зеркало из
https://github.com/ceios/ceios.git
synced 2025-10-30 04:26:04 +02:00
335 строки
14 KiB
JSON
335 строки
14 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--e8d6416b-feb8-4e3b-833c-cb6b79dfd922",
|
|
"objects": [
|
|
{
|
|
"type": "extension-definition",
|
|
"id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
|
|
"spec_version": "2.1",
|
|
"name": "Attack Flow",
|
|
"description": "Extends STIX 2.1 with features to create Attack Flows.",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"created_by_ref": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
|
|
"schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
|
|
"version": "2.0.0",
|
|
"extension_types": [
|
|
"new-sdo"
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "Documentation",
|
|
"description": "Documentation for Attack Flow",
|
|
"url": "https://center-for-threat-informed-defense.github.io/attack-flow"
|
|
},
|
|
{
|
|
"source_name": "GitHub",
|
|
"description": "Source code repository for Attack Flow",
|
|
"url": "https://github.com/center-for-threat-informed-defense/attack-flow"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
|
|
"created_by_ref": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "MITRE Engenuity Center for Threat-Informed Defense",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--fe7860f3-e23f-4d3f-9248-91105467a77a",
|
|
"created_by_ref": "identity--fe7860f3-e23f-4d3f-9248-91105467a77a",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "John Doe",
|
|
"contact_information": "jdoe@mitre.org",
|
|
"identity_class": "individual"
|
|
},
|
|
{
|
|
"type": "attack-flow",
|
|
"spec_version": "2.1",
|
|
"id": "attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f",
|
|
"created_by_ref": "identity--fe7860f3-e23f-4d3f-9248-91105467a77a",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "Example Flow",
|
|
"description": "This Attack Flow example demonstrates some of the key concepts of the Attack Flow specification.",
|
|
"scope": "incident",
|
|
"start_refs": [
|
|
"attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15",
|
|
"attack-action--3ea0de71-67a6-426e-bb2f-86375c620478",
|
|
"attack-action--4f541c4c-b7bb-4b14-befd-ca8e8fe12599"
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "APT X Campaign Report. Fictitious Corp. August 15 2022.",
|
|
"description": "A threat intel report summarizing the public CTI associated with the APT X phishing campaign.",
|
|
"url": "http://blog.example.com/apt-x-campaign-report/"
|
|
},
|
|
{
|
|
"source_name": "APT X Threat Actor Report. Imaginary LLC. Jun 24 2022.",
|
|
"description": "A threat intel report summarizing the public CTI associated with the APT X threat actor profile.",
|
|
"url": "http://blog.example.com/apt-x-threat-actor/"
|
|
}
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-action",
|
|
"spec_version": "2.1",
|
|
"id": "attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"technique_id": "T1583.002",
|
|
"name": "Acquire Infrastructure: Domains",
|
|
"technique_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
|
|
"description": "The attacker obtains a phishing domain similar to the target company.",
|
|
"effect_refs": [
|
|
"attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--962081ff-716c-444c-a5fa-c581fbb500a7",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"relationship_type": "related-to",
|
|
"target_ref": "attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15",
|
|
"source_ref": "infrastructure--0048e01d-260f-4af2-8ebc-90377f520830"
|
|
},
|
|
{
|
|
"type": "infrastructure",
|
|
"spec_version": "2.1",
|
|
"id": "infrastructure--0048e01d-260f-4af2-8ebc-90377f520830",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "Phishing infra: blog.examp1e.com",
|
|
"description": "The phishing domain uses a homoglyphic variant of example.com.",
|
|
"infrastructure_types": [
|
|
"phishing"
|
|
]
|
|
},
|
|
{
|
|
"type": "attack-condition",
|
|
"spec_version": "2.1",
|
|
"id": "attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"description": "Adversary possesses a phishing domain.",
|
|
"on_true_refs": [
|
|
"attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-action",
|
|
"spec_version": "2.1",
|
|
"id": "attack-action--3ea0de71-67a6-426e-bb2f-86375c620478",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"technique_id": "T1583.003",
|
|
"name": "Acquire Infrastructure: Virtual Private Server",
|
|
"technique_ref": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795",
|
|
"description": "The attacker obtains a VPC for hosting phishing sites.",
|
|
"effect_refs": [
|
|
"attack-condition--a9416f58-3fd1-4743-bd4c-6272dfd8c4e2"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--a41c5033-da75-44cd-9bcb-632a7a165d11",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"relationship_type": "related-to",
|
|
"target_ref": "attack-action--3ea0de71-67a6-426e-bb2f-86375c620478",
|
|
"source_ref": "infrastructure--0048e01d-260f-4af2-8ebc-90377f520830"
|
|
},
|
|
{
|
|
"type": "attack-condition",
|
|
"spec_version": "2.1",
|
|
"id": "attack-condition--a9416f58-3fd1-4743-bd4c-6272dfd8c4e2",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"description": "Adversary possesses phishing server.",
|
|
"on_true_refs": [
|
|
"attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-action",
|
|
"spec_version": "2.1",
|
|
"id": "attack-action--4f541c4c-b7bb-4b14-befd-ca8e8fe12599",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"technique_id": "T1589.002",
|
|
"name": "Gather Victim Identity Information: Email",
|
|
"technique_ref": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262",
|
|
"description": "The attacker scrapes email addresses from the corporate web site.",
|
|
"effect_refs": [
|
|
"attack-condition--3ace48ed-24fd-4d24-a399-62202ae6356b"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-condition",
|
|
"spec_version": "2.1",
|
|
"id": "attack-condition--3ace48ed-24fd-4d24-a399-62202ae6356b",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"description": "Adversary possesses list of emails.",
|
|
"on_true_refs": [
|
|
"attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-operator",
|
|
"spec_version": "2.1",
|
|
"id": "attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"operator": "AND",
|
|
"effect_refs": [
|
|
"attack-action--d68e5201-796c-469c-b012-290b7040db02"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-action",
|
|
"spec_version": "2.1",
|
|
"id": "attack-action--d68e5201-796c-469c-b012-290b7040db02",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"technique_id": "1598.003",
|
|
"name": "Phishing: Spearphishing Link",
|
|
"technique_ref": "attack-pattern--20138b9d-1aac-4a26-8654-a36b6bbf2bba",
|
|
"description": "The email says that the users's Outlook credentials have been compromised and contain a fake link to reset the credentials.",
|
|
"asset_refs": [
|
|
"attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20"
|
|
],
|
|
"effect_refs": [
|
|
"attack-condition--2277d494-031e-4d79-b557-f31e4451a305"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-asset",
|
|
"spec_version": "2.1",
|
|
"id": "attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "Employee WordPress Account",
|
|
"description": "The employee's credentials for accessing the WordPress blog.",
|
|
"object_ref": "user-account--ce035bd0-8e58-4d18-aefb-f1fbb031d782",
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "user-account",
|
|
"spec_version": "2.1",
|
|
"id": "user-account--ce035bd0-8e58-4d18-aefb-f1fbb031d782",
|
|
"account_login": "jdoe@example.com",
|
|
"account_type": "wordpress"
|
|
},
|
|
{
|
|
"type": "attack-condition",
|
|
"spec_version": "2.1",
|
|
"id": "attack-condition--2277d494-031e-4d79-b557-f31e4451a305",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"description": "Adversary acquires an employee's password in plaintext.",
|
|
"on_true_refs": [
|
|
"attack-action--1c0078ec-0731-4bf4-b1e5-6e3289c9c4eb"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-action",
|
|
"spec_version": "2.1",
|
|
"id": "attack-action--1c0078ec-0731-4bf4-b1e5-6e3289c9c4eb",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"technique_id": "T1190",
|
|
"name": "Exploit Public-Facing Application",
|
|
"technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
|
|
"description": "Adversary logs into corporate WordPress blog with employee credentials.",
|
|
"asset_refs": [
|
|
"attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20",
|
|
"attack-asset--5638cc2e-39b9-4a83-8edc-b6875d2cd30b"
|
|
],
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "attack-asset",
|
|
"spec_version": "2.1",
|
|
"id": "attack-asset--5638cc2e-39b9-4a83-8edc-b6875d2cd30b",
|
|
"created": "2022-08-02T19:34:35.143Z",
|
|
"modified": "2022-08-02T19:34:35.143Z",
|
|
"name": "Corporate Blog on WordPress",
|
|
"description": "The corporate blog is hosted on a WordPress site.",
|
|
"extensions": {
|
|
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
|
|
"extension_type": "new-sdo"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|