• Stars
    star
    439
  • Rank 99,247 (Top 2 %)
  • Language
    Python
  • License
    Other
  • Created over 8 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Clusters and elements to attach to MISP events or attributes (like threat actors)

misp-galaxy

Python application

Screenshot - MISP galaxy integeration in MISP threat intelligence platform

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy but those can be overwritten, replaced, updated, forked and shared as you wish.

Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.

Galaxies can be also used to expressed existing matrix-like standards such as MITRE ATT&CK(tm) or custom ones.

The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).

Available Galaxy - clusters

360.net Threat Actors

360.net Threat Actors - Known or estimated adversary groups as identified by 360.net.

Category: actor - source: https://apt.360.net/aptlist - total: 42 elements

[HTML] - [JSON]

Android

Android - Android malware galaxy based on multiple open sources.

Category: tool - source: Open Sources - total: 433 elements

[HTML] - [JSON]

Azure Threat Research Matrix

Azure Threat Research Matrix - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Category: atrm - source: https://github.com/microsoft/Azure-Threat-Research-Matrix - total: 89 elements

[HTML] - [JSON]

attck4fraud

attck4fraud - attck4fraud - Principles of MITRE ATT&CK in the fraud domain

Category: guidelines - source: Open Sources - total: 71 elements

[HTML] - [JSON]

Backdoor

Backdoor - A list of backdoor malware.

Category: tool - source: Open Sources - total: 16 elements

[HTML] - [JSON]

Banker

Banker - A list of banker malware.

Category: tool - source: Open Sources - total: 53 elements

[HTML] - [JSON]

Bhadra Framework

Bhadra Framework - Bhadra Threat Modeling Framework

Category: mobile - source: https://arxiv.org/pdf/2005.05110.pdf - total: 47 elements

[HTML] - [JSON]

Botnet

Botnet - botnet galaxy

Category: tool - source: MISP Project - total: 76 elements

[HTML] - [JSON]

Branded Vulnerability

Branded Vulnerability - List of known vulnerabilities and attacks with a branding

Category: vulnerability - source: Open Sources - total: 14 elements

[HTML] - [JSON]

Cert EU GovSector

Cert EU GovSector - Cert EU GovSector

Category: sector - source: CERT-EU - total: 6 elements

[HTML] - [JSON]

China Defence Universities Tracker

China Defence Universities Tracker - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

Category: academic-institution - source: ASPI International Cyber Policy Centre - total: 159 elements

[HTML] - [JSON]

CONCORDIA Mobile Modelling Framework - Attack Pattern

CONCORDIA Mobile Modelling Framework - Attack Pattern - A list of Techniques in CONCORDIA Mobile Modelling Framework.

Category: cmtmf-attack-pattern - source: https://5g4iot.vlab.cs.hioa.no/ - total: 93 elements

[HTML] - [JSON]

Country

Country - Country meta information based on the database provided by geonames.org.

Category: country - source: MISP Project - total: 252 elements

[HTML] - [JSON]

Cryptominers

Cryptominers - A list of cryptominer and cryptojacker malware.

Category: Cryptominers - source: Open Source Intelligence - total: 5 elements

[HTML] - [JSON]

Election guidelines

Election guidelines - Universal Development and Security Guidelines as Applicable to Election Technology.

Category: guidelines - source: Open Sources - total: 23 elements

[HTML] - [JSON]

Exploit-Kit

Exploit-Kit - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years

Category: tool - source: MISP Project - total: 52 elements

[HTML] - [JSON]

FIRST DNS Abuse Techniques Matrix

FIRST DNS Abuse Techniques Matrix - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

Category: first-dns - source: https://www.first.org/global/sigs/dns/ - total: 21 elements

[HTML] - [JSON]

Malpedia

Malpedia - Malware galaxy cluster based on Malpedia.

Category: tool - source: Malpedia - total: 2823 elements

[HTML] - [JSON]

Microsoft Activity Group actor

Microsoft Activity Group actor - Activity groups as described by Microsoft

Category: actor - source: MISP Project - total: 79 elements

[HTML] - [JSON]

Misinformation Pattern

Misinformation Pattern - AM!TT Technique

Category: misinformation-pattern - source: https://github.com/misinfosecproject/amitt_framework - total: 61 elements

[HTML] - [JSON]

Attack Pattern

Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 1099 elements

[HTML] - [JSON]

Course of Action

Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 279 elements

[HTML] - [JSON]

Enterprise Attack - Attack Pattern

Enterprise Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 219 elements

[HTML] - [JSON]

Enterprise Attack - Course of Action

Enterprise Attack - Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 215 elements

[HTML] - [JSON]

Enterprise Attack - Intrusion Set

Enterprise Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 69 elements

[HTML] - [JSON]

Enterprise Attack - Malware

Enterprise Attack - Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 188 elements

[HTML] - [JSON]

Enterprise Attack - Tool

Enterprise Attack - Tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 45 elements

[HTML] - [JSON]

Assets

Assets - A list of asset categories that are commonly found in industrial control systems.

Category: asset - source: https://collaborate.mitre.org/attackics/index.php/All_Assets - total: 7 elements

[HTML] - [JSON]

Groups

Groups - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.

Category: actor - source: https://collaborate.mitre.org/attackics/index.php/Groups - total: 10 elements

[HTML] - [JSON]

Levels

Levels - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.

Category: level - source: https://collaborate.mitre.org/attackics/index.php/All_Levels - total: 3 elements

[HTML] - [JSON]

Software

Software - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.

Category: tool - source: https://collaborate.mitre.org/attackics/index.php/Software - total: 17 elements

[HTML] - [JSON]

Tactics

Tactics - A list of all 11 tactics in ATT&CK for ICS

Category: tactic - source: https://collaborate.mitre.org/attackics/index.php/All_Tactics - total: 9 elements

[HTML] - [JSON]

Techniques

Techniques - A list of Techniques in ATT&CK for ICS.

Category: attack-pattern - source: https://collaborate.mitre.org/attackics/index.php/All_Techniques - total: 78 elements

[HTML] - [JSON]

Intrusion Set

Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 151 elements

[HTML] - [JSON]

Malware

Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 653 elements

[HTML] - [JSON]

Mobile Attack - Attack Pattern

Mobile Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 76 elements

[HTML] - [JSON]

Mobile Attack - Course of Action

Mobile Attack - Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 14 elements

[HTML] - [JSON]

Mobile Attack - Intrusion Set

Mobile Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 1 elements

[HTML] - [JSON]

Mobile Attack - Malware

Mobile Attack - Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 35 elements

[HTML] - [JSON]

Mobile Attack - Tool

Mobile Attack - Tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 1 elements

[HTML] - [JSON]

Pre Attack - Attack Pattern

Pre Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 174 elements

[HTML] - [JSON]

Pre Attack - Intrusion Set

Pre Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 7 elements

[HTML] - [JSON]

Tool

Tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 84 elements

[HTML] - [JSON]

o365-exchange-techniques

o365-exchange-techniques - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos

Category: guidelines - source: Open Sources, https://www.inversecos.com/2021/09/office365-attacks-bypassing-mfa.html - total: 62 elements

[HTML] - [JSON]

online-service

online-service - Known public online services.

Category: tool - source: Open Sources - total: 1 elements

[HTML] - [JSON]

Preventive Measure

Preventive Measure - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.

Category: measure - source: MISP Project - total: 20 elements

[HTML] - [JSON]

Ransomware

Ransomware - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar

Category: tool - source: Various - total: 1705 elements

[HTML] - [JSON]

RAT

RAT - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.

Category: tool - source: MISP Project - total: 265 elements

[HTML] - [JSON]

Regions UN M49

Regions UN M49 - Regions based on UN M49.

Category: location - source: https://unstats.un.org/unsd/methodology/m49/overview/ - total: 32 elements

[HTML] - [JSON]

rsit

rsit - rsit

Category: rsit - source: https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force - total: 39 elements

[HTML] - [JSON]

Sector

Sector - Activity sectors

Category: sector - source: CERT-EU - total: 117 elements

[HTML] - [JSON]

Sigma-Rules

Sigma-Rules - MISP galaxy cluster based on Sigma Rules.

Category: rules - source: https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma - total: 2568 elements

[HTML] - [JSON]

Dark Patterns

Dark Patterns - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.

Category: dark-patterns - source: CIRCL - total: 19 elements

[HTML] - [JSON]

SoD Matrix

SoD Matrix - SOD Matrix

Category: sod-matrix - source: https://github.com/cudeso/SoD-Matrix - total: 276 elements

[HTML] - [JSON]

Stealer

Stealer - A list of malware stealer.

Category: tool - source: Open Sources - total: 13 elements

[HTML] - [JSON]

Surveillance Vendor

Surveillance Vendor - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.

Category: actor - source: MISP Project - total: 15 elements

[HTML] - [JSON]

Target Information

Target Information - Description of targets of threat actors.

Category: target - source: Various - total: 240 elements

[HTML] - [JSON]

TDS

TDS - TDS is a list of Traffic Direction System used by adversaries

Category: tool - source: MISP Project - total: 11 elements

[HTML] - [JSON]

Tea Matrix

Tea Matrix - Tea Matrix

Category: tea-matrix - source: ** - total: 7 elements

[HTML] - [JSON]

Threat Actor

Threat Actor - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Category: actor - source: MISP Project - total: 420 elements

[HTML] - [JSON]

Tool

Tool - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.

Category: tool - source: MISP Project - total: 557 elements

[HTML] - [JSON]

UAVs/UCAVs

UAVs/UCAVs - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles

Category: military equipment - source: Popular Mechanics - total: 36 elements

[HTML] - [JSON]

Online documentation

A readable PDF overview of the MISP galaxy is available or HTML and generated from the JSON.

How to contribute?

License

The MISP galaxy (JSON files) are dual-licensed under:

or

 Copyright (c) 2015-2023 Alexandre Dulaunoy - [email protected]
 Copyright (c) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2015-2023 Andras Iklody
 Copyright (c) 2015-2023 Raphael Vinot
 Copyright (c) 2015-2023 Deborah Servili
 Copyright (c) 2016-2023 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.

More Repositories

1

MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform
PHP
4,717
star
2

misp-warninglists

Warning lists to inform users of MISP about potential false-positives or other information in indicators
Python
412
star
3

PyMISP

Python library using the MISP Rest API
Python
381
star
4

misp-modules

Modules for expansion services, enrichment, import and export in MISP and other tools.
Python
344
star
5

misp-training

MISP trainings, threat intel and information sharing training materials with source code
TeX
316
star
6

x_old_misp_docker

MISP Docker (XME edition)
Shell
283
star
7

misp-book

User guide of MISP
Shell
253
star
8

misp-taxonomies

Taxonomies used in MISP taxonomy system and can be used by other information sharing tool.
Python
237
star
9

misp-dashboard

A live dashboard for a real-time overview of threat intelligence from MISP instances
JavaScript
184
star
10

MISP-maltego

Set of Maltego transforms to inferface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.
Python
156
star
11

misp-docker

A production ready Dockered MISP
Shell
156
star
12

docker-misp

Automated Docker MISP container - Malware Information Sharing Platform and Threat Sharing
Dockerfile
100
star
13

misp-objects

Definition, description and relationship types of MISP objects
Python
83
star
14

MISP-Taxii-Server

An OpenTAXII Configuration for MISP
Python
79
star
15

mail_to_misp

Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails.
Python
67
star
16

MISP-STIX-Converter

A utility repo to assist with converting between MISP and STIX formats
Python
64
star
17

misp-cloud

misp-cloud - Cloud-ready images of MISP
Shell
64
star
18

misp-stix

MISP-STIX-Converter - Python library to handle the conversion between MISP and STIX formats
Python
49
star
19

best-practices-in-threat-intelligence

Best practices in threat intelligence
HTML
44
star
20

misp-playbooks

MISP Playbooks
Jupyter Notebook
41
star
21

misp-rfc

Specifications used in the MISP project including MISP core format
HTML
41
star
22

misp-vagrant

Deploy MISP Project software with Vagrant.
Shell
41
star
23

threat-actor-intelligence-server

A simple ReST server to lookup threat actors (by name, synonym or UUID) and returning the corresponding MISP galaxy information about the known threat actors.
Python
37
star
24

intelligence-icons

intelligence-icons is a collection of icons and diagrams for building training and marketing materials around Intelligence sharing; including but not limited to CTI, MISP Threat Sharing, STIX 2.
JavaScript
35
star
25

misp-compliance

Legal, procedural and policies document templates for operating MISP and information sharing communities
33
star
26

misp-packer

Build Automated Machine Images for MISP
Shell
29
star
27

MISPego

Maltego Transform to put entities into MISP events
Python
26
star
28

misp-training-lea

Practical Information Sharing between Law Enforcement and CSIRT communities using MISP
TeX
26
star
29

PyTaxonomies

Python module to use the MISP Taxonomies
Python
26
star
30

misp-workbench

MISP Workbench
Python
26
star
31

PyMISPWarningLists

Pythonic way to work with the warning lists defined there: https://github.com/MISP/misp-warninglists
Python
26
star
32

misp-wireshark

Lua plugin to extract data from Wireshark and convert it into MISP format
Lua
23
star
33

ansible

MISP - Ansible installation script
PHP
22
star
34

misp-website

MISP website (hugo-based)
HTML
21
star
35

misp-takedown

A curses-style interface for automatic takedown notification based on MISP events.
Python
20
star
36

misp-graph

A tool to convert MISP XML files (events and attributes) into graphs
Python
20
star
37

PyMISPGalaxies

Pythonic way to work with the galaxies defined there: https://github.com/MISP/misp-galaxy
Python
17
star
38

misp-grafana

A real-time Grafana dashboard using MISP ZeroMQ message queue and InfluxDB
Python
13
star
39

misp-privacy-aware-exchange

A privacy-aware exchange module to securely and privately share your indicators
Python
13
star
40

misp-sighting-server

MISP sighting server is a fast sighting server to store and look-up sightings on attributes (network indicators, file hashes, system indicators) in a space efficient way.
Python
13
star
41

data-processing

Scripts to process big chunks of data from MISP and do in depth correlations on samples.
Python
12
star
42

yara-misp

Export MISP attributes in Yara
Python
12
star
43

misp-workflow-blueprints

Library of blueprints usable in MISP Workflows
Shell
11
star
44

MISP-sizer

Sizing your MISP instance
JavaScript
11
star
45

cexf

Common Exercise Format - CEXF
Python
10
star
46

misp-guard

misp-guard is a mitmproxy addon that inspects and blocks outgoing events to external MISP instances via sync mechanisms (pull/push) based on a set of customizable block rules.
Python
10
star
47

misp-bump

Simple and secure synchronisation of MISP instances with mobile phones
Java
9
star
48

evtx-toolkit

Tool to read EVTX files including SYSMON and convert to JSON, MISP Objects and Graph stream
Python
9
star
49

misp-decaying-models

MISP decaying models
Shell
9
star
50

threat-intelligence-browser

A browser for the threat intelligence knowledge base of the MISP project galaxies
JavaScript
9
star
51

MISP-presentations

8
star
52

misp-noticelist

Notice lists to inform users of MISP about legal or technical implication for some attributes, categories and objects
8
star
53

dockerized_training_environment

A training environment, with docker.
Python
8
star
54

misp-opendata

Tool to submit / delete data from MISP to opendata portal
Python
8
star
55

MISP-RPM

RPM packages for MISP
Makefile
8
star
56

misp-standard.org

misp-standard.org website
HTML
7
star
57

PyIntel471

Python API for PyIntel471
Python
7
star
58

misp-bloomfilter

A tool to create bloom filters from MISP records to share IOCs with others without breaking confidentiality.
Python
6
star
59

matrix-misp-bot

Very basic MISP bot for matrix.
Python
6
star
60

misp-expansion

MISP expansion - a browser extension (Firefox and Chrome) to lookup on MISP
JavaScript
5
star
61

misp-darwin

MISP darwin is a model and tools to automatically translate in natural language technical or structured information from MISP
Python
5
star
62

mail_to_misp_test

Test emails for mail to misp
4
star
63

LuaMISP

Lua Library to create and manipulate MISP entities
Lua
3
star
64

pdf_fonts

PDF Fonts used by PyMISP PDFtools export to support internalization
3
star
65

misp-usage-statistics

MISP usage statistics using bokeh (as a static webpage)
Python
3
star
66

misp-sighting-tools

Tools to support sighting from various sources (e.g. network pcap) to sight attributes in MISP instances
Python
3
star
67

misp-monitoring

Tools and documentation related to MISP instance monitoring in production/corporate environments
Shell
3
star
68

pypraware

Python Privacy Aware (pypraware) module containing script for misp-privacy-aware-exchange
Python
3
star
69

misp-stix-tests

STIX files for testing misp-stix and various libraries
2
star
70

misp_dockerized_testing

Test MISP instances using a dockerized infrastructure
Python
2
star
71

widget-collection

PHP
1
star
72

cakephp

CakePHP (v2.x branch + updates)
PHP
1
star
73

PyMISPObjectTemplates

Python API to create and update MISP Object templates
Python
1
star