misp-galaxy

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy but those can be overwritten, replaced, updated, forked and shared as you wish.

Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.

Galaxies can be also used to expressed existing matrix-like standards such as MITRE ATT&CK(tm) or custom ones.

The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).

Available Galaxy - clusters

360.net Threat Actors

360.net Threat Actors - Known or estimated adversary groups as identified by 360.net.

Category: actor - source: https://apt.360.net/aptlist - total: 42 elements

[HTML] - [JSON]

Ammunitions

Ammunitions - Common ammunitions galaxy

Category: firearm - source: https://ammo.com/ - total: 409 elements

[HTML] - [JSON]

Android

Android - Android malware galaxy based on multiple open sources.

Category: tool - source: Open Sources - total: 433 elements

[HTML] - [JSON]

Azure Threat Research Matrix

Azure Threat Research Matrix - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Category: atrm - source: https://github.com/microsoft/Azure-Threat-Research-Matrix - total: 90 elements

[HTML] - [JSON]

attck4fraud

attck4fraud - attck4fraud - Principles of MITRE ATT&CK in the fraud domain

Category: guidelines - source: Open Sources - total: 71 elements

[HTML] - [JSON]

Backdoor

Backdoor - A list of backdoor malware.

Category: tool - source: Open Sources - total: 28 elements

[HTML] - [JSON]

Banker

Banker - A list of banker malware.

Category: tool - source: Open Sources - total: 53 elements

[HTML] - [JSON]

Bhadra Framework

Bhadra Framework - Bhadra Threat Modeling Framework

Category: mobile - source: https://arxiv.org/pdf/2005.05110.pdf - total: 47 elements

[HTML] - [JSON]

Botnet

Botnet - botnet galaxy

Category: tool - source: MISP Project - total: 130 elements

[HTML] - [JSON]

Branded Vulnerability

Branded Vulnerability - List of known vulnerabilities and attacks with a branding

Category: vulnerability - source: Open Sources - total: 14 elements

[HTML] - [JSON]

Cert EU GovSector

Cert EU GovSector - Cert EU GovSector

Category: sector - source: CERT-EU - total: 6 elements

[HTML] - [JSON]

China Defence Universities Tracker

China Defence Universities Tracker - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

Category: academic-institution - source: ASPI International Cyber Policy Centre - total: 159 elements

[HTML] - [JSON]

CONCORDIA Mobile Modelling Framework - Attack Pattern

CONCORDIA Mobile Modelling Framework - Attack Pattern - A list of Techniques in CONCORDIA Mobile Modelling Framework.

Category: cmtmf-attack-pattern - source: https://5g4iot.vlab.cs.hioa.no/ - total: 93 elements

[HTML] - [JSON]

Country

Country - Country meta information based on the database provided by geonames.org.

Category: country - source: MISP Project - total: 252 elements

[HTML] - [JSON]

Cryptominers

Cryptominers - A list of cryptominer and cryptojacker malware.

Category: Cryptominers - source: Open Source Intelligence - total: 5 elements

[HTML] - [JSON]

Actor Types

Actor Types - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 33 elements

[HTML] - [JSON]

Countermeasures

Countermeasures - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 139 elements

[HTML] - [JSON]

Detections

Detections - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 94 elements

[HTML] - [JSON]

Techniques

Techniques - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 298 elements

[HTML] - [JSON]

Election guidelines

Election guidelines - Universal Development and Security Guidelines as Applicable to Election Technology.

Category: guidelines - source: Open Sources - total: 23 elements

[HTML] - [JSON]

Entity

Entity - Description of entities that can be involved in events.

Category: actor - source: MISP Project - total: 4 elements

[HTML] - [JSON]

Exploit-Kit

Exploit-Kit - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years

Category: tool - source: MISP Project - total: 52 elements

[HTML] - [JSON]

Firearms

Firearms - Common firearms galaxy

Category: firearm - source: https://www.impactguns.com - total: 5953 elements

[HTML] - [JSON]

FIRST DNS Abuse Techniques Matrix

FIRST DNS Abuse Techniques Matrix - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

Category: first-dns - source: https://www.first.org/global/sigs/dns/ - total: 21 elements

[HTML] - [JSON]

GSMA MoTIF

GSMA MoTIF - Mobile Threat Intelligence Framework (MoTIF) Principles.

Category: attack-pattern - source: https://www.gsma.com/solutions-and-impact/technologies/security/latest-news/establishing-motif-the-mobile-threat-intelligence-framework/ - total: 50 elements

[HTML] - [JSON]

Intelligence Agencies

Intelligence Agencies - List of intelligence agencies

Category: Intelligence Agencies - source: https://en.wikipedia.org/wiki/List_of_intelligence_agencies - total: 436 elements

[HTML] - [JSON]

INTERPOL DWVA Taxonomy

INTERPOL DWVA Taxonomy - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.

Category: dwva - source: https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/ - total: 94 elements

[HTML] - [JSON]

Malpedia

Malpedia - Malware galaxy cluster based on Malpedia.

Category: tool - source: Malpedia - total: 3038 elements

[HTML] - [JSON]

Microsoft Activity Group actor

Microsoft Activity Group actor - Activity groups as described by Microsoft

Category: actor - source: MISP Project - total: 79 elements

[HTML] - [JSON]

Misinformation Pattern

Misinformation Pattern - AM!TT Technique

Category: misinformation-pattern - source: https://github.com/misinfosecproject/amitt_framework - total: 61 elements

[HTML] - [JSON]

MITRE ATLAS Attack Pattern

MITRE ATLAS Attack Pattern - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems

Category: attack-pattern - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 82 elements

[HTML] - [JSON]

MITRE ATLAS Course of Action

MITRE ATLAS Course of Action - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems

Category: course-of-action - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 20 elements

[HTML] - [JSON]

Attack Pattern

Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: