MISP Galaxies to STIX 2.1 mapping
MISP galaxies are exported in Attack Pattern
, Course of Action
, Malware
, Threat Actor
, Tool
or Vulnerability
objects.
Sometimes 2 different Galaxies are mapped into the same STIX 2.1 object, the following examples don’t show each Galaxy type, but only one for each resulting STIX object. If you want to see the complete mapping, the MISP Galaxies to STIX 2.0 mapping summary gives all the Galaxy types that are mapped into each STIX object type
Since not all the fields of the galaxies and their clusters are exported into STIX 2.1, the following examples are given with the fields that are exported only, if you want to have a look at the full definitions, you can visit the MISP Galaxies repository.
- Attack Pattern
- MISP
{ "uuid": "c4e851fa-775f-11e7-8163-b774922098cd", "name": "Attack Pattern", "type": "mitre-attack-pattern", "description": "ATT&CK Tactic", "GalaxyCluster": [ { "uuid": "e042a41b-5ecf-4f3a-8f1f-1b528c534772", "type": "mitre-attack-pattern", "value": "Access Token Manipulation - T1134", "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.", "meta": { "external_id": "T1134", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" ], "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/techniques/T1134" ] } } ] }
- STIX
- Attack Pattern
{ "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Access Token Manipulation", "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "labels": [ "misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1134" }, { "source_name": "url", "url": "https://attack.mitre.org/techniques/T1134" } ], "x_misp_mitre_platforms": [ "Windows" ] }
- Attack Pattern
- MISP
- Branded Vulnerability
- MISP
{ "uuid": "fda8c7c2-f45a-11e7-9713-e75dac0492df", "name": "Branded Vulnerability", "type": "branded-vulnerability", "description": "List of known vulnerabilities and exploits", "GalaxyCluster": [ { "uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799", "type": "branded-vulnerability", "value": "Ghost", "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library.", "meta": { "aliases": [ "CVE-2015-0235" ] } } ] }
- STIX
- Vulnerability
{ "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--a1640081-aa8d-4070-84b2-d23e2ae82799", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ghost", "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library.", "labels": [ "misp:galaxy-name=\"Branded Vulnerability\"", "misp:galaxy-type=\"branded-vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-0235" } ] }
- Vulnerability
- MISP
- Country
- MISP
{ "uuid": "84668357-5a8c-4bdd-9f0f-6b50b2aee4c1", "type": "country", "name": "Country", "description": "Country meta information", "GalaxyCluster": [ { "uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535745", "type": "country", "value": "sweden", "description": "Sweden", "meta": { "Capital": "Stockholm", "Continent": "EU", "CurrencyCode": "SEK", "CurrencyName": "Krona", "ISO": "SE", "ISO3": "SWE", "Languages": "sv-SE,se,sma,fi-SE", "Population": "9828655", "tld": ".se" } } ] }
- STIX
- Location
{ "type": "location", "spec_version": "2.1", "id": "location--84668357-5a8c-4bdd-9f0f-6b50b2535745", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Sweden", "description": "Country meta information | sweden", "country": "SE", "labels": [ "misp:galaxy-name=\"Country\"", "misp:galaxy-type=\"country\"" ], "x_misp_Capital": "Stockholm", "x_misp_Continent": "EU", "x_misp_CurrencyCode": "SEK", "x_misp_CurrencyName": "Krona", "x_misp_ISO": "SE", "x_misp_ISO3": "SWE", "x_misp_Languages": "sv-SE,se,sma,fi-SE", "x_misp_Population": "9828655", "x_misp_tld": ".se" }
- Location
- MISP
- Course of Action
- MISP
{ "uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e", "name": "Course of Action", "type": "mitre-course-of-action", "description": "ATT&CK Mitigation", "GalaxyCluster": [ { "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "type": "mitre-course-of-action", "value": "Automated Exfiltration Mitigation - T1020", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network", "meta": { "external_id": "T1020", "refs": [ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "https://attack.mitre.org/mitigations/T1020", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] } } ] }
- STIX
- Course of Action
{ "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network", "labels": [ "misp:galaxy-name=\"Course of Action\"", "misp:galaxy-type=\"mitre-course-of-action\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1020" }, { "source_name": "url", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" }, { "source_name": "url", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" }, { "source_name": "url", "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" }, { "source_name": "url", "url": "https://attack.mitre.org/mitigations/T1020" }, { "source_name": "url", "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" } ] }
- Course of Action
- MISP
- Intrusion Set
- MISP
{ "uuid": "1023f364-7831-11e7-8318-43b5531983ab", "name": "Intrusion Set", "type": "mitre-intrusion-set", "description": "Name of ATT&CK Group", "GalaxyCluster": [ { "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "type": "mitre-intrusion-set", "value": "APT16 - G0023", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.", "meta": { "external_id": "G0023", "refs": [ "https://attack.mitre.org/groups/G0023", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "APT16" ] } } ] }
- STIX
- Intrusion Set
{ "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "APT16", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.", "aliases": [ "APT16" ], "labels": [ "misp:galaxy-name=\"Intrusion Set\"", "misp:galaxy-type=\"mitre-intrusion-set\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "G0023" }, { "source_name": "url", "url": "https://attack.mitre.org/groups/G0023" }, { "source_name": "url", "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" } ] }
- Intrusion Set
- MISP
- Malware
- MISP
{ "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "name": "Malware", "type": "mitre-malware", "description": "Name of ATT&CK software", "GalaxyCluster": [ { "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "type": "mitre-malware", "value": "BISCUIT - S0017", "description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.", "meta": { "external_id": "S0017", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0017", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "BISCUIT" ] } } ] }
- STIX
- Malware
{ "type": "malware", "spec_version": "2.1", "id": "malware--b8eb28e4-48a6-40ae-951a-328714f75eda", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "BISCUIT", "description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.", "is_family": false, "aliases": [ "BISCUIT" ], "labels": [ "misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "S0017" }, { "source_name": "url", "url": "https://attack.mitre.org/software/S0017" }, { "source_name": "url", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" }, { "source_name": "url", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" } ], "x_misp_mitre_platforms": [ "Windows" ] }
- Malware
- MISP
- Regions UN M49
- MISP
{ "uuid": "d151a79a-e029-11e9-9409-f3e0cf3d93aa", "name": "Regions UN M49", "type": "region", "description": "Regions based on UN M49", "GalaxyCluster": [ { "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "region", "value": "154 - Northern Europe", "description": "Nothern Europe", "meta": { "subregion": [ "830 - Channel Islands", "248 - \u00c5land Islands", "208 - Denmark", "233 - Estonia", "234 - Faroe Islands", "246 - Finland", "352 - Iceland", "372 - Ireland", "833 - Isle of Man", "428 - Latvia", "440 - Lithuania", "578 - Norway", "744 - Svalbard and Jan Mayen Islands", "752 - Sweden", "826 - United Kingdom of Great Britain and Northern Ireland" ] } } ] }
- STIX
- Location
{ "type": "location", "spec_version": "2.1", "id": "location--f93cb275-0366-4ecc-abf0-a17928d1e177", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Northern Europe", "description": "Regions based on UN M49 | Nothern Europe", "region": "northern-europe", "labels": [ "misp:galaxy-name=\"Regions UN M49\"", "misp:galaxy-type=\"region\"" ], "x_misp_subregion": [ "830 - Channel Islands", "248 - Åland Islands", "208 - Denmark", "233 - Estonia", "234 - Faroe Islands", "246 - Finland", "352 - Iceland", "372 - Ireland", "833 - Isle of Man", "428 - Latvia", "440 - Lithuania", "578 - Norway", "744 - Svalbard and Jan Mayen Islands", "752 - Sweden", "826 - United Kingdom of Great Britain and Northern Ireland" ] }
- Location
- MISP
- Sector
- MISP
{ "uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439", "name": "Sector", "type": "sector", "description": "Activity sectors", "GalaxyCluster": [ { "uuid": "75597b7f-54e8-4f14-88c9-e81485ece483", "type": "sector", "value": "IT - Security" } ] }
- STIX
- Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--75597b7f-54e8-4f14-88c9-e81485ece483", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "IT - Security", "description": "Activity sectors", "identity_class": "class", "labels": [ "misp:galaxy-name=\"Sector\"", "misp:galaxy-type=\"sector\"" ] }
- Identity
- MISP
- Threat Actor
- MISP
{ "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3", "name": "Threat Actor", "type": "threat-actor", "description": "Threat actors are characteristics of malicious actors.", "GalaxyCluster": [ { "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "type": "threat-actor", "value": "Cutting Kitten", "description": "These convincing profiles form a self-referenced network of seemingly established LinkedIn users.", "meta": { "cfr-type-of-incident": [ "Denial of service" ], "synonyms": [ "Ghambar" ] } } ] }
- STIX
- Threat Actor
{ "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--11e17436-6ede-4733-8547-4ce0254ea19e", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Cutting Kitten", "description": "These convincing profiles form a self-referenced network of seemingly established LinkedIn users.", "aliases": [ "Ghambar" ], "labels": [ "misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"" ], "x_misp_cfr-type-of-incident": [ "Denial of service" ] }
- Threat Actor
- MISP
- Tool
- MISP
{ "uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649", "name": "Tool", "type": "mitre-tool", "description": "Name of ATT&CK software", "GalaxyCluster": [ { "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "mitre-tool", "value": "cmd - S0106", "description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.", "meta": { "external_id": "S0106", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0106", "https://technet.microsoft.com/en-us/library/bb490880.aspx", "https://technet.microsoft.com/en-us/library/bb490886.aspx", "https://technet.microsoft.com/en-us/library/cc755121.aspx", "https://technet.microsoft.com/en-us/library/cc771049.aspx" ], "synonyms": [ "cmd", "cmd.exe" ] } } ] }
- STIX
- Tool
{ "type": "tool", "spec_version": "2.1", "id": "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "cmd", "description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.", "aliases": [ "cmd", "cmd.exe" ], "labels": [ "misp:galaxy-name=\"Tool\"", "misp:galaxy-type=\"mitre-tool\"" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "S0106" }, { "source_name": "url", "url": "https://attack.mitre.org/software/S0106" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/bb490880.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/bb490886.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/cc755121.aspx" }, { "source_name": "url", "url": "https://technet.microsoft.com/en-us/library/cc771049.aspx" } ], "x_misp_mitre_platforms": [ "Windows" ] }
- Tool
- MISP
The other detailed mappings
For more detailed mappings, click on one of the link below: