-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathdefining-campaigns-threat-actors.xml
executable file
·154 lines (154 loc) · 9.09 KB
/
defining-campaigns-threat-actors.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
<stix:STIX_Package
xmlns:campaign="http://stix.mitre.org/Campaign-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:stix-ciqidentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:example="http://example.com"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
id="example:STIXPackage-81810123-b298-40f6-a4e7-186efcd07670" version="1.2">
<stix:TTPs>
<stix:TTP id="example:ttp-19da6e1c-71ab-4c2f-886d-d620d09d3b5a" timestamp="2017-01-30T21:15:04.127000+00:00" xsi:type='ttp:TTPType'>
<ttp:Behavior>
<ttp:Attack_Patterns>
<ttp:Attack_Pattern capec_id="CAPEC-148">
<ttp:Title>Content Spoofing</ttp:Title>
</ttp:Attack_Pattern>
</ttp:Attack_Patterns>
</ttp:Behavior>
<ttp:Victim_Targeting>
<ttp:Identity id="example:identity-ddfe7140-2ba4-48e4-b19a-df069432103b" xsi:type="stix-ciqidentity:CIQIdentity3.0InstanceType">
<stixCommon:Name>Branistan Peoples Party</stixCommon:Name>
<stix-ciqidentity:Specification xmlns:stix-ciqidentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
<xpil:FreeTextLines xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:FreeTextLine>identity_class: organisation</xpil:FreeTextLine>
</xpil:FreeTextLines>
</stix-ciqidentity:Specification>
</ttp:Identity>
</ttp:Victim_Targeting>
<ttp:Information_Source>
<stixCommon:References>
<stixCommon:Reference>https://capec.mitre.org/data/definitions/148.html</stixCommon:Reference>
</stixCommon:References>
</ttp:Information_Source>
</stix:TTP>
<stix:TTP id="example:ttp-f6050ea6-a9a3-4524-93ed-c27858d6cb3c" timestamp="2017-01-30T21:15:04.127000+00:00" xsi:type='ttp:TTPType'>
<ttp:Behavior>
<ttp:Attack_Patterns>
<ttp:Attack_Pattern capec_id="CAPEC-488">
<ttp:Title>HTTP Flood</ttp:Title>
</ttp:Attack_Pattern>
</ttp:Attack_Patterns>
</ttp:Behavior>
<ttp:Exploit_Targets>
<ttp:Exploit_Target>
<stixCommon:Exploit_Target idref="example:et-45920fe2-fca7-4209-b1f6-9abb40432d13" xsi:type='et:ExploitTargetType'/>
</ttp:Exploit_Target>
</ttp:Exploit_Targets>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_name="LM Cyber Kill Chain" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
</stix:TTPs>
<stix:Exploit_Targets>
<stixCommon:Exploit_Target id="example:et-45920fe2-fca7-4209-b1f6-9abb40432d13" timestamp="2017-01-27T13:49:41.345000+00:00" xsi:type='et:ExploitTargetType'>
<et:Vulnerability>
<et:Title>Cisco Unified Communications Manager causes file-descriptor exhaustion</et:Title>
<et:CVE_ID>CVE-2009-2054</et:CVE_ID>
<et:References>
<stixCommon:Reference>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2009-2054</stixCommon:Reference>
</et:References>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
<stix:Campaigns>
<stix:Campaign id="example:campaign-e5268b6e-4931-42f1-b379-87f48eb41b1e" timestamp="2016-08-08T15:50:10.983000+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>Operation Bran Flakes</campaign:Title>
<campaign:Description ordinality="1">A concerted effort to insert false information into the BPP's web pages</campaign:Description>
<campaign:Description ordinality="2">first_seen: 2016-01-08 12:50:40.123000+00:00</campaign:Description>
<campaign:Names>
<campaign:Name>OBF</campaign:Name>
</campaign:Names>
<campaign:Intended_Effect timestamp="2018-05-09T00:05:17.374248+00:00">
<stixCommon:Description>Hack www.bpp.bn</stixCommon:Description>
</campaign:Intended_Effect>
<campaign:Related_TTPs>
<campaign:Related_TTP>
<stixCommon:TTP idref="example:ttp-19da6e1c-71ab-4c2f-886d-d620d09d3b5a" xsi:type='ttp:TTPType'/>
</campaign:Related_TTP>
</campaign:Related_TTPs>
</stix:Campaign>
<stix:Campaign id="example:campaign-1d8897a7-fdc2-4e59-afc9-becbe04df727" timestamp="2016-08-08T15:50:10.983000+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>Operation Raisin Bran</campaign:Title>
<campaign:Description ordinality="1">A DDOS campaign to flood BPP web servers</campaign:Description>
<campaign:Description ordinality="2">first_seen: 2016-02-07 19:45:32.126000+00:00</campaign:Description>
<campaign:Names>
<campaign:Name>ORB</campaign:Name>
</campaign:Names>
<campaign:Intended_Effect timestamp="2018-05-09T00:05:17.375704+00:00">
<stixCommon:Description>Flood www.bpp.bn</stixCommon:Description>
</campaign:Intended_Effect>
<campaign:Related_TTPs>
<campaign:Related_TTP>
<stixCommon:TTP idref="example:ttp-f6050ea6-a9a3-4524-93ed-c27858d6cb3c" xsi:type='ttp:TTPType'/>
</campaign:Related_TTP>
</campaign:Related_TTPs>
</stix:Campaign>
</stix:Campaigns>
<stix:Threat_Actors>
<stix:Threat_Actor id="example:threat-actor-56f3f0db-b5d5-431c-ae56-c18f02caf500" timestamp="2016-08-08T15:50:10.983000+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>Fake BPP (Branistan Peoples Party)</ta:Title>
<ta:Description ordinality="1">resource_level: government</ta:Description>
<ta:Description ordinality="2">roles: director</ta:Description>
<ta:Identity id="example:identity-8c6af861-7b20-41ef-9b59-6344fd872a8f" xsi:type="stix-ciqidentity:CIQIdentity3.0InstanceType">
<stixCommon:Name>Franistan Intelligence</stixCommon:Name>
<stix-ciqidentity:Specification xmlns:stix-ciqidentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
<xpil:FreeTextLines xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:FreeTextLine>identity_class: organisation</xpil:FreeTextLine>
</xpil:FreeTextLines>
</stix-ciqidentity:Specification>
</ta:Identity>
<ta:Type timestamp="2018-05-09T00:05:17.372836+00:00">
<stixCommon:Value>State Actor / Agency</stixCommon:Value>
</ta:Type>
<ta:Motivation timestamp="2018-05-09T00:05:17.373111+00:00">
<stixCommon:Value>Ideological</stixCommon:Value>
</ta:Motivation>
<ta:Sophistication timestamp="2018-05-09T00:05:17.373043+00:00">
<stixCommon:Value>strategic</stixCommon:Value>
</ta:Sophistication>
<ta:Intended_Effect timestamp="2018-05-09T00:05:17.372983+00:00">
<stixCommon:Value>Influence the election in Branistan</stixCommon:Value>
</ta:Intended_Effect>
<ta:Observed_TTPs>
<ta:Observed_TTP>
<stixCommon:TTP id="example:ttp-962077a4-b4e6-4059-9c04-c89216a3776b" timestamp="2018-05-09T00:05:17.380081+00:00" xsi:type='ttp:TTPType'>
<ttp:Victim_Targeting>
<ttp:Identity idref="example:identity-ddfe7140-2ba4-48e4-b19a-df069432103b"/>
</ttp:Victim_Targeting>
</stixCommon:TTP>
</ta:Observed_TTP>
<ta:Observed_TTP>
<stixCommon:TTP idref="example:ttp-19da6e1c-71ab-4c2f-886d-d620d09d3b5a" xsi:type='ttp:TTPType'/>
</ta:Observed_TTP>
<ta:Observed_TTP>
<stixCommon:TTP idref="example:ttp-f6050ea6-a9a3-4524-93ed-c27858d6cb3c" xsi:type='ttp:TTPType'/>
</ta:Observed_TTP>
</ta:Observed_TTPs>
<ta:Associated_Campaigns>
<ta:Associated_Campaign>
<stixCommon:Campaign idref="example:campaign-e5268b6e-4931-42f1-b379-87f48eb41b1e" xsi:type='campaign:CampaignType'/>
</ta:Associated_Campaign>
<ta:Associated_Campaign>
<stixCommon:Campaign idref="example:campaign-1d8897a7-fdc2-4e59-afc9-becbe04df727" xsi:type='campaign:CampaignType'/>
</ta:Associated_Campaign>
</ta:Associated_Campaigns>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:STIX_Package>