From c26289197f5759356993c72357d6a1f8ccb1cc48 Mon Sep 17 00:00:00 2001 
From: David Greenwood
Date: Fri, 22 Nov 2024 07:31:14 +0000
Subject: [PATCH] versions to frameworks (#89)

---
 includes/extractions/lookup/config.yaml | 56 +++++++--------
 includes/lookups/_generate_lookups.py | 67 +++++++++--------
 .../{disarm_id.txt => disarm_id_v1_5.txt} | 0
 .../{disarm_name.txt => disarm_name_v1_5.txt} | 0
 ...atlas_id.txt => mitre_atlas_id_v4_5_2.txt} | 0
 ...s_name.txt => mitre_atlas_name_v4_5_2.txt} | 0
 ...mitre_attack_enterprise_aliases_v16_0.txt} | 49 +++++++++++++
 ...t => mitre_attack_enterprise_id_v16_0.txt} | 70 ++++++++++++++++++
 ...=> mitre_attack_enterprise_name_v16_0.txt} | 72 ++++++++++++++++++-
 ...txt => mitre_attack_ics_aliases_v16_0.txt} | 1 +
 ...s_id.txt => mitre_attack_ics_id_v16_0.txt} | 1 +
 ...me.txt => mitre_attack_ics_name_v16_0.txt} | 1 +
 ...d.txt => mitre_attack_mobile_id_v16_0.txt} | 1 -
 ...txt => mitre_attack_mobile_name_v16_0.txt} | 1 -
 ...e_capec_id.txt => mitre_capec_id_v3_9.txt} | 0
 ...pec_name.txt => mitre_capec_name_v3_9.txt} | 0
 ...itre_cwe_id.txt => mitre_cwe_id_v4_15.txt} | 0
 ..._cwe_name.txt => mitre_cwe_name_v4_15.txt} | 0
 18 files changed, 254 insertions(+), 65 deletions(-)
 rename includes/lookups/{disarm_id.txt => disarm_id_v1_5.txt} (100%)
 rename includes/lookups/{disarm_name.txt => disarm_name_v1_5.txt} (100%)
 rename includes/lookups/{mitre_atlas_id.txt => mitre_atlas_id_v4_5_2.txt} (100%)
 rename includes/lookups/{mitre_atlas_name.txt => mitre_atlas_name_v4_5_2.txt} (100%)
 rename includes/lookups/{mitre_attack_enterprise_aliases.txt => mitre_attack_enterprise_aliases_v16_0.txt} (94%)
 rename includes/lookups/{mitre_attack_enterprise_id.txt => mitre_attack_enterprise_id_v16_0.txt} (95%)
 rename includes/lookups/{mitre_attack_enterprise_name.txt => mitre_attack_enterprise_name_v16_0.txt} (96%)
 rename includes/lookups/{mitre_attack_ics_aliases.txt => mitre_attack_ics_aliases_v16_0.txt} (98%)
 rename includes/lookups/{mitre_attack_ics_id.txt => mitre_attack_ics_id_v16_0.txt} (99%)
 rename includes/lookups/{mitre_attack_ics_name.txt => mitre_attack_ics_name_v16_0.txt} (99%)
 rename includes/lookups/{mitre_attack_mobile_id.txt => mitre_attack_mobile_id_v16_0.txt} (99%)
 rename includes/lookups/{mitre_attack_mobile_name.txt => mitre_attack_mobile_name_v16_0.txt} (99%)
 rename includes/lookups/{mitre_capec_id.txt => mitre_capec_id_v3_9.txt} (100%)
 rename includes/lookups/{mitre_capec_name.txt => mitre_capec_name_v3_9.txt} (100%)
 rename includes/lookups/{mitre_cwe_id.txt => mitre_cwe_id_v4_15.txt} (100%)
 rename includes/lookups/{mitre_cwe_name.txt => mitre_cwe_name_v4_15.txt} (100%)

diff --git a/includes/extractions/lookup/config.yaml b/includes/extractions/lookup/config.yaml
index 9d39658..db8e537 100644
--- a/includes/extractions/lookup/config.yaml
+++ b/includes/extractions/lookup/config.yaml
@@ -20,9 +20,9 @@ lookup_country_alpha2:
 lookup_mitre_attack_enterprise_id:
 type: lookup
 name: 'MITRE ATT&CK Enterprise IDs'
- description: 'Extracts MITRE ATT&CK Enterprise IDs from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK Enterprise IDs from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_enterprise also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_enterprise_id.txt'
+ file: 'lookups/mitre_attack_enterprise_id_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -33,9 +33,9 @@ lookup_mitre_attack_enterprise_id:
 lookup_mitre_attack_enterprise_name:
 type: lookup
 name: 'MITRE ATT&CK Enterprise names'
- description: 'Extracts MITRE ATT&CK Enterprise names from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK Enterprise names from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_enterprise also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_enterprise_name.txt'
+ file: 'lookups/mitre_attack_enterprise_name_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
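Review bot: The new `description` text `See lookup name for version used.` points readers at a field that carries no version: the `name` values in this and every following config.yaml hunk (`'MITRE ATT&CK Enterprise IDs'`, `'MITRE CAPEC names'`, `MITRE CWE IDs`, …) are unversioned, and after this change the only place the version survives is the `file` path (`lookups/mitre_attack_enterprise_id_v16_0.txt`). The old text at least stated the version; the new one sends a user to the wrong field. Suggest `description: 'Extracts MITRE ATT&CK Enterprise IDs from text. The framework version used is encoded in the lookup file name.'`, applied in the same form to the other thirteen entries. Separately, `modified: 2020-01-01` is left untouched on a context line even though the file each entry points at changes in this commit; if that field is meant to track edits it should be bumped here too.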
@@ -46,9 +46,9 @@ lookup_mitre_attack_enterprise_name:
 lookup_mitre_attack_mobile_id:
 type: lookup
 name: 'MITRE ATT&CK Mobile IDs'
- description: 'Extracts MITRE ATT&CK Mobile IDs from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK Mobile IDs from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_mobile also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_mobile_id.txt'
+ file: 'lookups/mitre_attack_mobile_id_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -59,9 +59,9 @@ lookup_mitre_attack_mobile_id:
 lookup_mitre_attack_mobile_name:
 type: lookup
 name: 'MITRE ATT&CK Mobile names'
- description: 'Extracts MITRE ATT&CK Mobile names from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK Mobile names from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_mobile also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_mobile_name.txt'
+ file: 'lookups/mitre_attack_mobile_name_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -72,9 +72,9 @@ lookup_mitre_attack_mobile_name:
 lookup_mitre_attack_ics_id:
 type: lookup
 name: 'MITRE ATT&CK ICS IDs'
- description: 'Extracts MITRE ATT&CK ICS names from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK ICS names from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_ics also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_ics_id.txt'
+ file: 'lookups/mitre_attack_ics_id_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
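Review bot: The rewritten `description` for `lookup_mitre_attack_ics_id` (hunk `@@ -72,9 +72,9 @@`) still says it extracts ICS *names*, although the entry is the IDs lookup (`name: 'MITRE ATT&CK ICS IDs'`, `file: 'lookups/mitre_attack_ics_id_v16_0.txt'`) and the next hunk's `lookup_mitre_attack_ics_name` carries identical wording. The line was rewritten by this commit, so the copy-paste slip could have been fixed at the same time. Change it to `description: 'Extracts MITRE ATT&CK ICS IDs from text. See lookup name for version used.'`.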
@@ -85,9 +85,9 @@ lookup_mitre_attack_ics_id:
 lookup_mitre_attack_ics_name:
 type: lookup
 name: 'MITRE ATT&CK ICS names'
- description: 'Extracts MITRE ATT&CK ICS names from text. Currently uses v16.0'
+ description: 'Extracts MITRE ATT&CK ICS names from text. See lookup name for version used.'
 notes: 'ai_mitre_attack_ics also exists but beware of hallucinations'
- file: 'lookups/mitre_attack_ics_name.txt'
+ file: 'lookups/mitre_attack_ics_name_v16_0.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -100,9 +100,9 @@ lookup_mitre_attack_ics_name:
 lookup_mitre_capec_id:
 type: lookup
 name: 'MITRE CAPEC IDs'
- description: 'Extracts MITRE CAPEC IDs from text. Currently uses v3.9'
+ description: 'Extracts MITRE CAPEC IDs from text. See lookup name for version used.'
 notes: 'ai_mitre_capec also exists but beware of hallucinations'
- file: 'lookups/mitre_capec_id.txt'
+ file: 'lookups/mitre_capec_id_v3_9.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -113,9 +113,9 @@ lookup_mitre_capec_id:
 lookup_mitre_capec_name:
 type: lookup
 name: 'MITRE CAPEC names'
- description: 'Extracts MITRE CAPEC names from text. Currently uses v3.9'
+ description: 'Extracts MITRE CAPEC names from text. See lookup name for version used.'
 notes: 'ai_mitre_capec also exists but beware of hallucinations'
- file: 'lookups/mitre_capec_name.txt'
+ file: 'lookups/mitre_capec_name_v3_9.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -128,9 +128,9 @@ lookup_mitre_capec_name:
 lookup_mitre_cwe_id:
 type: lookup
 name: MITRE CWE IDs
- description: 'Extracts MITRE CWE IDs from text. Currently uses v4.15'
+ description: 'Extracts MITRE CWE IDs from text. See lookup name for version used.'
 notes: 'ai_mitre_cwe also exists but beware of hallucinations'
- file: 'lookups/mitre_cwe_id.txt'
+ file: 'lookups/mitre_cwe_id_v4_15.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -141,9 +141,9 @@ lookup_mitre_cwe_id:
 lookup_mitre_cwe_name:
 type: lookup
 name: MITRE CWE names
- description: 'Extracts MITRE CWE names from text. Currently uses v4.15'
+ description: 'Extracts MITRE CWE names from text. See lookup name for version used.'
 notes: 'ai_mitre_cwe also exists but beware of hallucinations'
- file: 'lookups/mitre_cwe_name.txt'
+ file: 'lookups/mitre_cwe_name_v4_15.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -156,9 +156,9 @@ lookup_mitre_cwe_name:
 lookup_mitre_atlas_id:
 type: lookup
 name: MITRE ATLAS IDs
- description: 'Extracts MITRE ATLAS IDs from text. Currently uses v4.5.2'
+ description: 'Extracts MITRE ATLAS IDs from text. See lookup name for version used.'
 notes: 'No corresponding AI version yet due to poor AI performance'
- file: 'lookups/mitre_atlas_id.txt'
+ file: 'lookups/mitre_atlas_id_v4_5_2.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -169,9 +169,9 @@ lookup_mitre_atlas_id:
 lookup_mitre_atlas_name:
 type: lookup
 name: MITRE ATLAS names
- description: 'Extracts MITRE ATLAS names from text. Currently uses v4.5.2'
+ description: 'Extracts MITRE ATLAS names from text. See lookup name for version used.'
 notes: 'No corresponding AI version yet due to poor AI performance'
- file: 'lookups/mitre_atlas_name.txt'
+ file: 'lookups/mitre_atlas_name_v4_5_2.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -184,9 +184,9 @@ lookup_mitre_atlas_name:
 lookup_disarm_id:
 type: lookup
 name: DISARM IDs
- description: 'Extracts DISARM IDs from text. Currently uses v1.5'
+ description: 'Extracts DISARM IDs from text. See lookup name for version used.'
 notes: 'No corresponding AI version yet due to poor AI performance'
- file: 'lookups/disarm_id.txt'
+ file: 'lookups/disarm_id_v1_5.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
@@ -197,9 +197,9 @@ lookup_disarm_id:
 lookup_disarm_name:
 type: lookup
 name: DISARM IDs
- description: 'Extracts DISARM names from text. Currently uses v1.5'
+ description: 'Extracts DISARM names from text. See lookup name for version used.'
 notes: 'No corresponding AI version yet due to poor AI performance'
- file: 'lookups/disarm_name.txt'
+ file: 'lookups/disarm_name_v1_5.txt'
 created: 2020-01-01
 modified: 2020-01-01
 created_by: DOGESEC
diff --git a/includes/lookups/_generate_lookups.py b/includes/lookups/_generate_lookups.py
index 67a30e7..1bf5de8 100644
--- a/includes/lookups/_generate_lookups.py
+++ b/includes/lookups/_generate_lookups.py
@@ -3,16 +3,16 @@
 # Connect to ArangoDB
 client = ArangoClient()
-db = client.db('cti_knowledge_base_store_database', username='root', password='')
+db = client.db('ctibutler_database', username='root', password='')
 
 # Get the directory where the script is located
 script_dir = os.path.dirname(os.path.abspath(__file__))
 
 # Define queries and output files
 queries = {
- "mitre_cwe_id.txt": """
+ "mitre_cwe_id_v4_15.txt": """
 FOR doc IN mitre_cwe_vertex_collection
- FILTER doc._stix2arango_note == "v4.15"
+ FILTER doc._stix2arango_note == "version=4_15"
 AND IS_ARRAY(doc.external_references)
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
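Review bot: `lookup_disarm_name` is labelled `name: DISARM IDs` (an unchanged context line in this hunk), the same value as `lookup_disarm_id` two hunks earlier, so the two lookups are indistinguishable by name, and the new description now explicitly tells the reader to consult that name. Since this entry is being edited anyway, suggest `name: DISARM names` to match the `… names` convention the other frameworks use. The remaining fields on the new side are consistent with the rest of the commit.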
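Review bot: The new line `db = client.db('ctibutler_database', username='root', password='')` commits the ArangoDB root account with an empty password into the repository; even for a local generator script this bakes in a no-password root login that gets copied into other scripts and CI. Read the connection details from the environment instead, e.g. `db = client.db(os.environ.get('ARANGO_DB', 'ctibutler_database'), username=os.environ.get('ARANGO_USER', 'root'), password=os.environ['ARANGO_PASSWORD'])` (variable names here are illustrative, not project ones), so an unset password fails loudly rather than silently authenticating as root with none. `os` is already in scope — the context line `script_dir = os.path.dirname(os.path.abspath(__file__))` uses it — so no new import is needed. The `ArangoClient()` call on the context line above presumably also relies on a default host; if so it deserves the same treatment.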
@@ -21,18 +21,18 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_cwe_name.txt": """
+ "mitre_cwe_name_v4_15.txt": """
 FOR doc IN mitre_cwe_vertex_collection
- FILTER doc._stix2arango_note == "v4.15"
+ FILTER doc._stix2arango_note == "version=4_15"
 AND IS_ARRAY(doc.external_references)
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 AND doc.type == "weakness"
 RETURN doc.name
 """,
- "mitre_capec_id.txt": """
+ "mitre_capec_id_v3_9.txt": """
 FOR doc IN mitre_capec_vertex_collection
- FILTER doc._stix2arango_note == "v3.9"
+ FILTER doc._stix2arango_note == "version=3_9"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 AND IS_ARRAY(doc.external_references)
@@ -41,17 +41,17 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_capec_name.txt": """
+ "mitre_capec_name_v3_9.txt": """
 FOR doc IN mitre_capec_vertex_collection
- FILTER doc._stix2arango_note == "v3.9"
+ FILTER doc._stix2arango_note == "version=3_9"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 AND doc.type != "course-of-action"
 RETURN doc.name
 """,
- "mitre_attack_enterprise_id.txt": """
+ "mitre_attack_enterprise_id_v16_0.txt": """
 FOR doc IN mitre_attack_enterprise_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
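Review bot: Each renamed dict key and its `FILTER doc._stix2arango_note == "version=…"` literal now spell the same version twice (`"mitre_cwe_name_v4_15.txt"` / `"version=4_15"`, `"mitre_capec_id_v3_9.txt"` / `"version=3_9"`), here and in every following hunk of this file, so a future bump means editing two strings per entry with nothing checking that they agree — the old side of the ATT&CK entries shows exactly that drift (filter `"v15.1"` while config.yaml already said v16.0). Suggest one constant per framework, e.g. `CWE_VERSION = "4_15"`, then `f"mitre_cwe_name_v{CWE_VERSION}.txt": f"""` and `FILTER doc._stix2arango_note == "version={CWE_VERSION}"`; the AQL text visible in these hunks contains no braces, so f-strings are safe, but check the parts of the queries outside the hunks. The `queries` dict is opened before this hunk and closed after it.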
@@ -61,20 +61,19 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_attack_enterprise_name.txt": """
+ "mitre_attack_enterprise_name_v16_0.txt": """
 FOR doc IN mitre_attack_enterprise_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 RETURN doc.name
 """,
- "mitre_attack_enterprise_aliases.txt": """
+ "mitre_attack_enterprise_aliases_v16_0.txt": """
 FOR alias IN UNIQUE(
 FLATTEN(
 FOR doc IN mitre_attack_enterprise_vertex_collection
-
-FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
@@ -84,9 +83,9 @@
 )
 RETURN alias
 """,
- "mitre_attack_ics_id.txt": """
+ "mitre_attack_ics_id_v16_0.txt": """
 FOR doc IN mitre_attack_ics_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
@@ -96,11 +95,11 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_attack_ics_aliases.txt": """
+ "mitre_attack_ics_aliases_v16_0.txt": """
 FOR alias IN UNIQUE(
 FLATTEN(
 FOR doc IN mitre_attack_ics_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
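Review bot: The aliases query under `"mitre_attack_enterprise_aliases_v16_0.txt"` (hunk `@@ -61,20 +61,19 @@`) still returns every `UNIQUE(FLATTEN(...))` alias unfiltered, and the regenerated lookup file in this same patch shows the consequence: plain-language tokens such as `Play` become lookup terms, which a lookup-based extractor is likely to match in ordinary prose and report as a false ATT&CK hit. If such hits are not wanted, a post-filter such as `FILTER alias NOT IN @excluded` between the closing `)` and `RETURN alias`, with the exclusion list supplied as a bind variable (assuming the execution call further down accepts `bind_vars`), keeps the generated file clean without hand-editing it; otherwise the config.yaml `notes` for this lookup should state that it over-matches. The same applies to the ICS aliases query in the `@@ -96,11 +95,11 @@` hunk. Both FLATTEN bodies continue past the end of their hunks.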
@@ -110,17 +109,17 @@
 )
 RETURN alias
 """,
- "mitre_attack_ics_name.txt": """
+ "mitre_attack_ics_name_v16_0.txt": """
 FOR doc IN mitre_attack_ics_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 RETURN doc.name
 """,
- "mitre_attack_mobile_id.txt": """
+ "mitre_attack_mobile_id_v16_0.txt": """
 FOR doc IN mitre_attack_mobile_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
@@ -130,17 +129,17 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_attack_mobile_name.txt": """
+ "mitre_attack_mobile_name_v16_0.txt": """
 FOR doc IN mitre_attack_mobile_vertex_collection
- FILTER doc._stix2arango_note == "v15.1"
+ FILTER doc._stix2arango_note == "version=16_0"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 RETURN doc.name
 """,
- "mitre_atlas_id.txt": """
+ "mitre_atlas_id_v4_5_2.txt": """
 FOR doc IN mitre_atlas_vertex_collection
- FILTER doc._stix2arango_note == "v4.5.2"
+ FILTER doc._stix2arango_note == "version=4_5_2"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
@@ -150,17 +149,17 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "mitre_atlas_name.txt": """
+ "mitre_atlas_name_v4_5_2.txt": """
 FOR doc IN mitre_atlas_vertex_collection
- FILTER doc._stix2arango_note == "v4.5.2"
+ FILTER doc._stix2arango_note == "version=4_5_2"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
 RETURN doc.name
 """,
- "disarm_id.txt": """
+ "disarm_id_v1_5.txt": """
 FOR doc IN disarm_vertex_collection
- FILTER doc._stix2arango_note == "v1.5"
+ FILTER doc._stix2arango_note == "version=1_5"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
@@ -170,9 +169,9 @@
 SORT reference.external_id ASC
 RETURN reference.external_id
 """,
- "disarm_name.txt": """
+ "disarm_name_v1_5.txt": """
 FOR doc IN disarm_vertex_collection
- FILTER doc._stix2arango_note == "v1.5"
+ FILTER doc._stix2arango_note == "version=1_5"
 AND doc.type != "x-mitre-matrix"
 AND doc.x_mitre_deprecated != true
 AND doc.revoked != true
diff --git a/includes/lookups/disarm_id.txt b/includes/lookups/disarm_id_v1_5.txt
similarity index 100%
rename from includes/lookups/disarm_id.txt
rename to includes/lookups/disarm_id_v1_5.txt
diff --git a/includes/lookups/disarm_name.txt b/includes/lookups/disarm_name_v1_5.txt
similarity index 100%
rename from includes/lookups/disarm_name.txt
rename to includes/lookups/disarm_name_v1_5.txt
diff --git a/includes/lookups/mitre_atlas_id.txt b/includes/lookups/mitre_atlas_id_v4_5_2.txt
similarity index 100%
rename from includes/lookups/mitre_atlas_id.txt
rename to includes/lookups/mitre_atlas_id_v4_5_2.txt
diff --git a/includes/lookups/mitre_atlas_name.txt b/includes/lookups/mitre_atlas_name_v4_5_2.txt
similarity index 100%
rename from includes/lookups/mitre_atlas_name.txt
rename to includes/lookups/mitre_atlas_name_v4_5_2.txt
diff --git a/includes/lookups/mitre_attack_enterprise_aliases.txt b/includes/lookups/mitre_attack_enterprise_aliases_v16_0.txt similarity index 94% rename from includes/lookups/mitre_attack_enterprise_aliases.txt rename to includes/lookups/mitre_attack_enterprise_aliases_v16_0.txt index 7d7a330..f63e669 100644 --- a/includes/lookups/mitre_attack_enterprise_aliases.txt +++ b/includes/lookups/mitre_attack_enterprise_aliases_v16_0.txt @@ -8,6 +8,7 @@ EKANS SNAKEHOSE BLINDINGCAN Ninja +Pikabot Wiarp RCSession Spark @@ -40,6 +41,7 @@ Get2 POWRUNER KOPILUWAK RobbinHood +VersaMem TDTESS Chinoxy SharpStage @@ -67,6 +69,7 @@ ThreatNeedle ZLib RedLeaves BUGJUICE +Miner-C POWERSOURCE DNSMessenger LITTLELAMB.WOOLTEA @@ -84,6 +87,7 @@ Bankshot Trojan Manuscript SharpDisco StrongPity +HAPPYWORK xCaon PLAINTEE Pony @@ -96,6 +100,8 @@ Lurid Enfal Kasidet OceanSalt +Playcrypt +Play Brave Prince RainyDay Ecipekac @@ -126,6 +132,7 @@ NemesisGemina EvilGrab EnvyScout SslMM +IMAPLoader GreyEnergy Aria-body Emotet @@ -136,6 +143,7 @@ Crimson MSIL/Crimson Tomiris TEARDROP +DUSTTRAP Turian BADHATCH Machete @@ -143,7 +151,9 @@ Pyark PowerLess Action RAT Avenger +DUSTPAN Prikormka +Gootloader PingPull WellMess Dacls @@ -159,6 +169,7 @@ AuTo Stealer Hildegard Agent.btz SLOWDRIFT +SHUTTERSPEED SombRAT FlawedGrace FLASHFLOOD @@ -170,16 +181,20 @@ Rifdoor SUGARUSH LoFiSe HOPLIGHT +Cuckoo Stealer GuLoader WastedLocker RegDuke ProLock +Moneybird InvisiMole P.A.S. Webshell Fobushell QUIETEXIT Naid +Apostle Volgmer +WINERACK WhisperGate FruitFly ZeroT @@ -195,6 +210,7 @@ SamSam Samas Neoichor Conti +Raspberry Robin Mispadu RemoteCMD Diavol @@ -209,6 +225,7 @@ Fysbis IcedID VERMIN UBoatRAT +Nightdoor MarkiRAT PowerShower Kazuar @@ -221,6 +238,7 @@ FYNLOS NETEAGLE POORAIM HUI Loader +CHIMNEYSWEEP Ragnar Locker FatDuke Lucifer @@ -286,6 +304,7 @@ CORESHELL Sofacy SOURFACE RunningRAT +VPNFilter Babuk Babyk Vasa Locker 
@@ -296,6 +315,7 @@ Dyreza BlackMould Javali PACEMAKER +LunarLoader BBSRAT PlugX Thoper @@ -306,6 +326,7 @@ Kaba Korplug Reaver Bisonal +MultiLayer Wiper S-Type SeaDuke SeaDaddy @@ -379,6 +400,10 @@ WCry Gazer WhiteBear TSCookie +Latrodectus +IceNova +Unidentified 111 +Saint Bot Pay2Key Chaes Briba @@ -404,6 +429,7 @@ Uroburos Snake Metamorfo Casbaneiro +Spica Trojan.Karagany xFrost Karagany @@ -440,7 +466,13 @@ Micropsia Kerrdown RARSTONE VBShower +BPFDoor +JustForFun +Backdoor.Linux.BPFDOOR +Backdoor.Solaris.BPFDOOR.ZAJE Black Basta +ZeroCleare +ZEROCLEAR Catchamas StoneDrill DROPSHOT @@ -511,6 +543,7 @@ ABK Pysa Mespinoza Final1stspy +MgBot ccf32 Zebrocy Zekapab @@ -518,6 +551,7 @@ Pandora FinFisher FinSpy SpeakUp +LunarMail WARPWIRE CrossRAT OwaAuth @@ -566,6 +600,8 @@ NativeZone NanoCore TajMahal PLEAD +Raccoon Stealer +IPsec Helper Daserf Muirim Nioupale @@ -593,6 +629,7 @@ MacMa OSX.CDDS DazzleSpy FunnyDream +ROADSWEEP SUNSPOT More_eggs SKID @@ -602,6 +639,7 @@ HyperSSL Soldier FOCUSFJORD TinyZBot +OutSteel BackConfig PowGoop Kwampirs @@ -645,10 +683,12 @@ Sensocode SLIGHTPULSE NDiskMonitor CoinTicker +DDKONG Penquin Penquin 2.0 Penquin_x64 BabyShark +LATEOP Cannon CreepySnail build_downer @@ -657,6 +697,7 @@ Winnti for Windows PowerPunch BONDUPDATER BLACKCOFFEE +BFG Agonizer Ebury Kinsing PITSTOP @@ -675,6 +716,7 @@ Scorpion HAYMAKER PowerStallion ANDROMEDA +Manjusaka IceApple JPIN metaMain @@ -687,6 +729,7 @@ HTTPBrowser Token Control HttpDump Mis-Type +LunarWeb XCSSET OSX.DubRobber Disco @@ -762,6 +805,8 @@ OSX/Shlayer Zshlayer Crossrider Denis +INC Ransomware +DEADWOOD GLOOXMAIL Trojan.GTALK Dok @@ -820,6 +865,8 @@ HermeticWizard Net net.exe RemoteUtilities +Covenant +NPPSPY BloodHound certutil certutil.exe @@ -844,6 +891,7 @@ spwebmember Empire EmPyre PowerShell Empire +FRP dsquery dsquery.exe PcShare @@ -871,6 +919,7 @@ ConnectWise ScreenConnect Imminent Monitor Ruler +Winexe MCMD Nltest MailSniper 
diff --git a/includes/lookups/mitre_attack_enterprise_id.txt b/includes/lookups/mitre_attack_enterprise_id_v16_0.txt similarity index 95% rename from includes/lookups/mitre_attack_enterprise_id.txt rename to includes/lookups/mitre_attack_enterprise_id_v16_0.txt index 42c94a8..06406be 100644 --- a/includes/lookups/mitre_attack_enterprise_id.txt +++ b/includes/lookups/mitre_attack_enterprise_id_v16_0.txt @@ -26,6 +26,12 @@ C0030 C0032 C0033 C0034 +C0035 +C0036 +C0037 +C0038 +C0039 +C0040 DS0001 DS0002 DS0003 @@ -212,6 +218,17 @@ G1023 G1024 G1026 G1028 +G1030 +G1031 +G1032 +G1033 +G1034 +G1035 +G1036 +G1037 +G1038 +G1039 +G1040 M1013 M1015 M1016 @@ -255,6 +272,7 @@ M1054 M1055 M1056 M1057 +M1060 S0001 S0002 S0003 @@ -839,6 +857,7 @@ S0696 S0697 S0698 S0699 +S1010 S1011 S1012 S1013 @@ -933,6 +952,38 @@ S1123 S1124 S1125 S1129 +S1130 +S1131 +S1132 +S1133 +S1134 +S1135 +S1136 +S1137 +S1138 +S1139 +S1140 +S1141 +S1142 +S1143 +S1144 +S1145 +S1146 +S1147 +S1148 +S1149 +S1150 +S1151 +S1152 +S1153 +S1154 +S1155 +S1156 +S1158 +S1159 +S1160 +S1161 +S1162 T1001 T1001.001 T1001.002 @@ -985,6 +1036,7 @@ T1027.010 T1027.011 T1027.012 T1027.013 +T1027.014 T1029 T1030 T1033 @@ -998,6 +1050,7 @@ T1036.006 T1036.007 T1036.008 T1036.009 +T1036.010 T1037 T1037.001 T1037.002 @@ -1052,6 +1105,7 @@ T1059.007 T1059.008 T1059.009 T1059.010 +T1059.011 T1068 T1069 T1069.001 @@ -1067,11 +1121,13 @@ T1070.006 T1070.007 T1070.008 T1070.009 +T1070.010 T1071 T1071.001 T1071.002 T1071.003 T1071.004 +T1071.005 T1072 T1074 T1074.001 @@ -1104,6 +1160,7 @@ T1098.003 T1098.004 T1098.005 T1098.006 +T1098.007 T1102 T1102.001 T1102.002 @@ -1131,6 +1188,7 @@ T1124 T1125 T1127 T1127.001 +T1127.002 T1129 T1132 T1132.001 @@ -1185,6 +1243,8 @@ T1213 T1213.001 T1213.002 T1213.003 +T1213.004 +T1213.005 T1216 T1216.001 T1216.002 @@ -1212,11 +1272,13 @@ T1222.001 T1222.002 T1480 T1480.001 +T1480.002 T1482 T1484 T1484.001 T1484.002 T1485 +T1485.001 T1486 T1489 T1490 
@@ -1225,6 +1287,10 @@ T1491.001 T1491.002 T1495 T1496 +T1496.001 +T1496.002 +T1496.003 +T1496.004 T1497 T1497.001 T1497.002 @@ -1285,6 +1351,7 @@ T1546.013 T1546.014 T1546.015 T1546.016 +T1546.017 T1547 T1547.001 T1547.002 @@ -1350,11 +1417,13 @@ T1557 T1557.001 T1557.002 T1557.003 +T1557.004 T1558 T1558.001 T1558.002 T1558.003 T1558.004 +T1558.005 T1559 T1559.001 T1559.002 @@ -1570,6 +1639,7 @@ T1656 T1657 T1659 T1665 +T1666 TA0001 TA0002 TA0003 diff --git a/includes/lookups/mitre_attack_enterprise_name.txt b/includes/lookups/mitre_attack_enterprise_name_v16_0.txt similarity index 96% rename from includes/lookups/mitre_attack_enterprise_name.txt rename to includes/lookups/mitre_attack_enterprise_name_v16_0.txt index 04ccc47..2332ef1 100644 --- a/includes/lookups/mitre_attack_enterprise_name.txt +++ b/includes/lookups/mitre_attack_enterprise_name_v16_0.txt @@ -35,6 +35,7 @@ Path Interception by PATH Environment Variable Sharepoint Direct Volume Access Artificial Intelligence +Modify Cloud Resource Hierarchy Email Hiding Rules External Defacement Encrypted/Encoded File @@ -44,6 +45,7 @@ Rootkit PowerShell Profile JavaScript DNS +Lifecycle-Triggered Deletion Audio Capture Create or Modify System Process External Remote Services @@ -53,6 +55,7 @@ Container Orchestration Job Domain Generation Algorithms Double File Extension Bypass User Account Control +SMS Pumping Internet Connection Discovery Sudo and Sudo Caching Archive via Custom Method @@ -101,6 +104,7 @@ Hide Artifacts Dynamic Data Exchange Malicious File Identify Business Tempo +Publish/Subscribe Protocols Hardware Taint Shared Content Trust Modification @@ -165,6 +169,7 @@ Browser Extensions Service Exhaustion Flood Compromise Hardware Supply Chain Native API +Ccache Files Clear Network Connection History and Configurations AS-REP Roasting Virtual Private Server 
@@ -179,6 +184,7 @@ Outlook Rules Impair Defenses Cloud Accounts Email Accounts +Additional Local or Domain Groups Upload Malware Supply Chain Compromise Exploit Public-Facing Application @@ -202,8 +208,10 @@ Traffic Signaling Direct Cloud VM Connections System Binary Proxy Execution Timestomp +Evil Twin Reflective Code Loading Wi-Fi Discovery +Mutual Exclusion Ignore Process Interrupts Escape to Host Shortcut Modification @@ -295,6 +303,7 @@ Delete Cloud Instance Code Repositories Executable Installer File Permissions Weakness Accessibility Features +Bandwidth Hijacking Account Discovery Proxy Command and Scripting Interpreter @@ -378,6 +387,7 @@ Network Provider DLL Windows Management Instrumentation Event Subscription CDNs User Activity Based Checks +Cloud Service Hijacking Cloud Accounts Software Deployment Tools Exfiltration Over C2 Channel @@ -415,6 +425,7 @@ Systemd Timers Phishing ROMMONkit Compiled HTML File +Compute Hijacking Network Share Connection Removal Multi-hop Proxy Brute Force @@ -428,6 +439,7 @@ Data from Network Shared Drive Web Services Modify System Image Hijack Execution Flow +Lua Indicator Removal from Tools Malicious Image Container Service @@ -445,6 +457,7 @@ Remote Email Collection IIS Components Invalid Code Signature Run Virtual Instance +Polymorphic Code Password Policy Discovery Event Triggered Execution Unix Shell Configuration Modification @@ -464,6 +477,7 @@ Input Capture Spearphishing Voice Exploits Social Media +Customer Relationship Management Software Component Object Model Hijacking Credentials Compromise Software Supply Chain @@ -483,7 +497,7 @@ System Language Discovery Non-Application Layer Protocol Steganography DNS Server -Protocol Impersonation +Protocol or Service Impersonation Query Registry Data Transfer Size Limits Web Session Cookie 
@@ -504,7 +518,9 @@ ARP Cache Poisoning Disable or Modify Cloud Logs Security Software Discovery Hidden Window +ClickOnce Python +Relocate Malware Identify Roles Data Encoding AppInit DLLs @@ -529,6 +545,7 @@ Silver Ticket Data from Information Repositories Clear Persistence Windows Credential Manager +Masquerade Account Name Hardware Additions Server Software Component Data Destruction @@ -611,6 +628,7 @@ At Dynamic-link Library Injection Exploits Modify Authentication Process +Udev Rules Credential API Hooking Firmware Corruption Inhibit System Recovery @@ -626,6 +644,7 @@ Domains SQL Stored Procedures Network Device Authentication Disk Content Wipe +Messaging Applications Exfiltration Over Unencrypted Non-C2 Protocol Dylib Hijacking Downgrade System Image @@ -637,6 +656,7 @@ MMC Process Argument Spoofing COR_PROFILER Operation Dream Job +KV Botnet Activity Frankenstein Operation Sharpshooter Operation Honeybee @@ -646,17 +666,22 @@ Operation Dust Storm Operation Spalax Cutting Edge C0018 +Water Curupira Pikabot Distribution C0021 C0015 Operation Ghost +HomeLand Justice C0032 SolarWinds Compromise +Pikabot Distribution February 2024 FunnyDream Operation CuckooBees C0033 2016 Ukraine Electric Power Attack C0010 +APT41 DUST Night Dragon +Versa Director Zero Day Exploitation Operation Wocao C0011 C0017 @@ -687,6 +712,7 @@ Do Not Mitigate Pre-compromise SSL/TLS Inspection Boot Integrity +Out-of-Band Communications Channel Network Segmentation Threat Intelligence Program Password Policies @@ -720,6 +746,7 @@ Mustard Tempest GCMAN Kimsuky EXOTIC LILY +TA577 admin@338 Volt Typhoon Patchwork @@ -770,6 +797,7 @@ Aoqin Dragon Ferocious Kitten The White Company Ke3chang +Saint Bear APT1 DarkHydrus Confucius @@ -778,12 +806,14 @@ Leviathan MoustachedBouncer Group5 Blue Mockingbird +Winter Vivern SilverTerrier Turla Poseidon Group TA505 BITTER DarkVishnya +RedCurl APT-C-23 FIN5 Mofang 
@@ -800,8 +830,10 @@ TA551 TEMP.Veles Equation BackdoorDiplomacy +Star Blizzard Darkhotel Axiom +TA578 Deep Panda Ember Bear LazyScripter @@ -810,6 +842,7 @@ Volatile Cedar ToddyCat Whitefly LuminousMoth +Agrius APT28 Malteiro Metador @@ -823,6 +856,7 @@ Winnti Group Tonto Team GOLD SOUTHFIELD Lazarus Group +INC Ransom Earth Lusca FIN4 Silence @@ -838,11 +872,14 @@ Wizard Spider Molerats Transparent Tribe IndigoZebra +Moonstone Sleet Inception +Play PROMETHIUM APT30 HEXANE DragonOK +Daggerfly Rancor WIRTE PLATINUM @@ -862,6 +899,7 @@ PowerDuke EKANS BLINDINGCAN Ninja +Pikabot Wiarp RCSession Spark @@ -890,6 +928,7 @@ Get2 POWRUNER KOPILUWAK RobbinHood +VersaMem Power Loader TDTESS Chinoxy @@ -939,6 +978,7 @@ AuditCred Lurid Kasidet OceanSalt +Playcrypt Brave Prince RainyDay Ecipekac @@ -958,6 +998,7 @@ CosmicDuke EvilGrab EnvyScout SslMM +IMAPLoader GreyEnergy Aria-body Emotet @@ -966,13 +1007,16 @@ Olympic Destroyer Crimson Tomiris TEARDROP +DUSTTRAP Turian BADHATCH Machete PowerLess Action RAT Avenger +DUSTPAN Prikormka +Gootloader PingPull WellMess Dacls @@ -999,15 +1043,18 @@ Rifdoor SUGARUSH LoFiSe HOPLIGHT +Cuckoo Stealer GuLoader MobileOrder WastedLocker RegDuke ProLock +Moneybird InvisiMole P.A.S. Webshell QUIETEXIT Naid +Apostle Volgmer WINERACK WhisperGate @@ -1023,6 +1070,7 @@ Bonadan SamSam Neoichor Conti +Raspberry Robin Mispadu RemoteCMD Diavol @@ -1035,6 +1083,7 @@ Fysbis IcedID VERMIN UBoatRAT +Nightdoor MarkiRAT PowerShower Kazuar @@ -1043,6 +1092,7 @@ DarkComet NETEAGLE POORAIM HUI Loader +CHIMNEYSWEEP Ragnar Locker FatDuke Lucifer @@ -1090,16 +1140,19 @@ DarkTortilla ROKRAT CORESHELL RunningRAT +VPNFilter Babuk DarkWatchman Dyre BlackMould Javali PACEMAKER +LunarLoader BBSRAT PlugX Reaver Bisonal +MultiLayer Wiper S-Type SeaDuke BS2005 @@ -1141,6 +1194,7 @@ USBferry WannaCry Gazer TSCookie +Latrodectus Saint Bot Pay2Key Chaes @@ -1162,6 +1216,7 @@ Royal BendyBear Uroburos Metamorfo +Spica Trojan.Karagany Bandook PipeMon 
@@ -1187,7 +1242,9 @@ Micropsia Kerrdown RARSTONE VBShower +BPFDoor Black Basta +ZeroCleare Catchamas StoneDrill OopsIE @@ -1241,11 +1298,13 @@ ABK Pysa Wiper Final1stspy +MgBot ccf32 Zebrocy Pandora FinFisher SpeakUp +LunarMail WARPWIRE CrossRAT OwaAuth @@ -1283,6 +1342,8 @@ NativeZone NanoCore TajMahal PLEAD +Raccoon Stealer +IPsec Helper Daserf GoldFinder Carbon @@ -1306,6 +1367,7 @@ TrailBlazer Revenge RAT MacMa FunnyDream +ROADSWEEP SUNSPOT More_eggs SysUpdate @@ -1352,6 +1414,7 @@ Winnti for Windows PowerPunch BONDUPDATER BLACKCOFFEE +BFG Agonizer Ebury Kinsing PITSTOP @@ -1365,6 +1428,7 @@ TURNEDUP ChChes PowerStallion ANDROMEDA +Manjusaka IceApple JPIN metaMain @@ -1375,6 +1439,7 @@ Psylo Heyoka Backdoor HTTPBrowser Mis-Type +LunarWeb XCSSET Disco Dipsind @@ -1415,6 +1480,8 @@ BBK Komplex OSX/Shlayer Denis +INC Ransomware +DEADWOOD GLOOXMAIL Dok Waterbear @@ -1451,6 +1518,8 @@ HermeticWizard None Net RemoteUtilities +Covenant +NPPSPY BloodHound certutil at @@ -1471,6 +1540,7 @@ Arp spwebmember Empire ifconfig +FRP dsquery PcShare RawDisk diff --git a/includes/lookups/mitre_attack_ics_aliases.txt b/includes/lookups/mitre_attack_ics_aliases_v16_0.txt similarity index 98% rename from includes/lookups/mitre_attack_ics_aliases.txt rename to includes/lookups/mitre_attack_ics_aliases_v16_0.txt index 2dd0d5e..614a581 100644 --- a/includes/lookups/mitre_attack_ics_aliases.txt +++ b/includes/lookups/mitre_attack_ics_aliases_v16_0.txt @@ -30,6 +30,7 @@ WCry Triton TRISIS HatMan +Fuxnet Ryuk ACAD/Medre.A REvil diff --git a/includes/lookups/mitre_attack_ics_id.txt b/includes/lookups/mitre_attack_ics_id_v16_0.txt similarity index 99% rename from includes/lookups/mitre_attack_ics_id.txt rename to includes/lookups/mitre_attack_ics_id_v16_0.txt index 482ac83..eec1a3d 100644 --- a/includes/lookups/mitre_attack_ics_id.txt +++ b/includes/lookups/mitre_attack_ics_id_v16_0.txt @@ -156,6 +156,7 @@ S1009 S1010 S1045 S1072 +S1157 T0800 T0801 T0802 
diff --git a/includes/lookups/mitre_attack_ics_name.txt b/includes/lookups/mitre_attack_ics_name_v16_0.txt
similarity index 99%
rename from includes/lookups/mitre_attack_ics_name.txt
rename to includes/lookups/mitre_attack_ics_name_v16_0.txt
index e6a1713..53786cd 100644
--- a/includes/lookups/mitre_attack_ics_name.txt
+++ b/includes/lookups/mitre_attack_ics_name_v16_0.txt
@@ -169,6 +169,7 @@ Duqu
 Industroyer2
 WannaCry
 Triton
+Fuxnet
 Ryuk
 ACAD/Medre.A
 REvil
diff --git a/includes/lookups/mitre_attack_mobile_id.txt b/includes/lookups/mitre_attack_mobile_id_v16_0.txt
similarity index 99%
rename from includes/lookups/mitre_attack_mobile_id.txt
rename to includes/lookups/mitre_attack_mobile_id_v16_0.txt
index 2521ed0..172473b 100644
--- a/includes/lookups/mitre_attack_mobile_id.txt
+++ b/includes/lookups/mitre_attack_mobile_id_v16_0.txt
@@ -64,7 +64,6 @@ S0313
 S0314
 S0315
 S0316
-S0317
 S0318
 S0319
 S0320
diff --git a/includes/lookups/mitre_attack_mobile_name.txt b/includes/lookups/mitre_attack_mobile_name_v16_0.txt
similarity index 99%
rename from includes/lookups/mitre_attack_mobile_name.txt
rename to includes/lookups/mitre_attack_mobile_name_v16_0.txt
index bcd3492..664db23 100644
--- a/includes/lookups/mitre_attack_mobile_name.txt
+++ b/includes/lookups/mitre_attack_mobile_name_v16_0.txt
@@ -253,7 +253,6 @@ Adups
 SimBad
 Android/AdDisplay.Ashas
 Phenakite
-Marcher
 TianySpy
 Sunbird
 DressCode
diff --git a/includes/lookups/mitre_capec_id.txt b/includes/lookups/mitre_capec_id_v3_9.txt
similarity index 100%
rename from includes/lookups/mitre_capec_id.txt
rename to includes/lookups/mitre_capec_id_v3_9.txt
diff --git a/includes/lookups/mitre_capec_name.txt b/includes/lookups/mitre_capec_name_v3_9.txt
similarity index 100%
rename from includes/lookups/mitre_capec_name.txt
rename to includes/lookups/mitre_capec_name_v3_9.txt
diff --git a/includes/lookups/mitre_cwe_id.txt b/includes/lookups/mitre_cwe_id_v4_15.txt
similarity index 100%
rename from includes/lookups/mitre_cwe_id.txt
rename to includes/lookups/mitre_cwe_id_v4_15.txt
diff --git a/includes/lookups/mitre_cwe_name.txt b/includes/lookups/mitre_cwe_name_v4_15.txt
similarity index 100%
rename from includes/lookups/mitre_cwe_name.txt
rename to includes/lookups/mitre_cwe_name_v4_15.txt