diff --git a/README.md b/README.md
index 1909451..229a8b1 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# README
+# README
## OASIS TC Open Repository: tac-ontology
@@ -16,7 +16,14 @@ The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to crea
*Additions to Statement of Purpose*
-*The TC may include additional content as descriptive text, reflecting project status, milestones, releases, modifications to statement of purpose, etc.
+*The TC may include additional content as descriptive text, reflecting project status, milestones, releases, modifications to statement of purpose, etc.
+
+## Documentation
+
+[The STIX 2.1 Ontology](./docs/ontologies/stix/stix-ontology-readme.md)
+[The TAC Ontology](./docs/ontologies/tac/tac-ontology-readme.md)
+[The TAL Ontology](./docs/ontologies/tal/tal-ontology-readme.md)
+
## Maintainers
@@ -28,9 +35,9 @@ Initially, the TC members have designated one or more persons to serve as Mainta
Vasileios Mavroeidis, vasileim@ifi.uio.no, Vasileios-Mavroeidis, University of Oslo
-Ryan Hohimer, ryan.hohimer@darklight.ai, rhohimer, Darklight Inc.
+Ryan Hohimer, ryan.hohimer@semanticarts.com, rhohimer, Semantic Arts Inc.
+
-Paul Patrick, ppatrick@darklight.ai, CyberDaedalus00, Darklight Inc.
## About OASIS TC Open Repositories
diff --git a/catalog-v001.xml b/catalog-v001.xml
new file mode 100644
index 0000000..dbb664f
--- /dev/null
+++ b/catalog-v001.xml
@@ -0,0 +1,63 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/ontologies/stix/stix-ontology-readme.md b/docs/ontologies/stix/stix-ontology-readme.md
new file mode 100644
index 0000000..709d4cd
--- /dev/null
+++ b/docs/ontologies/stix/stix-ontology-readme.md
@@ -0,0 +1,4 @@
+# STIX 2.1 Ontology _(not the STIX 2.1 specification)_
+
+## The STIX 2.1 Ontology
+The STIX 2.1 Ontology is based on the STIX 2.1 Standard Specification. It is a binding of the specification in formal ontological language.
\ No newline at end of file
diff --git a/docs/ontologies/tac/tac-ontology-readme.md b/docs/ontologies/tac/tac-ontology-readme.md
new file mode 100644
index 0000000..a3db8ba
--- /dev/null
+++ b/docs/ontologies/tac/tac-ontology-readme.md
@@ -0,0 +1,4 @@
+# The Threat Actor Context (TAC) Ontology
+
+## TAC Ontology
+The TAC Ontology is an extension of the STIX 2.1 Ontology (aka stix.owl).
\ No newline at end of file
diff --git a/docs/ontologies/tal/competitor-heritage.png b/docs/ontologies/tal/competitor-heritage.png
new file mode 100644
index 0000000..ee1dbb5
Binary files /dev/null and b/docs/ontologies/tal/competitor-heritage.png differ
diff --git a/docs/ontologies/tal/tal-ontology-readme.md b/docs/ontologies/tal/tal-ontology-readme.md
new file mode 100644
index 0000000..7893220
--- /dev/null
+++ b/docs/ontologies/tal/tal-ontology-readme.md
@@ -0,0 +1,11 @@
+# The Threat Agent Library
+
+## The TAL Ontology
+The Threat Agent Library is a contribution from Intel Corp. It is an extension of the TAC Ontology. As stated before:
+
+### STIX 2.1 Standard Specification is extended by the STIX Ontology (stix.owl)
+### STIX Ontology is extended by the TAC Ontology (tac.owl)
+### TAC Ontology is extended by the TAL Ontology (ta-library.owl)
+
+
+
diff --git a/health-agent-lib/catalog-v001.xml b/health-agent-lib/catalog-v001.xml
new file mode 100644
index 0000000..2d36ecd
--- /dev/null
+++ b/health-agent-lib/catalog-v001.xml
@@ -0,0 +1,61 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/health-agent-lib/hal-library.owl b/health-agent-lib/hal-library.owl
new file mode 100644
index 0000000..385fde9
--- /dev/null
+++ b/health-agent-lib/hal-library.owl
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+ The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
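Review bot: The only description text visible in this new OWL file reads `The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com`, where `is and extending` should be `is an extending`; this string is the human-readable label tools will display for the ontology, so the grammar error will surface everywhere it is loaded. Its wording also differs from the TAL readme added in this same commit, which credits the Threat Agent Library to Intel Corp. rather than "Intel.com", so consider `The Health Care Threat Actor Library is an extending ontology of the Threat Agent Library contributed by Intel Corp.` to keep the two descriptions consistent. The surrounding OWL markup is not visible in this view, so I cannot tell which annotation property carries this text, and the file appears to end without a trailing newline, which some RDF/XML tooling flags.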
diff --git a/knowledgebase-examples/apt1-bcc.ttl b/knowledgebase-examples/apt1-bcc.ttl
new file mode 100644
index 0000000..80d6124
--- /dev/null
+++ b/knowledgebase-examples/apt1-bcc.ttl
@@ -0,0 +1,1347 @@
+@prefix example: .
+@prefix fx: .
+@prefix owl: .
+@prefix rdf: .
+@prefix rdfs: .
+@prefix stix: .
+@prefix xsd: .
+@prefix xyz: .
+
+stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763
+ a stix:StixObject ;
+ stix:source_name "lslsass" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3
+ a stix:StixObject ;
+ stix:source_name "pwdump7" ;
+ stix:url "http://www.tarasco.org/security/pwdump_7/" ;
+ .
+
+stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0
+ a stix:StixObject ;
+ stix:source_name "gsecdump" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6
+ a stix:StixObject ;
+ stix:description "spear phishing" ;
+ stix:external-id "CAPEC-163" ;
+ stix:source_name "capec" ;
+ .
+
+stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e
+ a stix:StixObject ;
+ stix:source_name "mimikatz" ;
+ stix:url "http://blog.gentilkiwi.com/mimikatz" ;
+ .
+
+stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57
+ a stix:StixObject ;
+ stix:source_name "pass-the-hash toolkit" ;
+ stix:url "http://oss.coresecurity.com/projects/pshtoolkit.htm" ;
+ .
+
+stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219
+ a stix:StixObject ;
+ stix:source_name "fgdump" ;
+ stix:url "http://www.foofus.net/fizzgig/fgdump/" ;
+ .
+
+stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "initial-compromise" ;
+ .
+
+stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "internal-recon" ;
+ .
+
+stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "move-laterally" ;
+ .
+
+stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "maintain-presence" ;
+ .
+
+stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:alias
+ a owl:DatatypeProperty ;
+ .
+
+stix:created
+ a owl:DatatypeProperty ;
+ .
+
+stix:description
+ a owl:DatatypeProperty ;
+ .
+
+stix:external-id
+ a owl:DatatypeProperty ;
+ .
+
+stix:external_reference
+ a owl:ObjectProperty ;
+ .
+
+stix:first_seen
+ a owl:DatatypeProperty ;
+ .
+
+stix:id
+ a owl:DatatypeProperty ;
+ .
+
+stix:identity_class
+ a owl:DatatypeProperty ;
+ .
+
+stix:indicator_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_phase
+ a owl:ObjectProperty ;
+ .
+
+stix:kill_chain_phase_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_phases
+ a owl:DatatypeProperty ;
+ .
+
+stix:malware_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:modified
+ a owl:DatatypeProperty ;
+ .
+
+stix:name
+ a owl:DatatypeProperty ;
+ .
+
+stix:pattern
+ a owl:DatatypeProperty ;
+ .
+
+stix:pattern_type
+ a owl:DatatypeProperty ;
+ .
+
+stix:primary_motivation
+ a owl:DatatypeProperty ;
+ .
+
+stix:relationship_type
+ a owl:DatatypeProperty ;
+ .
+
+stix:resource_level
+ a owl:DatatypeProperty ;
+ .
+
+stix:roles
+ a owl:DatatypeProperty ;
+ .
+
+stix:sectors
+ a owl:DatatypeProperty ;
+ .
+
+stix:source_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:source_ref
+ a owl:ObjectProperty ;
+ .
+
+stix:spec_version
+ a owl:DatatypeProperty ;
+ .
+
+stix:target_ref
+ a owl:ObjectProperty ;
+ .
+
+stix:tool_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:type
+ a owl:DatatypeProperty ;
+ .
+
+stix:url
+ a owl:DatatypeProperty ;
+ .
+
+stix:valid_from
+ a owl:DatatypeProperty ;
+ .
+
+example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any." ;
+ stix:id "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4" ;
+ stix:kill_chain_phase stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Completing the Mission" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe')." ;
+ stix:id "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767" ;
+ stix:kill_chain_phase stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Lateral Movement" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. 
When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel." ;
+ stix:id "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49" ;
+ stix:kill_chain_phase stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Establishing a Foothold" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE." ;
+ stix:external_reference stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6 ;
+ stix:id "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b" ;
+ stix:kill_chain_phase stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Initial Compromise" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process." ;
+ stix:id "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d" ;
+ stix:kill_chain_phase stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Internal Reconnaisance" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals." ;
+ stix:id "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7" ;
+ stix:kill_chain_phase stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Maintain Presence" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials." ;
+ stix:id "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" ;
+ stix:kill_chain_phase stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Privilege Escalation" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "dota" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--a9119a87-6576-46af-bfd7-4fbe55926671
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--a9119a87-6576-46af-bfd7-4fbe55926671" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "JackWang" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--e88ab115-7768-4630-baa3-3d49a7d946ea" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Wang Dong" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Mei Qiang" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '223.166.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN msnhome.org" ;
+ stix:pattern "[domain-name:value = 'msnhome.org']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'" ;
+ stix:pattern "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--2173d108-5714-42fd-8213-4f3790259fda
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--2173d108-5714-42fd-8213-4f3790259fda" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '112.64.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN hugesoft.org" ;
+ stix:pattern "[domain-name:value = 'hugesoft.org']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--745e1537-b4f3-49da-9f64-df6b1b5df190
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'" ;
+ stix:pattern "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN arrowservice.net" ;
+ stix:pattern "[domain-name:value = 'arrowservice.net']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '139.226.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'" ;
+ stix:pattern "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--b3b6b540-d838-41e2-853b-005056c00008
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--b3b6b540-d838-41e2-853b-005056c00008" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'" ;
+ stix:pattern "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--b3b7035e-d838-41e2-8d38-005056c00008
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--b3b7035e-d838-41e2-8d38-005056c00008" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'" ;
+ stix:pattern "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '58.246.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a
+ a stix:StixObject ;
+ stix:alias
+ "Comment Crew" ,
+ "Comment Group" ,
+ "Shady Rat"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006." ;
+ stix:first_seen "2006-06-01T18:13:15.684Z"^^xsd:dateTime ;
+ stix:id "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "APT1" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:spec_version "2.1" ;
+ stix:type "intrusion-set" ;
+ .
+
+example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ;
+ stix:id "malware--0f01c5a3-f516-4450-9381-4dd9f2279411" ;
+ stix:kill_chain_phase stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "WEBC2 Backdoor" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--2485b844-4efe-4343-84c8-eb33312dd56f
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files." ;
+ stix:id "malware--2485b844-4efe-4343-84c8-eb33312dd56f" ;
+ stix:malware_types
+ "backdoor" ,
+ "dropper" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "MANITSME" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--33159b98-3264-4e10-a968-d67975b6272f
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point." ;
+ stix:id "malware--33159b98-3264-4e10-a968-d67975b6272f" ;
+ stix:kill_chain_phase stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887 ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HUC Packet Transmit Tool (HTRAN)" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ;
+ stix:id "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0" ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "WEBC2-UGX" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc." ;
+ stix:id "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca" ;
+ stix:malware_types
+ "backdoor" ,
+ "keylogger"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "BANGAT" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc." ;
+ stix:id "malware--fb490cdb-6760-41eb-a79b-0b930a50c017" ;
+ stix:malware_types
+ "backdoor" ,
+ "keylogger"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "AURIGA" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--ce45f721-af14-4fc0-938c-000c16186418 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--806a8f83-4913-4216-bb19-02b48ae25da5 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--306ce398-f708-47f9-88a1-38aa5b9985fc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--2173d108-5714-42fd-8213-4f3790259fda ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--44686fda-311c-4cdb-abef-80e922e7a3fb
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--61f4fd3b-f581-4497-9149-e624c317287b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--61f4fd3b-f581-4497-9149-e624c317287b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--2485b844-4efe-4343-84c8-eb33312dd56f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--71e6832f-17ee-42fd-938d-c7f881be2028
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--71e6832f-17ee-42fd-938d-c7f881be2028" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--7cede760-b866-490e-ad5b-1df34bc14f8d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--81827b05-8c20-4247-b5d8-674295a1c611
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--81827b05-8c20-4247-b5d8-674295a1c611" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--8668d82a-1c97-4bea-a367-e391b025e00e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--8668d82a-1c97-4bea-a367-e391b025e00e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--d84cf283-93be-4ca7-890d-76c63eff3636
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--d84cf283-93be-4ca7-890d-76c63eff3636" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--a9119a87-6576-46af-bfd7-4fbe55926671 ;
+ stix:type "relationship" ;
+ .
+
+example:report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the extent of its involvement.' Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). 
In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate." ;
+ stix:id "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "APT1: Exposing One of China's Cyber Espionage Units" ;
+ stix:spec_version "2.1" ;
+ stix:type "report" ;
+ .
+
+example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21
+ a stix:StixObject ;
+ stix:alias
+ "Raith" ,
+ "Rodney" ,
+ "dota"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "SuperHard" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles "malware-author" ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65
+ a stix:StixObject ;
+ stix:alias
+ "Greenfield" ,
+ "JackWang" ,
+ "Wang Dong"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Ugly Gorilla" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "agent" ,
+ "infrastructure-operator" ,
+ "malware-author"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b
+ a stix:StixObject ;
+ stix:alias
+ "Military Unit Cover Designator (MUCD) 61398" ,
+ "PLA GSD's 3rd Department, 2nd Bureau"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence." ;
+ stix:id "threat-actor--94624865-2709-443f-9b4c-2891985fd69b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Unit 61398" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles "agent" ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d
+ a stix:StixObject ;
+ stix:alias "CPC" ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world." ;
+ stix:id "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Communist Party of China" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "director" ,
+ "sponsor"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636
+ a stix:StixObject ;
+ stix:alias
+ "Raith" ,
+ "Rodney" ,
+ "dota"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "DOTA" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "agent" ,
+ "infrastructure-operator"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets" ;
+ stix:external_reference stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0 ;
+ stix:id "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2" ;
+ stix:kill_chain_phase stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "gsecdump" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems" ;
+ stix:external_reference stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57 ;
+ stix:id "tool--266b12f2-aa16-4607-809e-f2d33eebb52e" ;
+ stix:kill_chain_phase stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pass-the-hash toolkit" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:id "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48" ;
+ stix:kill_chain_phase stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdumpX" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dump active logon session password hashes from the lsass process" ;
+ stix:external_reference stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763 ;
+ stix:id "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9" ;
+ stix:kill_chain_phase stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "lslsass" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A utility primarily used for dumping password hashes" ;
+ stix:external_reference stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e ;
+ stix:id "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa" ;
+ stix:kill_chain_phase stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "mimikatz" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--806a8f83-4913-4216-bb19-02b48ae25da5
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server." ;
+ stix:id "tool--806a8f83-4913-4216-bb19-02b48ae25da5" ;
+ stix:kill_chain_phase stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "MAPIGET" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+
+example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:external_reference stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3 ;
+ stix:id "tool--98fd8dc1-6cc7-4908-899f-07473f55149a" ;
+ stix:kill_chain_phase stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdump7" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files." ;
+ stix:id "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e" ;
+ stix:kill_chain_phase stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "GETMAIL" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+
+example:tool--ce45f721-af14-4fc0-938c-000c16186418
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "This program extracts cached password hashes from a system’s registry." ;
+ stix:id "tool--ce45f721-af14-4fc0-938c-000c16186418" ;
+ stix:kill_chain_phase stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "cachedump" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Windows password hash dumper" ;
+ stix:external_reference stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219 ;
+ stix:id "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c" ;
+ stix:kill_chain_phase stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "fgdump" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
diff --git a/knowledgebase-examples/catalog-v001.xml b/knowledgebase-examples/catalog-v001.xml
new file mode 100644
index 0000000..06713e3
--- /dev/null
+++ b/knowledgebase-examples/catalog-v001.xml
@@ -0,0 +1,61 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/knowledgebase-examples/hal-example.owl b/knowledgebase-examples/hal-example.owl
new file mode 100644
index 0000000..7baf00b
--- /dev/null
+++ b/knowledgebase-examples/hal-example.owl
@@ -0,0 +1,45 @@
+
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/knowledgebase-examples/tal-kb-example.owl b/knowledgebase-examples/tal-kb-example.owl
new file mode 100644
index 0000000..a7b086c
--- /dev/null
+++ b/knowledgebase-examples/tal-kb-example.owl
@@ -0,0 +1,53 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+ team
+
+
+
+
+ rebenge
+ individual
+ personal-gain
+ competitor, government-spy
+
+
+
+
+ malware-analysis
+ suspicious-activity
+ unspecified
+
+
+
+
+ twitter
+
+
+
\ No newline at end of file
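Review bot: The value `rebenge` (the line after the second `team`/`individual` group) reads as a typo for `revenge`, and since the neighbouring values (`individual`, `personal-gain`) match STIX open-vocabulary terms, a validator checking this example against the vocabulary will reject it. The element tags are stripped in this view, so I cannot confirm which property carries it, but the literal itself should be `revenge`. The value `competitor, government-spy` on the following line also looks like two vocabulary terms packed into one literal; if that property is list-valued they should be two separate elements.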
diff --git a/security-playbook/security-playbook.owl b/security-playbook/security-playbook.owl
new file mode 100644
index 0000000..a9eb523
--- /dev/null
+++ b/security-playbook/security-playbook.owl
@@ -0,0 +1,263 @@
+
+
+
+
+
+
+
+
+]>
+
+
+
+ An ontology for encapsulating security playbooks and their metadata. This ontology (security-playbook.owl) is based on the metadata template for security playbooks provided at: https://github.com/Vasileios-Mavroeidis/coa-playbook-metadata
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ user-definition-01
+
+
+ user-definition-02
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ executable
+
+
+ template
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ user-definition-01
+
+
+ user-definition-02
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ attack
+
+
+ detection
+
+
+ investigation
+
+
+ mitigation
+
+
+ notification
+
+
+ prevention
+
+
+ remediation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ impact
+ An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.
+
+
+
+
+
+ 0
+
+
+ 100
+
+
+
+
+
+
+
+ organization_type
+ The type of organization that the playbook is intended for. This can be an industry sector.
+
+
+
+
+
+ playbook
+ The whole playbook in its native format (e.g., CACAO JSON - Stringified). Security playbook producers and consumers of playbooks use this property to share and retrieve playbooks.
+
+
+
+
+
+ playbook_abstraction
+ Identifies the playbook abstraction level.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The whole playbook encoded in base64. Security playbook producers and consumers of playbooks use this property to share and retrieve playbooks.
+
+
+
+
+
+ playbook_standard
+ Identification of the playbook standard (e.g., CACAO).
+
+
+
+
+
+ playbook_type
+ The security-focused operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection and investigation).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ priority
+ An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.
+
+
+
+
+
+
+ 0
+
+
+ 100
+
+
+
+
+
+
+
+ severity
+ An integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.
+
+
+
+
+
+
+ 0
+
+
+ 100
+
+
+
+
+
+
+
\ No newline at end of file
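Review bot: The comment "The whole playbook encoded in base64 …" has no label line above it, whereas every other property in this file pairs a label with its comment (`playbook`, `playbook_standard`, `playbook_type`); the label is presumably `playbook_base64`, but it should be added so the property is discoverable in editors. Given that `playbook_abstraction` admits `executable`, the `playbook` and base64 content properties carry automation a consumer may run; a sentence in each comment such as `Consumers SHOULD validate the content against the declared playbook_standard before acting on it.` would make that expectation explicit in the ontology rather than leaving it to the external template.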
diff --git a/stix/bundle-object/bundle.owl b/stix/bundle-object/bundle.owl
new file mode 100644
index 0000000..15fcc67
--- /dev/null
+++ b/stix/bundle-object/bundle.owl
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STIX Bundle Object
+ A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and the objects contained within the Bundle are not considered related by virtue of being in the same Bundle. \n\n A STIX Bundle Object is not a STIX Object but makes use of the type and id Common Properties. A Bundle is transient, and implementations SHOULD NOT assume that other implementations will treat it as a persistent object or keep any custom properties found on the bundle itself. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing bundle.
+
+
+
+ id
+ An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID.
+
+
+
+
+ id_string
+ An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID.
+
+
+
+
+ objects
+ Specifies a set of one or more STIX Objects. Objects in this list MUST be a STIX Object.
+
+
+
+
+ type
+ The type property identifies the type of object. The value of this property MUST be bundle.
+
+
+
+
\ No newline at end of file
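Review bot: The `id_string` comment is a verbatim copy of the `id` comment, so a reader cannot tell what distinguishes the two properties or when to use which. The same duplicated-comment pattern appears for `created_by_ref_string` and `object_marking_refs_string` in common-properties.owl, `contains_refs_id` in directory.owl, `resolved_to_refs_id` in domain-name.owl, `belongs_to_ref_id` in email-address.owl, and the `*_string` properties in email-message.owl. I infer these are the plain-literal counterparts of the object-reference properties; if so, opening each copy with `Literal (string) form of the id property, for data that carries no object reference; see id for semantics.` (adapted per property) would remove the ambiguity. The `objects` comment should also read "Objects in this list MUST be STIX Objects" for agreement.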
diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml
new file mode 100644
index 0000000..1268d81
--- /dev/null
+++ b/stix/catalog-v001.xml
@@ -0,0 +1,98 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/stix/catalog-v001.xml.huh b/stix/catalog-v001.xml.huh
new file mode 100644
index 0000000..f518c20
--- /dev/null
+++ b/stix/catalog-v001.xml.huh
@@ -0,0 +1,101 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
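Review bot: `stix/catalog-v001.xml.huh` and `stix/catalog-v001.xml.save` are added alongside `stix/catalog-v001.xml`, and the suffixes look like scratch or backup copies left over from editing the catalog rather than files any tool consumes. Unless something references them, they should be removed from the commit (and the suffixes added to .gitignore) so the repository does not carry three potentially diverging catalogs. The element content is stripped in this view, so I cannot check whether they actually differ from the live catalog.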
diff --git a/stix/catalog-v001.xml.save b/stix/catalog-v001.xml.save
new file mode 100644
index 0000000..7ffab8e
--- /dev/null
+++ b/stix/catalog-v001.xml.save
@@ -0,0 +1,54 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl
new file mode 100644
index 0000000..71488eb
--- /dev/null
+++ b/stix/core-objects/common-properties.owl
@@ -0,0 +1,281 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+ STIX Cyber-Observable Object
+ Objects that represent observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape.
+
+
+
+
+ STIX Domain Object
+ Higher Level Intelligence Objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape.
+
+
+
+
+ STIX Meta Object
+ A STIX Object that provides the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STIX Object
+ STIX Domain Objects (SDOs) and Relationship Objects (SROs) all share a common set of properties which provide core capabilities such as versioning and data markings (representing how data can be shared and used). All STIX Cyber-observable Objects (SCOs) likewise share a common set of properties that are applicable for all SCOs. Similarly, STIX Meta Objects (SMOs) use some but not all of the common properties.
+
+
+
+
+ STIX Relationship Object
+ Objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape.
+
+
+
+ categorizedBy
+ the categorized by property specifies the instance of a category
+
+
+
+
+ confidence
+ The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. \n\n Appendix A contains a table of normative mappings to other confidence scales that MUST be used when presenting the confidence value in one of those scales. \n\n If the confidence property is not present, then the confidence of the content is unspecified.
+
+
+
+
+ created
+ The created property represents the time at which the object was originally created. The object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. The created property MUST NOT be changed when creating a new version of the object. See section 3.6 for further definition of versioning.
+
+
+
+
+ created_by_ref
+ The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous.
+
+
+
+
+ created_by_ref_string
+ The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous.
+
+
+
+
+ defanged
+ This property defines whether or not the data contained within the object has been defanged. The default value for this property is false. This property MUST NOT be used on any STIX Objects other than SCOs.
+
+
+
+
+ extensions
+ Specifies any extensions of the object, as a dictionary. \n\n Dictionary keys SHOULD be the id of a STIX Extension object or the name of a predefined object extension found in this specification, depending on the type of extension being used. \n\n The corresponding dictionary values MUST contain the contents of the extension instance. \n\n Each extension dictionary MAY contain the property extension_type. The value of this property MUST come from the extension-type-enum enumeration. If the extension_type property is not present, then this is a predefined extension which does not use the extension facility described in section 7.3. When this extension facility is used the extension_type property MUST be present.
+
+
+
+
+ external_references
+ The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
+
+
+
+
+ granular_markings
+ The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings.
+
+
+
+
+ id
+ The id property uniquely identifies this object. For objects that support versioning, all objects with the same id are considered different versions of the same object and the version of the object is identified by its modified property.
+
+
+
+
+ labels
+ The labels property specifies a set of terms used to describe this object. The terms are user-defined or trust-group defined and their meaning is outside the scope of this specification and MAY be ignored. \n\n Where an object has a specific property defined in the specification for characterizing subtypes of that object, the labels property MUST NOT be used for that purpose. \n\n For example, the Malware SDO has a property malware_types that contains a list of Malware subtypes (dropper, RAT, etc.). In this example, the labels property cannot be used to describe these Malware subtypes.
+
+
+
+
+ lang
+ The lang property identifies the language of the text content in this object. When present, it MUST be a language code conformant to [RFC5646]. If the property is not present, then the language of the content is en (English). \n\n This property SHOULD be present if the object type contains translatable text properties (e.g. name, description). \n\n The language of individual fields in this object MAY be overridden by the lang property in granular markings (see section 7.2.3).
+
+
+
+
+ modified
+ The modified property is only used by STIX Objects that support versioning and represents the time that this particular version of the object was last modified. \n\n The object creator can use the time it deems most appropriate as the time this version of the object was modified. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. \n\n If the created property is defined, then the value of the modified property for a given object version MUST be later than or equal to the value of the created property. \n\n Object creators MUST set the modified property when creating a new version of an object if the created property was set. \n\n See section 3.6 for further definition of versioning.
+
+
+
+
+ name
+ Specifies the name used to identity the entity.
+
+
+
+
+ object_marking_refs
+ The object_marking_refs property specifies a list of id properties of marking-definition objects that apply to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings.
+
+
+
+
+ object_marking_refs_string
+ The object_marking_refs_string property specifies a list of id properties of marking-definition objects that apply to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings.
+
+
+
+
+ revoked
+ The revoked property is only used by STIX Objects that support versioning and indicates whether the object has been revoked. \n\n Revoked objects are no longer considered valid by the object creator. Revoking an object is permanent; future versions of the object with this id MUST NOT be created. \n\n The default value of this property is false. \n\n See section 3.6 for further definition of versioning.
+
+
+
+
+ spec_version
+ The version of the STIX specification used to represent this object. \n\n The value of this property MUST be 2.1 for STIX Objects defined according to this specification. \n\n If objects are found where this property is not present, the implicit value for all STIX Objects other than SCOs is 2.0. Since SCOs are now top-level objects in STIX 2.1, the default value for SCOs is 2.1.
+
+
+
+
+ type
+ The type property identifies the type of STIX Object. The value of the type property MUST be the name of one of the types of STIX Objects defined in sections 4, 5, 6, and 7 (e.g., indicator) or the name of a Custom Object as defined by section 11.2.
+
+
+
+
\ No newline at end of file
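Review bot: The `name` comment "Specifies the name used to identity the entity." should read `Specifies the name used to identify the entity.`. The `categorizedBy` comment is the only one in this file written in lowercase without the property name capitalised and, unlike every other property here, it is camelCase and does not correspond to a STIX 2.1 common property; if it is ontology-specific, its comment should say so, e.g. `The categorizedBy property (ontology-specific, not part of the STIX 2.1 specification) specifies the instance of a category.`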
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl
new file mode 100644
index 0000000..afb574c
--- /dev/null
+++ b/stix/core-objects/data-types.owl
@@ -0,0 +1,192 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+ Dictionary
+ A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ External Reference
+ External references are used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing external-reference.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Hash
+ Represents a cryptographic hashes, as a special set of key/value pairs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Kill Chain Phase
+ The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase.
+
+
+
+
+
+
+ description
+ A human readable description.
+
+
+
+
+ dictionary_key
+ Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase.
+
+
+
+
+ dictionary_value
+ A key value is the data that is associated with the key identified. The values MUST be valid property base types.
+
+
+
+
+
+
+
+
+ external_id
+ An identifier for the external reference content.
+
+
+
+
+ external_references
+ Specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
+
+
+
+
+ hash_algorithm
+ Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary.
+
+
+
+ hash_value
+ Represents the cryptographic hash value.
+
+
+
+
+ hashes
+ Specifies a dictionary of hashes for the contents of the url. This SHOULD be provided when the url property is present. \n\n Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. \n\n As stated in Section 2.7, to ensure interoperability, a SHA-256 hash SHOULD be included whenever possible.
+
+
+
+
+
+
+ identifier
+ An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122].
+
+
+
+
+ kill_chain_name
+ The name of the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
+
+
+
+
+ phase_name
+ The name of the phase in the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
+
+
+
+
+ source_name
+ The name of the source that the external-reference is defined within (system, registry, organization, etc.).
+
+
+
+
+ url
+ A URL reference to an external resource [RFC3986].
+
+
+
+
\ No newline at end of file
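Review bot: Two comments carry wording errors: the `Hash` class comment "Represents a cryptographic hashes, as a special set of key/value pairs." should be `Represents a cryptographic hash, as a special set of key/value pairs.`, and the `dictionary_key` comment "Specifies a unique identifer" should be `Specifies a unique identifier`. The `hashes` comment says the dictionary is for "the contents of the url", which reads correctly only for External Reference; since the same property name also appears in artifact.owl with different requirements (MUST vs SHOULD), a clause naming the owning type here would prevent the two from being conflated.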
diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl
new file mode 100644
index 0000000..355d504
--- /dev/null
+++ b/stix/core-objects/sco/artifact/artifact.owl
@@ -0,0 +1,115 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Artifact
+ The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers.
+
+
+
+
+
+
+
+ artifact
+
+
+
+
+
+
+
+
+
+
+ decryption_key
+ Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent.
+
+
+
+
+ encryption algorithm
+ If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive.
+
+
+
+ hashes
+ Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary.
+
+
+
+
+ mime_type
+ Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.
+
+
+
+
+ payload_bin
+ Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided.
+
+
+
+
+ url
+ The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided.
+
+
+
+
\ No newline at end of file
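Review bot: The label `encryption algorithm` uses a space, whereas its sibling labels (`decryption_key`, `hashes`, `mime_type`, `payload_bin`) and the comment text itself use the property name `encryption_algorithm`; the label should be `encryption_algorithm`. Since the `hashes` comment already makes the hash dictionary mandatory whenever `url` is present, the `url` comment could add `Consumers SHOULD verify retrieved content against the hashes property before processing it.` so the integrity purpose of that requirement is stated where the fetch is described.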
diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl
new file mode 100644
index 0000000..495093e
--- /dev/null
+++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AutonomousSystem
+ This object represents the properties of an Autonomous System (AS).
+
+
+
+
+
+
+
+ autonomous-system
+
+
+
+
+
+
+
+ name
+ Specifies the name of the AS.
+
+
+
+
+ number
+ Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR).
+
+
+
+
+ rir
+ Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS.
+
+
+
+
\ No newline at end of file
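Review bot: The directory `stix/core-objects/sco/autonomus-system/` is misspelled, while the file inside it is `autonomous-system.owl` and the sibling directories (`directory/`, `domain-name/`, `email-address/`) are named exactly after their object. Any catalog entry or owl:imports that references this path will carry the typo and will break when someone later corrects it, so the directory should be renamed to `autonomous-system` in this commit; I cannot verify the catalog references here because their content is stripped in this view. The class label `AutonomousSystem` also differs from the `Directory Object` / `Domain Name` style used by the other SCO files.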
diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl
new file mode 100644
index 0000000..71bff94
--- /dev/null
+++ b/stix/core-objects/sco/directory/directory.owl
@@ -0,0 +1,134 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Directory Object
+ The Directory object represents the properties common to a file system directory.
+
+
+
+
+
+
+
+ directory
+
+
+
+
+
+
+
+ atime
+ Specifies the date/time the directory was last accessed.
+
+
+
+
+ contains_refs
+ Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ contains_refs_id
+ Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory.
+
+
+
+
+ ctime
+ Specifies the date/time the directory was created.
+
+
+
+
+ mtime
+ Specifies the date/time the directory was last written to/modified.
+
+
+
+
+ path
+ Specifies the path, as originally observed, to the directory on the file system.
+
+
+
+
+ path_enc
+ Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl
new file mode 100644
index 0000000..f568524
--- /dev/null
+++ b/stix/core-objects/sco/domain-name/domain-name.owl
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Domain Name
+ The Domain Name object represents the properties of a network domain name.
+
+
+
+
+
+
+
+ domain-name
+
+
+
+
+
+
+
+ resolved_to_refs
+ Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ resolved_to_refs_id
+ Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records).
+
+
+
+
+ value
+ Specifies the value of the domain name. The value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890].
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl
new file mode 100644
index 0000000..db405b0
--- /dev/null
+++ b/stix/core-objects/sco/email-address/email-address.owl
@@ -0,0 +1,91 @@
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Email Address Object
+ The Email Address object represents a single email address.
+
+
+
+
+
+
+
+ email-addr
+
+
+
+
+
+
+
+ belongs_to_ref
+ Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ belongs_to_ref_id
+ Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ display_name
+ Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith.
+
+
+
+
+ value
+ Specifies the value of the email address. This MUST NOT include the display name. This property corresponds to the addr-spec construction in section 3.4 of [RFC5322], for example, jane.smith@example.com.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl
new file mode 100644
index 0000000..4fed757
--- /dev/null
+++ b/stix/core-objects/sco/email-message/email-message.owl
@@ -0,0 +1,350 @@
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EmailMessage
+ The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property.
+
+
+
+
+
+
+
+ email-message
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Email MIME Component Type
+ Specifies one component of a multi-part email body. There is no property to capture the value of the "Content-Transfer-Encoding" header field, since the body MUST be decoded before being represented in the body property. One of body OR body_raw_ref MUST be included.
+
+
+
+ additional header fields
+ Specifies any other header fields (except for date, received_lines, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, and subject) found in the email message, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single header field or names/values of a header field that occurs more than once. Each dictionary key SHOULD be a case-preserved version of the header field name. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated.
+
+
+
+ bcc_refs
+ Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address.
+
+
+
+
+ bcc_refs_string
+ Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address.
+
+
+
+
+ body
+
+
+
+
+ body_multipart
+ Specifies a list of the MIME parts that make up the email body. This property MUST NOT be used if is_multipart is false.
+
+
+
+
+ body_raw_ref
+ Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object. The object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used.
+
+
+
+
+
+ body_raw_ref_string
+ Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object. The object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used.
+
+
+
+
+ cc_refs
+ Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address.
+
+
+
+
+ cc_refs_string
+ Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address.
+
+
+
+
+ content_disposition
+ Specifies the value of the "Content-Disposition" header field of the MIME part.
+
+
+
+
+ content_type
+
+
+
+
+ date
+ Specifies the date/time that the email message was sent.
+
+
+
+
+ from_ref
+ Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address.
+
+
+
+
+ from_ref_string
+ Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address.
+
+
+
+
+ is_multipart
+ Indicates whether the email body contains multiple MIME parts.
+
+
+
+
+ message_id
+ Specifies the Message-ID field of the email message.
+
+
+
+
+ raw_email_ref
+ Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ raw_email_ref_string
+ Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ received_lines
+ Specifies one or more "Received" header fields that may be included in the email headers. List values MUST appear in the same order as present in the email message.
+
+
+
+
+ sender_ref
+ Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address.
+
+
+
+
+ sender_ref_string
+ Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address.
+
+
+
+
+ subject
+ Specifies the subject of the email message.
+
+
+
+
+ to_refs
+ Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address.
+
+
+
+
+ to_refs_string
+ Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address.
+
+
+
+
\ No newline at end of file
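Review bot: `body` and `content_type` carry a label but no comment, while every other property in this file documents its semantics; both should get a comment taken from the corresponding rows of the STIX 2.1 email-mime-part-type definition that the surrounding comments are already drawn from, including the text/ content-type condition that the `body_raw_ref` comment alludes to. The label `additional header fields` uses spaces whereas the comment and every sibling label use underscore form; it should be `additional_header_fields`.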
diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl
new file mode 100644
index 0000000..8e617f0
--- /dev/null
+++ b/stix/core-objects/sco/file/file.owl
@@ -0,0 +1,968 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Alternate Data Stream Type
+ The Alternate Data Stream type represents an NTFS alternate data stream.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Archive File Extension
+ The Archive File extension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext. Note that this predefined extension does not use the extension facility described in section 7.3.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ File
+ The File object represents the properties of a file. A File object MUST contain at least one of hashes or name.
+
+
+
+
+
+
+
+ file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NTFS File Extension
+ The NTFS file extension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system. The key for this extension when used in the extensions dictionary MUST be ntfs-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the NTFS File Extension MUST contain at least one property from this extension.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PDF File Extension
+ The PDF file extension specifies a default extension for capturing properties specific to PDF files. The key for this extension when used in the extensions dictionary MUST be pdf-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the PDF File Extension MUST contain at least one property from this extension.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Raster Image File Extension
+ The Raster Image file extension specifies a default extension for capturing properties specific to raster image files. The key for this extension when used in the extensions dictionary MUST be raster-image-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Raster Image File Extension MUST contain at least one property from this extension.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows PE Optional Header Type
+ The Windows PE Optional Header type represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows PE Section Type
+ The Windows PE Section type specifies metadata about a PE file section.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows PE Binary File Extension
+ The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files. The key for this extension when used in the extensions dictionary MUST be windows-pebinary-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows™ PE Binary File Extension MUST contain at least one property other than the required pe_type property from this extension.
+
+
+
+ address_of_entry_point
+ Specifies the address of the entry point relative to the image base when the executable is loaded into memory.
+
+
+
+
+ alternate_data_streams
+ Specifies a list of NTFS alternate data streams that exist for the file.
+
+
+
+
+ atime
+ Specifies the date/time the file was last accessed.
+
+
+
+
+ base_of_code
+ Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory.
+
+
+
+
+ base_of_data
+ base_of_data
+
+
+
+
+ bits_per_pixel
+ Specifies the sum of bits used for each color channel in the image file, and thus the total number of pixels used for expressing the color depth of the image.
+
+
+
+
+ characteristics_hex
+ Specifies the flags that indicate the file's characteristics.
+
+
+
+
+ checksum_hex
+ Specifies the checksum of the PE binary.
+
+
+
+
+ comment
+ Specifies a comment included as part of the archive file.
+
+
+
+
+ contains_refs
+
+
+
+
+ contains_refs_string
+
+
+
+
+ content_ref
+ Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ content_ref_string
+ Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ ctime
+ Specifies the date/time the file was created.
+
+
+
+
+ dll_characteristics_hex
+ Specifies the flags that characterize the PE binary.
+
+
+
+
+ document_info_dict
+ Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string.
+
+
+
+
+ entropy
+ Specifies the calculated entropy for the section, as calculated using the Shannon algorithm (https://en.wiktionary.org/wiki/Shannon_entropy). The size of each input character is defined as a byte, resulting in a possible range of 0 through 8.
+
+
+
+
+ exif_tags
+ Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes).
+
+
+
+
+ file_alignment
+ Specifies the factor (in bytes) that is used to align the raw data of sections in the image file.
+
+
+
+
+
+
+
+ image_base
+ Specifies the preferred address of the first byte of the image when loaded into memory.
+
+
+
+
+ image_height
+ Specifies the height of the image in the image file, in pixels.
+
+
+
+
+ image_width
+ Specifies the width of the image in the image file, in pixels.
+
+
+
+
+ imphash
+ Specifies the special import hash, or 'imphash', calculated for the PE Binary based on its imported libraries and functions. For more information on the imphash algorithm, see the original article by Mandiant/FireEye [FireEye 2014].
+
+
+
+
+ is_optimized
+ Specifies whether the PDF file has been optimized.
+
+
+
+
+ loader_flags_hex
+ Specifies the reserved loader flags.
+
+
+
+
+ machine_hex
+ Specifies the type of target machine.
+
+
+
+
+ magic_hex
+ Specifies the hex value that indicates the type of the PE binary.
+
+
+
+
+ magic_number_hex
+ Specifies the hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable.
+
+
+
+
+ major_image_version
+ Specifies the major version number of the image.
+
+
+
+
+ major_linker_version
+ Specifies the linker major version number.
+
+
+
+
+ major_os_version
+ Specifies the major version number of the required operating system.
+
+
+
+
+ major_subsystem_version
+ Specifies the major version number of the subsystem.
+
+
+
+
+ mime_type
+ Specifies the MIME type name specified for the file, e.g., application/msword. Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.
+
+
+
+
+ minor_image_version
+ Specifies the minor version number of the image.
+
+
+
+
+ minor_linker_version
+ Specifies the linker minor version number.
+
+
+
+
+ minor_os_version
+ Specifies the minor version number of the required operating system.
+
+
+
+
+ minor_subsystem_version
+ Specifies the minor version number of the subsystem.
+
+
+
+
+ mtime
+ Specifies the date/time the file was last written to/modified.
+
+
+
+
+ name
+
+
+
+
+ name_enc
+ Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead. This property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script.
+
+
+
+
+ number_of_rva_and_sizes
+ Specifies the number of data-directory entries in the remainder of the optional header.
+
+
+
+
+ number_of_sections
+ Specifies the number of sections in the PE binary, as a non-negative integer.
+
+
+
+
+ number_of_symbols
+ Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer.
+
+
+
+
+ optional_header
+ Specifies the PE optional header of the PE binary. When used, at least one property from the windows-pe-optional-header-type MUST be included.
+
+
+
+
+ parent_directory_ref
+ Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory.
+
+
+
+
+ parent_directory_ref_string
+ Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory.
+
+
+
+
+ pdfid0
+ Specifies the first file identifier found for the PDF file.
+
+
+
+
+ pdfid1
+ Specifies the second file identifier found for the PDF file.
+
+
+
+
+ pe_type
+ Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary.
+
+
+
+ pointer_to_symbol_table_hex
+ Specifies the file offset of the COFF symbol table.
+
+
+
+
+ section_alignment
+ Specifies the alignment (in bytes) of PE sections when they are loaded into memory.
+
+
+
+
+ sections
+ Specifies metadata about the sections in the PE file.
+
+
+
+
+ sid
+ Specifies the security ID (SID) value assigned to the file.
+
+
+
+
+ size
+
+
+
+
+ size_of_code
+ Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_headers
+ Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. The value of this property MUST NOT be negative..
+
+
+
+
+ size_of_heap_commit
+ Specifies the size of the local heap space to commit, in bytes. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_heap_reserve
+ Specifies the size of the local heap space to reserve, in bytes. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_image
+ Specifies the size of the image in bytes, including all headers, as the image is loaded in memory. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_initialized_data
+ Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_optional_header
+ Specifies the size of the optional header of the PE binary. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_stack_commit
+ Specifies the size of the stack to commit, in bytes. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_stack_reserve
+ Specifies the size of the stack to reserve, in bytes. The value of this property MUST NOT be negative.
+
+
+
+
+ size_of_uninitialized_data
+ Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative.
+
+
+
+
+ subsystem_hex
+ Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image.
+
+
+
+
+ time_date_stamp
+ Specifies the time when the PE binary was created. The timestamp value MUST be precise to the second.
+
+
+
+
+ version
+ Specifies the decimal version number of the string from the PDF header that specifies the version of the PDF specification to which the PDF file conforms. E.g., 1.4.
+
+
+
+
+ win32_version_value_hex
+ Specifies the reserved win32 version value.
+
+
+
+
\ No newline at end of file
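Review bot: `base_of_data` carries its own name as its definition text instead of a description, and `contains_refs`, `contains_refs_string`, `name` and `size` have a label but no definition at all, unlike every other property in this file. For base_of_data the STIX 2.1 wording that matches the sibling `base_of_code` entry would be `Specifies the address that is relative to the image base of the beginning-of-data section when it is loaded into memory.`, and the other four need a sentence each in the same "Specifies ..." style. The `size_of_headers` definition also ends with a doubled period (`negative..`). The File description requires at least one of hashes or name, yet no `hashes` entry is visible in the property list; since the XML markup is stripped in this view that may be an extraction artefact rather than an omission, but it is worth confirming.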
diff --git a/stix/core-objects/sco/ipv4-address/ipv4-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl
new file mode 100644
index 0000000..059004c
--- /dev/null
+++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IPv4 Address Object
+ The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation.
+
+
+
+ belongs_to_refs
+ Specifies a list of references to one or more autonomous systems (AS) that the IPv4 address belongs to. The objects referenced in this list MUST be of type autonomous-system.
+
+
+
+
+ belongs_to_refs_string
+ Specifies a list of references to one or more autonomous systems (AS) that the IPv4 address belongs to. The objects referenced in this list MUST be of type autonomous-system.
+
+
+
+
+ resolved_to_refs
+ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr.
+
+
+
+
+ resolved_to_refs_string
+ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr.
+
+
+
+
+ value
+ Specifies the values of one or more IPv4 addresses expressed using CIDR notation. If a given IPv4 Address object represents a single IPv4 address, the CIDR /32 suffix MAY be omitted. Example: 10.2.4.5/24
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/ipv6-address/ipv6-address.owl b/stix/core-objects/sco/ipv6-address/ipv6-address.owl
new file mode 100644
index 0000000..68bfcfc
--- /dev/null
+++ b/stix/core-objects/sco/ipv6-address/ipv6-address.owl
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IPv6 Address Object
+ The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation.
+
+
+
+ belongs_to_refs
+ Specifies a list of references to one or more autonomous systems (AS) that the IPv6 address belongs to. The objects referenced in this list MUST be of type autonomous-system.
+
+
+
+
+ belongs_to_refs_string
+ Specifies a list of references to one or more autonomous systems (AS) that the IPv6 address belongs to. The objects referenced in this list MUST be of type autonomous-system.
+
+
+
+
+ resolved_to_refs
+ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr.
+
+
+
+
+ resolved_to_refs_string
+ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr.
+
+
+
+
+ value
+ Specifies the values of one or more IPv6 addresses expressed using CIDR notation. If a given IPv6 Address object represents a single IPv6 address, the CIDR /128 suffix MAY be omitted.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/mac-address/mac-address.owl b/stix/core-objects/sco/mac-address/mac-address.owl
new file mode 100644
index 0000000..934d826
--- /dev/null
+++ b/stix/core-objects/sco/mac-address/mac-address.owl
@@ -0,0 +1,39 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+ MAC Address Object
+ The MAC Address object represents a single Media Access Control (MAC) address.
+
+
+
+ value
+ Specifies the value of a single MAC address. The MAC address value MUST be represented as a single colon-delimited, lowercase MAC-48 address, which MUST include leading zeros for each octet. Example: 00:00:ab:cd:ef:01
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/mutex/mutex.owl b/stix/core-objects/sco/mutex/mutex.owl
new file mode 100644
index 0000000..da24804
--- /dev/null
+++ b/stix/core-objects/sco/mutex/mutex.owl
@@ -0,0 +1,39 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+ Mutex Object
+ The Mutex object represents the properties of a mutual exclusion (mutex) object.
+
+
+
+ name
+ Specifies the name of the mutex object.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl
new file mode 100644
index 0000000..415fceb
--- /dev/null
+++ b/stix/core-objects/sco/network-traffic/network-traffic.owl
@@ -0,0 +1,562 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HTTP Request Extension
+ The HTTP request extension specifies a default extension for capturing network traffic properties specific to HTTP requests. The key for this extension when used in the extensions dictionary MUST be http-request-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is http.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ICMP Extension
+ The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Network Traffic
+ The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood. To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization's network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Network Socket Extension
+ The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets. The key for this extension when used in the extensions dictionary MUST be socket-ext. Note that this predefined extension does not use the extension facility described in section 7.3.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TCP Extension
+ The TCP extension specifies a default extension for capturing network traffic properties specific to TCP. The key for this extension when used in the extensions dictionary MUST be tcp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is tcp. An object using the TCP Extension MUST contain at least one property from this extension.
+
+
+
+ address_family
+ Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration.
+
+
+
+ dst_byte_count
+ Specifies the number of bytes, as a positive integer, sent from the destination to the source.
+
+
+
+
+ dst_flags_hex
+ Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon.
+
+
+
+
+ dst_packets
+ Specifies the number of packets, as a positive integer, sent from the destination to the source.
+
+
+
+
+ dst_payload_ref
+ Specifies the bytes sent from the destination to the source. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ dst_payload_ref_string
+ Specifies the bytes sent from the destination to the source. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ dst_port
+ Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535.
+
+
+
+
+
+ 65535
+
+
+
+
+
+
+
+ dst_ref
+ Specifies the destination of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dst_ref_string
+ Specifies the destination of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown).
+
+
+
+
+ encapsulated_by_ref
+ Links to another network-traffic object which encapsulates this object. The object referenced in this property MUST be of type network-traffic.
+
+
+
+
+ encapsulated_by_ref_string
+ Links to another network-traffic object which encapsulates this object. The object referenced in this property MUST be of type network-traffic.
+
+
+
+
+ encapsulates_refs
+ Links to other network-traffic objects encapsulated by this network-traffic object. The objects referenced in this property MUST be of type network-traffic.
+
+
+
+
+ encapsulates_refs_string
+ Links to other network-traffic objects encapsulated by this network-traffic object. The objects referenced in this property MUST be of type network-traffic.
+
+
+
+
+ end
+ Specifies the date/time the network traffic ended, if known. If the is_active property is true, then the end property MUST NOT be included. If this property and the start property are both defined, then this property MUST be greater than or equal to the timestamp in the start property.
+
+
+
+
+ icmp_code_hex
+ Specifies the ICMP code byte.
+
+
+
+
+ icmp_type_hex
+ Specifies the ICMP type byte.
+
+
+
+
+ ipfix
+ Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property.
+
+
+
+
+ is_active
+ Indicates whether the network traffic is still ongoing. If the end property is provided, this property MUST be false.
+
+
+
+
+ is_blocking
+ Specifies whether the socket is in blocking mode.
+
+
+
+
+ is_listening
+ Specifies whether the socket is in listening mode.
+
+
+
+
+ message_body_data_ref
+ Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ message_body_data_ref_string
+ Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ message_body_length
+ Specifies the length of the HTTP message body, if included, in bytes.
+
+
+
+
+
+
+
+ protocols
+ Specifies the protocols observed in the network traffic, along with their corresponding state. Protocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first. The protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. If the protocol extension is present, the corresponding protocol value for that extension SHOULD be listed in this property. Example: ipv4, tcp, http
+
+
+
+
+
+
+
+ request_method
+ Specifies the HTTP method portion of the HTTP request line, as a lowercase string.
+
+
+
+
+ request_value
+ Specifies the value (typically a resource path) portion of the HTTP request line.
+
+
+
+
+ request_version
+ Specifies the HTTP version portion of the HTTP request line, as a lowercase string.
+
+
+
+
+ socket_descriptor
+ Specifies the socket file descriptor value associated with the socket, as a non-negative integer.
+
+
+
+
+ socket_handle
+ Specifies the handle or inode value associated with the socket.
+
+
+
+
+ socket_type
+ Specifies the type of the socket. The values of this property MUST come from the network-socket-type-enum enumeration.
+
+
+
+ src_type_count
+ Specifies the number of bytes, as a positive integer, sent from the source to the destination.
+
+
+
+
+ src_flags_hex
+ Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon.
+
+
+
+
+ src_packets
+ Specifies the number of packets, as a positive integer, sent from the source to the destination.
+
+
+
+
+ src_payload_ref
+ Specifies the bytes sent from the source to the destination. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ src_payload_ref_string
+ Specifies the bytes sent from the source to the destination. The object referenced in this property MUST be of type artifact.
+
+
+
+
+ src port
+ Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535.
+
+
+
+
+
+ 65535
+
+
+
+
+
+
+
+ src_ref
+ Specifies the source of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ src_ref_string
+ Specifies the source of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown).
+
+
+
+
+ start
+ Specifies the date/time the network traffic was initiated, if known.
+
+
+
+
\ No newline at end of file
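Review bot: The property labelled `src_type_count`, whose definition is the byte count sent from source to destination, is the counterpart of `dst_byte_count` and should be named `src_byte_count`; likewise `src port` has a space where `dst_port` and the Network Traffic description itself use `src_port`. These labels are what tooling will match against STIX 2.1 JSON property names, so the mismatch silently drops both properties from any mapping. If the underlying IRIs (not visible here because the XML markup is stripped) carry the same typos, they need the same fix.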
diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl
new file mode 100644
index 0000000..ea5aa7c
--- /dev/null
+++ b/stix/core-objects/sco/process/process.owl
@@ -0,0 +1,400 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Process
+ The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows Process Extension
+ The Windows Process extension specifies a default extension for capturing properties specific to Windows processes. The key for this extension when used in the extensions dictionary MUST be windows-process-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows Process Extension MUST contain at least one property from this extension.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows Service Extension
+ The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension.
+
+
+
+ aslr_enabled
+ Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.
+
+
+
+
+ child_refs
+ Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process.
+
+
+
+
+ child_refs_string
+ Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process.
+
+
+
+
+ command_line
+ Specifies the full command line used in executing the process, including the process name (which may be specified individually via the image_ref.name property) and any arguments.
+
+
+
+
+ created_time
+ Specifies the date/time at which the process was created.
+
+
+
+
+ creator_user_ref
+ Specifies the user that created the process, as a reference to a User Account object. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ creator_user_ref_string
+ Specifies the user that created the process, as a reference to a User Account object. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ cwd
+ Specifies the current working directory of the process.
+
+
+
+
+ dep_enabled
+ Specifies whether Data Execution Prevention (DEP) is enabled for the process.
+
+
+
+
+ descriptions
+ Specifies the descriptions defined for the service.
+
+
+
+
+ display_name
+ Specifies the display name of the service in Windows GUI controls.
+
+
+
+
+ environment_variables
+ Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string.
+
+
+
+
+ group_name
+ Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.
+
+
+
+
+ image_ref
+ Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file.
+
+
+
+
+ image_ref_string
+ Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file.
+
+
+
+
+ integrity_level
+ Specifies the Windows integrity level, or trustworthiness, of the process. The values of this property MUST come from the windows-integrity-level-enum enumeration.
+
+
+
+ is_hidden
+ Specifies whether the process is hidden.
+
+
+
+
+ opened_connection_refs
+ Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic objects. The objects referenced in this list MUST be of type network-traffic.
+
+
+
+
+ opened_connection_refs_string
+ Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic objects. The objects referenced in this list MUST be of type network-traffic.
+
+
+
+
+ owner_sid
+ Specifies the Security ID (SID) value of the owner of the process.
+
+
+
+
+ parent_ref
+ Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process.
+
+
+
+
+ parent_ref_string
+ Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process.
+
+
+
+
+ pid
+ Specifies the Process ID, or PID, of the process.
+
+
+
+
+ priority
+ Specifies the current priority class of the process in Windows. This value SHOULD be a string that ends in _CLASS.
+
+
+
+
+ service_dll_refs
+ Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file.
+
+
+
+
+ service_dll_refs_string
+ Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file.
+
+
+
+
+ service_name
+ Specifies the name of the service.
+
+
+
+
+ service_status
+ Specifies the current status of the service. The values of this property MUST come from the windows-service-status-enum enumeration.
+
+
+
+ service_type
+ Specifies the type of the service. The values of this property MUST come from the windows-service-type-enum enumeration.
+
+
+
+ start_type
+ Specifies the start options defined for the service. The values of this property MUST come from the windows-service-start-type-enum enumeration.
+
+
+
+ startup_info
+ Specifies the STARTUP_INFO struct used by the process, as a dictionary. Each name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop.
+
+
+
+
+ window_title
+ Specifies the title of the main window of the process.
+
+
+
+
\ No newline at end of file
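Review bot: `group_name` reuses the `aslr_enabled` definition text ("Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process."), which is wrong for a Windows Service extension property and would mislead anyone reading the ontology for the meaning of a service group. Suggest `Specifies the name of the service group.`, which is the STIX 2.1 wording for this property. The same copy-paste check is worth running on the other `_string` duplicates in this hunk, although the visible ones appear consistent with their non-string counterparts.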
diff --git a/stix/core-objects/sco/software/software.owl b/stix/core-objects/sco/software/software.owl
new file mode 100644
index 0000000..a11503b
--- /dev/null
+++ b/stix/core-objects/sco/software/software.owl
@@ -0,0 +1,100 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Software
+ The Software object represents high-level properties associated with software, including software products.
+
+
+
+ cpe
+ Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary [NVD]. While the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present.
+
+
+
+
+ languages
+ Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to [RFC5646].
+
+
+
+
+ name
+ Specifies the name of the software.
+
+
+
+
+ swid
+ Specifies the Software Identification (SWID) Tags [SWID] entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product.
+
+
+
+
+ vendor
+ Specifies the name of the vendor of the software.
+
+
+
+
+ version
+ Specifies the version of the software.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/url/url.owl b/stix/core-objects/sco/url/url.owl
new file mode 100644
index 0000000..6daba29
--- /dev/null
+++ b/stix/core-objects/sco/url/url.owl
@@ -0,0 +1,39 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+ URL Object
+ The URL object represents the properties of a uniform resource locator (URL).
+
+
+
+ value
+ Specifies the value of the URL. The value of this property MUST conform to [RFC3986], more specifically section 1.1.3 with reference to the definition for "Uniform Resource Locator".
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl
new file mode 100644
index 0000000..b3a1635
--- /dev/null
+++ b/stix/core-objects/sco/user-account/user-account.owl
@@ -0,0 +1,909 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UNIX Account Extension
+ The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ User Account
+ The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object.
+
+
+
+ account_created
+ Specifies when the account was created.
+
+
+
+
+ account_expires
+ Specifies the expiration date of the account.
+
+
+
+
+ account_first_login
+ Specifies when the account was first accessed.
+
+
+
+
+ account_last_login
+ Specifies when the account was last accessed.
+
+
+
+
+ account_login
+ Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root".
+
+
+
+
+ account_type
+ Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary.
+
+
+
+
+ can_escalate_privs
+ Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account).
+
+
+
+
+ credential
+ Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII.
+
+
+
+
+ credential_last_changed
+ Specifies when the account credential was last changed.
+
+
+
+
+ display_name
+ Specifies the display name of the account, to be shown in user interfaces, if applicable. On Unix, this is equivalent to the GECOS field.
+
+
+
+
+ gid
+ Specifies the primary group ID of the account.
+
+
+
+
+ groups
+ Specifies a list of names of groups that the account is a member of.
+
+
+
+
+ home_dir
+ Specifies the home directory of the account.
+
+
+
+
+ is_disabled
+ Specifies if the account is disabled.
+
+
+
+
+ is_privileged
+ Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account).
+
+
+
+
+ is_service_account
+ Indicates that the account is associated with a network service or system process (daemon), not a specific individual.
+
+
+
+
+ shell
+ Specifies the account's command shell.
+
+
+
+
+ user_id
+ Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ facebook-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ facebook
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ldap-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ ldap
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ nis-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ nis
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ openid-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ openid
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ radius-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ radius
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ skype-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ skype
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ tacacs-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ tacacs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ twitter-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ twitter
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unix-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unix
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ windows-domain-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ windows-domain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ windows-local-contains-uaov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+ windows-local
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
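Review bot: The `credential` property's description says the value is a cleartext credential that SHOULD NOT be used for sharing PII, but nothing else in this file marks the property as sensitive, so tooling built on the ontology (exports, views, query templates) will treat it like any other string property; add a short comment on that property such as `Values of this property are secrets: redact or access-control them when persisting or sharing data that uses this ontology.` The UNIX Account Extension description also refers to "section 7.3" without naming the document it belongs to, which loses its meaning once the ontology is read on its own; spell it out as `section 7.3 of the STIX 2.1 specification`. The same unqualified section references appear in incident.owl ("section 7.3") and indicator.owl ("section 9") and should be qualified the same way.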
diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl
new file mode 100644
index 0000000..3ff1d10
--- /dev/null
+++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl
@@ -0,0 +1,140 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows Registry Key Object
+ The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows Registry Value Type
+ The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type.
+
+
+
+ creator_user_ref
+ Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ creator_user_ref_string
+ Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account.
+
+
+
+
+ data
+ Specifies the data contained in the registry value.
+
+
+
+
+ data_type
+ Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration.
+
+
+
+ key
+ Specifies the full registry key including the hive. The value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM.
+
+
+
+
+ modified_time
+ Specifies the last date/time that the registry key was modified.
+
+
+
+
+ name
+ Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used.
+
+
+
+
+ number_of_subkeys
+ Specifies the number of subkeys contained under the registry key.
+
+
+
+
+ values
+ Specifies the number of subkeys contained under the registry key.
+
+
+
+
\ No newline at end of file
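Review bot: The description of `values` repeats the `number_of_subkeys` text verbatim ("Specifies the number of subkeys contained under the registry key."), so the property that holds the key's values is documented as a subkey count; it should read along the lines of `Specifies the values found under the registry key.` The `data_type` description contains a literal `\n\n` escape sequence instead of a line break, which tools rendering the annotation will display verbatim. `creator_user_ref` and `creator_user_ref_string` also carry identical descriptions, so a reader cannot tell how the `_string` variant differs; the same applies to `object_refs`/`object_refs_string` in grouping.owl. Presumably the `_string` form is the literal-valued counterpart of the object reference — if so, the description of each `_string` property should say that.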
diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl
new file mode 100644
index 0000000..44c8bc1
--- /dev/null
+++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl
@@ -0,0 +1,375 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ X.509 Certificate Object
+ The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate object MUST contain at least one object specific property (other than type) from this object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ X.509 v3 Extensions Type
+ The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type. Note that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions.
+
+
+
+ authority_key_identifier
+ Specifies the identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate. Also equivalent to the object ID (OID) value of 2.5.29.35.
+
+
+
+
+ basic_constraints
+ Specifies a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE, then an optional pathlen name followed by a non-negative value can be included. Also equivalent to the object ID (OID) value of 2.5.29.19.
+
+
+
+
+ certificate_policies
+ Specifies a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. Also equivalent to the object ID (OID) value of 2.5.29.32.
+
+
+
+
+ crl_distribution_points
+ Specifies how CRL information is obtained. Also equivalent to the object ID (OID) value of 2.5.29.31.
+
+
+
+
+ extended_key_usage
+ Specifies a list of usages indicating purposes for which the certificate public key can be used for. Also equivalent to the object ID (OID) value of 2.5.29.37.
+
+
+
+
+ inhibit_any_policy
+ Specifies the number of additional certificates that may appear in the path before anyPolicy is no longer permitted. Also equivalent to the object ID (OID) value of 2.5.29.54.
+
+
+
+
+ is_self_signed
+ Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies.
+
+
+
+
+ issuer
+ Specifies the name of the Certificate Authority that issued the certificate.
+
+
+
+
+ issuer_alternative_name
+ Specifies the additional identities to be bound to the issuer of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.18.
+
+
+
+
+ key_usage
+ Specifies a multi-valued extension consisting of a list of names of the permitted key usages. Also equivalent to the object ID (OID) value of 2.5.29.15.
+
+
+
+
+ name_constraints
+ Specifies a namespace within which all subject names in subsequent certificates in a certification path MUST be located. Also equivalent to the object ID (OID) value of 2.5.29.30.
+
+
+
+
+ policy_constraints
+ Specifies any constraints on path validation for certificates issued to CAs. Also equivalent to the object ID (OID) value of 2.5.29.36.
+
+
+
+
+ policy_mappings
+ Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33.
+
+
+
+
+ private_key_usage_period_not_after
+ Specifies the date on which the validity period ends for the private key, if it is different from the validity period of the certificate.
+
+
+
+
+ private_key_usage_period_not_before
+ Specifies the date on which the validity period begins for the private key, if it is different from the validity period of the certificate.
+
+
+
+
+ serial_number
+ Specifies the unique identifier for the certificate, as issued by a specific Certificate Authority.
+
+
+
+
+ signature_algorithm
+ Specifies the name of the algorithm used to sign the certificate.
+
+
+
+
+ subject
+ Specifies the name of the entity associated with the public key stored in the subject public key field of the certificate.
+
+
+
+
+ subject_alternative_name
+ Specifies the additional identities to be bound to the subject of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.17.
+
+
+
+
+ subject_directory_attributes
+ Specifies the identification attributes (e.g., nationality) of the subject. Also equivalent to the object ID (OID) value of 2.5.29.9.
+
+
+
+
+ subject_key_identifier
+ Specifies the identifier that provides a means of identifying certificates that contain a particular public key. Also equivalent to the object ID (OID) value of 2.5.29.14.
+
+
+
+
+ subject_public_key_algorithm
+ Specifies the name of the algorithm with which to encrypt data being sent to the subject.
+
+
+
+
+ subject_public_key_exponent
+ Specifies the exponent portion of the subject's public RSA key, as an integer.
+
+
+
+
+ subject_public_key_modulus
+ Specifies the modulus portion of the subject's public RSA key.
+
+
+
+
+ validity_not_after
+ Specifies the date on which the certificate validity period ends.
+
+
+
+
+ validity_not_before
+ Specifies the date on which the certificate validity period begins.
+
+
+
+
+ version
+ Specifies the version of the encoded certificate.
+
+
+
+
+ x509_v3_extensions
+ Specifies any standard X.509 v3 extensions that may be used in the certificate.
+
+
+
+
\ No newline at end of file
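Review bot: The directory in the new file's path is spelled `x509-vertificate` while the file itself is `x509-certificate.owl`; every other SCO directory in this commit matches its file name (`url/url.owl`, `software/software.owl`, `user-account/user-account.owl`), so the directory should be renamed to `x509-certificate` before a catalog or import starts depending on the misspelled path. Separately, the `subject_public_key_algorithm` description ("the algorithm with which to encrypt data being sent to the subject") frames the subject's key purely as an encryption key, although the same field identifies signature-only keys as well; if the project does not insist on keeping the specification's wording verbatim, `Specifies the name of the algorithm of the subject's public key.` avoids implying an encryption use.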
diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl
new file mode 100644
index 0000000..48fe548
--- /dev/null
+++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Attack Pattern
+ Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC].
+
+
+
+
+
+
+
+ attack-pattern
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this Attack Pattern.
+
+
+
+
+ description
+ A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Attack Pattern.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl
new file mode 100644
index 0000000..b5dea58
--- /dev/null
+++ b/stix/core-objects/sdo/campaign/campaign.owl
@@ -0,0 +1,108 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Campaign
+ A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.
+
+
+
+
+
+
+
+ campaign
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this Campaign.
+
+
+
+
+ description
+ A description that provides more details and context about the Campaign, potentially including its purpose and its key characteristics.
+
+
+
+
+
+
+
+
+
+
+
+
+ name
+ A name used to identify the Campaign.
+
+
+
+
+ objective
+ Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign.
+
+
+
+
\ No newline at end of file
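Review bot: The Campaign description ends with a stray fragment ("…another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.") that duplicates the tail of an earlier sentence in the same paragraph; everything after `…merger with another bank.` should be removed so the annotation ends cleanly. Because this text is the class's documentation, the garbled ending will surface wherever tools display the Campaign class.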
diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl
new file mode 100644
index 0000000..bca51dd
--- /dev/null
+++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Course Of Action
+ Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action.
+
+
+
+
+
+
+
+ course-of-action
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Course of Action, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Course of Action.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/grouping/catalog-v001.xml b/stix/core-objects/sdo/grouping/catalog-v001.xml
new file mode 100644
index 0000000..f145293
--- /dev/null
+++ b/stix/core-objects/sdo/grouping/catalog-v001.xml
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl
new file mode 100644
index 0000000..07a2038
--- /dev/null
+++ b/stix/core-objects/sdo/grouping/grouping.owl
@@ -0,0 +1,286 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Grouping
+ A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping.
+
+
+
+
+
+
+
+ grouping
+
+
+
+
+
+
+
+ context
+ A short descriptor of the particular context shared by the content referenced by the Grouping. The value for this property SHOULD come from the grouping-context-ov open vocabulary.
+
+
+
+ description
+ A description that provides more details and context about the Grouping, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Grouping.
+
+
+
+
+ object_refs
+ Specifies the STIX Objects that are referred to by this Grouping.
+
+
+
+
+ object_refs_string
+ Specifies the STIX Objects that are referred to by this Grouping.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ malware-analayis-gcov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ malware-analysis
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ suspicious-activity-gcov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ suspicious-activity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unspecified-gcov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unspecified
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
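Review bot: The rule name `malware-analayis-gcov-rule` is misspelled and does not match the vocabulary value `malware-analysis` it pairs with a few lines later, while the other two rules (`suspicious-activity-gcov-rule`, `unspecified-gcov-rule`) match their values exactly; rename it to `malware-analysis-gcov-rule`. If any other file in the repository refers to the rule by name, update that reference in the same change so the two do not drift apart.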
diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl
new file mode 100644
index 0000000..589548a
--- /dev/null
+++ b/stix/core-objects/sdo/identity/identity.owl
@@ -0,0 +1,111 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Identity
+ Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities.
+
+
+
+
+
+
+
+ identity
+
+
+
+
+
+
+
+ contact_information
+ The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification.
+
+
+
+
+ description
+ A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics.
+
+
+
+
+ identity_class
+ The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary.
+
+
+
+ name
+ The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity.
+
+
+
+
+ roles
+ The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property.
+
+
+
+
+ sectors
+ The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary.
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl
new file mode 100644
index 0000000..039face
--- /dev/null
+++ b/stix/core-objects/sdo/incident/incident.owl
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Incident
+ Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3.
+
+
+
+
+
+
+
+ incident
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Incident, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Incident.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl
new file mode 100644
index 0000000..90aa05f
--- /dev/null
+++ b/stix/core-objects/sdo/indicator/indicator.owl
@@ -0,0 +1,138 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Indicator
+ Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc.
+
+
+
+
+
+
+
+ indicator
+
+
+
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does.
+
+
+
+
+ indicator types
+ A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary.
+
+
+
+ name
+ A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does.
+
+
+
+
+ pattern
+ The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc.
+
+
+
+
+ pattern_type
+ The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property.
+
+
+
+ pattern_version
+ The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation.
+
+
+
+
+ valid_from
+ The time from which this Indicator is considered a valid indicator of the behaviors it is related or represents.
+
+
+
+
+ valid_until
+ The time at which this Indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. If the valid_until property is omitted, then there is no constraint on the latest time for which the Indicator is valid. This MUST be greater than the timestamp in the valid_from property.
+
+
+
+
\ No newline at end of file
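Review bot: The label `indicator types` uses a space where every other property label in this file (`pattern_type`, `pattern_version`, `valid_from`, `valid_until`) uses an underscore, and the STIX 2.1 property it binds is `indicator_types`; change the label to `indicator_types` so it stays consistent with its siblings and with the specification. The Indicator description's last sentence also reads "imply the presence of a Campaigns, Intrusion Sets, and Threat Actors" — drop the stray "a".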
diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl
new file mode 100644
index 0000000..594e729
--- /dev/null
+++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl
@@ -0,0 +1,111 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Infrastructure
+ The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure.
+
+
+
+
+
+
+
+ infrastructure
+
+
+
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this Infrastructure.
+
+
+
+
+ description
+ A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics.
+
+
+
+
+
+
+
+
+ infrastructure_types
+ The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary.
+
+
+
+
+
+
+
+ name
+ A name or characterizing text used to identify the Infrastructure.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/intrusion-set/.DS_Store b/stix/core-objects/sdo/intrusion-set/.DS_Store
new file mode 100644
index 0000000..f887bb2
Binary files /dev/null and b/stix/core-objects/sdo/intrusion-set/.DS_Store differ
diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl
new file mode 100644
index 0000000..ce0a2c4
--- /dev/null
+++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl
@@ -0,0 +1,1694 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Intrusion Set
+ An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
+
+
+
+
+
+
+
+ intrusion-set
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this Intrusion Set.
+
+
+
+
+ description
+ A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics.
+
+
+
+
+
+
+
+
+ goals
+ The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank.
+
+
+
+
+
+
+
+
+ name
+ A name used to identify this Intrusion Set.
+
+
+
+
+ primary_motivation
+ The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data.
+
+
+
+ resource_level
+ This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary.
+
+
+
+ secondary_motivations
+ The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredictable-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredictable
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredictable-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredictable
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ club-arlov-intrusion-set-rule
+ Rule to recognize "club" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ club
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ contest-arlov-intrusion-set-rule
+ Rule to recognize "contest" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ contest
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ government-arlov-intrusion-set-rule
+ Rule to recognize "government" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ government
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ individual-arlov-intrustion-set-rule
+ Rule to recognize "individual" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ individual
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organization-arlov-intrusion-set-rule
+ Rule to recognize "organization" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organization
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ team-arlov-intrusion-set-rule
+ Rule to recognize "team" term asserted on an IntrusionSet
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ team
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
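Review bot: The comment text under the `primary_motivation` and `secondary_motivations` labels is the first_seen description ("The time that this Intrusion Set was first seen…") pasted in place of the motivation text, so the ontology documents the wrong semantics for both properties; suggest `The primary reason, motivation, or purpose behind this Intrusion Set. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.` and the plural equivalent for secondary_motivations. first_seen and last_seen themselves do not appear among the annotated properties in this file, so unless a shared module supplies them they were lost in the same edit. The rule labelled `individual-arlov-intrustion-set-rule` misspells "intrusion", breaking the `*-arlov-intrusion-set-rule` naming its six siblings follow and any query keyed on that pattern. The `*-amov-rule` and `*-secondary-amov-rule` rules carry no comment while every `*-arlov-*` rule does; a one-liner such as `Rule to recognize "accidental" term asserted on an IntrusionSet primary_motivation` on each would keep the file self-describing. Separately, the .DS_Store files added beside these ontology directories are macOS Finder metadata and should be dropped from the commit and listed in .gitignore.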
diff --git a/stix/core-objects/sdo/location/.DS_Store b/stix/core-objects/sdo/location/.DS_Store
new file mode 100644
index 0000000..c5cbbc0
Binary files /dev/null and b/stix/core-objects/sdo/location/.DS_Store differ
diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl
new file mode 100644
index 0000000..9c36142
--- /dev/null
+++ b/stix/core-objects/sdo/location/location.owl
@@ -0,0 +1,184 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Location
+ A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates.
+
+
+
+
+
+
+
+ location
+
+
+
+
+
+
+
+ administrative_area
+ The state, province, or other sub-national administrative area that this Location describes. This property SHOULD contain a valid ISO 3166-2 Code [ISO3166-2].
+
+
+
+
+ building details
+ Specifies additional details about the location within a building including things like floor, room, etc.
+
+
+
+
+ city
+ The city that this Location describes.
+
+
+
+
+ country
+ The country that this Location describes. This property SHOULD contain a valid ISO 3166-1 ALPHA-2 Code [ISO3166-1].
+
+
+
+
+ description
+ A textual description of the Location.
+
+
+
+
+ latitude
+ The latitude of the Location in decimal degrees. Positive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive. If the longitude property is present, this property MUST be present.
+
+
+
+
+ longitude
+ The longitude of the Location in decimal degrees. Positive numbers describe longitudes east of the prime meridian and negative numbers describe longitudes west of the prime meridian. The value of this property MUST be between -180.0 and 180.0, inclusive. If the latitude property is present, this property MUST be present.
+
+
+
+
+ name
+ A name used to identify the Location.
+
+
+
+
+ network details
+ Specifies additional details about this network location including things like wiring closet, rack number, rack location, and VLANs.
+
+
+
+
+ postal_code
+ The postal code for this Location.
+
+
+
+
+ precision
+ Defines the precision of the coordinates specified by the latitude and longitude properties. This is measured in meters. The actual Location may be anywhere up to precision meters from the defined point. If this property is not present, then the precision is unspecified. If this property is present, the latitude and longitude properties MUST be present.
+
+
+
+
+ region
+ The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary.
+
+
+
+ street_address
+ The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number.
+
+
+
+
\ No newline at end of file
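Review bot: The `building details` and `network details` labels contain spaces where every other property label in this file and its sibling SDO files uses snake_case (`administrative_area`, `street_address`, `postal_code`), so they break the STIX JSON property-name convention the ontology otherwise mirrors; `building_details` and `network_details` would be consistent. As far as I can tell these two properties have no counterpart in the STIX 2.1 Location object, so their comments should state that they extend the standard property set rather than read like specification text. The `\n\n` sequences in the Location class comment are literal backslash-n characters inside the XML text, not line breaks, and will render as such in ontology editors; the same appears in the Observed Data and Opinion class comments. Replace them with real newlines or split the text into separate sentences.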
diff --git a/stix/core-objects/sdo/malware-analysis/.DS_Store b/stix/core-objects/sdo/malware-analysis/.DS_Store
new file mode 100644
index 0000000..13df802
Binary files /dev/null and b/stix/core-objects/sdo/malware-analysis/.DS_Store differ
diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl
new file mode 100644
index 0000000..4311e6b
--- /dev/null
+++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl
@@ -0,0 +1,282 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Malware Analysis
+ Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided.
+
+
+
+ analysis_definition_version
+ The version of the analysis definitions used by the analysis tool (including AV tools).
+
+
+
+
+ analysis_ended
+ The date and time that the malware analysis ended.
+
+
+
+
+ analysis_engine_version
+ The version of the analysis engine or product (including AV engines) that was used to perform the analysis.
+
+
+
+
+ analysis_sco_refs
+ This property contains the references to the STIX Cyber-observable Objects that were captured during the analysis process.
+
+
+
+
+ analysis_sco_refs_string
+ This property contains the references to the STIX Cyber-observable Objects that were captured during the analysis process.
+
+
+
+
+ analysis_started
+ The date and time that the malware analysis was initiated.
+
+
+
+
+ configuration_version
+ The named configuration of additional product configuration parameters for this analysis run. For example, when a product is configured to do full depth analysis of Window™ PE files. This configuration may have a named version and that named version can be captured in this property. This will ensure additional runs can be configured in the same way.
+
+
+
+
+ host_vm_ref
+ A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ host_vm_ref_string
+ A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ installed_software_refs
+ Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ installed_software_refs_string
+ Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ modules
+ The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex.
+
+
+
+
+ operating_system_ref
+ The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ operating_system_ref_string
+ The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ product
+ The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used.
+
+
+
+
+ result
+ The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary.
+
+
+
+
+ result_name
+ The classification result or name assigned to the malware instance by the scanner tool.
+
+
+
+
+ sample_ref
+ This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.)
+
+
+
+
+ sample_ref_string
+ This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.)
+
+
+
+
+ submitted
+ The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool.
+
+
+
+
+ version
+ The version of the analysis product that was used to perform the analysis.
+
+
+
+
\ No newline at end of file
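Review bot: Every `*_ref`/`*_refs` property in this file is paired with a `*_string` twin carrying a byte-identical comment (`analysis_sco_refs`/`analysis_sco_refs_string`, `host_vm_ref`/`host_vm_ref_string`, `installed_software_refs`, `operating_system_ref`, `sample_ref`), so nothing tells a reader when to use which form. Presumably one is an object property linking to the referenced SCO individual and the other a datatype property holding the STIX identifier string; if so, the comment on the string form should say it, e.g. `String form of sample_ref: holds the STIX identifier of the referenced SCO when that object is not present in the graph.`. The same pairing occurs in malware.owl (`sample_refs_string`, `operating_system_ref_string`), note.owl and observed-data.owl (`object_refs_string`), and the one explanation should be applied in all of them.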
diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl
new file mode 100644
index 0000000..5b693d1
--- /dev/null
+++ b/stix/core-objects/sdo/malware/malware.owl
@@ -0,0 +1,235 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Malware
+ Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples.
+
+
+
+
+
+
+
+ malware
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this malware or malware family.
+
+
+
+
+ analysis_defintion_version
+ Specifies the version of the analysis definitions used by the analysis tool (including AV tools).
+
+
+
+
+ analysis_engine_version
+ Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis.
+
+
+
+
+ architecture_execution_envs
+ The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary.
+
+
+
+ capabilities
+ Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary.
+
+
+
+ description
+ A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.
+
+
+
+
+
+
+
+
+ implementation_languages
+ The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary.
+
+
+
+ is_family
+ Specifies whether the object represents a malware family (if true) or a malware instance (if false).
+
+
+
+
+
+
+
+
+ malware_types
+ A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary.
+
+
+
+ name
+ A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.
+
+
+
+
+ operating_system_ref_string
+ The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+ operating_system_ref
+ The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object.
+
+
+
+
+
+
+
+ sample_refs
+ The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ sample_refs_string
+ The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data.
+
+
+
+
\ No newline at end of file
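Review bot: The `analysis_defintion_version` label misspells "definition"; the same property is spelled `analysis_definition_version` in malware-analysis.owl, so the two files will not line up when the ontology is queried by label. More fundamentally, analysis_definition_version and analysis_engine_version describe an analysis run rather than a malware instance or family, and as far as I recall they are not Malware SDO properties in STIX 2.1; if they were carried over from Malware Analysis by mistake they should be removed here, otherwise the comments should explain why Malware carries them. `operating_system_ref` is singular while its comment speaks of "the operating systems" and the STIX 2.1 property is the list `operating_system_refs`; the name should match the cardinality the comment describes.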
diff --git a/stix/core-objects/sdo/note/.DS_Store b/stix/core-objects/sdo/note/.DS_Store
new file mode 100644
index 0000000..2c0643c
Binary files /dev/null and b/stix/core-objects/sdo/note/.DS_Store differ
diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl
new file mode 100644
index 0000000..0ae41ba
--- /dev/null
+++ b/stix/core-objects/sdo/note/note.owl
@@ -0,0 +1,94 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Note
+ A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.
+
+
+
+
+
+
+
+ note
+
+
+
+
+
+
+
+ abstract
+ A brief summary of the note content.
+
+
+
+
+ authors
+ The name of the author(s) of this note (e.g., the analyst(s) that created it).
+
+
+
+
+ content
+ The content of the note.
+
+
+
+
+ object_refs
+ The STIX Objects that the note is being applied to.
+
+
+
+
+ object_refs_string
+ The STIX Objects that the note is being applied to.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/observed-data/.DS_Store b/stix/core-objects/sdo/observed-data/.DS_Store
new file mode 100644
index 0000000..f79aae7
Binary files /dev/null and b/stix/core-objects/sdo/observed-data/.DS_Store differ
diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl
new file mode 100644
index 0000000..5cc1a25
--- /dev/null
+++ b/stix/core-objects/sdo/observed-data/observed-data.owl
@@ -0,0 +1,110 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Observed Data
+ Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. 
The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time.
+
+
+
+
+
+
+
+ observed-data
+
+
+
+
+
+
+
+ first_observed
+ The beginning of the time window during which the data was seen.
+
+
+
+
+ last_observed
+ The end of the time window during which the data was seen. This MUST be greater than or equal to the timestamp in the first_observed property.
+
+
+
+
+ number_observed
+ The number of times that each Cyber-observable object represented in the objects or object_ref property was seen. If present, this MUST be an integer between 1 and 999,999,999 inclusive. If the number_observed property is greater than 1, the data contained in the objects or object_refs property was seen multiple times. In these cases, object creators MAY omit properties of the SCO (such as timestamps) that are specific to a single instance of that observed data.
+
+
+
+
+ object_refs
+ A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided.
+
+
+
+
+
+ object_refs_string
+ A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided.
+
+
+
+
+
+
+
\ No newline at end of file
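Review bot: The Observed Data class comment ends with `…can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided…`, where a period has become a comma and "properties" should be singular, leaving the normative sentence hard to parse. That sentence also points readers to an `objects` property for backwards compatibility, yet no `objects` property is annotated in this file; if it is intentionally omitted because it is deprecated in 2.1, say so in the comment, otherwise add it. This is also the only comment in these files that is split across two physical lines in the diff, with the second line missing its `+` marker; confirm the break is a rendering artifact rather than a stray newline in the literal.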
diff --git a/stix/core-objects/sdo/opinion/.DS_Store b/stix/core-objects/sdo/opinion/.DS_Store
new file mode 100644
index 0000000..5d249ee
Binary files /dev/null and b/stix/core-objects/sdo/opinion/.DS_Store differ
diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl
new file mode 100644
index 0000000..1380622
--- /dev/null
+++ b/stix/core-objects/sdo/opinion/opinion.owl
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Opinion
+ An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.
+
+
+
+
+
+
+
+ opinion
+
+
+
+
+
+
+
+ authors
+ The name of the author(s) of this Opinion (e.g., the analyst(s) that created it).
+
+
+
+
+ explanation
+ An explanation of why the producer has this Opinion. For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement.
+
+
+
+
+ object_refs
+ The STIX Objects that the Opinion is being applied to.
+
+
+
+
+ object_refs_string
+ The STIX Objects that the Opinion is being applied to.
+
+
+
+
+ opinion
+ The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration.
+
+
+
\ No newline at end of file
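Review bot: The comment under `object_refs_string` is a verbatim copy of the one under `object_refs`, so the annotation never says why two properties exist or which one a producer should populate; the same copied comment appears on the `_string` variants in report.owl, relationship.owl and sighting.owl, and data-marking.owl goes further by giving `definition` the text of `marking_ref`. The element markup did not survive in this diff view, so I am inferring that `_string` is a datatype-property twin of an object property; if so, a one-line comment such as `Literal form of object_refs: holds the raw STIX identifier strings when the referenced objects are not resolved to individuals.` would remove the ambiguity. Separately, the Opinion class comment contains literal `\n\n` sequences (also in threat-actor.owl, tool.owl, vulnerability.owl, relationship.owl, sighting.owl and data-marking.owl); unless the literal is unescaped somewhere, tooling will show the backslash-n characters rather than paragraph breaks, so real newlines inside the literal would be safer.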
diff --git a/stix/core-objects/sdo/report/.DS_Store b/stix/core-objects/sdo/report/.DS_Store
new file mode 100644
index 0000000..a2610f4
Binary files /dev/null and b/stix/core-objects/sdo/report/.DS_Store differ
diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl
new file mode 100644
index 0000000..e4140e3
--- /dev/null
+++ b/stix/core-objects/sdo/report/report.owl
@@ -0,0 +1,106 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Report
+ Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
+
+
+
+
+
+
+
+ report
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Report, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Report.
+
+
+
+
+ object_refs
+ Specifies the STIX Objects that are referred to by this Report.
+
+
+
+
+ object_refs_string
+ Specifies the STIX Objects that are referred to by this Report.
+
+
+
+
+ published
+ The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property).
+
+
+
+
+ report_types
+ The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary.
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sdo/threat-actor/.DS_Store b/stix/core-objects/sdo/threat-actor/.DS_Store
new file mode 100644
index 0000000..02fbe6e
Binary files /dev/null and b/stix/core-objects/sdo/threat-actor/.DS_Store differ
diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl
new file mode 100644
index 0000000..2795986
--- /dev/null
+++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl
@@ -0,0 +1,2446 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Threat Actor
+ Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization.
+
+
+
+
+
+
+
+ threat-actor
+
+
+
+
+
+
+
+ aliases
+ A list of other names that this Threat Actor is believed to use.
+
+
+
+
+ description
+ A description that provides more details and context about the Threat Actor, potentially including its purpose and its key characteristics.
+
+
+
+
+
+
+
+
+ goals
+ The high-level goals of this Threat Actor, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer.
+
+
+
+
+
+
+
+
+ name
+ A name used to identify this Threat Actor or Threat Actor group.
+
+
+
+
+ personal_motivations
+ The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary.
+
+
+
+ primary_motivation
+ The primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve). For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.
+
+
+
+ resource_level
+ The organizational level at which this Threat Actor typically works, which in turn determines the resources available to this Threat Actor for use in an attack. This attribute is linked to the sophistication property — a specific resource level implies that the Threat Actor has access to at least a specific sophistication level. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary.
+
+
+
+ roles
+ A list of roles the Threat Actor plays. The values for this property SHOULD come from the threat-actor-role-ov open vocabulary.
+
+
+
+ secondary_motivations
+ This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.
+
+
+
+ sophistication
+ The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. The value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary.
+
+
+
+ threat_actor_types
+ The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ accidental
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ coercion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ competitor-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ competitor
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ crime-syndicate-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ crime-syndicate
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ criminal-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ criminal
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dominance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ hacker-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ hacker
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ideology
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ insider-accidental-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ insider-accidental
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ insider-disgruntled-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ insider-disgruntled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ nation-state-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ nation-state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ notoriety
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organizational-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-gain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ personal-satisfaction
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ revenge
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ sensationalist-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ sensationalist
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ spy-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ spy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ terrorist-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ terrorist
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unknown-contains-tatov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unknown
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredicatable-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredicatable
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredicatable-secondary-amov-rule
+
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unpredicatable
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ activist-contains-tatov-rule
+ Rule to recognize the "activist" STIX open vocabulary term in the threat-actor-types ov
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ activist
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ club-arlov-rule
+ Rule to recognize the term "club" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ club
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ contest-arlov-rule
+ Rule to recognize the term "contest" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ contest
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ government-arlov-rule
+ Rule to recognize the term "government" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ government
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ individual-arlov-rule
+ Rule to recognize the term "individual" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ individual
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organization-arlov-rule
+ Rule to recognize the term "organization" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ organization
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ team-arlov-rule
+ Rule to recognize the term "team" asserted as a value to resource_level.
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ team
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
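Review bot: The attack-motivation term is misspelled in the four lines reading `unpredicatable-amov-rule`, `unpredicatable-secondary-amov-rule` and the two value lines `unpredicatable`; the STIX 2.1 attack-motivation-ov value is `unpredictable`, so as written these two rules can never match conforming data, and the fix is the one-word rename to `unpredictable` in all four lines. The arlov rules and `activist-contains-tatov-rule` each carry a `Rule to recognize …` comment, but the amov and tatov rules above them have none; a matching one-liner, e.g. `Rule to recognize the "accidental" STIX open vocabulary term asserted as a value to a motivation property.`, should be added to each so the intent of the `true` value beneath every rule name is documented (which property each amov rule inspects is not visible here, so adjust the wording to the actual property). `insider-disgruntled-rule` also breaks the `<term>-contains-tatov-rule` naming used by every other threat-actor-type rule and should be `insider-disgruntled-contains-tatov-rule`.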
diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl
new file mode 100644
index 0000000..7063928
--- /dev/null
+++ b/stix/core-objects/sdo/tool/tool.owl
@@ -0,0 +1,106 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Tool
+ Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack.
+
+
+
+
+
+
+
+ tool
+
+
+
+
+
+
+
+ aliases
+ Alternative names used to identify this Tool.
+
+
+
+
+ description
+ A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.
+
+
+
+
+
+
+
+ name
+ The name used to identify the Tool.
+
+
+
+
+ tool_types
+ The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary.
+
+
+
+ tool_version
+ The version identifier associated with the Tool.
+
+
+
+
\ No newline at end of file
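Review bot: The Tool class comment says the SDO carries `a list of Kill Chain Phases the tool can be used to carry out`, yet the only property labels in this hunk are `aliases`, `description`, `name`, `tool_types` and `tool_version`; no `kill_chain_phases` label is visible. Since the XML markup is stripped in this view, the property may be declared in a shared file, but if it is meant to be declared here it is missing, and if it is shared a short comment next to `tool_version` naming where `kill_chain_phases` is defined would save the next reader the search.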
diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl
new file mode 100644
index 0000000..8e330a3
--- /dev/null
+++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Vulnerability
+ A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process.
+
+
+
+
+
+
+
+ vulnerability
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics.
+
+
+
+
+ name
+ A name used to identify the Vulnerability.
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sro/relationship/.DS_Store b/stix/core-objects/sro/relationship/.DS_Store
new file mode 100644
index 0000000..8d9ce81
Binary files /dev/null and b/stix/core-objects/sro/relationship/.DS_Store differ
diff --git a/stix/core-objects/sro/relationship/relationship-types.owl b/stix/core-objects/sro/relationship/relationship-types.owl
new file mode 100644
index 0000000..99a3540
--- /dev/null
+++ b/stix/core-objects/sro/relationship/relationship-types.owl
@@ -0,0 +1,108 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl
new file mode 100644
index 0000000..e7ff103
--- /dev/null
+++ b/stix/core-objects/sro/relationship/relationship.owl
@@ -0,0 +1,140 @@
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Relationship
+ The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX.
+
+
+
+
+
+
+
+ relationship
+
+
+
+
+
+
+
+ description
+ A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics.
+
+
+
+
+ relationship_type
+ The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-).
+
+
+
+
+ source_ref
+ The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+
+
+
+ source_ref_string
+ The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+
+
+
+
+ start_time
+ This optional timestamp represents the earliest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the start_time property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true. If it is not specified, then the earliest time at which the relationship between the objects exists is not defined.
+
+
+
+
+ stop_time
+ The latest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the stop_time property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true. If start_time and stop_time are both defined, then stop_time MUST be later than the start_time value. If stop_time is not specified, then the latest time at which the relationship between the objects exists is either not known, not disclosed, or has no defined stop time.
+
+
+
+
+ target_ref
+ The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+
+
+
+ target_ref_id
+ The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+
+
+
+
+
+
+
\ No newline at end of file
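Review bot: The literal twin of `target_ref` is labelled `target_ref_id` while the twin of `source_ref` is `source_ref_string`; the two should follow one convention, so `target_ref_id` should become `target_ref_string` (the label and, presumably, the IRI carried by the stripped markup). The `stop_time` comment states `stop_time MUST be later than the start_time value`, which OWL axioms cannot express; a comment such as `Ordering relative to start_time is enforced by validation, not by this ontology.` would make clear that the constraint is documentation only. The `source_ref` and `target_ref` comments likewise say `MUST be an ID reference to an SDO or SCO`, which reads like a range restriction — if the ontology restricts the range, say so in the comment, otherwise note that it is not enforced here.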
diff --git a/stix/core-objects/sro/sighting/.DS_Store b/stix/core-objects/sro/sighting/.DS_Store
new file mode 100644
index 0000000..ad531e7
Binary files /dev/null and b/stix/core-objects/sro/sighting/.DS_Store differ
diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl
new file mode 100644
index 0000000..36e3ebe
--- /dev/null
+++ b/stix/core-objects/sro/sighting/sighting.owl
@@ -0,0 +1,180 @@
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Sighting
+ A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. 
\n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor".
+
+
+
+
+
+
+
+ sighting
+
+
+
+
+
+
+
+ count
+ If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted. Observed Data has a similar property called number_observed, which refers to the number of times the data was observed. These counts refer to different concepts and are distinct. For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data number_observed would be much higher. As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all.
+
+
+
+
+ description
+ A description that provides more details and context about the Sighting.
+
+
+
+
+
+
+
+
+
+
+
+
+ observed_data_refs
+ A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs.
+
+
+
+
+ observed_data_refs_string
+ A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs.
+
+
+
+
+ sighting_of_ref
+ An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO.
+
+
+
+
+ sighting_of_ref_string
+ An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO.
+
+
+
+
+ summary
+ The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false.
+
+
+
+
+ where_sighted_refs
+ A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs. This property MUST reference only Identity or Location SDOs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ where_sighted_refs_string
+ A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs_string property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_string. This property MUST reference only Identity or Location SDOs.
+
+
+
+
\ No newline at end of file
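Review bot: The comment under `where_sighted_refs_string` has had the property name substituted into the guidance text, so it now tells producers to list the creator Identity in `where_sighted_refs_string`, while `sighting_of_ref_string` and `observed_data_refs_string` keep the original wording; the two variants thus give contradictory advice on which property to populate, and the substituted sentences should be reverted to name `where_sighted_refs`. The Sighting class comment also continues onto a line that carries no `+` marker (the one beginning `\n\n Sighting is distinct from Observed Data`), which suggests a raw line break inside the literal or a mangled patch; worth confirming that the file still parses as XML.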
diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl
new file mode 100644
index 0000000..b5c3052
--- /dev/null
+++ b/stix/meta-objects/data-marking/data-marking.owl
@@ -0,0 +1,188 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Granular Marking Type
+ The granular-marking type defines how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Marking Definition
+ Represents a specific marking. Data markings typically represent handling or sharing requirements for data and are applied in the object_marking_refs and granular_markings properties on Objects.
+
+
+
+
+
+
+
+
+
+
+ Statement Marking Object Type
+ The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the definition_type property MUST be statement when using this marking type. Statement markings are generally not machine-readable, and this specification does not define any behavior or actions based on their values. \n\n Content may be marked with multiple statements of use. In other words, the same content can be marked both with a statement saying "Copyright 2019" and a statement saying, "Terms of use are ..." and both statements apply.
+
+
+
+
+
+
+
+
+
+
+ TLP Marking Object Type
+ The TLP marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type.
+
+
+
+ definition
+ Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US}
+
+
+
+
+
+ definition_type
+ Specifies the type of Marking Definition.
+
+
+
+
+ statement
+
+
+ tlp
+
+
+
+
+
+
+
+
+
+
+ marking_ref
+ Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US}
+
+
+
+
+ marking_ref_string
+ Specifies an identifier to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.
+
+
+
+
+ name
+ A name used to identify the Marking Definition.
+
+
+
+
+ selectors
+ Specifies a list of selectors for content contained within the Object in which this property appears.\n\nThe marking-definition referenced in the marking_ref property is applied to the content selected by the selectors in this list.\n\nThe [RFC5646] language code specified by the lang property is applied to the content selected by the selectors in this list.
+
+
+
+
+ statement
+ A Statement (e.g., copyright, terms of use) applied to the content marked by this marking definition.
+
+
+
+
+ tlp
+ The TLP level [TLP] of the content marked by this marking definition.
+
+
+
+
+ amber
+
+
+ green
+
+
+ red
+
+
+ white
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
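Review bot: The description on the `definition` property (the line after `definition`) is a copy of the `marking_ref` description ("Specifies a reference to the marking-definition object that describes the marking..."), so the annotation documents a different property than it sits on; `definition` carries the marking content itself, and wording such as `The definition property contains the marking object itself (a statement or TLP marking), whose kind is given by definition_type.` would agree with the Statement and TLP class descriptions earlier in the hunk. Both that literal and the `marking_ref` one end with the stray text `@[en-US}`, which looks like a language tag typed into the literal value with mismatched brackets rather than applied as a tag; drop it from the text and, if the tag is wanted, set it as `xml:lang="en-US"` on the annotation element instead.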
diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl
new file mode 100644
index 0000000..53ae67f
--- /dev/null
+++ b/stix/meta-objects/extension-definition/extension-definition.owl
@@ -0,0 +1,87 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Extension Definition
+ The STIX Extension Definition object allows producers of threat intelligence to extend existing STIX objects or to create entirely new STIX objects in a standardized way. This object contains detailed information about the extension and any additional properties and or objects that it defines. This extension mechanism MUST NOT be used to redefine existing standardized objects or properties.
+
+
+
+ description
+ A detailed explanation of what data the extension conveys and how it is intended to be used. \n\n While the description property is optional this property SHOULD be populated. \n\n Note that the schema property is the normative definition of the extension, and this property, if present, is for documentation purposes only.
+
+
+
+
+ extension_properties
+ This property contains the list of new property names that are added to an object by an extension. \n\n This property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object.
+
+
+
+
+ extension_types
+ This property specifies one or more extension types contained within this extension. \n\n The values for this property MUST come from the extension-type-enum enumeration. \n\n When this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names.
+
+
+
+ schema
+ The normative definition of the extension, either as a URL or as plain text explaining the definition. \n\n A URL SHOULD point to a JSON schema or a location that contains information about the schema. \n\n NOTE: It is recommended that an external reference be provided to the comprehensive documentation of the extension-definition.
+
+
+
+
+ version
+ The version of this extension. Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern, MAJOR.MINOR.PATCH. This will allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning strings. \n\n As with all STIX Objects, changing a STIX extension definition could involve STIX versioning. See section 3.6.2 for more information on versioning an object versus creating a new one.
+
+
+
+
\ No newline at end of file
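Review bot: The `extension_types` description says its values MUST come from the extension-type-enum enumeration, but unlike `definition_type` and `tlp` in data-marking.owl, which list their allowed values (statement/tlp and amber/green/red/white) right after the description, nothing follows `extension_types` here as far as the stripped text shows, so a consumer reasoning over this ontology has nothing to validate the value against. If the enumeration is declared in vocabularies.owl, a sentence naming that file in the description would save the lookup; otherwise the individuals should be declared here in the same way data-marking.owl does it.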
diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl
new file mode 100644
index 0000000..2c46572
--- /dev/null
+++ b/stix/meta-objects/language-content/language-content.owl
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+]>
+
+
+
+
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Language Content
+ The Language Content object represents text content for STIX Objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. \n\n Language Content contains two important sets of properties: \n\n The object_ref and object_modified properties specify the target object that the language content applies to. \n\n For example, to provide additional language content for a Campaign, the object_ref property should be set to the id of the Campaign and the object_modified property set to its modified time. Most relationships in STIX are not specific to a particular version of a STIX object, but because language content provides the translation of specific text, the object_modified property is necessary to provide that specificity. \n\n The content property is a dictionary which maps to properties in the target object in order to provide a translation of them.
+
+
+
+ contents
+ The contents property contains the actual Language Content (translation). \n\n The keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. \n\n For each key in the nested dictionary: \n\n If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key. \n\n If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length. \n\n In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property. \n\n If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. \n\n The translation object MAY contain only a subset of the translatable fields of the original. Keys that point to non-translatable properties in the target or to properties that do not exist in the target object MUST be ignored.
+
+
+
+
+ object_modified
+ The object_modified property identifies the modified time of the object that this Language Content applies to. It MUST be an exact match for the modified time of the STIX Object being referenced.
+
+
+
+
+ object_ref
+ The object_ref property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object.
+
+
+
+
+ object_ref_string
+ The object_ref property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object.
+
+
+
+
\ No newline at end of file
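Review bot: The `object_ref_string` description (line after `object_ref_string`) repeats the `object_ref` text verbatim, including the property name, so it describes a property other than the one it annotates; change it to at least `The object_ref_string property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object.` The Language Content class description also refers to "The content property is a dictionary" while the property defined below it is `contents`; aligning the name avoids readers looking for a property this file does not define. The same verbatim-copy pattern appears on `sighting_of_ref_string` in the sighting hunk earlier in this diff, whose description still names `sighting_of_ref`.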
diff --git a/stix/stix.owl b/stix/stix.owl
new file mode 100644
index 0000000..321e9e4
--- /dev/null
+++ b/stix/stix.owl
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+
+]>
+
+
+
+ This ontology is the master ontology for the STIX 2.1.0. It imports all the various STIX ontologies files to create an unified ontology based on the various component ontologies that make up STIX.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2.1.0
+
+
+
\ No newline at end of file
diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl
new file mode 100644
index 0000000..adf4eb1
--- /dev/null
+++ b/stix/vocabularies/vocabularies.owl
@@ -0,0 +1,336 @@
+
+
+
+
+
+
+]>
+
+
+
+ STIX Vocabulary
+ Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25.
+ 2.1.0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tac/README.md b/tac/README.md
new file mode 100644
index 0000000..02af7ce
--- /dev/null
+++ b/tac/README.md
@@ -0,0 +1,19 @@
+# Threat Actor Context Technical Committee Repository
+
+The *OASIS Threat Actor Context Technical Committee* (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. The OASIS TAC-TC is a separate Technical Committee from the OASIS CTI-TC, it will *embrace and extend* the CTI-TC's release of the STIX 2.1 standard.
+
+This repositiory is for TAC-TC members to collaborate on the development of the ontologies necessary for supporting Threat Analysts to assert facts into a graph knowledgebase and formally reason over those facts.
+
+## TAC Semantic Graph Importing STIX Semantic Extension Graph (tac.owl)
+
+This third layer of representation will add the concepts of the TAC-TC members.
+
+1. tac.owl (main ontology)
+2. stix.owl (stix ontology)
+3. open-concepts.owl (consepts created outside of TAC TC. Not imported.)
+
+## Editing Style and Syntax Normalization
+
+Developers have their own preferences when in comes to ontology editors and writing styles.
+This causes dificulties in managing a common repository used by multiple ontology contributors.
+To resolve the problem, all ontology content submitted and persisted in the TAC ontology repository must be ***Normalized*** with a utility called the **RDF Toolkit**. This utility puts the submitted content into a standardized form. It removes any stylistic differences between contributors.
diff --git a/tac/candidate-concepts.owl b/tac/candidate-concepts.owl
new file mode 100644
index 0000000..c1726bc
--- /dev/null
+++ b/tac/candidate-concepts.owl
@@ -0,0 +1,295 @@
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ goal
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The outcome of the attacker activity
+ attack activity outcome
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml
new file mode 100644
index 0000000..4bc8c75
--- /dev/null
+++ b/tac/catalog-v001.xml
@@ -0,0 +1,59 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tac/tac-objects/adversary.owl b/tac/tac-objects/adversary.owl
new file mode 100644
index 0000000..1564e06
--- /dev/null
+++ b/tac/tac-objects/adversary.owl
@@ -0,0 +1,30 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+ There has been some ambiguity with respect to the differentiation of stix:IntrusionSet and stix:ThreatActor. They are different, and the tac:Adversary class is intended to clarify the differences.
+
+
+
\ No newline at end of file
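Review bot: The only annotation on tac:Adversary says the class "is intended to clarify the differences" between stix:IntrusionSet and stix:ThreatActor but never states what that distinction is or how tac:Adversary relates to either class, so the reader is left with exactly the ambiguity the comment mentions. Add a sentence giving the intended relation (whether tac:Adversary generalizes both classes or specializes one of them) and which STIX properties are expected to carry over, so consumers mapping STIX data know which class to instantiate.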
diff --git a/tac/tac-objects/tac-objects.owl b/tac/tac-objects/tac-objects.owl
new file mode 100644
index 0000000..4977e48
--- /dev/null
+++ b/tac/tac-objects/tac-objects.owl
@@ -0,0 +1,24 @@
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tac/tac-properties/tac-properties.owl b/tac/tac-properties/tac-properties.owl
new file mode 100644
index 0000000..084f495
--- /dev/null
+++ b/tac/tac-properties/tac-properties.owl
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tac/tac.owl b/tac/tac.owl
new file mode 100644
index 0000000..d5a616b
--- /dev/null
+++ b/tac/tac.owl
@@ -0,0 +1,37 @@
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+ Concepts that have been developed and approved at a committee level by the OASIS Threat Actor Context Technical Committee are called TAC TC concepts. TAC TC concepts are incorporated as import statements into the main tac.owl file and thus are part of the core ontology.
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml
new file mode 100644
index 0000000..b40bb11
--- /dev/null
+++ b/threat-agent-lib/catalog-v001.xml
@@ -0,0 +1,58 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl
new file mode 100644
index 0000000..4af7e67
--- /dev/null
+++ b/threat-agent-lib/ta-library.owl
@@ -0,0 +1,1319 @@
+
+
+
+
+
+
+
+
+]>
+
+
+
+ Intel authored the conceptual notions captured in this ontological representation. Intel retains the copyright on the original work, which was published in open format in the 2007 time frame. Tim Casey and Intel Corporation were the orignal sources that inspired the members of the OASIS TAC-TC to capture and expand it in a formal ontology langauge, W3C's Ontology Web Language (OWL). https://pdfs.semanticscholar.org/391e/70510353ba762fa1580a6d9c002eefd2d86b.pdf https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/understanding-cyberthreat-motivations-to-improve-defense-paper.pdf
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
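Review bot: The provenance annotation at the top of ta-library.owl has typos ("orignal", "langauge") and expands OWL as "Ontology Web Language", whereas the W3C name is "Web Ontology Language"; suggested wording: `Tim Casey and Intel Corporation were the original sources that inspired the members of the OASIS TAC-TC to capture and expand it in a formal ontology language, W3C's Web Ontology Language (OWL).` The two bare URLs appended to the sentence would be easier for tools and readers to use as separate `rdfs:seeAlso` annotations than as trailing text in the description. Since the annotation asserts that Intel retains copyright on the original work, the repository's licence notes should state that redistribution of this derived ontology is permitted, which the annotation itself does not say.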
diff --git a/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json b/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json
new file mode 100644
index 0000000..fc11ebe
--- /dev/null
+++ b/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json
@@ -0,0 +1,270 @@
+ "@context": {
+
+ "xsd": "http://www.w3.org/2001/XMLSchema#",
+ "stix-ns": "http://docs.oasis-open.org/cti/ns/stix#",
+ "adversary-ns": "http://docs.oasis-open.org/cti/ns/stix/adversary#",
+ "attack-ns": "http://attack.mitre.org/ns/attack#",
+ "identity-ns": "http://docs.oasis-open.org/cti/ns/stix/identity#",
+ "indicator-ns": "http://docs.oasis-open.org/cti/ns/stix/indicator#",
+ "malware-ns": "http://docs.oasis-open.org/cti/ns/stix/malware#",
+ "marking-ns": "http://docs.oasis-open.org/cti/ns/data-marking#",
+ "tool-ns": "http://docs.oasis-open.org/cti/ns/stix/tool#",
+ "relationship-ns": "http://docs.oasis-open.org/cti/ns/stix/relationship#",
+ "kb": "http://myKnowledgeGraph.com/kb#",
+ "@base": "http://myKnowledgeGraph.com/kb",
+
+ "objects": "@graph",
+ "id": "@id",
+ "type": "@type",
+
+ "threat-actor": "stix-ns:ThreatActor",
+ "intrusion-set": "stix-ns:IntrusionSet",
+ "indicator": "stix-ns:Indicator",
+ "identity": "stix-ns:Identity",
+ "malware": "stix-ns:Malware",
+ "report": "stix-ns:Report",
+ "tool": "stix-ns:Tool",
+ "relationship": "stix-ns:Relationship",
+ "attack-pattern": "stix-ns:AttackPattern",
+ "marking-definition": "marking-ns:MarkingDefinition",
+ "course-of-action": "stix-ns:CourseOfAction",
+
+ "aliases":{
+ "@id": "stix-ns:aliases",
+ "@type": "xsd:string"
+ },
+ "contact_information": {
+ "@id": "identity-ns:contact_information",
+ "@type": "xsd:string"
+ },
+ "created": {
+ "@id": "stix-ns:created",
+ "@type": "xsd:dateTime"
+ },
+ "description": {
+ "@id": "stix-ns:description",
+ "@type": "xsd:string"
+ },
+ "first_seen": {
+ "@id": "stix-ns:first_seen",
+ "@type": "xsd:dateTime"
+ },
+ "identity_class": {
+ "@id": "identity-ns:identity_class",
+ "@type": "xsd:string"
+ },
+ "is_family": {
+ "@id": "malware-ns:is_family",
+ "@type": "xsd:boolean"
+ },
+ "labels": {
+ "@id": "stix-ns:labels",
+ "@type": "xsd:string"
+ },
+ "last_seen": {
+ "@id": "stix-ns:last_seen",
+ "@type": "xsd:dateTime"
+ },
+ "malware_types": {
+ "@id": "malware-ns:malware_types",
+ "@type": "xsd:string"
+ },
+ "modified": {
+ "@id": "stix-ns:modified",
+ "@type": "xsd:dateTime"
+ },
+ "name": {
+ "@id": "stix-ns:name",
+ "@type": "xsd:string"
+ },
+ "pattern": {
+ "@id": "indicator-ns:pattern",
+ "@type": "xsd:string"
+ },
+ "pattern_type": {
+ "@id": "indicator-ns:pattern_type",
+ "@type": "xsd:string"
+ },
+ "primary_motivation":{
+ "@id": "adversary-ns:primary_motivation",
+ "@type": "xsd:string"
+ },
+ "relationship_type": {
+ "@id": "relationship-ns:relationship_type",
+ "@type": "xsd:string"
+ },
+ "resource_level": {
+ "@id": "adversary-ns:resource_level",
+ "@type": "xsd:string"
+ },
+ "roles": {
+ "@id": "adversary-ns:roles",
+ "@type": "xsd:string"
+ },
+ "sectors": {
+ "@id": "identity-ns:sectors",
+ "@type": "xsd:string"
+ },
+ "spec_version": {
+ "@id": "stix-ns:spec_version",
+ "@type": "xsd:string"
+ },
+ "threat_actor_types": {
+ "@id": "adversary-ns:threat_actor_types",
+ "@type": "xsd:string"
+ },
+ "tool_types": {
+ "@id": "tool-ns:tool_types",
+ "@type": "xsd:string"
+ },
+ "valid_from": {
+ "@id": "stix-ns:valid_from",
+ "@type": "xsd:dateTime"
+ },
+
+ "source_name": {
+ "@id": "stix-ns:source-name",
+ "@type": "xsd:string"
+ },
+ "url": {
+ "@id": "stix-ns:url",
+ "@type": "xsd:anyURI"
+ },
+ "external_id": {
+ "@id": "stix-ns:external_id",
+ "@type": "xsd:string"
+ },
+
+
+ "hashes": {
+ "@id": "stix-ns:hashes",
+ "@type": "@id"
+ },
+
+
+
+ "external_references": {
+ "@id": "stix-ns:external_references",
+ "@type": "@id"
+ },
+
+
+ "object_marking_refs": {
+ "@id": "marking-ns:object_marking_refs",
+ "@type": "@id"
+ },
+ "source_ref": {
+ "@id": "relationship-ns:source_ref",
+ "@type": "@id"
+ },
+ "target_ref": {
+ "@id": "relationship-ns:target_ref",
+ "@type": "@id"
+ },
+ "object_ref": {
+ "@id": "stix-ns:object_ref",
+ "@type": "@id"
+ },
+ "object_modified": {
+ "@id": "stix-ns:object_modified",
+ "@type": "xsd:dateTime"
+ },
+
+
+ "x_mitre_contents": {
+ "@id": "attack-ns:x_mitre_contents",
+ "@type": "stix-ns:StixObject"
+ },
+ "x_mitre_contributors": {
+ "@id": "attack-ns:x_mitre_contributors",
+ "@type": "xsd:string"
+ },
+ "x_mitre_modified_by_ref": {
+ "@id": "relationship-ns:x_mitre_modified_by_ref",
+ "@type": "@id"
+ },
+ "x_mitre_domains": {
+ "@id": "attack-ns:x_mitre_domains",
+ "@type": "xsd:string"
+ },
+ "x_mitre_detection": {
+ "@id": "attack-ns:x_mitre_detection",
+ "@type": "xsd:string"
+ },
+ "x_mitre_is_subtechnique": {
+ "@id": "attack-ns:x_mitre_is_subtechnique",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_platforms": {
+ "@id": "attack-ns:x_mitre_platforms",
+ "@type": "xsd:string"
+ },
+ "x_mitre_permissions_required": {
+ "@id": "attack-ns:x_mitre_permissions_required",
+ "@type": "xsd:string"
+ },
+ "x_mitre_data_sources": {
+ "@id": "attack-ns:x_mitre_data_sources",
+ "@type": "xsd:string"
+ },
+ "x_mitre_version": {
+ "@id": "attack-ns:x_mitre_version",
+ "@type": "xsd:string"
+ },
+ "x_mitre_attack_spec_version": {
+ "@id": "attack-ns:x_mitre_attack_spec_version",
+ "@type": "xsd:string"
+ },
+
+ "x-mitre-matrix": "attack-ns:Matrix",
+ "x-mitre-tactic": "attack-ns:Tactic",
+ "x-mitre-data-component": "attack-ns:DataComponent",
+ "x-mitre-data-source": "attack-ns:DataSource",
+
+ "x_mitre_data_source_ref": {
+ "@id": "attack-ns:x_mitre_data_source_ref",
+ "@type": "@id"
+ },
+ "tactic_refs": {
+ "@id": "attack-ns:tactic_refs",
+ "@type": "@id"
+ },
+ "x_mitre_collection_layers": {
+ "@id": "attack-ns:x_mitre_collection_layers",
+ "@type": "xsd:string"
+ },
+ "x_mitre_shortname": {
+ "@id": "attack-ns:x_mitre_shortname",
+ "@type": "xsd:string"
+ },
+ "x_mitre_deprecated": {
+ "@id": "attack-ns:x_mitre_deprecated",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_defense_bypassed": {
+ "@id": "attack-ns:x_mitre_defense_bypassed",
+ "@type": "xsd:string"
+ },
+ "x_mitre_effective_permissions": {
+ "@id": "attack-ns:x_mitre_effective_permissions",
+ "@type": "xsd:string"
+ },
+ "x_mitre_impact_type": {
+ "@id": "attack-ns:x_mitre_impact_type",
+ "@type": "xsd:string"
+ },
+ "x_mitre_network_requirements": {
+ "@id": "attack-ns:x_mitre_network_requirements",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_remote_support": {
+ "@id": "attack-ns:x_mitre_remote_support",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_system_requirements": {
+ "@id": "attack-ns:x_mitre_system_requirements",
+ "@type": "xsd:string"
+ }
+
+
+ },
\ No newline at end of file
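Review bot: `source_name` maps to `stix-ns:source-name` (hyphen), while every other term in this context uses the underscore form of the JSON key as the IRI local name (`stix-ns:external_id`, `stix-ns:object_ref`), so `source_name` values will land on an IRI that most likely does not match the ontology's property; change it to `"@id": "stix-ns:source_name"`. `x_mitre_contents` uses `"@type": "stix-ns:StixObject"`, which in a JSON-LD term definition is a datatype coercion and would type the values as literals of that datatype rather than as node references; `"@type": "@id"`, as used for the other `*_ref`/`*_refs` terms, is presumably what is intended. `x_mitre_modified_by_ref` is the only `x_mitre_*` term placed under `relationship-ns` instead of `attack-ns`, which looks like a copy-paste of the `source_ref` entry. The file also opens with `"@context": {` and closes with `},` with no enclosing object, so as committed it is not a parseable JSON-LD document on its own; if it is meant to be spliced into a bundle, say so in an adjacent README.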
diff --git a/utilities/sparql-anything/input/apt1.json b/utilities/sparql-anything/input/apt1.json
new file mode 100644
index 0000000..d3f235f
--- /dev/null
+++ b/utilities/sparql-anything/input/apt1.json
@@ -0,0 +1,1206 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
+ "objects": [
+ {
+ "type": "intrusion-set",
+ "spec_version": "2.1",
+ "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "APT1",
+ "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
+ "first_seen": "2006-06-01T18:13:15.684Z",
+ "resource_level": "government",
+ "primary_motivation": "organizational-gain",
+ "aliases": [
+ "Comment Crew",
+ "Comment Group",
+ "Shady Rat"
+ ]
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Ugly Gorilla",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "roles": [
+ "malware-author",
+ "agent",
+ "infrastructure-operator"
+ ],
+ "resource_level": "government",
+ "aliases": [
+ "Greenfield",
+ "JackWang",
+ "Wang Dong"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "DOTA",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent",
+ "infrastructure-operator"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "SuperHard",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "sophistication": "expert",
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "malware-author"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Communist Party of China",
+ "description": " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "sponsor",
+ "director"
+ ],
+ "aliases": [
+ "CPC"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Unit 61398",
+ "description": "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent"
+ ],
+ "aliases": [
+ "PLA GSD's 3rd Department, 2nd Bureau",
+ "Military Unit Cover Designator (MUCD) 61398"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--a9119a87-6576-46af-bfd7-4fbe55926671",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "JackWang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Wang Dong",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "dota",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "dota.d013@gmail.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Mei Qiang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "mei_qiang_82@sohu.com"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '223.166.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '58.246.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--2173d108-5714-42fd-8213-4f3790259fda",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '112.64.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '139.226.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN hugesoft.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'hugesoft.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN arrowservice.net",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'arrowservice.net']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN msnhome.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'msnhome.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b6b540-d838-41e2-853b-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b7035e-d838-41e2-8d38-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--2485b844-4efe-4343-84c8-eb33312dd56f",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "MANITSME",
+ "malware_types": [
+ "backdoor",
+ "dropper",
+ "remote-access-trojan"
+ ],
+ "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "WEBC2-UGX",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "WEBC2 Backdoor",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--33159b98-3264-4e10-a968-d67975b6272f",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HUC Packet Transmit Tool (HTRAN)",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": true,
+ "id": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "AURIGA",
+ "malware_types": [
+ "backdoor",
+ "keylogger"
+ ],
+ "description": "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "BANGAT",
+ "malware_types": [
+ "backdoor",
+ "keylogger"
+ ],
+ "description": "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc."
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--ce45f721-af14-4fc0-938c-000c16186418",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "cachedump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "This program extracts cached password hashes from a system’s registry.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "fgdump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Windows password hash dumper",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "fgdump",
+ "url": "http://www.foofus.net/fizzgig/fgdump/"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "gsecdump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "gsecdump",
+ "url": "http://www.truesec.se"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "lslsass",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dump active logon session password hashes from the lsass process",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "lslsass",
+ "url": "http://www.truesec.se"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "mimikatz",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "A utility primarily used for dumping password hashes",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mimikatz",
+ "url": "http://blog.gentilkiwi.com/mimikatz"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pass-the-hash toolkit",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "pass-the-hash toolkit",
+ "url": "http://oss.coresecurity.com/projects/pshtoolkit.htm"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pwdump7",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dumps password hashes from the Windows registry",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "pwdump7",
+ "url": "http://www.tarasco.org/security/pwdump_7/"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pwdumpX",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dumps password hashes from the Windows registry",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "GETMAIL",
+ "tool_types": [
+ "information-gathering"
+ ],
+ "description": "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "complete-mission"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--806a8f83-4913-4216-bb19-02b48ae25da5",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "MAPIGET",
+ "tool_types": [
+ "information-gathering"
+ ],
+ "description": "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "complete-mission"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Initial Compromise",
+ "description": "As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE.",
+ "external_references": [
+ {
+ "source_name": "capec",
+ "description": "spear phishing",
+ "external_id": "CAPEC-163"
+ }
+ ],
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "initial-compromise"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Establishing a Foothold",
+ "description": "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. 
When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Privilege Escalation",
+ "description": "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Internal Reconnaisance",
+ "description": "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "internal-recon"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Lateral Movement",
+ "description": "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe').",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "move-laterally"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Maintain Presence",
+ "description": "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "maintain-presence"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Completing the Mission",
+ "description": "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "complete-mission"
+ }
+ ]
+ },
+ {
+ "type": "report",
+ "spec_version": "2.1",
+ "id": "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "APT1: Exposing One of China's Cyber Espionage Units",
+ "report_types": [
+ "threat-report",
+ "threat-actor"
+ ],
+ "published": "2013-02-19T00:00:00.000000Z",
+ "description": "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the\textent of its involvement.' Now, three years later, we have the evidence required to change our assessment. The details\twe have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). 
In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.",
+ "object_refs": [
+ "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b",
+ "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49",
+ "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d",
+ "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767",
+ "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7",
+ "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4",
+ "identity--a9119a87-6576-46af-bfd7-4fbe55926671",
+ "identity--e88ab115-7768-4630-baa3-3d49a7d946ea",
+ "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca",
+ "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b",
+ "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
+ "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0",
+ "indicator--2173d108-5714-42fd-8213-4f3790259fda",
+ "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4",
+ "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba",
+ "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d",
+ "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e",
+ "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691",
+ "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190",
+ "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd",
+ "indicator--b3b6b540-d838-41e2-853b-005056c00008",
+ "indicator--b3b7035e-d838-41e2-8d38-005056c00008",
+ "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "malware--2485b844-4efe-4343-84c8-eb33312dd56f",
+ "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0",
+ "malware--0f01c5a3-f516-4450-9381-4dd9f2279411",
+ "malware--33159b98-3264-4e10-a968-d67975b6272f",
+ "malware--fb490cdb-6760-41eb-a79b-0b930a50c017",
+ "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca",
+ "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d",
+ "threat-actor--94624865-2709-443f-9b4c-2891985fd69b",
+ "tool--ce45f721-af14-4fc0-938c-000c16186418",
+ "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c",
+ "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2",
+ "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
+ "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa",
+ "tool--266b12f2-aa16-4607-809e-f2d33eebb52e",
+ "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48",
+ "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e",
+ "tool--806a8f83-4913-4216-bb19-02b48ae25da5",
+ "tool--98fd8dc1-6cc7-4908-899f-07473f55149a",
+ "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7",
+ "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c",
+ "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e",
+ "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0",
+ "relationship--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "relationship--71e6832f-17ee-42fd-938d-c7f881be2028",
+ "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3",
+ "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc",
+ "relationship--8668d82a-1c97-4bea-a367-e391b025e00e",
+ "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023",
+ "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3",
+ "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b",
+ "relationship--61f4fd3b-f581-4497-9149-e624c317287b",
+ "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d",
+ "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3",
+ "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc",
+ "relationship--81827b05-8c20-4247-b5d8-674295a1c611",
+ "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c",
+ "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8",
+ "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6",
+ "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28",
+ "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e",
+ "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d",
+ "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb",
+ "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4",
+ "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d",
+ "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1",
+ "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa",
+ "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01",
+ "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "target_ref": "malware--2485b844-4efe-4343-84c8-eb33312dd56f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "target_ref": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "target_ref": "identity--a9119a87-6576-46af-bfd7-4fbe55926671"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "target_ref": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "target_ref": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--71e6832f-17ee-42fd-938d-c7f881be2028",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "target_ref": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "target_ref": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "target_ref": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8668d82a-1c97-4bea-a367-e391b025e00e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "target_ref": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "target_ref": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "attributed-to",
+ "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49",
+ "target_ref": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--61f4fd3b-f581-4497-9149-e624c317287b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49",
+ "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
+ "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0",
+ "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--2173d108-5714-42fd-8213-4f3790259fda",
+ "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--81827b05-8c20-4247-b5d8-674295a1c611",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4",
+ "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--ce45f721-af14-4fc0-938c-000c16186418"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "target_ref": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4",
+ "target_ref": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "uses",
+ "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4",
+ "target_ref": "tool--806a8f83-4913-4216-bb19-02b48ae25da5"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba",
+ "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d",
+ "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e",
+ "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65"
+ }
+ ]
+}
diff --git a/utilities/sparql-anything/mappings/apt1.sparql b/utilities/sparql-anything/mappings/apt1.sparql
new file mode 100644
index 0000000..d7251ba
--- /dev/null
+++ b/utilities/sparql-anything/mappings/apt1.sparql
@@ -0,0 +1,173 @@
+PREFIX xyz:
+PREFIX rdf:
+PREFIX fx:
+PREFIX hohimer:
+PREFIX stix:
+PREFIX xsd:
+
+CONSTRUCT {
+
+
+ ?object_iri a ?stixType ;
+ stix:alias ?alias;
+ stix:id ?id;
+ stix:type ?type;
+ stix:spec_version ?spec_version;
+ stix:created ?dt_created;
+ stix:modified ?dt_modified;
+ stix:name ?name;
+ stix:description ?description;
+ stix:first_seen ?dt_first_seen;
+ stix:resource_level ?resource_level;
+ stix:primary_motivation ?primary_motivation;
+ stix:roles ?role_list;
+ stix:identity_class ?identity_class;
+ stix:sectors ?sector_list;
+# stix:contact_information ?contact_information_string;
+ stix:pattern_type ?pattern_type;
+ stix:pattern ?pattern;
+ stix:indicator_types ?indicator_list;
+ stix:valid_from ?dt_valid_from;
+ stix:kill_chain_phases ?chains;
+ stix:tool_types ?tool_types_list;
+ stix:relationship_type ?relationship_type;
+ stix:source_ref ?source_ref_iri;
+ stix:target_ref ?target_ref_iri;
+ .
+
+
+ ?object_iri stix:external_reference ?exref_iri .
+ ?exref_iri stix:source_name ?ex_ref_source_name .
+ ?exref_iri stix:url ?ex_ref_url .
+ ?exref_iri stix:description ?ex_ref_description .
+ ?exref_iri stix:external-id ?ex_ref_external_id .
+
+
+
+
+}
+WHERE {
+ SERVICE {
+ fx:properties fx:location "./apt1.json" .
+
+
+ # root array of objects
+ ?root xyz:objects ?objects .
+
+ # individual objects from the objects array
+ ?objects ?object_slot ?object .
+
+ # the type and id of the object
+ ?object xyz:type ?type .
+ ?object xyz:id ?id .
+
+
+ ### OPTIONAL ###
+ # aliases
+ OPTIONAL {
+ ?object xyz:aliases ?aliases .
+ ?aliases fx:anySlot ?alias .
+ }
+
+ # contact_information
+ OPTIONAL {?object xyz:contact_information ?contact_information .}
+ BIND(xsd:string(?contact_information) AS ?contact_information_string )
+
+ # created
+ OPTIONAL {?object xyz:created ?created . }
+
+ # description
+ OPTIONAL {?object xyz:description ?description . }
+
+ # external_references
+ OPTIONAL {
+ ?object xyz:external_references ?external_references .
+ ?external_references fx:anySlot ?external_reference .
+ ?external_reference xyz:source_name ?ex_ref_source_name .
+ OPTIONAL { ?external_reference xyz:description ?ex_ref_description . }
+ OPTIONAL { ?external_reference xyz:external_id ?ex_ref_external_id . }
+ OPTIONAL { ?external_reference xyz:url ?ex_ref_url . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#ExternalReference-", STRUUID() )) AS ?exref_iri ) .
+ }
+
+ # first_seen
+ OPTIONAL {?object xyz:first_seen ?first_seen . }
+
+ # identity_class
+ OPTIONAL {?object xyz:identity_class ?identity_class .}
+
+ # indicator_types
+ OPTIONAL {?object xyz:indicator_types ?indicator_types .
+ ?indicator_types ?indicator_slot ?indicator_list . }
+
+ # kill_chain_phases
+ OPTIONAL {?object xyz:kill_chain_phases ?kill_chain_phases .
+ ?kill_chain_phases ?kill_slot ?chain_list .
+ ?chain_list ?chain_slot ?chains .
+ }
+
+ # modified
+ OPTIONAL {?object xyz:modified ?modified . }
+
+ # name
+ OPTIONAL {?object xyz:name ?name . }
+
+ # pattern
+ OPTIONAL {?object xyz:pattern ?pattern . }
+
+ # pattern_type
+ OPTIONAL {?object xyz:pattern_type ?pattern_type . }
+
+ # primary_motivation
+ OPTIONAL {?object xyz:primary_motivation ?primary_motivation . }
+
+ # relationship_type
+ OPTIONAL {?object xyz:relationship_type ?relationship_type . }
+
+ # resource_level
+ OPTIONAL {?object xyz:resource_level ?resource_level . }
+
+ # roles
+ OPTIONAL {?object xyz:roles ?roles .
+ ?roles ?roles_slot ?role_list . }
+
+ # sectors
+ OPTIONAL {?object xyz:sectors ?sectors .
+ ?sectors ?sectors_slot ?sector_list . }
+
+ # source_ref
+ OPTIONAL {?object xyz:source_ref ?source_ref . }
+
+ # spec_version
+ OPTIONAL {?object xyz:spec_version ?spec_version . }
+
+ # target_ref
+ OPTIONAL {?object xyz:target_ref ?target_ref . }
+
+ # tool_types
+ OPTIONAL {?object xyz:tool_types ?tool_types .
+ ?tool_types ?tool_types_slot ?tool_types_list . }
+
+ # valid_from
+ OPTIONAL {?object xyz:valid_from ?valid_from . }
+
+ }
+
+
+ # Reformat dates to allow ingestion into xsd:dateTime
+ BIND(xsd:dateTime(?created) AS ?dt_created )
+ BIND(xsd:dateTime(?modified) AS ?dt_modified )
+ BIND(xsd:dateTime(?first_seen) AS ?dt_first_seen )
+ BIND(xsd:dateTime(?valid_from) AS ?dt_valid_from )
+
+
+ # Form the IRI for the stixBundle
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?id)) AS ?object_iri )
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?source_ref)) AS ?source_ref_iri )
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?target_ref)) AS ?target_ref_iri )
+
+ BIND( IF(?relationship_type = "uses", stix:uses, ?nothing ) AS ?relation_iri )
+
+ # Form the stix type of either stix:Bundle or stix:StixObject
+ BIND ((IF(?type = "bundle", IRI("http://docs.oasis-open.org/cti/ns/stix#Bundle"), IRI("http://docs.oasis-open.org/cti/ns/stix#StixObject"))) AS ?stixType )
+}
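Review bot: The object, source and target IRIs minted at lines 18635-18637 concatenate `?id`, `?source_ref` and `?target_ref` straight from the input bundle with no check that they follow the STIX identifier grammar (`type--uuid`), so a malformed or crafted id either becomes an arbitrary IRI under the namespace or, if IRI() rejects it, leaves `?object_iri` unbound and every triple for that object silently drops out of the CONSTRUCT result. A guard placed before those BINDs, e.g. `FILTER(REGEX(?id, "^[a-z0-9-]+--[0-9a-fA-F-]{36}$"))` (constructed pattern; tighten to the spec's identifier grammar), makes bad input fail visibly instead of vanishing. `?relation_iri` at line 18639 is bound from the never-declared `?nothing` and is not used anywhere in the CONSTRUCT, so it can go. The comment at line 18634 reads `# Form the IRI for the stixBundle` but the BIND mints an IRI for every object; `# Mint IRIs for the object and its source/target refs` would be accurate. All three points apply equally to the j2kb.sparql hunk below.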
diff --git a/utilities/sparql-anything/mappings/j2kb.sparql b/utilities/sparql-anything/mappings/j2kb.sparql
new file mode 100644
index 0000000..4469a42
--- /dev/null
+++ b/utilities/sparql-anything/mappings/j2kb.sparql
@@ -0,0 +1,238 @@
+PREFIX xyz:
+PREFIX rdf:
+PREFIX fx:
+PREFIX example:
+PREFIX owl:
+PREFIX stix:
+PREFIX xsd:
+
+CONSTRUCT {
+
+ ?object_iri a ?stixType ;
+ stix:id ?id;
+ stix:type ?type;
+
+ stix:alias ?alias;
+# stix:contact_information ?contact_information_string;
+ stix:created ?dt_created;
+ stix:description ?description;
+ stix:first_seen ?dt_first_seen;
+ stix:identity_class ?identity_class;
+ stix:kill_chain_phases ?chains;
+ stix:indicator_types ?indicator_list;
+ stix:malware_types ?malware_type;
+ stix:modified ?dt_modified;
+ stix:name ?name;
+ stix:resource_level ?resource_level;
+ stix:pattern_type ?pattern_type;
+ stix:pattern ?pattern;
+ stix:primary_motivation ?primary_motivation;
+ stix:relationship_type ?relationship_type;
+ stix:roles ?role_list;
+ stix:sectors ?sector_list;
+ stix:source_ref ?source_ref_iri;
+ stix:spec_version ?spec_version;
+ stix:target_ref ?target_ref_iri;
+ stix:tool_types ?tool_types_list;
+ stix:valid_from ?dt_valid_from;
+ .
+
+# ==========================
+
+ stix:id a owl:DatatypeProperty .
+ stix:type a owl:DatatypeProperty .
+
+ stix:alias a owl:DatatypeProperty .
+# stix:contact_information a owl:DatatypeProperty .
+ stix:created a owl:DatatypeProperty .
+ stix:description a owl:DatatypeProperty .
+ stix:first_seen a owl:DatatypeProperty .
+
+ stix:identity_class a owl:DatatypeProperty .
+ stix:kill_chain_phases a owl:DatatypeProperty .
+
+ stix:indicator_types a owl:DatatypeProperty .
+ stix:malware_types a owl:DatatypeProperty .
+ stix:modified a owl:DatatypeProperty .
+ stix:name a owl:DatatypeProperty .
+
+ stix:resource_level a owl:DatatypeProperty .
+
+ stix:pattern_type a owl:DatatypeProperty .
+ stix:pattern a owl:DatatypeProperty .
+ stix:primary_motivation a owl:DatatypeProperty .
+ stix:relationship_type a owl:DatatypeProperty .
+
+ stix:roles a owl:DatatypeProperty .
+ stix:sectors a owl:DatatypeProperty .
+
+ stix:source_ref a owl:ObjectProperty .
+ stix:spec_version a owl:DatatypeProperty .
+ stix:target_ref a owl:ObjectProperty .
+ stix:tool_types a owl:DatatypeProperty .
+ stix:valid_from a owl:DatatypeProperty .
+
+ stix:external_reference a owl:ObjectProperty .
+ stix:source_name a owl:DatatypeProperty .
+ stix:url a owl:DatatypeProperty .
+ stix:description a owl:DatatypeProperty .
+ stix:external-id a owl:DatatypeProperty .
+
+ stix:kill_chain_phase a owl:ObjectProperty .
+ stix:kill_chain_name a owl:DatatypeProperty .
+ stix:kill_chain_phase_name a owl:DatatypeProperty .
+
+# ==========================
+
+
+ ?object_iri stix:external_reference ?exref_iri .
+ ?exref_iri a stix:StixObject .
+ ?exref_iri stix:source_name ?ex_ref_source_name .
+ ?exref_iri stix:url ?ex_ref_url .
+ ?exref_iri stix:description ?ex_ref_description .
+ ?exref_iri stix:external-id ?ex_ref_external_id .
+
+ ?object_iri stix:kill_chain_phase ?kill_chain_phase_iri .
+ ?kill_chain_phase_iri a stix:StixObject .
+ ?kill_chain_phase_iri stix:kill_chain_name ?kill_name .
+ ?kill_chain_phase_iri stix:kill_chain_phase_name ?phase_name .
+
+
+
+}
+WHERE {
+ SERVICE {
+ fx:properties fx:location "./apt1.json" .
+
+
+ # root array of objects
+ ?root xyz:objects ?objects .
+
+ # individual objects from the objects array
+ ?objects ?object_slot ?object .
+
+ # the type and id of the object
+ ?object xyz:type ?type .
+ ?object xyz:id ?id .
+
+
+ ### OPTIONAL ###
+ # aliases
+ OPTIONAL {
+ ?object xyz:aliases ?aliases .
+ ?aliases fx:anySlot ?alias .
+ }
+
+ # contact_information
+ OPTIONAL {?object xyz:contact_information ?contact_information .}
+ BIND(xsd:string(?contact_information) AS ?contact_information_string )
+
+ # created
+ OPTIONAL {?object xyz:created ?created . }
+
+ # description
+ OPTIONAL {?object xyz:description ?description . }
+
+ # external_references
+ OPTIONAL {
+ ?object xyz:external_references ?external_references .
+ ?external_references fx:anySlot ?external_reference .
+ ?external_reference xyz:source_name ?ex_ref_source_name .
+ OPTIONAL { ?external_reference xyz:description ?ex_ref_description . }
+ OPTIONAL { ?external_reference xyz:external_id ?ex_ref_external_id . }
+ OPTIONAL { ?external_reference xyz:url ?ex_ref_url . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#ExternalReference-", STRUUID() )) AS ?exref_iri ) .
+ }
+
+ # first_seen
+ OPTIONAL {?object xyz:first_seen ?first_seen . }
+
+ # identity_class
+ OPTIONAL {?object xyz:identity_class ?identity_class .}
+
+ # indicator_types
+ OPTIONAL {?object xyz:indicator_types ?indicator_types .
+ ?indicator_types ?indicator_slot ?indicator_list . }
+
+ # kill_chain_phases
+ OPTIONAL {
+ ?object xyz:kill_chain_phases ?kill_chain_phases .
+ ?kill_chain_phases ?anySlot ?chain_list .
+ ?chain_list xyz:kill_chain_name ?kill_name .
+ OPTIONAL { ?chain_list xyz:phase_name ?phase_name . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#KillChainPhase-", STRUUID() )) AS ?kill_chain_phase_iri ) .
+ }
+
+ # malware_types
+ OPTIONAL {
+ ?object xyz:malware_types ?malware_types .
+ ?malware_types ?malware_types_slot ?malware_type .
+ }
+
+ # modified
+ OPTIONAL {?object xyz:modified ?modified . }
+
+ # name
+ OPTIONAL {?object xyz:name ?name . }
+
+ # pattern
+ OPTIONAL {?object xyz:pattern ?pattern . }
+
+ # pattern_type
+ OPTIONAL {?object xyz:pattern_type ?pattern_type . }
+
+ # primary_motivation
+ OPTIONAL {?object xyz:primary_motivation ?primary_motivation . }
+
+ # relationship_type
+ OPTIONAL {?object xyz:relationship_type ?relationship_type . }
+
+ # resource_level
+ OPTIONAL {?object xyz:resource_level ?resource_level . }
+
+ # roles
+ OPTIONAL {
+ ?object xyz:roles ?roles .
+ ?roles ?roles_slot ?role_list .
+ }
+
+ # sectors
+ OPTIONAL {?object xyz:sectors ?sectors .
+ ?sectors ?sectors_slot ?sector_list . }
+
+ # source_ref
+ OPTIONAL {?object xyz:source_ref ?source_ref . }
+
+ # spec_version
+ OPTIONAL {?object xyz:spec_version ?spec_version . }
+
+ # target_ref
+ OPTIONAL {?object xyz:target_ref ?target_ref . }
+
+ # tool_types
+ OPTIONAL {?object xyz:tool_types ?tool_types .
+ ?tool_types ?tool_types_slot ?tool_types_list . }
+
+ # valid_from
+ OPTIONAL {?object xyz:valid_from ?valid_from . }
+
+ }
+
+
+ # Reformat dates to allow ingestion into xsd:dateTime
+ BIND(xsd:dateTime(?created) AS ?dt_created )
+ BIND(xsd:dateTime(?modified) AS ?dt_modified )
+ BIND(xsd:dateTime(?first_seen) AS ?dt_first_seen )
+ BIND(xsd:dateTime(?valid_from) AS ?dt_valid_from )
+
+
+ # Form the IRI for the stixBundle
+ BIND(IRI(CONCAT("http://example/ns/", ?id)) AS ?object_iri )
+ BIND(IRI(CONCAT("http://example/ns/", ?source_ref)) AS ?source_ref_iri )
+ BIND(IRI(CONCAT("http://example/ns/", ?target_ref)) AS ?target_ref_iri )
+
+ BIND( IF(?relationship_type = "uses", stix:uses, ?nothing ) AS ?relation_iri )
+
+ # Form the stix type of either stix:Bundle or stix:StixObject
+ BIND ((IF(?type = "bundle", IRI("http://docs.oasis-open.org/cti/ns/stix#Bundle"), IRI("http://docs.oasis-open.org/cti/ns/stix#StixObject"))) AS ?stixType )
+}
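Review bot: Line 18809 walks the kill-chain array with a plain variable `?anySlot`, which matches every predicate of the array node rather than only its slot predicates, unlike the `fx:anySlot` used for aliases and external references at lines 18772 and 18788; if the array node carries any non-slot triple, `?chain_list` would bind to it and the inner patterns would fail quietly, so `?kill_chain_phases fx:anySlot ?chain_list .` keeps the three traversals consistent. The predicate `stix:external-id` (lines 18728, 18742) uses a hyphen while the source property read at line 18791 is `xyz:external_id` and every other predicate in the file uses underscores; `stix:external_id` avoids a second spelling of the same property in the graph. `stix:description a owl:DatatypeProperty .` is declared twice (lines 18697 and 18727); harmless in RDF but one of them should go. Line 18738 types each external reference as `stix:StixObject`, which presumably reflects the ontology's intent — worth confirming, since in STIX 2.1 external references are a common data type rather than an object with its own identity.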