diff --git a/health-agent-lib/catalog-v001.xml b/health-agent-lib/catalog-v001.xml new file mode 100644 index 0000000..8cd5331 --- /dev/null +++ b/health-agent-lib/catalog-v001.xml @@ -0,0 +1,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/health-agent-lib/hal-example.owl b/health-agent-lib/hal-example.owl new file mode 100644 index 0000000..43c7574 --- /dev/null +++ b/health-agent-lib/hal-example.owl @@ -0,0 +1,27 @@ + + + + + + + + + +]> + + + + + + + \ No newline at end of file diff --git a/health-agent-lib/hal-library.owl b/health-agent-lib/hal-library.owl new file mode 100644 index 0000000..9620e5b --- /dev/null +++ b/health-agent-lib/hal-library.owl @@ -0,0 +1,63 @@ + + + + + + + + + +]> + + + + The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 0d0a1d8..daf6df5 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,8 +53,10 @@ - - - + + + + + diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl index 07f47f2..2f3218a 100644 --- a/threat-agent-lib/ta-library.owl +++ b/threat-agent-lib/ta-library.owl @@ -161,18 +161,38 @@ - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -193,6 +213,10 @@ + + + + diff --git a/utilities/json-dl-contexts/tac-kb-example.owl b/utilities/json-dl-contexts/tac-kb-example.owl deleted file mode 100644 index 74d7e47..0000000 --- a/utilities/json-dl-contexts/tac-kb-example.owl +++ /dev/null 
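Review bot: The descriptive text in hal-library.owl, `The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com`, has a grammatical slip ("is and extending") that will be carried into every tool that renders the ontology's annotation; suggest `The Health Care Threat Actor Library is an extension of the Threat Agent Library from Intel.com`. The enclosing RDF/OWL element around this text is not visible in this view, so its exact placement cannot be confirmed here.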
@@ -1,23 +0,0 @@ - - - - - - -]> - - - - The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. - - - - - \ No newline at end of file diff --git a/utilities/sparql-anything/input/apt1.json b/utilities/sparql-anything/input/apt1.json new file mode 100644 index 0000000..d3f235f --- /dev/null +++ b/utilities/sparql-anything/input/apt1.json 
@@ -0,0 +1,1206 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
+ "objects": [
+ {
+ "type": "intrusion-set",
+ "spec_version": "2.1",
+ "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "APT1",
+ "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
+ "first_seen": "2006-06-01T18:13:15.684Z",
+ "resource_level": "government",
+ "primary_motivation": "organizational-gain",
+ "aliases": [
+ "Comment Crew",
+ "Comment Group",
+ "Shady Rat"
+ ]
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Ugly Gorilla",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "roles": [
+ "malware-author",
+ "agent",
+ "infrastructure-operator"
+ ],
+ "resource_level": "government",
+ "aliases": [
+ "Greenfield",
+ "JackWang",
+ "Wang Dong"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "DOTA",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent",
+ "infrastructure-operator"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "SuperHard",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "sophistication": "expert",
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "malware-author"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Communist Party of China",
+ "description": " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "sponsor",
+ "director"
+ ],
+ "aliases": [
+ "CPC"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Unit 61398",
+ "description": "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent"
+ ],
+ "aliases": [
+ "PLA GSD's 3rd Department, 2nd Bureau",
+ "Military Unit Cover Designator (MUCD) 61398"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--a9119a87-6576-46af-bfd7-4fbe55926671",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "JackWang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Wang Dong",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "dota",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "dota.d013@gmail.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Mei Qiang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "mei_qiang_82@sohu.com"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '223.166.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '58.246.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--2173d108-5714-42fd-8213-4f3790259fda",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '112.64.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '139.226.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN hugesoft.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'hugesoft.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN arrowservice.net",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'arrowservice.net']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN msnhome.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'msnhome.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b6b540-d838-41e2-853b-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b7035e-d838-41e2-8d38-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--2485b844-4efe-4343-84c8-eb33312dd56f",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "MANITSME",
+ "malware_types": [
+ "backdoor",
+ "dropper",
+ "remote-access-trojan"
+ ],
+ "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files."
+ }, + { + "type": "malware", + "spec_version": "2.1", + "is_family": false, + "id": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "WEBC2-UGX", + "malware_types": [ + "backdoor", + "remote-access-trojan" + ], + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." + }, + { + "type": "malware", + "spec_version": "2.1", + "is_family": false, + "id": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "WEBC2 Backdoor", + "malware_types": [ + "backdoor", + "remote-access-trojan" + ], + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "establish-foothold" + } + ] + }, + { + "type": "malware", + "spec_version": "2.1", + "is_family": false, + "id": "malware--33159b98-3264-4e10-a968-d67975b6272f", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "HUC Packet Transmit Tool (HTRAN)", + "malware_types": [ + "backdoor", + "remote-access-trojan" + ], + "description": "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. 
We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "establish-foothold" + } + ] + }, + { + "type": "malware", + "spec_version": "2.1", + "is_family": true, + "id": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "AURIGA", + "malware_types": [ + "backdoor", + "keylogger" + ], + "description": "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc." + }, + { + "type": "malware", + "spec_version": "2.1", + "is_family": false, + "id": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "BANGAT", + "malware_types": [ + "backdoor", + "keylogger" + ], + "description": "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc." 
+ }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--ce45f721-af14-4fc0-938c-000c16186418", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "cachedump", + "tool_types": [ + "credential-exploitation" + ], + "description": "This program extracts cached password hashes from a system’s registry.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "fgdump", + "tool_types": [ + "credential-exploitation" + ], + "description": "Windows password hash dumper", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ + { + "source_name": "fgdump", + "url": "http://www.foofus.net/fizzgig/fgdump/" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "gsecdump", + "tool_types": [ + "credential-exploitation" + ], + "description": "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ + { + "source_name": "gsecdump", + "url": "http://www.truesec.se" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "lslsass", + "tool_types": [ + "credential-exploitation" + ], + "description": "Dump active logon session password hashes from 
the lsass process", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ + { + "source_name": "lslsass", + "url": "http://www.truesec.se" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "mimikatz", + "tool_types": [ + "credential-exploitation" + ], + "description": "A utility primarily used for dumping password hashes", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ + { + "source_name": "mimikatz", + "url": "http://blog.gentilkiwi.com/mimikatz" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "pass-the-hash toolkit", + "tool_types": [ + "credential-exploitation" + ], + "description": "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ + { + "source_name": "pass-the-hash toolkit", + "url": "http://oss.coresecurity.com/projects/pshtoolkit.htm" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "pwdump7", + "tool_types": [ + "credential-exploitation" + ], + "description": "Dumps password hashes from the Windows registry", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ], + "external_references": [ 
+ { + "source_name": "pwdump7", + "url": "http://www.tarasco.org/security/pwdump_7/" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "pwdumpX", + "tool_types": [ + "credential-exploitation" + ], + "description": "Dumps password hashes from the Windows registry", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "GETMAIL", + "tool_types": [ + "information-gathering" + ], + "description": "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "complete-mission" + } + ] + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--806a8f83-4913-4216-bb19-02b48ae25da5", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "MAPIGET", + "tool_types": [ + "information-gathering" + ], + "description": "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "complete-mission" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Initial Compromise", + "description": "As with most other APT groups, spear phishing is APT1’s most commonly used technique. 
The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE.", + "external_references": [ + { + "source_name": "capec", + "description": "spear phishing", + "external_id": "CAPEC-163" + } + ], + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "initial-compromise" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Establishing a Foothold", + "description": "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. 
A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "establish-foothold" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Privilege Escalation", + "description": "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. 
APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "escalate-privileges" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Internal Reconnaisance", + "description": "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "internal-recon" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Lateral Movement", + "description": "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. 
They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe').", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "move-laterally" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Maintain Presence", + "description": "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "maintain-presence" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Completing the Mission", + "description": "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. 
Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "complete-mission" + } + ] + }, + { + "type": "report", + "spec_version": "2.1", + "id": "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "APT1: Exposing One of China's Cyber Espionage Units", + "report_types": [ + "threat-report", + "threat-actor" + ], + "published": "2013-02-19T00:00:00.000000Z", + "description": "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the\textent of its involvement.' 
Now, three years later, we have the evidence required to change our assessment. The details\twe have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. 
In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.", + "object_refs": [ + "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b", + "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d", + "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767", + "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7", + "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "identity--a9119a87-6576-46af-bfd7-4fbe55926671", + "identity--e88ab115-7768-4630-baa3-3d49a7d946ea", + "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca", + "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b", + "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5", + "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0", + "indicator--2173d108-5714-42fd-8213-4f3790259fda", + "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4", + "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba", + "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d", + "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e", + "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691", + "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190", + "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd", + "indicator--b3b6b540-d838-41e2-853b-005056c00008", + "indicator--b3b7035e-d838-41e2-8d38-005056c00008", + "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "malware--2485b844-4efe-4343-84c8-eb33312dd56f", + "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0", + "malware--0f01c5a3-f516-4450-9381-4dd9f2279411", + "malware--33159b98-3264-4e10-a968-d67975b6272f", + "malware--fb490cdb-6760-41eb-a79b-0b930a50c017", + "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca", + "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + 
"threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636", + "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d", + "threat-actor--94624865-2709-443f-9b4c-2891985fd69b", + "tool--ce45f721-af14-4fc0-938c-000c16186418", + "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c", + "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2", + "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", + "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa", + "tool--266b12f2-aa16-4607-809e-f2d33eebb52e", + "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48", + "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e", + "tool--806a8f83-4913-4216-bb19-02b48ae25da5", + "tool--98fd8dc1-6cc7-4908-899f-07473f55149a", + "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7", + "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c", + "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e", + "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0", + "relationship--d84cf283-93be-4ca7-890d-76c63eff3636", + "relationship--71e6832f-17ee-42fd-938d-c7f881be2028", + "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3", + "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc", + "relationship--8668d82a-1c97-4bea-a367-e391b025e00e", + "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023", + "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3", + "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b", + "relationship--61f4fd3b-f581-4497-9149-e624c317287b", + "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d", + "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3", + "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc", + "relationship--81827b05-8c20-4247-b5d8-674295a1c611", + "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c", + "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8", + "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6", + "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28", + "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e", + "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d", + 
"relationship--44686fda-311c-4cdb-abef-80e922e7a3fb", + "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4", + "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d", + "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1", + "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa", + "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01", + "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "malware--2485b844-4efe-4343-84c8-eb33312dd56f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "identity--a9119a87-6576-46af-bfd7-4fbe55926671" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": 
"relationship--d84cf283-93be-4ca7-890d-76c63eff3636", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636", + "target_ref": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--71e6832f-17ee-42fd-938d-c7f881be2028", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--8668d82a-1c97-4bea-a367-e391b025e00e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023", + "created": "2015-05-15T09:12:16.432Z", + "modified": 
"2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "target_ref": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--61f4fd3b-f581-4497-9149-e624c317287b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": 
"indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--2173d108-5714-42fd-8213-4f3790259fda", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--81827b05-8c20-4247-b5d8-674295a1c611", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--ce45f721-af14-4fc0-938c-000c16186418" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2" + }, + { + "type": 
"relationship", + "spec_version": "2.1", + "id": "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d", + "created": "2015-05-15T09:12:16.432Z", + 
"modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "target_ref": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "target_ref": "tool--806a8f83-4913-4216-bb19-02b48ae25da5" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + } + ] +} diff --git a/utilities/sparql-anything/apt1.sparql b/utilities/sparql-anything/mappings/apt1.sparql similarity index 100% rename from utilities/sparql-anything/apt1.sparql rename to utilities/sparql-anything/mappings/apt1.sparql 
diff --git a/utilities/sparql-anything/mappings/j2kb.sparql b/utilities/sparql-anything/mappings/j2kb.sparql new file mode 100644 index 0000000..4469a42 --- /dev/null +++ b/utilities/sparql-anything/mappings/j2kb.sparql 
@@ -0,0 +1,238 @@ +PREFIX xyz: +PREFIX rdf: +PREFIX fx: +PREFIX example: +PREFIX owl: +PREFIX stix: +PREFIX xsd: + +CONSTRUCT { + + ?object_iri a ?stixType ; + stix:id ?id; + stix:type ?type; + + stix:alias ?alias; +# stix:contact_information ?contact_information_string; + stix:created ?dt_created; + stix:description ?description; + stix:first_seen ?dt_first_seen; + stix:identity_class ?identity_class; + stix:kill_chain_phases ?chains; + stix:indicator_types ?indicator_list; + stix:malware_types ?malware_type; + stix:modified ?dt_modified; + stix:name ?name; + stix:resource_level ?resource_level; + stix:pattern_type ?pattern_type; + stix:pattern ?pattern; + stix:primary_motivation ?primary_motivation; + stix:relationship_type ?relationship_type; + stix:roles ?role_list; + stix:sectors ?sector_list; + stix:source_ref ?source_ref_iri; + stix:spec_version ?spec_version; + stix:target_ref ?target_ref_iri; + stix:tool_types ?tool_types_list; + stix:valid_from ?dt_valid_from; + . + +# ========================== + + stix:id a owl:DatatypeProperty . + stix:type a owl:DatatypeProperty . + + stix:alias a owl:DatatypeProperty . +# stix:contact_information a owl:DatatypeProperty . + stix:created a owl:DatatypeProperty . + stix:description a owl:DatatypeProperty . + stix:first_seen a owl:DatatypeProperty . + + stix:identity_class a owl:DatatypeProperty . + stix:kill_chain_phases a owl:DatatypeProperty . + + stix:indicator_types a owl:DatatypeProperty . + stix:malware_types a owl:DatatypeProperty . + stix:modified a owl:DatatypeProperty . + stix:name a owl:DatatypeProperty . + + stix:resource_level a owl:DatatypeProperty . + + stix:pattern_type a owl:DatatypeProperty . + stix:pattern a owl:DatatypeProperty . + stix:primary_motivation a owl:DatatypeProperty . + stix:relationship_type a owl:DatatypeProperty . + + stix:roles a owl:DatatypeProperty . + stix:sectors a owl:DatatypeProperty . + + stix:source_ref a owl:ObjectProperty . + stix:spec_version a owl:DatatypeProperty . 
+ stix:target_ref a owl:ObjectProperty . + stix:tool_types a owl:DatatypeProperty . + stix:valid_from a owl:DatatypeProperty . + + stix:external_reference a owl:ObjectProperty . + stix:source_name a owl:DatatypeProperty . + stix:url a owl:DatatypeProperty . + stix:description a owl:DatatypeProperty . + stix:external-id a owl:DatatypeProperty . + + stix:kill_chain_phase a owl:ObjectProperty . + stix:kill_chain_name a owl:DatatypeProperty . + stix:kill_chain_phase_name a owl:DatatypeProperty . + +# ========================== + + + ?object_iri stix:external_reference ?exref_iri . + ?exref_iri a stix:StixObject . + ?exref_iri stix:source_name ?ex_ref_source_name . + ?exref_iri stix:url ?ex_ref_url . + ?exref_iri stix:description ?ex_ref_description . + ?exref_iri stix:external-id ?ex_ref_external_id . + + ?object_iri stix:kill_chain_phase ?kill_chain_phase_iri . + ?kill_chain_phase_iri a stix:StixObject . + ?kill_chain_phase_iri stix:kill_chain_name ?kill_name . + ?kill_chain_phase_iri stix:kill_chain_phase_name ?phase_name . + + + +} +WHERE { + SERVICE { + fx:properties fx:location "./apt1.json" . + + + # root array of objects + ?root xyz:objects ?objects . + + # individual objects from the objects array + ?objects ?object_slot ?object . + + # the type and id of the object + ?object xyz:type ?type . + ?object xyz:id ?id . + + + ### OPTIONAL ### + # aliases + OPTIONAL { + ?object xyz:aliases ?aliases . + ?aliases fx:anySlot ?alias . + } + + # contact_information + OPTIONAL {?object xyz:contact_information ?contact_information .} + BIND(xsd:string(?contact_information) AS ?contact_information_string ) + + # created + OPTIONAL {?object xyz:created ?created . } + + # description + OPTIONAL {?object xyz:description ?description . } + + # external_references + OPTIONAL { + ?object xyz:external_references ?external_references . + ?external_references fx:anySlot ?external_reference . + ?external_reference xyz:source_name ?ex_ref_source_name . 
+ OPTIONAL { ?external_reference xyz:description ?ex_ref_description . } + OPTIONAL { ?external_reference xyz:external_id ?ex_ref_external_id . } + OPTIONAL { ?external_reference xyz:url ?ex_ref_url . } + BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#ExternalReference-", STRUUID() )) AS ?exref_iri ) . + } + + # first_seen + OPTIONAL {?object xyz:first_seen ?first_seen . } + + # identity_class + OPTIONAL {?object xyz:identity_class ?identity_class .} + + # indicator_types + OPTIONAL {?object xyz:indicator_types ?indicator_types . + ?indicator_types ?indicator_slot ?indicator_list . } + + # kill_chain_phases + OPTIONAL { + ?object xyz:kill_chain_phases ?kill_chain_phases . + ?kill_chain_phases ?anySlot ?chain_list . + ?chain_list xyz:kill_chain_name ?kill_name . + OPTIONAL { ?chain_list xyz:phase_name ?phase_name . } + BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#KillChainPhase-", STRUUID() )) AS ?kill_chain_phase_iri ) . + } + + # malware_types + OPTIONAL { + ?object xyz:malware_types ?malware_types . + ?malware_types ?malware_types_slot ?malware_type . + } + + # modified + OPTIONAL {?object xyz:modified ?modified . } + + # name + OPTIONAL {?object xyz:name ?name . } + + # pattern + OPTIONAL {?object xyz:pattern ?pattern . } + + # pattern_type + OPTIONAL {?object xyz:pattern_type ?pattern_type . } + + # primary_motivation + OPTIONAL {?object xyz:primary_motivation ?primary_motivation . } + + # relationship_type + OPTIONAL {?object xyz:relationship_type ?relationship_type . } + + # resource_level + OPTIONAL {?object xyz:resource_level ?resource_level . } + + # roles + OPTIONAL { + ?object xyz:roles ?roles . + ?roles ?roles_slot ?role_list . + } + + # sectors + OPTIONAL {?object xyz:sectors ?sectors . + ?sectors ?sectors_slot ?sector_list . } + + # source_ref + OPTIONAL {?object xyz:source_ref ?source_ref . } + + # spec_version + OPTIONAL {?object xyz:spec_version ?spec_version . 
} + + # target_ref + OPTIONAL {?object xyz:target_ref ?target_ref . } + + # tool_types + OPTIONAL {?object xyz:tool_types ?tool_types . + ?tool_types ?tool_types_slot ?tool_types_list . } + + # valid_from + OPTIONAL {?object xyz:valid_from ?valid_from . } + + } + + + # Reformat dates to allow ingestion into xsd:dateTime + BIND(xsd:dateTime(?created) AS ?dt_created ) + BIND(xsd:dateTime(?modified) AS ?dt_modified ) + BIND(xsd:dateTime(?first_seen) AS ?dt_first_seen ) + BIND(xsd:dateTime(?valid_from) AS ?dt_valid_from ) + + + # Form the IRI for the stixBundle + BIND(IRI(CONCAT("http://example/ns/", ?id)) AS ?object_iri ) + BIND(IRI(CONCAT("http://example/ns/", ?source_ref)) AS ?source_ref_iri ) + BIND(IRI(CONCAT("http://example/ns/", ?target_ref)) AS ?target_ref_iri ) + + BIND( IF(?relationship_type = "uses", stix:uses, ?nothing ) AS ?relation_iri ) + + # Form the stix type of either stix:Bundle or stix:StixObject + BIND ((IF(?type = "bundle", IRI("http://docs.oasis-open.org/cti/ns/stix#Bundle"), IRI("http://docs.oasis-open.org/cti/ns/stix#StixObject"))) AS ?stixType ) +}
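Review bot: `stix:kill_chain_phases ?chains` in the CONSTRUCT template can never yield a triple, because `?chains` is bound nowhere in the WHERE clause (the kill-chain block binds `?kill_chain_phases`, `?chain_list`, `?kill_name` and `?phase_name`), and conversely `?relation_iri` is bound via `IF(?relationship_type = "uses", stix:uses, ?nothing)` but never used in the template, so both should either be dropped or wired through. The object, source_ref and target_ref IRIs are built by bare string concatenation from whatever the input bundle carries in `id`/`source_ref`/`target_ref`, so a malformed or crafted identifier in a bundle taken from an external feed becomes a malformed IRI or one that aliases a different object in the `http://example/ns/` namespace; a shape check right after `?object xyz:id ?id .` such as `FILTER(REGEX(?id, "^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"))` (constructed pattern for the STIX `type--uuid` form; apply the same to the two refs) would reject such rows before they reach the `BIND(IRI(CONCAT(...)))` lines. `STRUUID()` in the two `BIND`s for `?exref_iri` and `?kill_chain_phase_iri` makes every run emit different IRIs, so the output graph cannot be diffed or reloaded idempotently; deriving them from something stable like `SHA1(CONCAT(?id, ?ex_ref_source_name))` would fix that. `fx:location "./apt1.json"` resolves relative to the working directory, and since this commit places the input under `input/` and the mapping under `mappings/`, the path presumably only works when run from the input directory — a comment stating the expected cwd, or an absolute path passed in as a parameter, would avoid silent empty results.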