STIX 2.0 object. The following examples therefore do not show every Galaxy type, but only one for each resulting STIX object. If you want to see the complete mapping, the MISP Galaxies to STIX 2.0 mapping summary lists all the Galaxy types that are mapped into each STIX object type.
Since not all the fields of the galaxies and their clusters are exported into STIX 2.0, the following examples only show the fields that are exported. If you want to look at the full definitions, you can visit the MISP Galaxies repository.
- Attack Pattern
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "T1134", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" ], "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/techniques/T1134" ] }, "default": false, "distribution": "0", "uuid": "e042a41b-5ecf-4f3a-8f1f-1b528c534772", "type": "mitre-attack-pattern", "value": "Access Token Manipulation - T1134", "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls." } ], "uuid": "c4e851fa-775f-11e7-8163-b774922098cd", "name": "Attack Pattern", "type": "mitre-attack-pattern", "description": "ATT&CK Tactic" } - STIX
{ "type": "attack-pattern", "id": "attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Access Token Manipulation", "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "labels": [ "misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1134" }, { "source_name": "url", "url": "https://attack.mitre.org/techniques/T1134" } ], "x_misp_mitre_platforms": [ "Windows" ] }
- MISP
- Branded Vulnerability
- MISP
{ "GalaxyCluster": [ { "meta": { "aliases": [ "CVE-2015-0235" ] }, "default": false, "distribution": "0", "uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799", "type": "branded-vulnerability", "value": "Ghost", "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library." } ], "uuid": "fda8c7c2-f45a-11e7-9713-e75dac0492df", "name": "Branded Vulnerability", "type": "branded-vulnerability", "description": "List of known vulnerabilities and exploits" } - STIX
{ "type": "vulnerability", "id": "vulnerability--a1640081-aa8d-4070-84b2-d23e2ae82799", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ghost", "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library.", "labels": [ "misp:galaxy-name=\"Branded Vulnerability\"", "misp:galaxy-type=\"branded-vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-0235" } ] }
- MISP
- Course of Action
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "T1020", "refs": [ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "https://attack.mitre.org/mitigations/T1020", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "default": false, "distribution": "0", "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "type": "mitre-course-of-action", "value": "Automated Exfiltration Mitigation - T1020", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network" } ], "uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e", "name": "Course of Action", "type": "mitre-course-of-action", "description": "ATT&CK Mitigation" } - STIX
{ "type": "course-of-action", "id": "course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network", "labels": [ "misp:galaxy-name=\"Course of Action\"", "misp:galaxy-type=\"mitre-course-of-action\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1020" }, { "source_name": "url", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" }, { "source_name": "url", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" }, { "source_name": "url", "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" }, { "source_name": "url", "url": "https://attack.mitre.org/mitigations/T1020" }, { "source_name": "url", "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" } ] }
- MISP
- Intrusion Set
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "G0023", "refs": [ "https://attack.mitre.org/groups/G0023", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "APT16" ] }, "default": false, "distribution": "0", "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "type": "mitre-intrusion-set", "value": "APT16 - G0023", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations." } ], "uuid": "1023f364-7831-11e7-8318-43b5531983ab", "name": "Intrusion Set", "type": "mitre-intrusion-set", "description": "Name of ATT&CK Group" } - STIX
{ "type": "intrusion-set", "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "APT16", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.", "labels": [ "misp:galaxy-name=\"Intrusion Set\"", "misp:galaxy-type=\"mitre-intrusion-set\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "G0023" }, { "source_name": "url", "url": "https://attack.mitre.org/groups/G0023" }, { "source_name": "url", "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" } ] }
- MISP
- Malware
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "S0017", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0017", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "BISCUIT" ] }, "default": false, "distribution": "0", "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "type": "mitre-malware", "value": "BISCUIT - S0017", "description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007." } ], "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "name": "Malware", "type": "mitre-malware", "description": "Name of ATT&CK software" } - STIX
{ "type": "malware", "id": "malware--b8eb28e4-48a6-40ae-951a-328714f75eda", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "BISCUIT", "description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.", "labels": [ "misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "S0017" }, { "source_name": "url", "url": "https://attack.mitre.org/software/S0017" }, { "source_name": "url", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" }, { "source_name": "url", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" } ], "x_misp_mitre_platforms": [ "Windows" ] }
- MISP
- STIX 2.0 Attack Pattern
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "CAPEC-163", "kill_chain": [ "mandiant-attack-lifecycle-model:initial-compromise" ], "synonyms": [ "Spear Phishing" ] }, "default": false, "distribution": "0", "uuid": "ef6eb51e-e601-5d4f-8aad-124c4f5507b0", "value": "Spear Phishing Attack Pattern used by admin@338", "description": "The preferred attack vector used by admin@338 is spear-phishing emails. Using content that is relevant to the target, these emails are designed to entice the target to open an attachment that contains the malicious PIVY server code.", "type": "stix-2.0-attack-pattern" } ], "description": "Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.", "uuid": "2d018cbb-4236-53c8-aeba-0aa1b51e636e", "type": "stix-2.0-attack-pattern", "name": "STIX 2.0 Attack Pattern" } - STIX
{ "type": "attack-pattern", "id": "attack-pattern--ef6eb51e-e601-5d4f-8aad-124c4f5507b0", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Spear Phishing Attack Pattern used by admin@338", "description": "The preferred attack vector used by admin@338 is spear-phishing emails. Using content that is relevant to the target, these emails are designed to entice the target to open an attachment that contains the malicious PIVY server code.", "kill_chain_phases": [ { "kill_chain_name": "mandiant-attack-lifecycle-model", "phase_name": "initial-compromise" } ], "labels": [ "misp:galaxy-name=\"STIX 2.0 Attack Pattern\"", "misp:galaxy-type=\"stix-2.0-attack-pattern\"" ], "external_references": [ { "source_name": "capec", "external_id": "CAPEC-163" } ], "x_misp_synonyms": [ "Spear Phishing" ] }
- MISP
- STIX 2.0 Campaign
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Doppelganger" ], "last_seen": "2020-10-25T16:22:00Z", "objective": "manipulation" }, "default": false, "distribution": "0", "uuid": "0dd0896b-8834-5025-a4d4-c0f4bbf7d403", "value": "RRN", "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.", "type": "stix-2.0-campaign" } ], "description": "A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.", "uuid": "3d29c2ad-cb5a-5173-8ef6-1afd3bd2ed34", "type": "stix-2.0-campaign", "name": "STIX 2.0 Campaign" } - STIX
{ "type": "campaign", "id": "campaign--0dd0896b-8834-5025-a4d4-c0f4bbf7d403", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "RRN", "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.", "aliases": [ "Doppelganger" ], "last_seen": "2020-10-25T16:22:00Z", "objective": "manipulation", "labels": [ "misp:galaxy-name=\"STIX 2.0 Campaign\"", "misp:galaxy-type=\"stix-2.0-campaign\"" ] }
- MISP
- STIX 2.0 Course of Action
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "T1203", "refs": [ "https://attack.mitre.org/mitigations/T1203" ] }, "default": false, "distribution": "0", "uuid": "58334ddd-728f-575a-a0df-b211ef74f679", "value": "Exploitation for Client Execution Mitigation", "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist", "type": "stix-2.0-course-of-action" } ], "description": "A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes.", "uuid": "e0b51d22-4971-5444-879c-317f5bfa959e", "type": "stix-2.0-course-of-action", "name": "STIX 2.0 Course of Action" } - STIX
{ "type": "course-of-action", "id": "course-of-action--58334ddd-728f-575a-a0df-b211ef74f679", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Exploitation for Client Execution Mitigation", "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist", "labels": [ "misp:galaxy-name=\"STIX 2.0 Course of Action\"", "misp:galaxy-type=\"stix-2.0-course-of-action\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1203" }, { "source_name": "url", "url": "https://attack.mitre.org/mitigations/T1203" } ] }
- MISP
- STIX 2.0 Intrusion Set
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Comment Crew", "Comment Group", "Shady Rat" ], "goals": [ "Gather information on victims" ], "primary_motivation": "organizational-gain", "resource_level": "government" }, "default": false, "distribution": "0", "uuid": "86ddf25a-5c34-52c8-a9c3-07a06f3cc5d3", "value": "APT1", "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.", "type": "stix-2.0-intrusion-set" } ], "description": "An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor.", "uuid": "7205e3fa-e1eb-5215-a68f-35ab2b4eb87d", "type": "stix-2.0-intrusion-set", "name": "STIX 2.0 Intrusion Set" } - STIX
{ "type": "intrusion-set", "id": "intrusion-set--86ddf25a-5c34-52c8-a9c3-07a06f3cc5d3", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "APT1", "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.", "aliases": [ "Comment Crew", "Comment Group", "Shady Rat" ], "goals": [ "Gather information on victims" ], "resource_level": "government", "primary_motivation": "organizational-gain", "labels": [ "misp:galaxy-name=\"STIX 2.0 Intrusion Set\"", "misp:galaxy-type=\"stix-2.0-intrusion-set\"" ] }
- MISP
- STIX 2.0 Malware
- MISP
{ "GalaxyCluster": [ { "meta": { "labels": [ "backdoor", "dropper", "remote-access-trojan" ] }, "default": false, "distribution": "0", "uuid": "d7ec91c0-e001-5992-9258-b0147fc71014", "value": "MANITSME", "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files.", "type": "stix-2.0-malware" } ], "description": "Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.", "uuid": "5de9a83d-06f0-532b-bcf6-54eaf4db61c8", "type": "stix-2.0-malware", "name": "STIX 2.0 Malware" } - STIX
{ "type": "malware", "id": "malware--d7ec91c0-e001-5992-9258-b0147fc71014", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "MANITSME", "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files.", "labels": [ "misp:galaxy-name=\"STIX 2.0 Malware\"", "misp:galaxy-type=\"stix-2.0-malware\"", "backdoor", "dropper", "remote-access-trojan" ] }
- MISP
- STIX 2.0 Threat Actor
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Greenfield", "JackWang", "Wang Dong" ], "primary_motivation": "organizational-gain", "resource_level": "government", "roles": [ "malware-author", "agent", "infrastructure-operator" ], "labels": [ "nation-state", "spy" ] }, "default": false, "distribution": "0", "uuid": "68f82328-1545-54eb-9f75-bfc6967c172c", "value": "Ugly Gorilla", "description": "Ugly gorilla", "type": "stix-2.0-threat-actor" } ], "description": "Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.", "uuid": "69073dcd-d569-5589-81a0-e1a36ec7c3f0", "type": "stix-2.0-threat-actor", "name": "STIX 2.0 Threat Actor" } - STIX
{ "type": "threat-actor", "id": "threat-actor--68f82328-1545-54eb-9f75-bfc6967c172c", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ugly Gorilla", "description": "Ugly gorilla", "aliases": [ "Greenfield", "JackWang", "Wang Dong" ], "roles": [ "malware-author", "agent", "infrastructure-operator" ], "resource_level": "government", "primary_motivation": "organizational-gain", "labels": [ "misp:galaxy-name=\"STIX 2.0 Threat Actor\"", "misp:galaxy-type=\"stix-2.0-threat-actor\"", "nation-state", "spy" ] }
- MISP
- STIX 2.0 Tool
- MISP
{ "GalaxyCluster": [ { "meta": { "tool_version": "2.1.0", "refs": [ "http://www.foofus.net/fizzgig/fgdump/" ], "kill_chain": [ "mandiant-attack-lifecycle-model:escalate-privileges" ], "labels": [ "credential-exploitation" ] }, "default": false, "distribution": "0", "uuid": "8ad88bfb-1172-5149-8f15-10ef14fa5868", "value": "fgdump", "description": "Windows password hash dumper", "type": "stix-2.0-tool" } ], "description": "Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users.", "uuid": "77e81218-13f5-537a-acfa-caf14fbe1810", "type": "stix-2.0-tool", "name": "STIX 2.0 Tool" } - STIX
{ "type": "tool", "id": "tool--8ad88bfb-1172-5149-8f15-10ef14fa5868", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "fgdump", "description": "Windows password hash dumper", "kill_chain_phases": [ { "kill_chain_name": "mandiant-attack-lifecycle-model", "phase_name": "escalate-privileges" } ], "tool_version": "2.1.0", "labels": [ "misp:galaxy-name=\"STIX 2.0 Tool\"", "misp:galaxy-type=\"stix-2.0-tool\"", "credential-exploitation" ], "external_references": [ { "source_name": "url", "url": "http://www.foofus.net/fizzgig/fgdump/" } ] }
- MISP
- STIX 2.0 Vulnerability
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "CVE-2009-4324" }, "default": false, "distribution": "0", "uuid": "548bae32-76f7-5cbe-8154-df9ac92b29f5", "value": "CVE-2009-4324", "description": "Adobe acrobat PDF's used by admin@338", "type": "stix-2.0-vulnerability" } ], "description": "A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.", "uuid": "90ec1934-1ab3-5f62-a526-53a5f7f61b90", "type": "stix-2.0-vulnerability", "name": "STIX 2.0 Vulnerability" } - STIX
{ "type": "vulnerability", "id": "vulnerability--548bae32-76f7-5cbe-8154-df9ac92b29f5", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "CVE-2009-4324", "description": "Adobe acrobat PDF's used by admin@338", "labels": [ "misp:galaxy-name=\"STIX 2.0 Vulnerability\"", "misp:galaxy-type=\"stix-2.0-vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2009-4324" } ] }
- MISP
- STIX 2.1 Attack Pattern
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "CAPEC-163", "kill_chain": [ "mandiant-attack-lifecycle-model:initial-compromise" ], "synonyms": [ "Spear Phishing" ] }, "default": false, "distribution": "0", "uuid": "ef6eb51e-e601-5d4f-8aad-124c4f5507b0", "value": "Spear Phishing Attack Pattern used by admin@338", "description": "The preferred attack vector used by admin@338 is spear-phishing emails. Using content that is relevant to the target, these emails are designed to entice the target to open an attachment that contains the malicious PIVY server code.", "type": "stix-2.1-attack-pattern" } ], "description": "Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.", "uuid": "2d018cbb-4236-53c8-aeba-0aa1b51e636e", "type": "stix-2.1-attack-pattern", "name": "STIX 2.1 Attack Pattern" } - STIX
{ "type": "attack-pattern", "id": "attack-pattern--ef6eb51e-e601-5d4f-8aad-124c4f5507b0", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Spear Phishing Attack Pattern used by admin@338", "description": "The preferred attack vector used by admin@338 is spear-phishing emails. Using content that is relevant to the target, these emails are designed to entice the target to open an attachment that contains the malicious PIVY server code.", "kill_chain_phases": [ { "kill_chain_name": "mandiant-attack-lifecycle-model", "phase_name": "initial-compromise" } ], "labels": [ "misp:galaxy-name=\"STIX 2.1 Attack Pattern\"", "misp:galaxy-type=\"stix-2.1-attack-pattern\"" ], "external_references": [ { "source_name": "capec", "external_id": "CAPEC-163" } ], "x_misp_synonyms": [ "Spear Phishing" ] }
- MISP
- STIX 2.1 Campaign
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Doppelganger" ], "last_seen": "2020-10-25T16:22:00Z", "objective": "manipulation" }, "default": false, "distribution": "0", "uuid": "0dd0896b-8834-5025-a4d4-c0f4bbf7d403", "value": "RRN", "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.", "type": "stix-2.1-campaign" } ], "description": "A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.", "uuid": "3d29c2ad-cb5a-5173-8ef6-1afd3bd2ed34", "type": "stix-2.1-campaign", "name": "STIX 2.1 Campaign" } - STIX
{ "type": "campaign", "id": "campaign--0dd0896b-8834-5025-a4d4-c0f4bbf7d403", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "RRN", "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.", "aliases": [ "Doppelganger" ], "last_seen": "2020-10-25T16:22:00Z", "objective": "manipulation", "labels": [ "misp:galaxy-name=\"STIX 2.1 Campaign\"", "misp:galaxy-type=\"stix-2.1-campaign\"" ] }
- MISP
- STIX 2.1 Course of Action
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "T1203", "refs": [ "https://attack.mitre.org/mitigations/T1203" ] }, "default": false, "distribution": "0", "uuid": "58334ddd-728f-575a-a0df-b211ef74f679", "value": "Exploitation for Client Execution Mitigation", "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist", "type": "stix-2.1-course-of-action" } ], "description": "A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes.", "uuid": "e0b51d22-4971-5444-879c-317f5bfa959e", "type": "stix-2.1-course-of-action", "name": "STIX 2.1 Course of Action" } - STIX
{ "type": "course-of-action", "id": "course-of-action--58334ddd-728f-575a-a0df-b211ef74f679", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Exploitation for Client Execution Mitigation", "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist", "labels": [ "misp:galaxy-name=\"STIX 2.1 Course of Action\"", "misp:galaxy-type=\"stix-2.1-course-of-action\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1203" }, { "source_name": "url", "url": "https://attack.mitre.org/mitigations/T1203" } ] }
- MISP
- STIX 2.1 Intrusion Set
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Comment Crew", "Comment Group", "Shady Rat" ], "goals": [ "Gather information on victims" ], "primary_motivation": "organizational-gain", "resource_level": "government" }, "default": false, "distribution": "0", "uuid": "86ddf25a-5c34-52c8-a9c3-07a06f3cc5d3", "value": "APT1", "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.", "type": "stix-2.1-intrusion-set" } ], "description": "An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor.", "uuid": "7205e3fa-e1eb-5215-a68f-35ab2b4eb87d", "type": "stix-2.1-intrusion-set", "name": "STIX 2.1 Intrusion Set" } - STIX
{ "type": "intrusion-set", "id": "intrusion-set--86ddf25a-5c34-52c8-a9c3-07a06f3cc5d3", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "APT1", "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.", "aliases": [ "Comment Crew", "Comment Group", "Shady Rat" ], "goals": [ "Gather information on victims" ], "resource_level": "government", "primary_motivation": "organizational-gain", "labels": [ "misp:galaxy-name=\"STIX 2.1 Intrusion Set\"", "misp:galaxy-type=\"stix-2.1-intrusion-set\"" ] }
- MISP
- STIX 2.1 Malware
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "ManItsMe" ], "architecture_execution_envs": [ "x86-64" ], "capabilities": [ "accesses-remote-machines", "communicates-with-c2" ], "first_seen": "2020-10-25T16:22:00Z", "implementation_languages": [ "c++" ], "is_family": true, "malware_types": [ "backdoor", "dropper", "remote-access-trojan" ] }, "default": false, "distribution": "0", "uuid": "d7ec91c0-e001-5992-9258-b0147fc71014", "value": "MANITSME", "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files.", "type": "stix-2.1-malware" } ], "description": "Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.", "uuid": "5de9a83d-06f0-532b-bcf6-54eaf4db61c8", "type": "stix-2.1-malware", "name": "STIX 2.1 Malware" } - STIX
{ "type": "malware", "id": "malware--d7ec91c0-e001-5992-9258-b0147fc71014", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "MANITSME", "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files.", "labels": [ "misp:galaxy-name=\"STIX 2.1 Malware\"", "misp:galaxy-type=\"stix-2.1-malware\"", "backdoor", "dropper", "remote-access-trojan" ], "first_seen": "2020-10-25T16:22:00Z", "x_misp_architecture_execution_envs": [ "x86-64" ], "x_misp_capabilities": [ "accesses-remote-machines", "communicates-with-c2" ], "x_misp_implementation_languages": [ "c++" ], "x_misp_is_family": true, "x_misp_synonyms": [ "ManItsMe" ] }
- MISP
- STIX 2.1 Threat Actor
- MISP
{ "GalaxyCluster": [ { "meta": { "synonyms": [ "Greenfield", "JackWang", "Wang Dong" ], "primary_motivation": "organizational-gain", "resource_level": "government", "roles": [ "malware-author", "agent", "infrastructure-operator" ], "threat_actor_types": [ "nation-state", "spy" ] }, "default": false, "distribution": "0", "uuid": "68f82328-1545-54eb-9f75-bfc6967c172c", "value": "Ugly Gorilla", "description": "Ugly gorilla", "type": "stix-2.1-threat-actor" } ], "description": "Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.", "uuid": "69073dcd-d569-5589-81a0-e1a36ec7c3f0", "type": "stix-2.1-threat-actor", "name": "STIX 2.1 Threat Actor" } - STIX
{ "type": "threat-actor", "id": "threat-actor--68f82328-1545-54eb-9f75-bfc6967c172c", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ugly Gorilla", "description": "Ugly gorilla", "aliases": [ "Greenfield", "JackWang", "Wang Dong" ], "roles": [ "malware-author", "agent", "infrastructure-operator" ], "resource_level": "government", "primary_motivation": "organizational-gain", "labels": [ "misp:galaxy-name=\"STIX 2.1 Threat Actor\"", "misp:galaxy-type=\"stix-2.1-threat-actor\"", "nation-state", "spy" ] }
- MISP
- STIX 2.1 Tool
- MISP
{ "GalaxyCluster": [ { "meta": { "tool_version": "2.1.0", "refs": [ "http://www.foofus.net/fizzgig/fgdump/" ], "kill_chain": [ "mandiant-attack-lifecycle-model:escalate-privileges" ], "tool_types": [ "credential-exploitation" ] }, "default": false, "distribution": "0", "uuid": "8ad88bfb-1172-5149-8f15-10ef14fa5868", "value": "fgdump", "description": "Windows password hash dumper", "type": "stix-2.1-tool" } ], "description": "Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users.", "uuid": "77e81218-13f5-537a-acfa-caf14fbe1810", "type": "stix-2.1-tool", "name": "STIX 2.1 Tool" } - STIX
{ "type": "tool", "id": "tool--8ad88bfb-1172-5149-8f15-10ef14fa5868", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "fgdump", "description": "Windows password hash dumper", "kill_chain_phases": [ { "kill_chain_name": "mandiant-attack-lifecycle-model", "phase_name": "escalate-privileges" } ], "tool_version": "2.1.0", "labels": [ "misp:galaxy-name=\"STIX 2.1 Tool\"", "misp:galaxy-type=\"stix-2.1-tool\"", "credential-exploitation" ], "external_references": [ { "source_name": "url", "url": "http://www.foofus.net/fizzgig/fgdump/" } ] }
- MISP
- STIX 2.1 Vulnerability
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "CVE-2009-4324" }, "default": false, "distribution": "0", "uuid": "548bae32-76f7-5cbe-8154-df9ac92b29f5", "value": "CVE-2009-4324", "description": "Adobe acrobat PDF's used by admin@338", "type": "stix-2.1-vulnerability" } ], "description": "A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.", "uuid": "90ec1934-1ab3-5f62-a526-53a5f7f61b90", "type": "stix-2.1-vulnerability", "name": "STIX 2.1 Vulnerability" } - STIX
{ "type": "vulnerability", "id": "vulnerability--548bae32-76f7-5cbe-8154-df9ac92b29f5", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "CVE-2009-4324", "description": "Adobe acrobat PDF's used by admin@338", "labels": [ "misp:galaxy-name=\"STIX 2.1 Vulnerability\"", "misp:galaxy-type=\"stix-2.1-vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2009-4324" } ] }
- MISP
- Sector
- MISP
{ "GalaxyCluster": [ { "meta": {}, "default": false, "distribution": "0", "uuid": "75597b7f-54e8-4f14-88c9-e81485ece483", "type": "sector", "value": "IT - Security" } ], "uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439", "name": "Sector", "type": "sector", "description": "Activity sectors" } - STIX
{ "type": "identity", "id": "identity--75597b7f-54e8-4f14-88c9-e81485ece483", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "IT - Security", "description": "Activity sectors", "identity_class": "class", "labels": [ "misp:galaxy-name=\"Sector\"", "misp:galaxy-type=\"sector\"" ] }
- MISP
- Threat Actor
- MISP
{ "GalaxyCluster": [ { "meta": { "cfr-type-of-incident": [ "Denial of service" ], "synonyms": [ "Ghambar" ] }, "default": false, "distribution": "0", "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "type": "threat-actor", "value": "Cutting Kitten", "description": "These convincing profiles form a self-referenced network of seemingly established LinkedIn users." } ], "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3", "name": "Threat Actor", "type": "threat-actor", "description": "Threat actors are characteristics of malicious actors." } - STIX
{ "type": "threat-actor", "id": "threat-actor--11e17436-6ede-4733-8547-4ce0254ea19e", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Cutting Kitten", "description": "These convincing profiles form a self-referenced network of seemingly established LinkedIn users.", "aliases": [ "Ghambar" ], "labels": [ "misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"" ], "x_misp_cfr-type-of-incident": [ "Denial of service" ] }
- MISP
- Tool
- MISP
{ "GalaxyCluster": [ { "meta": { "external_id": "S0106", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0106", "https://technet.microsoft.com/en-us/library/bb490880.aspx", "https://technet.microsoft.com/en-us/library/bb490886.aspx", "https://technet.microsoft.com/en-us/library/cc755121.aspx", "https://technet.microsoft.com/en-us/library/cc771049.aspx" ], "synonyms": [ "cmd", "cmd.exe" ] }, "default": false, "distribution": "0", "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "mitre-tool", "value": "cmd - S0106", "description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities." } ], "uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649", "name": "Tool", "type": "mitre-tool", "description": "Name of ATT&CK software" } - STIX
{ "type": "tool", "id": "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "cmd", "description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.", "labels": [ "misp:galaxy-name=\"Tool\"", "misp:galaxy-type=\"mitre-tool\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "S0106" }, { "source_name": "url", "url": "https://attack.mitre.org/software/S0106" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/bb490880.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/bb490886.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/cc755121.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/cc771049.aspx" } ], "x_misp_mitre_platforms": [ "Windows" ], "x_misp_synonyms": [ "cmd.exe" ] }
- MISP
The other detailed mappings
Note that galaxy meta keys with no native STIX equivalent are carried over verbatim as custom `x_misp_` properties (for example `x_misp_cfr-type-of-incident` in the Threat Actor example above); because STIX 2.0 only permits lowercase letters, digits and underscores in custom property names, such hyphenated keys may be rejected by strict STIX validators. For more detailed mappings, click on one of the links below: