From 5a5df727497b07bb91ac46bdd5619b015ce37622 Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer Date: Wed, 16 Aug 2023 15:24:03 -0700 Subject: [PATCH] updating issue-53-reference-implementation branch --- health-agent-lib/catalog-v001.xml | 10 +- knowledgebase-examples/apt1-bcc.ttl | 1347 +++++++++++++++++ knowledgebase-examples/catalog-v001.xml | 61 + .../hal-example.owl | 2 + .../tal-kb-example.owl | 0 stix/catalog-v001.xml | 196 ++- stix/catalog-v001.xml.huh | 101 ++ stix/catalog-v001.xml.save | 54 + stix/core-objects/common-properties.owl | 4 +- stix/core-objects/data-types.owl | 2 +- stix/core-objects/sco/artifact/artifact.owl | 12 + .../autonomus-system/autonomous-system.owl | 29 +- stix/core-objects/sco/directory/directory.owl | 28 +- .../sco/domain-name/domain-name.owl | 29 +- .../sco/email-address/email-address.owl | 31 +- .../sco/email-message/email-message.owl | 15 +- stix/core-objects/sco/file/file.owl | 12 + .../sdo/attack-pattern/attack-pattern.owl | 12 + stix/core-objects/sdo/campaign/campaign.owl | 12 + .../sdo/course-of-action/course-of-action.owl | 12 + stix/core-objects/sdo/grouping/grouping.owl | 12 + stix/core-objects/sdo/identity/identity.owl | 12 + stix/core-objects/sdo/incident/incident.owl | 12 + stix/core-objects/sdo/indicator/indicator.owl | 12 + .../sdo/infrastructure/infrastructure.owl | 12 + .../sdo/intrusion-set/intrusion-set.owl | 12 + stix/core-objects/sdo/location/location.owl | 12 + stix/core-objects/sdo/malware/malware.owl | 12 + stix/core-objects/sdo/note/note.owl | 12 + .../sdo/observed-data/observed-data.owl | 16 +- stix/core-objects/sdo/opinion/opinion.owl | 12 + stix/core-objects/sdo/report/report.owl | 12 + stix/core-objects/sdo/tool/tool.owl | 12 + .../sdo/vulnerability/vulnerability.owl | 12 + .../sro/relationship/relationship.owl | 52 +- stix/core-objects/sro/sighting/sighting.owl | 12 + stix/stix.owl | 2 + tac/catalog-v001.xml | 6 +- threat-agent-lib/catalog-v001.xml | 13 +- 39 files changed, 2049 insertions(+), 177 deletions(-) create mode 100644 knowledgebase-examples/apt1-bcc.ttl create mode 
100644 knowledgebase-examples/catalog-v001.xml rename {health-agent-lib => knowledgebase-examples}/hal-example.owl (89%) rename {threat-agent-lib => knowledgebase-examples}/tal-kb-example.owl (100%) create mode 100644 stix/catalog-v001.xml.huh create mode 100644 stix/catalog-v001.xml.save diff --git a/health-agent-lib/catalog-v001.xml b/health-agent-lib/catalog-v001.xml index 8cd5331..2d36ecd 100644 --- a/health-agent-lib/catalog-v001.xml +++ b/health-agent-lib/catalog-v001.xml @@ -4,7 +4,7 @@ - + @@ -50,12 +50,12 @@ - + - + - - + + diff --git a/knowledgebase-examples/apt1-bcc.ttl b/knowledgebase-examples/apt1-bcc.ttl new file mode 100644 index 0000000..80d6124 --- /dev/null +++ b/knowledgebase-examples/apt1-bcc.ttl 
@@ -0,0 +1,1347 @@
+@prefix example: .
+@prefix fx: .
+@prefix owl: .
+@prefix rdf: .
+@prefix rdfs: .
+@prefix stix: .
+@prefix xsd: .
+@prefix xyz: .
+
+stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763
+ a stix:StixObject ;
+ stix:source_name "lslsass" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3
+ a stix:StixObject ;
+ stix:source_name "pwdump7" ;
+ stix:url "http://www.tarasco.org/security/pwdump_7/" ;
+ .
+
+stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0
+ a stix:StixObject ;
+ stix:source_name "gsecdump" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6
+ a stix:StixObject ;
+ stix:description "spear phishing" ;
+ stix:external-id "CAPEC-163" ;
+ stix:source_name "capec" ;
+ .
+
+stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e
+ a stix:StixObject ;
+ stix:source_name "mimikatz" ;
+ stix:url "http://blog.gentilkiwi.com/mimikatz" ;
+ .
+
+stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57
+ a stix:StixObject ;
+ stix:source_name "pass-the-hash toolkit" ;
+ stix:url "http://oss.coresecurity.com/projects/pshtoolkit.htm" ;
+ .
+
+stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219
+ a stix:StixObject ;
+ stix:source_name "fgdump" ;
+ stix:url "http://www.foofus.net/fizzgig/fgdump/" ;
+ .
+
+stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "initial-compromise" ;
+ .
+
+stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "internal-recon" ;
+ .
+
+stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "move-laterally" ;
+ .
+
+stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "maintain-presence" ;
+ .
+
+stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:alias
+ a owl:DatatypeProperty ;
+ .
+
+stix:created
+ a owl:DatatypeProperty ;
+ .
+
+stix:description
+ a owl:DatatypeProperty ;
+ .
+
+stix:external-id
+ a owl:DatatypeProperty ;
+ .
+
+stix:external_reference
+ a owl:ObjectProperty ;
+ .
+
+stix:first_seen
+ a owl:DatatypeProperty ;
+ .
+
+stix:id
+ a owl:DatatypeProperty ;
+ .
+
+stix:identity_class
+ a owl:DatatypeProperty ;
+ .
+
+stix:indicator_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_phase
+ a owl:ObjectProperty ;
+ .
+
+stix:kill_chain_phase_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:kill_chain_phases
+ a owl:DatatypeProperty ;
+ .
+
+stix:malware_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:modified
+ a owl:DatatypeProperty ;
+ .
+
+stix:name
+ a owl:DatatypeProperty ;
+ .
+
+stix:pattern
+ a owl:DatatypeProperty ;
+ .
+
+stix:pattern_type
+ a owl:DatatypeProperty ;
+ .
+
+stix:primary_motivation
+ a owl:DatatypeProperty ;
+ .
+
+stix:relationship_type
+ a owl:DatatypeProperty ;
+ .
+
+stix:resource_level
+ a owl:DatatypeProperty ;
+ .
+
+stix:roles
+ a owl:DatatypeProperty ;
+ .
+
+stix:sectors
+ a owl:DatatypeProperty ;
+ .
+
+stix:source_name
+ a owl:DatatypeProperty ;
+ .
+
+stix:source_ref
+ a owl:ObjectProperty ;
+ .
+
+stix:spec_version
+ a owl:DatatypeProperty ;
+ .
+
+stix:target_ref
+ a owl:ObjectProperty ;
+ .
+
+stix:tool_types
+ a owl:DatatypeProperty ;
+ .
+
+stix:type
+ a owl:DatatypeProperty ;
+ .
+
+stix:url
+ a owl:DatatypeProperty ;
+ .
+
+stix:valid_from
+ a owl:DatatypeProperty ;
+ .
+
+example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. 
Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any." ;
+ stix:id "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4" ;
+ stix:kill_chain_phase stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Completing the Mission" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe')." ;
+ stix:id "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767" ;
+ stix:kill_chain_phase stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Lateral Movement" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. 
A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel." ;
+ stix:id "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49" ;
+ stix:kill_chain_phase stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Establishing a Foothold" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. 
APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE." ;
+ stix:external_reference stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6 ;
+ stix:id "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b" ;
+ stix:kill_chain_phase stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Initial Compromise" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process." ;
+ stix:id "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d" ;
+ stix:kill_chain_phase stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Internal Reconnaisance" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. 
APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals." ;
+ stix:id "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7" ;
+ stix:kill_chain_phase stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Maintain Presence" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials." ;
+ stix:id "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" ;
+ stix:kill_chain_phase stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Privilege Escalation" ;
+ stix:spec_version "2.1" ;
+ stix:type "attack-pattern" ;
+ .
+
+example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "dota" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--a9119a87-6576-46af-bfd7-4fbe55926671
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--a9119a87-6576-46af-bfd7-4fbe55926671" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "JackWang" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--e88ab115-7768-4630-baa3-3d49a7d946ea" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Wang Dong" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b" ;
+ stix:identity_class "individual" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Mei Qiang" ;
+ stix:sectors "government-national" ;
+ stix:spec_version "2.1" ;
+ stix:type "identity" ;
+ .
+
+example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '223.166.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN msnhome.org" ;
+ stix:pattern "[domain-name:value = 'msnhome.org']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'" ;
+ stix:pattern "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--2173d108-5714-42fd-8213-4f3790259fda
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--2173d108-5714-42fd-8213-4f3790259fda" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '112.64.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN hugesoft.org" ;
+ stix:pattern "[domain-name:value = 'hugesoft.org']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--745e1537-b4f3-49da-9f64-df6b1b5df190
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'" ;
+ stix:pattern "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "FQDN arrowservice.net" ;
+ stix:pattern "[domain-name:value = 'arrowservice.net']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '139.226.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'" ;
+ stix:pattern "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--b3b6b540-d838-41e2-853b-005056c00008
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." 
;
+ stix:id "indicator--b3b6b540-d838-41e2-853b-005056c00008" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'" ;
+ stix:pattern "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--b3b7035e-d838-41e2-8d38-005056c00008
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." ;
+ stix:id "indicator--b3b7035e-d838-41e2-8d38-005056c00008" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'" ;
+ stix:pattern "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Test description." 
;
+ stix:id "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0" ;
+ stix:indicator_types "malicious-activity" ;
+ stix:kill_chain_phase stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HTRAN Hop Point Accessor" ;
+ stix:pattern "[ipv4-addr:value = '58.246.0.0/15']" ;
+ stix:pattern_type "stix" ;
+ stix:spec_version "2.1" ;
+ stix:type "indicator" ;
+ stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ;
+ .
+
+example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a
+ a stix:StixObject ;
+ stix:alias
+ "Comment Crew" ,
+ "Comment Group" ,
+ "Shady Rat"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006." ;
+ stix:first_seen "2006-06-01T18:13:15.684Z"^^xsd:dateTime ;
+ stix:id "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "APT1" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:spec_version "2.1" ;
+ stix:type "intrusion-set" ;
+ .
+
+example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ;
+ stix:id "malware--0f01c5a3-f516-4450-9381-4dd9f2279411" ;
+ stix:kill_chain_phase stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "WEBC2 Backdoor" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--2485b844-4efe-4343-84c8-eb33312dd56f
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files." ;
+ stix:id "malware--2485b844-4efe-4343-84c8-eb33312dd56f" ;
+ stix:malware_types
+ "backdoor" ,
+ "dropper" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "MANITSME" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--33159b98-3264-4e10-a968-d67975b6272f
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point." ;
+ stix:id "malware--33159b98-3264-4e10-a968-d67975b6272f" ;
+ stix:kill_chain_phase stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887 ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "HUC Packet Transmit Tool (HTRAN)" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ;
+ stix:id "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0" ;
+ stix:malware_types
+ "backdoor" ,
+ "remote-access-trojan"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "WEBC2-UGX" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc." ;
+ stix:id "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca" ;
+ stix:malware_types
+ "backdoor" ,
+ "keylogger"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "BANGAT" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc." ;
+ stix:id "malware--fb490cdb-6760-41eb-a79b-0b930a50c017" ;
+ stix:malware_types
+ "backdoor" ,
+ "keylogger"
+ ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "AURIGA" ;
+ stix:spec_version "2.1" ;
+ stix:type "malware" ;
+ .
+
+example:relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--ce45f721-af14-4fc0-938c-000c16186418 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--806a8f83-4913-4216-bb19-02b48ae25da5 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--306ce398-f708-47f9-88a1-38aa5b9985fc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--2173d108-5714-42fd-8213-4f3790259fda ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--44686fda-311c-4cdb-abef-80e922e7a3fb
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--61f4fd3b-f581-4497-9149-e624c317287b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--61f4fd3b-f581-4497-9149-e624c317287b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--2485b844-4efe-4343-84c8-eb33312dd56f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--71e6832f-17ee-42fd-938d-c7f881be2028
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--71e6832f-17ee-42fd-938d-c7f881be2028" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--7cede760-b866-490e-ad5b-1df34bc14f8d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--81827b05-8c20-4247-b5d8-674295a1c611
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--81827b05-8c20-4247-b5d8-674295a1c611" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--8668d82a-1c97-4bea-a367-e391b025e00e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--8668d82a-1c97-4bea-a367-e391b025e00e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--d84cf283-93be-4ca7-890d-76c63eff3636
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--d84cf283-93be-4ca7-890d-76c63eff3636" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--a9119a87-6576-46af-bfd7-4fbe55926671 ;
+ stix:type "relationship" ;
+ .
+
+example:report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). 
We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the extent of its involvement.' Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. 
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate." ;
+ stix:id "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "APT1: Exposing One of China's Cyber Espionage Units" ;
+ stix:spec_version "2.1" ;
+ stix:type "report" ;
+ .
+
+example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21
+ a stix:StixObject ;
+ stix:alias
+ "Raith" ,
+ "Rodney" ,
+ "dota"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "SuperHard" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles "malware-author" ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65
+ a stix:StixObject ;
+ stix:alias
+ "Greenfield" ,
+ "JackWang" ,
+ "Wang Dong"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Ugly Gorilla" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "agent" ,
+ "infrastructure-operator" ,
+ "malware-author"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b
+ a stix:StixObject ;
+ stix:alias
+ "Military Unit Cover Designator (MUCD) 61398" ,
+ "PLA GSD's 3rd Department, 2nd Bureau"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence." ;
+ stix:id "threat-actor--94624865-2709-443f-9b4c-2891985fd69b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Unit 61398" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles "agent" ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d
+ a stix:StixObject ;
+ stix:alias "CPC" ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world." ;
+ stix:id "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Communist Party of China" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "director" ,
+ "sponsor"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636
+ a stix:StixObject ;
+ stix:alias
+ "Raith" ,
+ "Rodney" ,
+ "dota"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "DOTA" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "agent" ,
+ "infrastructure-operator"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets" ;
+ stix:external_reference stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0 ;
+ stix:id "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2" ;
+ stix:kill_chain_phase stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "gsecdump" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems" ;
+ stix:external_reference stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57 ;
+ stix:id "tool--266b12f2-aa16-4607-809e-f2d33eebb52e" ;
+ stix:kill_chain_phase stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pass-the-hash toolkit" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:id "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48" ;
+ stix:kill_chain_phase stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdumpX" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dump active logon session password hashes from the lsass process" ;
+ stix:external_reference stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763 ;
+ stix:id "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9" ;
+ stix:kill_chain_phase stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "lslsass" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A utility primarily used for dumping password hashes" ;
+ stix:external_reference stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e ;
+ stix:id "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa" ;
+ stix:kill_chain_phase stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "mimikatz" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--806a8f83-4913-4216-bb19-02b48ae25da5
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server." ;
+ stix:id "tool--806a8f83-4913-4216-bb19-02b48ae25da5" ;
+ stix:kill_chain_phase stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "MAPIGET" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+
+example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:external_reference stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3 ;
+ stix:id "tool--98fd8dc1-6cc7-4908-899f-07473f55149a" ;
+ stix:kill_chain_phase stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdump7" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files." ;
+ stix:id "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e" ;
+ stix:kill_chain_phase stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "GETMAIL" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+ +example:tool--ce45f721-af14-4fc0-938c-000c16186418 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "This program extracts cached password hashes from a system’s registry." ; + stix:id "tool--ce45f721-af14-4fc0-938c-000c16186418" ; + stix:kill_chain_phase stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "cachedump" ; + stix:spec_version "2.1" ; + stix:tool_types "credential-exploitation" ; + stix:type "tool" ; + . + +example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Windows password hash dumper" ; + stix:external_reference stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219 ; + stix:id "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c" ; + stix:kill_chain_phase stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "fgdump" ; + stix:spec_version "2.1" ; + stix:tool_types "credential-exploitation" ; + stix:type "tool" ; + . + diff --git a/knowledgebase-examples/catalog-v001.xml b/knowledgebase-examples/catalog-v001.xml new file mode 100644 index 0000000..06713e3 --- /dev/null +++ b/knowledgebase-examples/catalog-v001.xml @@ -0,0 +1,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/health-agent-lib/hal-example.owl b/knowledgebase-examples/hal-example.owl similarity index 89% rename from health-agent-lib/hal-example.owl rename to knowledgebase-examples/hal-example.owl index 43c7574..9ca0bd5 100644 --- a/health-agent-lib/hal-example.owl +++ b/knowledgebase-examples/hal-example.owl @@ -21,7 +21,9 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> + + \ No newline at end of file 
diff --git a/threat-agent-lib/tal-kb-example.owl b/knowledgebase-examples/tal-kb-example.owl similarity index 100% rename from threat-agent-lib/tal-kb-example.owl rename to knowledgebase-examples/tal-kb-example.owl diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index 1388af9..1268d81 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -1,108 +1,98 @@ - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -<<<<<<< HEAD - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -======= - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->>>>>>> 3b01ca5466b08dffd52abcbd6cc1aa73bcd136eb + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/catalog-v001.xml.huh b/stix/catalog-v001.xml.huh new file mode 100644 index 0000000..f518c20 --- /dev/null +++ b/stix/catalog-v001.xml.huh @@ -0,0 +1,101 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/catalog-v001.xml.save b/stix/catalog-v001.xml.save new file mode 100644 index 0000000..7ffab8e --- /dev/null +++ b/stix/catalog-v001.xml.save @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index 747d276..71488eb 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -15,8 +15,8 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - - + + 2.1.0 diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 4984037..afb574c 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl 
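Review bot: The removed side of the stix/catalog-v001.xml hunk still carries `<<<<<<< HEAD`, `=======` and `>>>>>>> 3b01ca54…` markers, so an unresolved merge conflict had previously been committed into the Protégé import catalog; a pre-commit `check-merge-conflict` hook or `git diff --check` in CI would stop that class of mistake from landing again. The resolved catalog is also ten lines shorter than the conflicted one (108 → 98) and the element text is not visible in this view, so it is worth confirming by hand that every `<uri name="…" uri="…"/>` mapping present on either side of the conflict survived — in particular any mapping needed by the two new import lines the diffstat shows for stix/stix.owl, since a dropped mapping only surfaces as an unresolved-import error when the ontology is next loaded.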
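Review bot: `stix/catalog-v001.xml.huh` and `stix/catalog-v001.xml.save` look like scratch and editor-backup copies of `stix/catalog-v001.xml` (`.save` is the suffix nano writes when it cannot overwrite a file), added here as 101 and 54 lines of stale catalog mappings that Protégé will never read. They should be dropped from this commit rather than shipped on the reference-implementation branch, and `*.save` added to `.gitignore`, so that a stale set of import mappings cannot be mistaken for the live catalog during the next conflict resolution.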
@@ -15,7 +15,7 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - + 2.1.0 diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index a70e6ca..355d504 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl @@ -60,6 +60,18 @@ Artifact The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. + + + + + + + + artifact + + + + diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl index cfccd32..495093e 100644 --- a/stix/core-objects/sco/autonomus-system/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl @@ -7,6 +7,7 @@ ]> - AutonomousSystem - This object represents the properties of an Autonomous System (AS). + AutonomousSystem + This object represents the properties of an Autonomous System (AS). + + + + + + + + autonomous-system + + + + - name - Specifies the name of the AS. + name + Specifies the name of the AS. - number - Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). + number + Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). - rir - Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. + rir + Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl index 94b8795..71bff94 100644 --- a/stix/core-objects/sco/directory/directory.owl +++ b/stix/core-objects/sco/directory/directory.owl @@ -7,6 +7,7 @@ ]> - 
@@ -65,7 +65,19 @@ Directory Object - The Directory object represents the properties common to a file system directory. + The Directory object represents the properties common to a file system directory. + + + + + + + + directory + + + + @@ -80,10 +92,10 @@ - - + + @@ -108,14 +120,14 @@ - path - Specifies the path, as originally observed, to the directory on the file system. + path + Specifies the path, as originally observed, to the directory on the file system. - path_enc - Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. + path_enc + Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl index 5188abb..f568524 100644 --- a/stix/core-objects/sco/domain-name/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -7,6 +7,7 @@ ]> - - 
@@ -42,13 +41,25 @@ - Domain Name - The Domain Name object represents the properties of a network domain name. + Domain Name + The Domain Name object represents the properties of a network domain name. + + + + + + + + domain-name + + + + - resolved_to_refs - Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + resolved_to_refs + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). @@ -64,13 +75,13 @@ - resolved_to_refs_id - Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + resolved_to_refs_id + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). - value + value Specifies the value of the domain name. The value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890]. diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl index 04caaa4..db405b0 100644 --- a/stix/core-objects/sco/email-address/email-address.owl +++ b/stix/core-objects/sco/email-address/email-address.owl @@ -4,13 +4,16 @@ + ]> 
@@ -45,25 +48,37 @@ - Email Address Object - The Email Address object represents a single email address. + Email Address Object + The Email Address object represents a single email address. + + + + + + + + email-addr + + + + - belongs_to_ref - Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. + belongs_to_ref + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. - belongs_to_ref_id - Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. + belongs_to_ref_id + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. - display_name - Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. + display_name + Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index a774ca8..4fed757 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -4,6 +4,7 @@ + ]> 
@@ -153,6 +155,18 @@ EmailMessage The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. + + + + + + + + email-message + + + + @@ -166,7 +180,6 @@ - diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 361078a..8e617f0 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -167,6 +167,18 @@ File The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + + + + + + file + + + + diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 2bfb353..48fe548 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl 
@@ -41,6 +41,18 @@ Attack Pattern Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + + + + + + + attack-pattern + + + + diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl index 0c980d6..b5dea58 100644 --- a/stix/core-objects/sdo/campaign/campaign.owl +++ b/stix/core-objects/sdo/campaign/campaign.owl 
@@ -59,6 +59,18 @@ Campaign A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + + + + + + + + campaign + + + + diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl index ebb2410..bca51dd 100644 --- a/stix/core-objects/sdo/course-of-action/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl 
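Review bot: The Campaign description shown as context directly above the inserted block ends with a duplicated fragment, `...merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.`, which is a copy-paste remnant this hunk leaves in place. Since the new lines sit immediately below it, trimming the comment to end at `another bank.` would be a cheap fix in the same change. The element markup is not visible in this rendering, so I am reading the text from the stripped context line.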
@@ -35,6 +35,18 @@ Course Of Action Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action. + + + + + + + + course-of-action + + + + diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 8bbc213..07a2038 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl 
@@ -54,6 +54,18 @@ Grouping A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping. + + + + + + + + grouping + + + + diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index f61d405..589548a 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -60,6 +60,18 @@ Identity Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. + + + + + + + + identity + + + + diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 367a7ca..039face 100644 
--- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl @@ -35,6 +35,18 @@ Incident Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3. + + + + + + + + incident + + + + diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index 60dc5aa..90aa05f 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -72,6 +72,18 @@ Indicator Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + + + + + + + + indicator + + + + diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index 9335734..594e729 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
@@ -60,6 +60,18 @@ Infrastructure The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. + + + + + + + + infrastructure + + + + diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index bb534fd..ce0a2c4 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl 
@@ -84,6 +84,18 @@ Intrusion Set An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. + + + + + + + + intrusion-set + + + + diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index 839c1e7..9c36142 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl 
@@ -90,6 +90,18 @@ Location A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. + + + + + + + + location + + + + 
diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index d0c6849..5b693d1 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -118,6 +118,18 @@ Malware Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + + + + + + + + malware + + + + diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index c38b28e..0ae41ba 100644 --- a/stix/core-objects/sdo/note/note.owl 
+++ b/stix/core-objects/sdo/note/note.owl @@ -47,6 +47,18 @@ Note A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + + + + + + + + note + + + + diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl index 46b9325..5cc1a25 100644 --- a/stix/core-objects/sdo/observed-data/observed-data.owl +++ b/stix/core-objects/sdo/observed-data/observed-data.owl @@ -42,7 +42,6 @@ - 
@@ -60,6 +59,18 @@ Observed Data Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. 
The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time. + + + + + + + + observed-data + + + + @@ -92,5 +103,8 @@ A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index d2d0e75..1380622 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl +++ b/stix/core-objects/sdo/opinion/opinion.owl 
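Review bot: The three lines appended at the end of observed-data.owl (hunk `@@ -92,5 +103,8 @@`) leave the file without a trailing newline, as the `\ No newline at end of file` marker shows; the renamed knowledgebase-examples/hal-example.owl in this commit has the same marker. Both will show up as a spurious last-line change in every future diff, so ending each file with a newline now is worth it.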
@@ -42,6 +42,18 @@ Opinion An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + + + + + + + + opinion + + + + diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index a757836..e4140e3 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -54,6 +54,18 @@ Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. + + + + + + + + report + + + + 
diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index 66d550b..7063928 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -57,6 +57,18 @@ Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. + + + + + + + + tool + + + + diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index c34cf19..8e330a3 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl 
@@ -35,6 +35,18 @@ Vulnerability A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. + + + + + + + + vulnerability + + + + diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index 7355401..e7ff103 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl @@ -4,13 +4,16 @@ + ]> @@ -36,7 +39,6 @@ - @@ -61,7 +63,6 @@ - 
@@ -71,32 +72,42 @@ - Relationship - The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. + Relationship + The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. 
If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. + + + + + + + + relationship + + + + - description - A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. 
+ description + A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. - relationship_type - The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). + relationship_type + The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). - source_ref - The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - - + source_ref + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - source_ref_string - The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + source_ref_string + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). 
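Review bot: source_ref and source_ref_string carry the same rdfs:comment in this hunk, so a reader cannot tell the literal-valued property apart from the object-reference one; the comment on source_ref_string should say what distinguishes it, e.g. `The STIX identifier of the source (from) object as a literal string; use source_ref when the referenced object is itself present in the graph.` The relationship_type comment states the a-z/0-9/hyphen restriction only in prose; if the property's datatype is a plain string (the element markup around it is not visible here), a datatype restriction with xsd:pattern `[a-z0-9-]+` would make the constraint machine-checkable instead of trusted from the producer. The two removed lines after source_ref appear to drop a declaration from the old side; if that was the range, the "MUST be an ID reference to an SDO or SCO" rule is now documentation only and should be noted as such in the comment.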
@@ -113,16 +124,17 @@ - target_ref - The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - - + target_ref + The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - target_ref_id - The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + target_ref_id + The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + + + \ No newline at end of file diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index cced023..36e3ebe 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl 
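Review bot: The literal-valued mirror of target_ref is named target_ref_id while the source-side counterpart in the preceding hunk is source_ref_string; the two should share one suffix (rename to `target_ref_string`, or the source one to `source_ref_id`) before this vocabulary is used in knowledgebases, since renaming an OWL property IRI afterwards breaks every existing triple that uses it. Its rdfs:comment is also a verbatim copy of target_ref's, so it should state the distinction, e.g. `The STIX identifier of the target (to) object as a literal string; use target_ref when the referenced object is itself present in the graph.` The two removed lines after target_ref are not visible in this view; if they were the range declaration, the SDO/SCO-only constraint on the target is now prose only.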
@@ -92,6 +92,18 @@ Sighting A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + + + + + + + + sighting + + + + diff --git a/stix/stix.owl b/stix/stix.owl index 8c33fd4..321e9e4 100644 --- a/stix/stix.owl +++ b/stix/stix.owl @@ -4,6 +4,7 @@ + ]> diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml index b264c66..4bc8c75 100644 --- a/tac/catalog-v001.xml +++ b/tac/catalog-v001.xml @@ -2,7 +2,7 @@ - + @@ -45,10 +45,10 @@ - + - + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index daf6df5..61f2f36 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -2,7 +2,7 @@ - + @@ -48,15 +48,12 @@ - + - + - - - - - + +