
misp-galaxy's People

Contributors

3c7, adulau, agathemgt, badis-dev, bartblaze, botherder, chrisr3d, cudeso, cvandeplas, danielplohmann, delta-sierra, dependabot[bot], ecrimelabs, iglocska, jloehel, jstnk9, kafeine, mathieu4141, mokaddem, nmd03, nyx0, r0ny123, rafiot, raw-data, rmkml, sebdraven, semelnyk, stefankelm, th4nat0s, vvx7


misp-galaxy's Issues

Cluster 'threat actor' - proposed new fields

For the threat actor cluster, I suggest the following additional fields that we use in our CTI db.
In our day to day activities, they are quite useful for filtering, statistics/trends, etc.

Field = Motive
Values = Cybercrime, Cyberwar, Espionage, Hacktivism, Hacktivism-Nationalists, Jihadism, Other, Unknown

Field = Type
Values = Independent group, State or State-sponsored group, Individual, Other, Unknown

Field = First Seen
Value = Date

Field = Last Seen
Value = Date

Issue with malpedia cluster (duplicate UUIDs)

That's the output of my new test case:

{                                          
  "4038c3bc-b559-45bb-bac1-9665a54dedf9": [
    "Malpedia|Bahamut (Android)",          
    "Malpedia|Bahamut (Windows)"           
  ],                                       
  "8a42a699-1746-498b-a558-e7113bb916c0": [
    "Malpedia|Cpuminer (Android)",         
    "Malpedia|Cpuminer (ELF)"              
  ],                                       
  "8269e779-db23-4c94-aafb-36ee94879417": [
    "Malpedia|DualToy (Android)",          
    "Malpedia|DualToy (iOS)",              
    "Malpedia|DualToy (Windows)"           
  ],
  "4305d59a-0d07-4021-a902-e7996378898b": [
    "Malpedia|FlexiSpy (Android)",         
    "Malpedia|FlexiSpy (symbian)",         
    "Malpedia|FlexiSpy (Windows)"          
  ],                                       
  "0caf0292-b01a-4439-b56f-c75b71900bc0": [
    "Malpedia|Lazarus (Android)",          
    "Malpedia|Lazarus (Windows)"           
  ],                                       
  "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf": [
    "Malpedia|X-Agent (Android)",          
    "Malpedia|X-Agent (ELF)",              
    "Malpedia|X-Agent (OS X)",             
    "Malpedia|X-Agent (Windows)"           
  ],
  "22ef1e56-7778-41d1-9b2b-737aa5bf9777": [
    "Malpedia|Retefe (Android)",
    "Malpedia|Retefe (Windows)"
  ],
  "479353aa-c6d7-47a7-b5f0-3f97fd904864": [
    "Malpedia|Erebus (ELF)",
    "Malpedia|Erebus (Windows)"
  ],                                       
  "17e12216-a303-4a00-8283-d3fe92d0934c": [
    "Malpedia|Mirai (ELF)",
    "Malpedia|Mirai (Windows)"
  ],
  "6d5a5357-4126-4950-b8c3-ee78b1172217": [
    "Malpedia|Mokes (ELF)",
    "Malpedia|Mokes (OS X)",
    "Malpedia|Mokes (Windows)"
  ],
  "47a8fedb-fd60-493a-9b7d-082bdb85621e": [
    "Malpedia|Wirenet (ELF)",
    "Malpedia|Wirenet (OS X)"
  ],
  "bc32df24-8e80-44bc-80b0-6a4d55661aa5": [
    "Malpedia|WireLurker (iOS)",
    "Malpedia|WireLurker (OS X)"
  ],
  "4b2ab902-811e-4b50-8510-43454d77d027": [
    "Malpedia|Crisis (OS X)",
    "Malpedia|Crisis (Windows)"
  ],
  "d674ffd2-1f27-403b-8fe9-b4af6e303e5c": [
    "Malpedia|Uroburos (OS X)",
    "Malpedia|Uroburos (Windows)"
  ],
  "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1": [
    "Malpedia|Winnti (OS X)",
    "Malpedia|Winnti (Windows)"
  ]
}

There are a few entries for different malware with the same UUID, and this should be fixed ASAP (cc @koike). I can easily do it myself, but I don't know how the file is generated (not with the script in the repo, for sure).
Is it a problem if I manually give different UUIDs to the entries?

Ok the validator is really strict :)

The validator kills the file if the JSON is incorrect :)

  • sponge clusters/tool.json
  • jq .
    parse error: Expected another array element at line 363, column 9
  • for dir in 'galaxies/*.json'
  • cat galaxies/exploit-kit.json

$ ls clusters/tool.json -lh
-rw-r--r-- 1 thanat0s thanat0s 0 Feb 25 09:31 clusters/tool.json

Provide a short desc: How to update galaxies from repo

Within MISP --> List Galaxies there is a link called Update Galaxies. The user would expect that executing it would fetch an updated list of galaxies from the repository (but it doesn't). How is it possible to update the galaxies? Thanks in advance!


Threat Actors: Merge "HiddenLynx" into "Aurora Panda"

Currently, there is a value "HiddenLynx" in the threat-actor.json but "Hidden Lynx" is also already listed under "Aurora Panda".
Therefore, the "HiddenLynx" key could be deleted and its symantec reference could be merged into "Aurora Panda".

Threat Actors: Conflict between "Operation C-Major" and "HummingBad"

Actor "HummingBad" has the synonym "Operation C-Major", but "Operation C-Major" is also a key of its own (without "HummingBad" as a synonym, so there is an asymmetry in naming).

I was also not able to find any documentation that indicates a connection between "HummingBad" and "Operation C-Major", so I would propose to delete that synonym for "HummingBad" and treat them individually.

Tailgater Team duplicate

Tailgater Team is defined twice in the threat-actors:

    {
      "value": "Aurora Panda",
      "refs": [
        "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
      ],
      "country": "CN",
      "synonyms": [
        "APT 17",
        "Deputy Dog",
        "Group 8",
        "APT17",
        "Hidden Lynx",
        "Tailgater Team"
      ]
    },
    {
      "value": "Axiom",
      "refs": [
        "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
        "http://williamshowalter.com/a-universal-windows-bootkit/"
      ],
      "country": "CN",
      "synonyms": [
        "Winnti Group",
        "Tailgater Team",
        "Group 72",
        "Group72",
        "Tailgater",
        "Ragebeast",
        "Blackfly"
      ]
    },

Help wanted - Integration with MISP

Hello,

I am looking to see if you could further explain how this is integrated into MISP? I've not seen the concept of clusters till this repo, so not sure where to begin. Interested to start looking at this, looks very promising.

Duplicates in Pre Attack - Relationship

Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps                       
Pre Attack - Relationship - Identify business relationships related-to Identify business relationships                                 
Pre Attack - Relationship - Dynamic DNS related-to Dynamic DNS     
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information                 
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information                 
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains                                                   
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information                 
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains                                                   
Pre Attack - Relationship - APT1 uses Compromise 3rd party infrastructure to support delivery                                          
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps                       
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering                                           
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering                                           
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains                                                   
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps                       
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps                       
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps                       
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information                 
Pre Attack - Relationship - Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering                                           
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains                                                   
Pre Attack - Relationship - Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services         
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering                                           
Pre Attack - Relationship - Obfuscate infrastructure related-to Obfuscate infrastructure                                               
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information                 
Pre Attack - Relationship - Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest       
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains                                                   
Pre Attack - Relationship - Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services   
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering

MITRE ATT&CK mapping issues with current MISP-galaxy implementation - uuid not unique

I am currently working on a new version of the MITRE ATT&CK to MISP-galaxy convertor.
(which should be in one script and should also support the relationships natively)

The issue I'm encountering is with the enterprise-attack, pre-attack and mobile-attack common entities. They are included in each "domain/phase", but are referred by the same uuid. (as they are the same object)

For example uuid bef4c620-0787-42a8-a96d-b7eb6e85917c. In the MITRE ATT&CK they are used in different bundles. (see below where count > 2)

~/Documents/Projects/MITRE-ATTACK$ fgrep -r -h '"id"' .  | fgrep -v bundle  | sed -E 's/\s+//' | sort | uniq -c  | sort -n | tail -n 14
      2 "id": "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb",
      2 "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17",
      2 "id": "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b",
      2 "id": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      3 "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700",
      3 "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6",
      4 "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae",
      4 "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
      4 "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
      4 "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
      4 "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70",
      6 "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      6 "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
      9 "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",

However MISP seems to have included this same object, split over different 'clusters':

~/Documents/Projects/misp-galaxy/clusters$ fgrep -R bef4c620-0787-42a8-a96d-b7eb6e85917c . 
./mitre-enterprise-attack-intrusion-set.json:      "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-intrusion-set.json:        "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
./microsoft-activity-group.json:          "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-mobile-attack-intrusion-set.json:      "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-enterprise-attack-intrusion-set.new.json:            "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
./threat-actor.json:          "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-pre-attack-intrusion-set.json:      "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",

This gives the impression that these objects are not identical, and will also break automagic correlations (and data-validation of unique uuids)

This was caused by the switch of the mitre-intrusion-set to separate clusters for enterprise-attack, mobile-attack.
My question is therefore: why exactly was everything moved to those 3 sub-clusters?
Shouldn't some "common" things be kept together? (like: malware, tool, intrusion-set)
While we could still split some others?

I know such a change would require implementation changes in MISP. But right now this seems wrong as we are breaking the UUID concept. Now you can't rely on a UUID to be unique.
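The following checker is an added example, not misp-galaxy's own validator. It covers both uuid problems raised on this page: the same uuid attached to several entries inside one cluster (the Malpedia test output earlier) and one object copied into several clusters (the intrusion-set uuid that the grep above finds in the enterprise, mobile and pre-attack files). It also resolves "related" links through their "dest-uuid", so a reference to a uuid that no loaded cluster defines is reported. The sample clusters are constructed for the example; the uuids in them are the ones quoted on this page, the entry names and the all-zero uuid are placeholders.

```python
"""Find duplicate and dangling uuids across MISP galaxy cluster files (added example)."""
import json
import sys
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def index_clusters(clusters: Iterable[dict]):
    """Map uuid -> ['Cluster|value', ...] and collect every dest-uuid reference."""
    by_uuid: Dict[str, List[str]] = defaultdict(list)
    references: List[Tuple[str, str, str]] = []  # (source label, dest-uuid, relation type)
    for cluster in clusters:
        cluster_name = cluster.get("name", "?")
        for entry in cluster.get("values", []):
            label = f"{cluster_name}|{entry.get('value')}"
            if entry.get("uuid"):
                by_uuid[entry["uuid"]].append(label)
            for rel in entry.get("related", []):
                references.append((label, rel.get("dest-uuid", ""), rel.get("type", "")))
    return dict(by_uuid), references


def duplicate_uuids(by_uuid: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """uuids carried by more than one entry, in the same shape as the issue's test output."""
    return {u: labels for u, labels in by_uuid.items() if len(labels) > 1}


def dangling_references(by_uuid, references):
    """related links whose dest-uuid is defined by none of the loaded clusters."""
    return [ref for ref in references if ref[1] not in by_uuid]


def load_cluster_files(paths) -> List[dict]:
    return [json.loads(Path(p).read_text(encoding="utf-8")) for p in paths]


def report(clusters: Iterable[dict]) -> dict:
    by_uuid, references = index_clusters(clusters)
    return {"duplicates": duplicate_uuids(by_uuid),
            "dangling": dangling_references(by_uuid, references)}


# Constructed sample data; uuids are the ones quoted in the issues, names are placeholders.
SAMPLE_CLUSTERS = [
    {"name": "Malpedia", "values": [
        {"value": "Bahamut (Android)", "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9"},
        {"value": "Bahamut (Windows)", "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9"},
        {"value": "Cpuminer (ELF)", "uuid": "8a42a699-1746-498b-a558-e7113bb916c0"},
    ]},
    # the same object copied into two sub-clusters, as the grep output shows
    {"name": "Enterprise Attack - Intrusion Set", "values": [
        {"value": "Example Group", "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"},
    ]},
    {"name": "Mobile Attack - Intrusion Set", "values": [
        {"value": "Example Group", "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"},
    ]},
    {"name": "Threat Actor", "values": [
        {"value": "Example Actor", "uuid": "11111111-2222-4333-8444-555555555555", "related": [
            {"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "type": "similar"},
            {"dest-uuid": "00000000-0000-0000-0000-000000000000", "type": "similar"},  # defined nowhere
        ]},
    ]},
]


def main(argv: List[str]) -> int:
    clusters = load_cluster_files(argv) if argv else SAMPLE_CLUSTERS
    result = report(clusters)
    print(json.dumps(result["duplicates"], indent=2))
    for src, dest, rel in result["dangling"]:
        print(f"dangling: {src} --{rel}--> {dest}")
    return 1 if result["duplicates"] or result["dangling"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_uuids.py clusters/*.json` to check the whole tree, or pass a single file to limit the duplicate check to one cluster. Whether a uuid that appears in several sub-clusters is an error or an intentional copy of one object is the policy question the issue raises; the checker only surfaces every such case so the decision can be made explicitly.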

CSV to misp galaxy converter

CSV to misp galaxy converter to easily convert an existing CSV file into a cluster.

The idea is the following, a simple python script to generate a cluster (JSON) from a CSV file. The parameter of the Python script might be the following:

-f 1:description -f 2:value -f 3:abcd

where the number is the field number in the CSV and the name is the field name in the galaxy. Fields other than "description" and "value" are considered meta.
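An added implementation of the converter described above (example code, not the project's own script). It keeps the proposed parameter scheme: every `-f N:name` maps 1-based CSV column N to cluster field `name`; `value` and `description` land at the entry level and any other name goes under `meta`. The cluster-level fields it emits, the refusal of duplicate values and the deterministic uuid5 scheme are this example's choices, not part of the issue.

```python
"""Build a MISP galaxy cluster (JSON) from a CSV file (added example)."""
import argparse
import csv
import io
import json
import sys
import uuid
from typing import Dict, List

ENTRY_LEVEL_FIELDS = ("value", "description")


def parse_field_specs(specs: List[str]) -> Dict[int, str]:
    """Turn ['1:description', '2:value', '3:abcd'] into {0: 'description', 1: 'value', 2: 'abcd'}."""
    mapping: Dict[int, str] = {}
    for spec in specs:
        column, sep, field = spec.partition(":")
        if sep != ":" or not column.isdigit() or int(column) < 1 or not field:
            raise ValueError(f"bad field spec {spec!r}: expected N:name with N >= 1")
        mapping[int(column) - 1] = field
    if "value" not in mapping.values():
        raise ValueError("one column must be mapped to 'value'")
    return mapping


def csv_to_cluster(csv_text: str, mapping: Dict[int, str], *, name: str, cluster_type: str,
                   description: str = "", authors=None, source: str = "",
                   skip_header: bool = False) -> dict:
    """Return a cluster dict with one entry per non-empty CSV row."""
    entries = []
    seen_values = set()
    for index, row in enumerate(csv.reader(io.StringIO(csv_text))):
        if skip_header and index == 0:
            continue
        if not any(cell.strip() for cell in row):
            continue  # blank line
        entry: dict = {}
        meta: dict = {}
        for column, field in mapping.items():
            if column >= len(row):
                raise ValueError(f"row {index + 1} has no column {column + 1}")
            cell = row[column].strip()
            if field in ENTRY_LEVEL_FIELDS:
                entry[field] = cell
            else:
                meta[field] = cell
        if not entry.get("value"):
            raise ValueError(f"row {index + 1}: empty 'value'")
        if entry["value"] in seen_values:  # a duplicate value would also get a duplicate uuid
            raise ValueError(f"row {index + 1}: duplicate value {entry['value']!r}")
        seen_values.add(entry["value"])
        if meta:
            entry["meta"] = meta
        # uuid5 over type+value keeps uuids stable when the same CSV is converted again
        entry["uuid"] = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{cluster_type}:{entry['value']}"))
        entries.append(entry)
    return {
        "name": name,
        "type": cluster_type,
        "description": description,
        "version": 1,
        "authors": authors or [],
        "source": source,
        "uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, f"galaxy-cluster:{cluster_type}")),
        "values": entries,
    }


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="CSV -> MISP galaxy cluster")
    parser.add_argument("-f", "--field", action="append", required=True,
                        help="N:name, e.g. -f 1:description -f 2:value -f 3:abcd")
    parser.add_argument("--name", required=True)
    parser.add_argument("--type", required=True, dest="cluster_type")
    parser.add_argument("--skip-header", action="store_true")
    parser.add_argument("csv_file")
    args = parser.parse_args(argv)
    with open(args.csv_file, encoding="utf-8") as handle:
        text = handle.read()
    cluster = csv_to_cluster(text, parse_field_specs(args.field), name=args.name,
                             cluster_type=args.cluster_type, skip_header=args.skip_header)
    json.dump(cluster, sys.stdout, indent=2, ensure_ascii=False, sort_keys=True)
    sys.stdout.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Example invocation: `python csv2cluster.py -f 1:description -f 2:value -f 3:abcd --name demo --type tool input.csv > clusters/demo.json`. Generating uuids with uuid5 rather than uuid4 means re-running the conversion on an updated CSV preserves the uuids of unchanged entries, which matters because MISP tags and correlations key on them.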

Duplicates in Pre Attack - Attack Pattern

There are 3 entries with the same value: "Analyze organizational skillsets and deficiencies"
2 with this one: "Identify business relationships"
2 with "Acquire and/or use 3rd party infrastructure services"
3 with "Identify job postings and needs/gaps"
3 "Conduct social engineering"
3 "Identify supply chains"
2 "Obfuscate infrastructure"
2 "Connect to targets of interest"
2 "Determine 3rd party infrastructure services"
2 "Compromise 3rd party infrastructure to support delivery"
2 "Acquire or compromise 3rd party signing certificates"
3 "Acquire OSINT data sets and information"
2 "Acquire and/or use 3rd party software services"
2 "Dynamic DNS"

Adding new threat actors to the galaxies


Work environment

Type of issue: Question
OS version (server): CentOS
OS version (client): Ubuntu
PHP version: 5.6
MISP version / git hash: 2.4.101
Browser: (if applicable)

Current problem

We have detected that some threat actors from Mitre Attack are missing and we would like to add them to our current galaxies. Is there any way to do that?

Thanks in advance.

Relations to add

  • Related
    --> Mirai
    --> Mirai Sora
    --> Mirai Owari

  • dropped/dropped-by
    --> Fallout (exploit-kit) - dropped
    --> SmokeLoader (tool) - dropped-by

  • dropped/dropped-by
    --> Fallout (exploit-kit) - dropped
    --> Kraken Cryptor Ransomware (ransomware -should be added-) - dropped-by

  • dropped/dropped-by
    --> Fallout (exploit-kit) - dropped
    --> Smoke Loader (mitre-entreprise-malware) - dropped-by

  • dropped/dropped-by
    --> Fallout (exploit-kit) - dropped
    --> GandCrab Ransomware (ransomware) - dropped-by

  • dropped/dropped-by
    --> Fallout (exploit-kit) - dropped
    --> SAVEfiles (ransomware) - dropped-by

  • uses/used-by
    --> APT28 (threat-actor) - uses
    --> LoJax (tool) - used-by

  • variant-of
    --> BankBot (android)
    --> Razdel (android or banking - galaxy to choose)

Few utf8 chinese issues

find -name "*.json" -exec iconv -f UTF-8 {} -o /dev/null \;
iconv: illegal input sequence at position 499
iconv: illegal input sequence at position 2178
iconv: illegal input sequence at position 479
iconv: illegal input sequence at position 500
iconv: illegal input sequence at position 6374

$ ./chk_dup.py
Json load error in threat-actor.json
Json load error in tool.json
Json load error in preventive-measure.json
Json load error in microsoft-activity-group.json
Json load error in ransomware.json

Example in ransom
"description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ",
"description": "my-Little-Ransomware; AES(128); .已[mJ.[mF .encrypted; ",
2e e5 b7 b2 e5 8a a0 e5 af 86

Any correction recommendation ... ?? What is the file encoding supposed to be ??
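An added scanner for the encoding problem above (example code, not part of the misp-galaxy tooling). Like the iconv run it reports the byte offset of each illegal input sequence, but it keeps scanning after the first hit and prints the offending bytes in hex, which is what one needs to see whether a file was double-encoded or had bytes dropped. It assumes the files are meant to be UTF-8, the encoding RFC 8259 requires for JSON exchanged between systems. The samples are constructed from the bytes quoted in the issue: `2e e5 b7 b2 e5 8a a0 e5 af 86` is the valid encoding of `.已加密`; the second sample drops one continuation byte to mimic a mangled file.

```python
"""Locate every invalid UTF-8 sequence in galaxy JSON files (added example)."""
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed samples built from the bytes quoted in the issue.
VALID = bytes.fromhex("2ee5b7b2e58aa0e5af86")   # ".已加密"
MANGLED = bytes.fromhex("2ee5b7e58aa0e5af86")   # continuation byte b2 removed


def invalid_utf8_sequences(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, bad_bytes) for each place where strict UTF-8 decoding fails."""
    problems: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break  # the remainder decodes cleanly
        except UnicodeDecodeError as exc:
            start, end = pos + exc.start, pos + exc.end
            problems.append((start, data[start:end]))
            pos = end  # resume right after the ill-formed bytes
    return problems


def describe(data: bytes, context: int = 8) -> List[str]:
    """Messages in the spirit of iconv's, plus the bytes around each hit."""
    lines = []
    for offset, bad in invalid_utf8_sequences(data):
        window = data[max(0, offset - context): offset + len(bad) + context]
        lines.append(f"illegal input sequence at position {offset}: "
                     f"{bad.hex(' ')} (context: {window.hex(' ')})")
    return lines


def scan_files(paths) -> Dict[str, List[str]]:
    """Path -> problem lines, only for files that have any."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        lines = describe(Path(path).read_bytes())
        if lines:
            findings[str(path)] = lines
    return findings


def main(argv: List[str]) -> int:
    if not argv:  # no files given: show the behaviour on the constructed samples
        for label, sample in (("valid", VALID), ("mangled", MANGLED)):
            print(label, describe(sample) or "clean")
        return 0
    findings = scan_files(argv)
    for path, lines in findings.items():
        for line in lines:
            print(f"{path}: {line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python scan_utf8.py clusters/*.json` to list every bad sequence per file; on the mangled sample it reports position 1 with bytes `e5 b7`, i.e. a three-byte character cut short, which is the pattern behind the `[mJ.[mF` garbage in the description above.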

duplicate actors - merging 2 entries

How should we approach the situation where 2 entries in the threat-actors.json file should be merged to one single entry?
Both already have a uuid.
Example:

  • Callisto
  • Malware Reusers

Possible update to cluster tool.json (Xbash)

I would like to propose the following update to the tool.json cluster specifically regarding xbash:

update description to:
"description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed using Python and converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Linux based systems are targeted for ransomware and botnet capabilities. The ransomware targets and deletes linux databases and there is no evidence of any functionality that makes recovery even possible by payment the ransom. Where as, windows based systems are targeted for coinmining & self-propagating capabilities. Xbash spreads by attacking weak passwords and unpatched vulnerabilities.",

add the following refs:
https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

git submodule update --init --force fails with: error: no such remote ref f0ac7aeb3cb857bb2242e69ee2d3471a2e812d22

From https://github.com/MISP/MISP
 * branch                2.4        -> FETCH_HEAD

git submodule update --init --force
Submodule path 'Plugin/DebugKit': checked out '8649a612001fa1caee82d9c432b8223cef221104'
Submodule path 'PyMISP': checked out '748a3100528cd91cc49779110884afe0bc80ddb0'
Submodule path 'app/Lib/cakephp': checked out 'ab5578dbc9f88e661d2b017489cd156fca961429'
Submodule path 'app/Lib/random_compat': checked out '088c04e2f261c33bed6ca5245491cfca69195ccf'
Submodule path 'app/files/misp-galaxy': checked out 'de66295539a94b95b7d3be8e3410665502906f46'
Submodule path 'app/files/misp-objects': checked out '39bd2641aa33ce733151bbf74fdbd3da6118a20e'
Submodule path 'app/files/noticelists': checked out '028f569e26b5b47286167b7d39f81cd1791eb04e'
Submodule path 'app/files/taxonomies': checked out '60f62aa527f1b817930cc8aa1c2fdf4a41f9451b'
Submodule path 'app/files/warninglists': checked out '2b6b07b28a2937f658accc2f7eeb825396b8120c'
error: no such remote ref f0ac7aeb3cb857bb2242e69ee2d3471a2e812d22
Fetched in submodule path 'cti-python-stix2', but it did not contain f0ac7aeb3cb857bb2242e69ee2d3471a2e812d22. Direct fetching of that commit failed.

Adding / Removing Custom Galaxies

Yo yo yo!
Jimbo from the "D" again -

So the taxonomies are coming out just fine.

Moving on to galaxies.

I was told that I need to place the galaxy data into two separate spots.
I used this reference to make an educated guess as to where:
https://www.misp-project.org/misp-training/3.2-misp-galaxy.pdf

My galaxy file was named test-galaxy.json

I placed this file into both the ./galaxy folder and the ./cluster folder

My ./galaxy folder .json looked like this:

{
  "name": "TEST GALAXY",
  "type": "test-galaxy",
  "description": "This galaxy is to confirm that you can make test galaxies",
  "version": 1,
  "uuid": "5855933e-45e6-11e9-b210-d663bd873d93"
}

My ./clusters folder .json looked like this:

{
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "type": "tool",
  "version": 1,
  "name": "test-cluster",
  "uuid": "623555c8-45ec-11e9-b210-d663bd873d93",
  "authors": "James Palazzolo - LabyrINTh CIS",
  "source": "MISP Project",
  "values": [{
    "description": "Test Value",
    "meta": {
      "refs": [
        "https://thehackernews.com/search/label/Zusy%20Malware",
        "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
      ],
      "synonyms": [
        "Test Value",
        "Testaroo",
        "TinyTester"
      ],
      "uuid": "9cccfede-45ec-11e9-b210-d663bd873d93",
      "value": "Test Galaxy Value"
    }
  }]
}

Both files passed through jsonlint and I could have sworn I was following the schema correctly...
MISP did recognize the galaxy:


However, I now have two issues.

First issue: I removed the .json file from both ./galaxy folder and the ./clusters folder. When I hit update galaxies it's still there lol...


How do I purge this from the list?

Second issue: it recognized the galaxy but none of the cluster information was attributed over and so the galaxy values were empty. What am I doing wrong here?

I'm sure it's something simple -

Jimbo
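An added pre-flight check for a galaxy definition and its cluster file (example code, not MISP's own validator). It tests for the shape used by the cluster entries quoted elsewhere on this page (the Aurora Panda and ELECTRUM entries): every item in "values" carries "value" and "uuid" at the entry level, with "refs" and "synonyms" as lists under "meta". It also assumes, as the galaxies/ and clusters/ files in the misp-galaxy repository do, that a galaxy definition and its cluster share the same "type"; that rule is this example's assumption, not something the issue states. The two documents embedded below are the ones posted above, with the refs trimmed to one entry.

```python
"""Sanity-check a galaxy definition against its cluster file (added example)."""
import json
import sys
from typing import List


def check_galaxy_and_cluster(galaxy: dict, cluster: dict) -> List[str]:
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems: List[str] = []
    for key in ("name", "type", "uuid", "version"):
        if key not in galaxy:
            problems.append(f"galaxy: missing '{key}'")
    for key in ("name", "type", "uuid", "version", "values"):
        if key not in cluster:
            problems.append(f"cluster: missing '{key}'")
    # assumption: the galaxy and its cluster are linked through an identical "type"
    if galaxy.get("type") != cluster.get("type"):
        problems.append(f"type mismatch: galaxy is {galaxy.get('type')!r}, "
                        f"cluster is {cluster.get('type')!r}")
    seen = set()
    for i, entry in enumerate(cluster.get("values", [])):
        where = f"values[{i}]"
        meta = entry.get("meta", {})
        for key in ("value", "uuid"):
            if key not in entry:
                hint = " (found inside 'meta' instead)" if key in meta else ""
                problems.append(f"{where}: missing '{key}' at entry level{hint}")
        for key in ("refs", "synonyms"):
            if key in meta and not isinstance(meta[key], list):
                problems.append(f"{where}: meta.{key} should be a list")
        entry_uuid = entry.get("uuid")
        if entry_uuid in seen:
            problems.append(f"{where}: duplicate uuid {entry_uuid}")
        if entry_uuid:
            seen.add(entry_uuid)
    return problems


def hoist_misplaced_keys(cluster: dict) -> dict:
    """Copy of `cluster` with value/uuid moved from meta up to the entry level."""
    fixed = json.loads(json.dumps(cluster))  # cheap deep copy
    for entry in fixed.get("values", []):
        meta = entry.get("meta", {})
        for key in ("value", "uuid"):
            if key not in entry and key in meta:
                entry[key] = meta.pop(key)
    return fixed


# The two documents from the issue (refs trimmed).
GALAXY = {
    "name": "TEST GALAXY",
    "type": "test-galaxy",
    "description": "This galaxy is to confirm that you can make test galaxies",
    "version": 1,
    "uuid": "5855933e-45e6-11e9-b210-d663bd873d93",
}

CLUSTER = {
    "description": "threat-actor-tools is an enumeration of tools used by adversaries.",
    "type": "tool",
    "version": 1,
    "name": "test-cluster",
    "uuid": "623555c8-45ec-11e9-b210-d663bd873d93",
    "authors": "James Palazzolo - LabyrINTh CIS",
    "source": "MISP Project",
    "values": [{
        "description": "Test Value",
        "meta": {
            "refs": ["https://thehackernews.com/search/label/Zusy%20Malware"],
            "synonyms": ["Test Value", "Testaroo", "TinyTester"],
            "uuid": "9cccfede-45ec-11e9-b210-d663bd873d93",  # sits one level too deep
            "value": "Test Galaxy Value",                      # same
        },
    }],
}


def main() -> int:
    problems = check_galaxy_and_cluster(GALAXY, CLUSTER)
    print("\n".join(problems) or "no problems found")
    fixed = hoist_misplaced_keys(CLUSTER)
    fixed["type"] = GALAXY["type"]
    print("after fix:", check_galaxy_and_cluster(GALAXY, fixed) or "no problems found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the two documents from the issue the check reports the nested `uuid` and `value` and the `test-galaxy` versus `tool` type mismatch; after `hoist_misplaced_keys` and aligning the types it reports nothing. To use it on real files, load `galaxies/<name>.json` and `clusters/<name>.json` with `json.load` and pass them to `check_galaxy_and_cluster`.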

duplicate entries within the galaxies

With more and more galaxies appearing, more and more duplicate entries appear in the different galaxies.
This leads to inconsistency in the labeling of the data and confusion of the user.

Examples:

  • galaxy ransomware: Cryptowall, Locky
  • galaxy tool: Cryptowall, Locky

I believe these issues should be tackled before merging pull-requests.

This issue is also for talking about:

  • for what things do we want to create new galaxies?
  • finding solutions to move entries tagged in an old galaxy to the new one. For example: "tool:locky" to "ransomware:locky"

Inconsistent naming of countries in threat_actors

What is the ISO followed by the threat_actors file in clusters? ISO3166?

Sometimes, there are names like "Russia" or like "Russian Federation".

Shouldn't it be using the same name or convert everything to ISO 3166-1 alpha 2?

Duplicate ELECTRUM in clusters/threat-actor.json

    {                                                                           
      "value": "ELECTRUM",                                                      
      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
      "meta": {                                                                 
        "refs": [                                                               
          "https://dragos.com/adversaries.html",                                
          "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
        ],                                                                      
        "mode-of-operation": "Electric grid disruption and long-term persistence",
        "since": "2016",                                                        
        "capabilities": "CRASHOVERRIDE",                                        
        "victimology": "Ukraine, Electric Utilities",                           
        "synonyms": [                                                           
          "Sandworm"                                                            
        ]                                                                       
      },                                                                        
      "uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"                            
    },                                                                          

and

    {                                                                           
      "value": "ELECTRUM",                                                      
      "description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comp
      "meta": {                                                                 
        "refs": [                                                               
          "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",         
          "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
          "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
        ],                                                                      
        "synonyms": [                                                           
          "Sandworm"                                                            
        ]                                                                       
      },                                                                        
      "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"                            
    },
