MISP Threat Sharing Taxonomies
machine tags
Table of Contents
Introduction, p. 1
MISP taxonomies, p. 3
CERT-XLM, p. 3
DML, p. 9
PAP, p. 15
access-method, p. 16
accessnow, p. 18
action-taken, p. 23
admiralty-scale, p. 24
adversary, p. 26
ais-marking, p. 28
analyst-assessment, p. 29
approved-category-of-action, p. 34
binary-class, p. 36
cccs, p. 37
circl, p. 54
collaborative-intelligence, p. 56
common-taxonomy, p. 57
copine-scale, p. 62
cryptocurrency-threat, p. 64
csirt-americas, p. 65
csirt_case_classification, p. 68
cssa, p. 70
cyber-threat-framework, p. 71
dark-web, p. 74
data-classification, p. 82
dcso-sharing, p. 84
ddos, p. 85
de-vs, p. 85
dhs-ciip-sectors, p. 86
diamond-model, p. 88
dni-ism, p. 89
domain-abuse, p. 96
drugs, p. 98
economical-impact, p. 125
ecsirt, p. 127
enisa, p. 133
estimative-language, p. 156
eu-marketop-and-publicadmin, p. 158
eu-nis-sector-and-subsectors, p. 160
euci, p. 163
europol-event, p. 164
europol-incident, p. 174
event-assessment, p. 177
event-classification, p. 178
exercise, p. 179
false-positive, p. 182
file-type, p. 183
flesch-reading-ease, p. 194
fpf, p. 195
fr-classif, p. 197
gdpr, p. 199
gsma-attack-category, p. 200
gsma-fraud, p. 201
gsma-network-technology, p. 206
honeypot-basic, p. 207
iep, p. 210
ifx-vetting, p. 214
incident-disposition, p. 224
infoleak, p. 226
information-security-data-source, p. 234
information-security-indicators, p. 239
interception-method, p. 257
kill-chain, p. 259
lifetime, p. 261
maec-delivery-vectors, p. 262
maec-malware-behavior, p. 263
maec-malware-capabilities, p. 278
maec-malware-obfuscation-methods, p. 285
malware_classification, p. 286
misp, p. 289
monarc-threat, p. 293
ms-caro-malware, p. 297
ms-caro-malware-full, p. 307
nato, p. 369
nis, p. 370
open_threat, p. 374
osint, p. 382
passivetotal, p. 385
pentest, p. 386
priority-level, p. 392
ransomware, p. 394
retention, p. 400
rsit, p. 402
rt_event_status, p. 408
runtime-packer, p. 409
scrippsco2-fgc, p. 411
scrippsco2-fgi, p. 414
scrippsco2-sampling-stations, p. 416
smart-airports-threats, p. 418
stealth_malware, p. 425
stix-ttp, p. 426
targeted-threat-index, p. 428
threats-to-dns, p. 430
tlp, p. 433
tor, p. 435
type, p. 436
use-case-applicability, p. 438
veris, p. 441
vocabulaire-des-probabilites-estimatives, p. 611
workflow, p. 612
Introduction
The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.
This document lists the taxonomies that can be used in MISP (2.4) and other information sharing tools, expressed as machine tags (triple tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and a value (OPTIONAL), written as namespace:predicate="value"; machine tags are often called triple tags because of this three-part format. The following document is generated from the machine-readable JSON describing the MISP taxonomies.
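As an added example (not code from this page or from the MISP project), the following Python parser and validator handles machine tags in the namespace:predicate="value" form just described. The lookup table of CERT-XLM predicates and values is constructed from the entries listed on this page; the function names, the regular expression and the sample tags are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed lookup table for this example: the CERT-XLM predicates and
# values as listed on this page. The real taxonomy ships with MISP as JSON.
# An empty set means the predicate is used without a value (e.g. "test").
CERT_XLM: Dict[str, Set[str]] = {
    "abusive-content": {"spam", "harmful-speech", "violence"},
    "malicious-code": {"virus", "worm", "ransomware", "trojan-malware",
                       "spyware-rat", "dialer", "rootkit"},
    "information-gathering": {"scanner", "sniffing", "social-engineering"},
    "intrusion-attempts": {"exploit-known-vuln", "login-attempts",
                           "new-attack-signature"},
    "intrusion": {"privileged-account-compromise",
                  "unprivileged-account-compromise", "botnet-member",
                  "domain-compromise", "application-compromise"},
    "availability": {"dos", "ddos", "sabotage", "outage"},
    "information-content-security": {"Unauthorised-information-access",
                                     "Unauthorised-information-modification"},
    "fraud": {"copyright", "masquerade", "phishing"},
    "vulnerable": {"vulnerable-service"},
    "conformity": {"regulator", "standard", "security-policy",
                   "other-conformity"},
    "other": {"other"},
    "test": set(),
}
TAXONOMIES: Dict[str, Dict[str, Set[str]]] = {"CERT-XLM": CERT_XLM}

# namespace:predicate, optionally followed by ="value" (quoted) or =value.
TAG_RE = re.compile(
    r'^(?P<ns>[^:="\s]+):(?P<pred>[^:="\s]+)'
    r'(?:=(?:"(?P<qval>[^"]*)"|(?P<val>[^"\s]+)))?$'
)


@dataclass(frozen=True)
class MachineTag:
    namespace: str
    predicate: str
    value: Optional[str] = None

    def __str__(self) -> str:
        # Canonical form always quotes the value, as the entries on this page do.
        if self.value is None:
            return f"{self.namespace}:{self.predicate}"
        return f'{self.namespace}:{self.predicate}="{self.value}"'


def parse_tag(text: str) -> MachineTag:
    """Split a machine tag into its triple; raise ValueError if malformed."""
    m = TAG_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a machine tag: {text!r}")
    value = m.group("qval") if m.group("qval") is not None else m.group("val")
    return MachineTag(m.group("ns"), m.group("pred"), value)


def validate_tag(tag: MachineTag, taxonomies=TAXONOMIES) -> List[str]:
    """Return the problems found; an empty list means the tag is valid."""
    predicates = taxonomies.get(tag.namespace)
    if predicates is None:
        return [f"unknown namespace {tag.namespace!r}"]
    values = predicates.get(tag.predicate)
    if values is None:
        return [f"unknown predicate {tag.predicate!r} in {tag.namespace}"]
    if values and tag.value is None:
        return [f"predicate {tag.predicate!r} requires a value"]
    if not values and tag.value is not None:
        return [f"predicate {tag.predicate!r} takes no value"]
    if values and tag.value not in values:
        return [f"unknown value {tag.value!r} for {tag.namespace}:{tag.predicate}"]
    return []


def check_tags(texts) -> Dict[str, List[str]]:
    """Parse and validate a batch of tag strings; map each to its problems."""
    report: Dict[str, List[str]] = {}
    for text in texts:
        try:
            report[text] = validate_tag(parse_tag(text))
        except ValueError as exc:
            report[text] = [str(exc)]
    return report


if __name__ == "__main__":
    # Constructed sample: tags as they might appear on a MISP event.
    sample = ['CERT-XLM:malicious-code="ransomware"', "CERT-XLM:test",
              "CERT-XLM:malicious-code", 'CERT-XLM:fraud="vishing"',
              "tlp:amber", "not a tag"]
    for text, problems in check_tags(sample).items():
        print(f"{text:45} {'OK' if not problems else '; '.join(problems)}")
```

Only the namespaces loaded into TAXONOMIES are validated, so a tag from a taxonomy not in the table (such as tlp:amber in the sample) is reported as an unknown namespace rather than silently accepted; in practice the table would be built from the taxonomy JSON files the page describes.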
Funding and Support
The MISP project is supported, financially and with resources, by CIRCL Computer Incident Response Center Luxembourg.
A CEF (Connecting Europe Facility) grant under CEF-TC-2016-3 - Cyber Security has been awarded from 1st September 2017 until 31st August 2019 as "Improving MISP as building blocks for next-generation information sharing".
If you are interested in co-funding projects around MISP, feel free to get in touch with us.
MISP taxonomies
CERT-XLM
CERT-XLM namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
abusive-content
Abusive Content.
CERT-XLM:abusive-content="spam"
spam
Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission
for the message to be sent and that the message is sent as part of a larger collection of messages, all
having identical content.
CERT-XLM:abusive-content="harmful-speech"
Harmful Speech
Discreditation or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals). May be found on a forum, email, tweet, etc.
CERT-XLM:abusive-content="violence"
Child/Sexual/Violence/…
Any child pornography or glorification of violence; may be found on a website, forum, email, tweet, etc.
malicious-code
Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code.
CERT-XLM:malicious-code="virus"
Virus
Malicious code that replicates itself and infects the computer and its files.
CERT-XLM:malicious-code="worm"
Worm
Malware that self-replicates and spreads itself to other computers in the network without any user interaction.
CERT-XLM:malicious-code="ransomware"
Ransomware
Ransomware is a type of malicious software from cryptovirology that blocks access to the victim’s
data or threatens to publish it until a ransom is paid.
CERT-XLM:malicious-code="trojan-malware"
Trojan/Malware
This category groups many common malware types (banking, POS, mining malware).
CERT-XLM:malicious-code="spyware-rat"
Spyware/Rat
This category groups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigation (common spyware/RATs, state-sponsored malware, stealers, hacking tools).
CERT-XLM:malicious-code="dialer"
Dialer
Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile applications.
CERT-XLM:malicious-code="rootkit"
Rootkit
Malware that alters the standard functionality of an operating system in order to carry out its malicious actions in a stealthy way. In practice, rootkits hijack system functions in order to alter the return values and hide themselves from simple analysis tools.
information-gathering
This group is for reconnaissance; generally, it is the step before an attack.
CERT-XLM:information-gathering="scanner"
Scanning
Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, …).
CERT-XLM:information-gathering="sniffing"
Sniffing
CERT-XLM:information-gathering="social-engineering"
Social Engineering
Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).
intrusion-attempts
This group is for attacks that were detected or attempted but did not succeed.
CERT-XLM:intrusion-attempts="exploit-known-vuln"
CERT-XLM:intrusion-attempts="login-attempts"
Login attempts
CERT-XLM:intrusion-attempts="new-attack-signature"
intrusion
This group is for successful unauthorized access to a system.
CERT-XLM:intrusion="privileged-account-compromise"
A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by unauthorized local access.
CERT-XLM:intrusion="unprivileged-account-compromise"
A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by unauthorized local access. The intruder did not manage to escalate their privileges locally.
CERT-XLM:intrusion="botnet-member"
Botnet member
The compromised asset is also part of a botnet. This is reserved mainly for public web servers; prefer the malicious-code predicate for compromised workstations or internal servers. For example, phpmailer, etc.
CERT-XLM:intrusion="domain-compromise"
Domain Compromise
The whole domain is compromised; this is commonly used for Active Directory and is detected by a “pass the ticket” attack or the discovery of “AD dump” files.
CERT-XLM:intrusion="application-compromise"
Application Compromise
An application is compromised; the attacker possesses uncontrolled access to the data, servers and assets used by this application (CMDB, DB, backend services, etc.).
availability
In this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes.
CERT-XLM:availability="dos"
DoS
CERT-XLM:availability="ddos"
DDoS
Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP floods) to a server to overload it and render the service inaccessible for a period of time.
CERT-XLM:availability="sabotage"
Sabotage
Deliberate and malicious acts that result in the disruption of the normal processes and functions or
the destruction or damage of equipment or information.
CERT-XLM:availability="outage"
information-content-security
This group deals with non-legitimate access to or modification of data.
CERT-XLM:information-content-security="Unauthorised-information-access"
Any access to unauthorized data. It may be access to data on an improperly restricted server share, or a database exfiltrated using SQL injection (SQLi).
CERT-XLM:information-content-security="Unauthorised-information-modification"
fraud
This group is for unauthorized use of resources, including use for unauthorized purposes such as profit-making ventures (e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes).
CERT-XLM:fraud="copyright"
Copyright
Selling or installing copies of unlicensed commercial software or other copyright-protected materials (warez).
CERT-XLM:fraud="masquerade"
Masquerade
Type of attack in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used in “president fraud” (CEO fraud) to request transactions.
CERT-XLM:fraud="phishing"
Phishing
Masquerading as another entity in order to persuade the user to reveal a private credential.
vulnerable
Vulnerable
CERT-XLM:vulnerable="vulnerable-service"
Open resolvers, world-readable printers, vulnerabilities apparent from Nessus or similar scans, out-of-date virus signatures, etc. This includes, for example, default SNMP communities or a default password on any application.
conformity
This group is for breaches of controls set by the company or by external entities.
CERT-XLM:conformity="regulator"
Regulator
CERT-XLM:conformity="standard"
Standard
Any shortfall against the standards the company is certified to (ISO 27000, NIS, ISAE 3402, etc.).
CERT-XLM:conformity="security-policy"
Security policy
CERT-XLM:conformity="other-conformity"
Other
Any shortfall that does not fit one of the previous categories should be put in this class.
other
Other
CERT-XLM:other="other"
other
All incidents that do not fit one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.
test
Meant for testing.
DML
DML namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It is designed for organizations that perform intel-driven detection and response and that put an emphasis on having a mature detection program.
DML:8
Goals
If the actor is part of a larger organized operation they may be receiving their goals from a higher
level source or handler. Depending on how organized and sophisticated the adversary’s campaigns
are, these goals may not even be shared with the operator(s) themselves. In cases of non-targeted
threat actors, this may be much less organized or distributed. Goals are nearly impossible to detect
(directly) but they’re almost always the toughest question C-level leaders ask about post-breach.
"Who was it and why?" These kinds of questions can never truthfully be answered unless you’re
operating at Detection Maturity Level 8 against your adversary and can prove reliably that you
know what their goals are. Short of that, it’s guessing at what the adversary’s true intentions were
based on behavioral observations made at lower DMLs (e.g. data stolen, directories listed,
employees or programs targeted, etc). I anticipate less than a handful of organizations truly operate
at this level, consistently, against the threat actors they face because it’s nearly impossible to detect
based on goals alone.
DML:7
Strategy
If the adversary's high level goal is to "replicate Acme Company's Super Awesome
Product Foo in 2 years or less" their supporting strategies might include:
1. Implant physical persons into the companies that produce this technology, in
positions with physical access to the information necessary to fulfill this goal.
2. Compromise these organizations via cyber attack, and exfiltrate data from the
systems containing the information necessary to fulfill this goal.
For less targeted attacks, the strategy may be completely different, with shorter
durations or different objectives. The important distinguishing factor about Goals
(DML-8) and Strategy (DML-7) is that they are largely subjective in nature. They are
very non-technical, and are often reflective of the adversary's (or their handler's)
true intentions (and strategies for fulfilling those intentions). They represent what
the adversary wants. For these reasons, they are not easily detectable via
conventional cyber means for most private organizations. It's very common for DML-8
or DML-7 to not even be on the day-to-day radar of most Detection or Response
specialists, and if they are it's typically in the context of having received a
strategic intelligence report from an intelligence source about the adversary.
DML:6
Tactics
5
From a maturity perspective, being able to detect an adversary’s techniques is superior to being
able to detect their procedures. The primary difference is that techniques are specific to an
individual. So when respecting this distinction, the ability to detect a specific actor operating within
your environment by technique exclusively is an advantage. The best analogy to this is a rifled
barrel, which leaves uniquely identifiable characteristics in the side of a bullet. Because of this,
ballistics specialists can forensically match a spent round to the exact weapon from which it was
fired with a high degree of certainty. Not just any weapon by caliber or model, but the exact
weapon used to fire that specific round. Human beings are creatures of habit, and most adversaries
aren’t aware of the fact that every time they attack they’re leaving evidence of their personal
techniques behind for us to find. The same applies for the tool builders writing the tools these
adversaries use. It’s our obligation to find these distinctions and ensure we’re looking for them. It’s
personal behavior and habits that are the hardest for humans to change, so put the hurt on your
adversaries by finding creative ways to detect their behaviors and habits in your environment.
DML:5
Techniques
4
Given today’s detection technology, and readily available correlation and analytics techniques, it’s
amazing that more organizations haven’t reached Detection Maturity Level 4 for most of their
adversaries. Procedures are one of the most effective ways of detecting adversary activity and can
really inflict the most pain against less experienced "B-teams". In its most simple form, detecting
a procedure is as simple as detecting a sequence of two or more of the individual steps employed by
the actor. The goal here is to isolate activities that the adversary appears to perform methodically,
two or more times during an incident.
DML:4
Procedures
3
Being able to detect at DML-3 means you can reliably detect the adversary’s tools, regardless of
minor functionality changes to the tool, or the Artifacts or Atomic Indicators it may leave behind.
Detecting tools falls into two main areas. The first is detecting the transfer and presence of the tool.
This includes being able to observe the tool being transferred over the network, being able to locate
it sitting at rest on a file system, or being able to identify it loaded in memory. The second, and
more important area of tool detection, is detecting the tool reliably by functionality. For example,
let’s take a given webshell that has 25 functions. If we want to claim DML-3 level detection for this
webshell we have to exercise each of those 25 functions and understand what each of them does.
What do they look like at the host, network, and event log level when they are exercised? We then
aim to build detections for as many of those 25 functions across those data domains as we possibly
can, reliably, balancing false positives and other constraints. The reason behind this is simple: we
want to be able to detect this version of the tool and as many future variants of the tool as we can
by function that it performs. If the adversary decides to change up 5 of the 25 functions for which
we have detections, we’re still detecting the entire tool. In order for the adversary to use this tool
completely undetected in our environment, they’ll be forced to change every one of those
functions; or at least the ones that we were able to reliably build detections against.
DML:3
Tools
2
DML-2 is where most organizations spend too much of their resources; attempting to collect what
they call "threat intelligence" in the form of Host & Network Artifacts. The reality is, these are
merely just indicators that are observed either during or after the attack. They’re like symptoms of
the flu but not the flu itself. I often use the analogy "chasing the vapor trail" when I think of DML-2
because chasing after Host & Network Artifacts is much like chasing the vapor trail behind an
aircraft. We know the enemy aircraft is up there in front of us somewhere; if we just keep chasing
this vapor trail we’ll eventually catch up to the aircraft and find our enemy, right? Wrong. Having a
mature detection and response program means you’re operating above DML-2 and you’re actually
locked onto the aircraft itself. You know how it operates, you know what its capabilities are, you
know the Tactics, Techniques, and Procedures of its pilot and you can almost predict what its next
moves might be. This is precisely why good Cyber Intelligence Analysts will almost never attribute
activity to a specific threat actor, group, or country based on just Host & Network Artifacts alone;
they understand this DML concept and realize when they’re likely just staring at the vapor trail.
They understand that in reality the vapor trail (indicators) could be from any number of aircraft
(tools), with any number of pilots (actors) behind the stick.
DML:2
1
These are the atomic particles that make up Host & Network artifacts. If you’re detecting at
Detection Maturity Level 1, it means you are probably taking "feeds of intel" from various sharing
organizations and vendors in the form of lists, like domains and IP addresses, and feeding them
into your detection technologies. Let me be clear on my position here. There are a few, and I mean
a very precious few, circumstances where this makes sense and can be done reliably. These are
edge cases where specific atomic indicators have a high enough "shelf life" where it makes sense to
go ahead and create detection capabilities from them. Examples of this include unique strings
found inside a binary, or perhaps an adversary is foolish enough to sit on the same recon, delivery,
C2, or exfiltration infrastructure allowing you to detect reliably on their domain names or IP
addresses. These might be viable cases where detecting on atomic indicator alone makes sense.
Unfortunately, for the remaining 99% of the time, attempting to detect on this kind of data is
suboptimal, for a number of reasons.
DML:1
Atomic IOCs
0
For organizations that either don’t operate at DML-1 or higher, or don’t even know where they
operate on this scale, we have Detection Maturity Level 0. Instead of pointing out all the negative
things associated with this level, I’ll take the high road and lend a bit of positive encouragement.
Congratulations, you are at ground zero. It can only get better from here.
DML:0
None or Unknown
PAP
PAP namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received
information can be used.
RED
PAP:RED
(PAP:RED) Non-detectable actions only. Recipients may not use PAP:RED information on the
network. Only passive actions on logs that are not detectable from the outside.
AMBER
PAP:AMBER
(PAP:AMBER) Passive cross check. Recipients may use PAP:AMBER information for conducting
online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring
honeypot.
GREEN
PAP:GREEN
(PAP:GREEN) Active actions allowed. Recipients may use PAP:GREEN information to ping the target,
block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact
with the target.
WHITE
PAP:WHITE
access-method
access-method namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
brute-force
Access was gained through systematic trial of credentials in bulk.
access-method:brute-force
Brute force
password-guessing
Access was gained through guessing passwords through trial and error.
access-method:password-guessing
Password guessing
remote-desktop-application
Access was gained through an application designed for remote access.
access-method:remote-desktop-application
stolen-credentials
Access was gained with stolen credentials.
access-method:stolen-credentials
Stolen credentials
pass-the-hash
Access was gained through use of an existing known hash.
access-method:pass-the-hash
default-credentials
Access was gained through use of the system’s default credentials.
access-method:default-credentials
Default credentials
shell
Access was gained through the use of a shell.
access-method:shell
Shell
other
Access was gained through another method.
access-method:other
Other
accessnow
accessnow namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Access Now classification to classify an issue (such as security, human rights, youth rights).
anti-corruption-transparency
The organization campaigns, or takes other actions, against corruption and in favour of transparency.
accessnow:anti-corruption-transparency
anti-war-violence
The organization campaigns, or takes other actions against war
accessnow:anti-war-violence
Anti-War / Anti-Violence
culture
The organization campaigns or acts to promote cultural events
accessnow:culture
Culture
economic-change
Issues of economic policy, wealth distribution, etc.
accessnow:economic-change
Economic Change
education
The organization is concerned with some form of education
accessnow:education
Education
election-monitoring
The organization is an election monitor, or involved in election monitoring
accessnow:election-monitoring
Election Monitoring
environment
The organization campaigns or acts to protect the environment
accessnow:environment
Environment
freedom-expression
The organization is concerned with freedom of speech issues
accessnow:freedom-expression
Freedom of Expression
freedom-tool-development
The organization develops tools for use in defending or extending digital rights
accessnow:freedom-tool-development
funding
accessnow:funding
Funding
health
The organization prevents epidemic illness or acts on curing them
accessnow:health
Health Issues
human-rights
Issues relating to the detection, recording, exposure, or challenging of abuses of human rights
accessnow:human-rights
internet-telecom
Issues of digital rights in electronic communications
accessnow:internet-telecom
lgbt-gender-sexuality
Issues relating to the Lesbian, Gay, Bi, Transgender community
accessnow:lgbt-gender-sexuality
policy
The organization is a policy think-tank, or policy advocate
accessnow:policy
Policy
politics
The organization takes a strong political view or is a political entity
accessnow:politics
Politics
privacy
Issues relating to the individual’s reasonable right to privacy
accessnow:privacy
Privacy
rapid-response
The organization provides rapid response type capability for civil society
accessnow:rapid-response
Rapid Response
refugees
Issues relating to displaced people
accessnow:refugees
Refugees
security
Issues relating to physical or information security
accessnow:security
Security
womens-right
Issues pertaining to inequality between men and women, or issues of particular relevance to
women
accessnow:womens-right
Women’s Rights
youth-rights
Issues of particular relevance to youth
accessnow:youth-rights
Youth Rights
action-taken
action-taken namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
informed Registrar
action-taken:informed Registrar
Informed Registrar
informed Registrant
action-taken:informed Registrant
Informed Registrant
informed abuse-contact (IP)
action-taken:informed abuse-contact (IP)
admiralty-scale
admiralty-scale namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
The Admiralty Scale or Ranking (also called the NATO System) is used to rank the reliability of a
source and the credibility of information. Reference based on FM 2-22.3 (FM 34-52) HUMAN
INTELLIGENCE COLLECTOR OPERATIONS and NATO documents.
source-reliability
admiralty-scale:source-reliability="a"
Completely reliable
admiralty-scale:source-reliability="b"
Usually reliable
Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information
most of the time
admiralty-scale:source-reliability="c"
Fairly reliable
Doubt of authenticity, trustworthiness, or competency but has provided valid information in the
past
Associated numerical value="50"
admiralty-scale:source-reliability="d"
Significant doubt about authenticity, trustworthiness, or competency but has provided valid
information in the past
admiralty-scale:source-reliability="e"
Unreliable
admiralty-scale:source-reliability="f"
admiralty-scale:source-reliability="g"
Deliberately deceptive
information-credibility
admiralty-scale:information-credibility="1"
Confirmed by other independent sources; logical in itself; Consistent with other information on the
subject
admiralty-scale:information-credibility="2"
Probably true
Not confirmed; logical in itself; consistent with other information on the subject
admiralty-scale:information-credibility="3"
Possibly true
Not confirmed; reasonably logical in itself; agrees with some other information on the subject
admiralty-scale:information-credibility="4"
Doubtful
Not confirmed; possible but not logical; no other information on the subject
admiralty-scale:information-credibility="5"
Improbable
Not confirmed; not logical in itself; contradicted by other information on the subject
admiralty-scale:information-credibility="6"
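As an added example (not code from the MISP project), the Python module below parses the namespace:predicate="value" machine-tag form used throughout this document and applies two of the taxonomies above: it decides whether a class of action is permitted under an event's PAP tag, using action classes constructed from the PAP:RED, PAP:AMBER and PAP:GREEN descriptions, and it combines the two admiralty-scale predicates into the usual letter-plus-digit rating. PAP:WHITE has no description in this excerpt, so the policy table deliberately leaves it undefined, and the deny-by-default handling of untagged events is an assumption of this example.

```python
"""Parse MISP machine tags and apply the PAP and admiralty-scale taxonomies.

Added example, not MISP project code. Action classes and the PAP policy table
are constructed from the PAP:RED/AMBER/GREEN descriptions on this page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# namespace:predicate, optionally followed by ="value". Predicates may contain
# spaces and parentheses, e.g. action-taken:informed abuse-contact (IP).
_TAG_RE = re.compile(r'^(?P<ns>[^:="]+):(?P<pred>[^:="]+)(?:="(?P<val>[^"]*)")?$')


@dataclass(frozen=True)
class MachineTag:
    namespace: str
    predicate: str
    value: Optional[str] = None


def parse_tag(tag: str) -> MachineTag:
    """Split a machine tag into its components; reject anything else."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MISP machine tag: {tag!r}")
    return MachineTag(m["ns"], m["pred"], m["val"])


# Action classes ordered from least to most exposure, as the PAP text frames them.
PASSIVE_LOG = "passive-log"    # searching local logs; not detectable from outside
ONLINE_CHECK = "online-check"  # third-party lookups (e.g. VirusTotal), monitoring honeypot
ACTIVE = "active"              # ping, blocking traffic, honeypots that interact with the target
_EXPOSURE = {PASSIVE_LOG: 0, ONLINE_CHECK: 1, ACTIVE: 2}

# Most exposing action class each PAP colour permits (from the descriptions above).
# PAP:WHITE is not described in this excerpt, so it is intentionally absent; an
# operator who knows the local policy can add it here.
PAP_MAX_ACTION = {"RED": PASSIVE_LOG, "AMBER": ONLINE_CHECK, "GREEN": ACTIVE}


def pap_colour(tags: Iterable[str]) -> Optional[str]:
    """Return the most restrictive PAP colour among the tags, or None if untagged.

    Colours missing from PAP_MAX_ACTION rank as the most restrictive of all.
    """
    colours = [t.predicate for t in map(parse_tag, tags) if t.namespace == "PAP"]
    if not colours:
        return None

    def exposure(colour: str) -> int:
        return _EXPOSURE.get(PAP_MAX_ACTION.get(colour, ""), -1)

    return min(colours, key=exposure)


def action_permitted(tags: Iterable[str], action: str) -> bool:
    """True if the event's PAP marking allows `action`.

    Assumption of this example: events without a PAP tag, or with a colour
    that has no configured policy, permit nothing.
    """
    if action not in _EXPOSURE:
        raise ValueError(f"unknown action class: {action!r}")
    colour = pap_colour(tags)
    if colour is None or colour not in PAP_MAX_ACTION:
        return False
    return _EXPOSURE[action] <= _EXPOSURE[PAP_MAX_ACTION[colour]]


# Admiralty values as listed on this page: source reliability a-g, credibility 1-6.
SOURCE_RELIABILITY = set("abcdefg")
INFO_CREDIBILITY = set("123456")


def admiralty_rating(tags: Iterable[str]) -> Optional[str]:
    """Combine source-reliability and information-credibility into e.g. "B2".

    Returns None when either predicate is missing or carries a value outside
    the ranges listed above.
    """
    reliability = credibility = None
    for t in map(parse_tag, tags):
        if t.namespace != "admiralty-scale":
            continue
        if t.predicate == "source-reliability" and t.value in SOURCE_RELIABILITY:
            reliability = t.value.upper()
        elif t.predicate == "information-credibility" and t.value in INFO_CREDIBILITY:
            credibility = t.value
    if reliability is None or credibility is None:
        return None
    return reliability + credibility


if __name__ == "__main__":
    # Constructed tags for one event, as a demo.
    event = ['PAP:AMBER', 'admiralty-scale:source-reliability="b"',
             'admiralty-scale:information-credibility="2"',
             'action-taken:informed Registrar']
    print(admiralty_rating(event))                # B2
    print(action_permitted(event, ONLINE_CHECK))  # True
    print(action_permitted(event, ACTIVE))        # False
```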
adversary
adversary namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
infrastructure-status
adversary:infrastructure-status="unknown"
adversary:infrastructure-status="compromised"
adversary:infrastructure-status="own-and-operated"
infrastructure-action
adversary:infrastructure-action="passive-only"
adversary:infrastructure-action="take-down"
Take down requests can be performed in order to deactivate the adversary infrastructure
adversary:infrastructure-action="monitoring-active"
adversary:infrastructure-action="pending-law-enforcement-request"
infrastructure-state
adversary:infrastructure-state="unknown"
adversary:infrastructure-state="active"
adversary:infrastructure-state="down"
infrastructure-type
adversary:infrastructure-type="unknown"
adversary:infrastructure-type="proxy"
adversary:infrastructure-type="drop-zone"
adversary:infrastructure-type="exploit-distribution-point"
adversary:infrastructure-type="vpn"
Infrastructure used by the adversary as Virtual Private Network to hide activities and reduce the
traffic analysis surface
adversary:infrastructure-type="panel"
adversary:infrastructure-type="tds"
Traffic Distribution Systems including exploit delivery and/or web monetization channels
ais-marking
ais-marking namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
The AIS Marking Schema implementation is maintained by the National Cybersecurity and
Communication Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS).
TLPMarking
ais-marking:TLPMarking="WHITE"
WHITE
ais-marking:TLPMarking="GREEN"
GREEN
ais-marking:TLPMarking="AMBER"
AMBER
AISConsent
ais-marking:AISConsent="EVERYONE"
EVERYONE
ais-marking:AISConsent="USG"
USG
ais-marking:AISConsent="NONE"
NONE
CISA_Proprietary
ais-marking:CISA_Proprietary="true"
true
ais-marking:CISA_Proprietary="false"
false
AISMarking
ais-marking:AISMarking="Is_Proprietary"
Is_Proprietary
ais-marking:AISMarking="Not_Proprietary"
Not_Proprietary
analyst-assessment
analyst-assessment namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
A series of assessment predicates describing the analyst's capabilities to perform analysis. These
assessments can be assigned by the analysts themselves or by another party evaluating the analyst.
experience
The analyst experience expressed in years range in the field tagged. The year range is based on a
standard 40-hour work week.
analyst-assessment:experience="less-than-1-year"
analyst-assessment:experience="between-1-and-5-years"
analyst-assessment:experience="between-5-and-10-years"
analyst-assessment:experience="between-10-and-20-years"
analyst-assessment:experience="more-than-20-years"
binary-reversing-arch
Architecture that the analyst has experience with.
analyst-assessment:binary-reversing-arch="x86"
analyst-assessment:binary-reversing-arch="arm"
analyst-assessment:binary-reversing-arch="mips"
analyst-assessment:binary-reversing-arch="powerpc"
PowerPC
binary-reversing-experience
The analyst experience in reversing expressed in years range in the field tagged. The year range is
based on a standard 40-hour work week.
analyst-assessment:binary-reversing-experience="less-than-1-year"
analyst-assessment:binary-reversing-experience="between-1-and-5-years"
analyst-assessment:binary-reversing-experience="between-5-and-10-years"
analyst-assessment:binary-reversing-experience="between-10-and-20-years"
analyst-assessment:binary-reversing-experience="more-than-20-years"
os
Operating System that the analyst has experience with.
analyst-assessment:os="windows"
analyst-assessment:os="linux"
GNU/Linux derivative OS
analyst-assessment:os="ios"
Current iOS
analyst-assessment:os="macos"
Current Apple OS
analyst-assessment:os="android"
Current Android OS
analyst-assessment:os="bsd"
BSD
web
Web application vulnerabilities and technique that the analyst has experience with.
analyst-assessment:web="ipex"
Inter-protocol exploitations
analyst-assessment:web="common"
analyst-assessment:web="js-desobfuscation"
web-experience
The analyst experience in web application security, expressed as a range of years in the field tagged.
analyst-assessment:web-experience="less-than-1-year"
analyst-assessment:web-experience="between-1-and-5-years"
analyst-assessment:web-experience="between-5-and-10-years"
analyst-assessment:web-experience="between-10-and-20-years"
analyst-assessment:web-experience="more-than-20-years"
crypto-experience
The analyst experience related to cryptography expressed in years range in the field tagged.
analyst-assessment:crypto-experience="less-than-1-year"
analyst-assessment:crypto-experience="between-1-and-5-years"
analyst-assessment:crypto-experience="between-5-and-10-years"
analyst-assessment:crypto-experience="between-10-and-20-years"
analyst-assessment:crypto-experience="more-than-20-years"
Associated numerical value="5"
approved-category-of-action
approved-category-of-action namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
A pre-approved category of action for indicators being shared with partners (MIMIC).
cat1
Minimal Exposure - Passive Collection: CAT 1 actions provide the least exposure of an indicator,
either through adversary observation or disclosure. Usage of the indicator is restricted to passive
monitoring on Government or Cleared Partner networks, or through a classified passive capability
or Operation. CAT 1 actions do not interact with or affect malicious network traffic.
approved-category-of-action:cat1
Cat1
cat2
Moderate Exposure - Government or Cleared Partner Internal Active Collection: CAT 2 actions
expose the usage of an indicator through non-disruptive collection techniques which require
interactions with an adversary, within Government or Cleared Partner networks. While it is not the
intent to disrupt the adversary it is possible that an adversary may discover they are subject to such
techniques.
approved-category-of-action:cat2
Cat2
cat3
Moderate Exposure - Government or Cleared Partner Internal Countermeasures: CAT 3 actions
expose the usage of an indicator through inward-facing countermeasures. Malicious network
traffic is affected in some manner, however the results are not directly observable to the adversary
or external parties and is, therefore, more difficult to attribute as a deliberate action. Usage of the
indicator is restricted to Government and Cleared Partner networks, or a classified capability or
Operation. This implies a lower likelihood for non-approved disclosures.
approved-category-of-action:cat3
Cat3
cat4
Moderate Exposure - Government Actions on External Networks: CAT 4 actions expose the usage of
an indicator through actions which occur on internet accessible networks, without the
authorization of the network or information owner. Such actions are conducted as classified
Operations under the auspices of national legislative and compliance provisions. Action
consequences are observable to the adversary and other, public parties and it is possible they may
be attributed as Government sanctioned actions.
approved-category-of-action:cat4
Cat4
cat5
High Exposure - Public Actions Which Enable Internal Countermeasures: CAT 5 actions expose the
usage of an indicator through the public release of information which enables internal actions on
networks not owned and controlled by the Government (i.e. industry, commercial or foreign
governments). These actions are official public releases and are attributable as Government
sanctioned actions.
approved-category-of-action:cat5
Cat5
cat6
High Exposure - Actions on Adversary Infrastructure: CAT 6 actions expose the usage of an
indicator through actions which occur on adversary owned networks, without the authorization of
the network or information owner. Such actions are conducted as classified Operations under the
auspices of national legislative and compliance provisions. Action consequences are observable to
the adversary, and possibly other public parties, and it is possible they may deduce this as FVEY
action.
approved-category-of-action:cat6
Cat6
binary-class
binary-class namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
type
binary-class:type="good"
Known Good/Safe
binary-class:type="malicious"
Known Bad/Malicious
binary-class:type="unknown"
cccs
cccs namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
event
Type of event associated to the internal reference
cccs:event="beacon"
Beacon
cccs:event="browser-based-exploitation"
cccs:event="dos"
Dos
cccs:event="email"
cccs:event="exfiltration"
Exfiltration
Unauthorized transfer of data from a target’s network to a location a threat actor controls.
cccs:event="generic-event"
Generic event
Represents a collection of virtually identical events within a range of time.
cccs:event="improper-usage"
Improper usage
cccs:event="malware-artifacts"
Malware artifacts
cccs:event="malware-download"
Malware download
cccs:event="phishing"
Phishing
cccs:event="remote-access"
Remote access
cccs:event="remote-exploitation"
Remote exploitation
cccs:event="scan"
Scan
cccs:event="scraping"
Scraping
cccs:event="traffic-interception"
Traffic interception
Represents a collection of virtually identical traffic interception events within a range of time.
disclosure-type
Type of information being disclosed.
cccs:disclosure-type="goc-credential-disclosure"
cccs:disclosure-type="personal-credential-disclosure"
cccs:disclosure-type="personal-information-disclosure"
cccs:disclosure-type="none"
None
cccs:disclosure-type="other"
Other
domain-category
The Domain Category.
cccs:domain-category="c2"
C2
cccs:domain-category="proxy"
Proxy
cccs:domain-category="seeded"
Seeded
cccs:domain-category="wateringhole"
Wateringhole
cccs:domain-category="cloud-infrastructure"
Cloud infrastructure
cccs:domain-category="name-server"
Name server
cccs:domain-category="sinkholed"
Sinkholed
email-type
Type of email event.
cccs:email-type="spam"
Spam
cccs:email-type="content\-delivery\-attack"
Content\-delivery\-attack
Email contained malicious content or attachments.
cccs:email-type="phishing"
Phishing
cccs:email-type="baiting"
Baiting
cccs:email-type="unknown"
Unknown
exploitation-technique
The technique used to remotely exploit a GoC system.
cccs:exploitation-technique="sql-injection"
Sql injection
Exploitation occurred due to malicious SQL queries being executed against a database.
cccs:exploitation-technique="directory-traversal"
Directory traversal
Exploitation occurred through a directory traversal attack allowing access to a restricted directory.
cccs:exploitation-technique="remote-file-inclusion"
cccs:exploitation-technique="code-injection"
Code injection
cccs:exploitation-technique="other"
Other
Other.
ip-category
The IP Category.
cccs:ip-category="c2"
C2
cccs:ip-category="proxy"
Proxy
cccs:ip-category="seeded"
Seeded
cccs:ip-category="wateringhole"
Wateringhole
IP address is a wateringhole.
cccs:ip-category="cloud-infrastructure"
Cloud infrastructure
cccs:ip-category="network-gateway"
Network gateway
cccs:ip-category="server"
Server
IP address is a server of some type.
cccs:ip-category="dns-server"
Dns server
cccs:ip-category="smtp-server"
Smtp server
cccs:ip-category="web-server"
Web server
cccs:ip-category="file-server"
File server
cccs:ip-category="database-server"
Database server
cccs:ip-category="security-appliance"
Security appliance
cccs:ip-category="tor-node"
Tor node
cccs:ip-category="sinkhole"
Sinkhole
IP address is a sinkhole.
cccs:ip-category="router"
Router
maliciousness
Level of maliciousness.
cccs:maliciousness="non-malicious"
Non-malicious
cccs:maliciousness="suspicious"
Suspicious
cccs:maliciousness="malicious"
Malicious
malware-category
The Malware Category.
cccs:malware-category="exploit-kit"
Exploit kit
cccs:malware-category="first-stage"
First stage
Malware used in the initial phase of an attack and commonly used to retrieve a second stage.
cccs:malware-category="second-stage"
Second stage
cccs:malware-category="scanner"
Scanner
cccs:malware-category="downloader"
Downloader
cccs:malware-category="proxy"
Proxy
cccs:malware-category="reverse-proxy"
Reverse proxy
If you choose this option please provide a description of what it is to the ALFRED PO.
cccs:malware-category="webshell"
Webshell
cccs:malware-category="ransomware"
Ransomware
Malware used to hold infected host’s data hostage, typically through encryption until a payment is
made to the attackers.
cccs:malware-category="adware"
Adware
cccs:malware-category="spyware"
Spyware
Malware used to collect information from the infected host, such as credentials.
cccs:malware-category="virus"
Virus
cccs:malware-category="worm"
Worm
cccs:malware-category="trojan"
Trojan
Malware that looks like legitimate software but hides malicious code.
cccs:malware-category="rootkit"
Rootkit
Malware that can hide the existence of other malware by modifying operating system functions.
cccs:malware-category="keylogger"
Keylogger
Malware that runs in the background, capturing keystrokes from a user unknowingly for
exfiltration.
cccs:malware-category="browser-hijacker"
Browser hijacker
misusage-type
The type of misusage.
cccs:misusage-type="unauthorized-usage"
Unauthorized usage
cccs:misusage-type="misconfiguration"
Misconfiguration
System or resource is misconfigured.
cccs:misusage-type="lack-of-encryption"
Lack of encryption
cccs:misusage-type="vulnerable-software"
Vulnerable software
cccs:misusage-type="privilege-escalation"
Privilege escalation
cccs:misusage-type="other"
Other
Other.
mitigation-type
The type of mitigation.
cccs:mitigation-type="anti-virus"
Anti-virus
Anti-Virus
cccs:mitigation-type="content-filtering-system"
cccs:mitigation-type="dynamic-defense"
Dynamic defense
Dynamic Defense
cccs:mitigation-type="insufficient-privileges"
Insufficient privileges
Insufficient Privileges
cccs:mitigation-type="ids"
Ids
cccs:mitigation-type="sink-hole-/-take-down-by-third-party"
cccs:mitigation-type="isp"
Isp
cccs:mitigation-type="invalid-credentials"
Invalid credentials
Invalid Credentials
cccs:mitigation-type="not-vulnerable"
Not vulnerable
No mitigation was required because the system was not vulnerable to the attack.
cccs:mitigation-type="other"
Other
Other
cccs:mitigation-type="unknown"
Unknown
Unknown
cccs:mitigation-type="user"
User
User
origin
Where the request originated from.
cccs:origin="subscriber"
Subscriber
Subscriber.
cccs:origin="internet"
Internet
Internet.
originating-organization
Origin of a signature.
cccs:originating-organization="cse"
Cse
cccs:originating-organization="nsa"
Nsa
cccs:originating-organization="gchq"
Gchq
cccs:originating-organization="asd"
Asd
cccs:originating-organization="gcsb"
Gcsb
Government Communications Security Bureau.
cccs:originating-organization="open-source"
Open source
cccs:originating-organization="3rd-party"
3rd party
cccs:originating-organization="other"
Other
Other.
scan-type
The type of scan event.
cccs:scan-type="open-port"
Open port
Scan was looking for open ports corresponding to common applications or protocols.
cccs:scan-type="icmp"
Icmp
cccs:scan-type="os-fingerprinting"
Os fingerprinting
Scan was looking for operating system information through unique characteristics in responses.
cccs:scan-type="web"
Web
cccs:scan-type="other"
Other
Other.
severity
Severity of the event.
cccs:severity="reconnaissance"
Reconnaissance
An actor attempted or succeeded in gaining information that may be used to identify and/or
compromise systems or data.
cccs:severity="attempted-compromise"
Attempted compromise
cccs:severity="exploited"
Exploited
threat-vector
Specifies how the threat actor gained or attempted to gain initial access to the target GoC host.
cccs:threat-vector="application:cms"
Application:cms
cccs:threat-vector="application:bash"
Application:bash
BASH script.
cccs:threat-vector="application:acrobat-reader"
Application:acrobat reader
cccs:threat-vector="application:ms-excel"
Application:ms excel
Microsoft Excel.
cccs:threat-vector="application:other"
Application:other
Other Application.
cccs:threat-vector="language:sql"
Language:sql
cccs:threat-vector="language:php"
Language:php
cccs:threat-vector="language:javascript"
Language:javascript
JavaScript.
cccs:threat-vector="language:other"
Language:other
Other Language.
cccs:threat-vector="protocol:dns"
Protocol:dns
cccs:threat-vector="protocol:ftp"
Protocol:ftp
cccs:threat-vector="protocol:http"
Protocol:http
Hypertext Transfer Protocol.
cccs:threat-vector="protocol:icmp"
Protocol:icmp
cccs:threat-vector="protocol:ntp"
Protocol:ntp
cccs:threat-vector="protocol:rdp"
Protocol:rdp
cccs:threat-vector="protocol:smb"
Protocol:smb
cccs:threat-vector="protocol:snmp"
Protocol:snmp
cccs:threat-vector="protocol:ssl"
Protocol:ssl
cccs:threat-vector="protocol:telnet"
Protocol:telnet
cccs:threat-vector="protocol:sip"
Protocol:sip
circl
circl namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
incident-classification
circl:incident-classification="spam"
Spam
circl:incident-classification="system-compromise"
System compromise
circl:incident-classification="scan"
Scan
circl:incident-classification="denial-of-service"
Denial of Service
circl:incident-classification="copyright-issue"
Copyright issue
circl:incident-classification="phishing"
Phishing
circl:incident-classification="malware"
Malware
circl:incident-classification="XSS"
XSS
circl:incident-classification="vulnerability"
Vulnerability
circl:incident-classification="fastflux"
Fastflux
circl:incident-classification="sql-injection"
SQL Injection
circl:incident-classification="information-leak"
Information leak
circl:incident-classification="scam"
Scam
circl:incident-classification="cryptojacking"
Cryptojacking
circl:incident-classification="locker"
Locker
circl:incident-classification="screenlocker"
Screenlocker
circl:incident-classification="wiper"
Wiper
circl:incident-classification="sextortion"
sextortion
topic
circl:topic="finance"
Finance
circl:topic="ict"
ICT
circl:topic="individual"
Individual
circl:topic="industry"
Industry
circl:topic="medical"
Medical
circl:topic="services"
Services
circl:topic="undefined"
Undefined
collaborative-intelligence
collaborative-intelligence namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
request
Request predicate covers all the requests which can be done by analysts or organisations willing to
get additional information to support their analysis.
collaborative-intelligence:request="sample"
collaborative-intelligence:request="deobfuscated-sample"
collaborative-intelligence:request="more-samples"
Request additional samples compared to the original analysis to build a competitive analysis on the
reversing aspect
collaborative-intelligence:request="related-samples"
collaborative-intelligence:request="static-analysis"
collaborative-intelligence:request="detection-signature"
collaborative-intelligence:request="context"
collaborative-intelligence:request="abuse-contact"
collaborative-intelligence:request="historical-information"
collaborative-intelligence:request="complementary-validation"
collaborative-intelligence:request="target-information"
collaborative-intelligence:request="request-analysis"
collaborative-intelligence:request="more-information"
common-taxonomy
common-taxonomy namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
Common Taxonomy for Law enforcement and CSIRTs
malware
Infection of one or various systems with a specific type of malware / Connection performed
by/from/to (a) suspicious system(s)
common-taxonomy:malware="infection"
Infection
common-taxonomy:malware="distribution"
Distribution
Malware attached to a message or email message containing link to malicious URL or IP.
common-taxonomy:malware="command-and-control"
System used as a command-and-control point by a botnet. Also included in this field are systems
serving as a point for gathering information stolen by botnets.
common-taxonomy:malware="malicious-connection"
Malicious connection
System attempting to gain access to a port normally linked to a specific type of malware / System
attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g.
C&C or a distribution page for components linked to a specific botnet.
availability
Disruption of the processing and response capacity of systems and networks in order to render
them inoperative / Premeditated action to damage a system, interrupt a process, change or delete
information, etc.
common-taxonomy:availability="dos-ddos"
Single source using specially designed software to affect the normal functioning of a specific
service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) from
one single source to a specific service, aimed at affecting its normal functioning.
common-taxonomy:availability="sabotage"
Sabotage
Logical and physical activities which – although they are not aimed at causing damage to
information or at preventing its transmission among systems – have this effect.
information-gathering
Active and passive gathering of information on systems or networks / Unauthorised monitoring and
reading of network traffic / Attempt to gather information on a user or a system through phishing
methods.
common-taxonomy:information-gathering="scanning"
Scanning
Single system scan searching for open ports or services using these ports for responding / Scanning
a network aimed at identifying systems which are active in the same network / Transfer of a
specific DNS zone.
common-taxonomy:information-gathering="sniffing"
Sniffing
common-taxonomy:information-gathering="phishing"
Phishing
Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting
web sites for phishing purposes.
intrusion-attempt
Attempt to intrude by exploiting vulnerability in a system, component or network / Attempt to log
in to services or authentication/access control mechanisms.
common-taxonomy:intrusion-attempt="vulnerability-exploitation-attempt"
Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to
manipulate or read the information of a database by using the SQL injection technique /
Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful
attempt to include files in the system under attack by using file inclusion techniques / Unauthorised
access to a system or component by bypassing an access control system in place.
common-taxonomy:intrusion-attempt="login-attempt"
Login attempt
Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful
acquisition of access credentials by breaking the protective cryptographic keys / Unsuccessful login
by using system access credentials previously loaded into a dictionary.
intrusion
Actual intrusion by exploiting vulnerability in the system, component or network / Actual intrusion
in a system, component or network by compromising a user or administrator account.
common-taxonomy:intrusion="vulnerability-exploitation"
common-taxonomy:intrusion="account-compromise"
Compromising an account
information-security
Unauthorised access to a particular set of information / Unauthorised change or elimination of a
particular set of information.
common-taxonomy:information-security="unauthorised-access"
Unauthorised access
common-taxonomy:information-security="unauthorised-modification-or-deletion"
fraud
Loss of property caused with fraudulent or dishonest intent of procuring, without right, an
economic benefit for oneself or for another person.
common-taxonomy:fraud="resources-misuse"
common-taxonomy:fraud="false-representation"
False representation
abusive-content
Sending SPAM messages / Distribution and sharing of copyright protected content / Dissemination
of content forbidden by law.
common-taxonomy:abusive-content="spam"
SPAM
Sending an unusually large quantity of email messages / Unsolicited or unwanted email message
sent to the recipient.
common-taxonomy:abusive-content="copyright"
Copyright
common-taxonomy:abusive-content="cse-racism-violence-incitement"
Distribution or sharing of illegal content such as child sexual exploitation material, racism,
xenophobia, etc.
other
Incidents not classified in the existing classification.
common-taxonomy:other="unclassified-incident"
Unclassified incident
Incidents which do not fit the existing classification, acting as an indicator for the classification’s
update.
common-taxonomy:other="undetermined-incident"
Undetermined incident
copine-scale
copine-scale namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to
categorise the severity of images of child sex abuse. The scale was developed by staff at the COPINE
(Combating Paedophile Information Networks in Europe) project. The COPINE Project was founded
in 1997, and is based in the Department of Applied Psychology, University College Cork, Ireland.
Exclusive flag set which means the values or predicate below must be set
exclusively.
level-10
copine-scale:level-10
Sadistic/bestiality: (a) Pictures showing a child being tied, bound, beaten, whipped, or otherwise
subjected to something that implies pain; (b) Pictures where an animal is involved in some form of
sexual behavior with a child
level-9
copine-scale:level-9
Gross assault: Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation,
or oral sex involving an adult
level-8
copine-scale:level-8
Assault: Pictures of children being subjected to a sexual assault, involving digital touching,
involving an adult
level-7
copine-scale:level-7
Explicit sexual activity: Involves touching, mutual and self-masturbation, oral sex, and intercourse
by child, not involving an adult
level-6
copine-scale:level-6
Explicit erotic posing: Emphasizing genital areas where the child is posing either naked, partially
clothed, or fully clothed
level-5
copine-scale:level-5
Erotic posing: Deliberately posed pictures of fully or partially clothed or naked children in
sexualized or provocative poses
level-4
copine-scale:level-4
Posing: Deliberately posed pictures of children fully or partially clothed or naked (where the
amount, context, and organization suggests sexual interest)
level-3
copine-scale:level-3
Erotica: Surreptitiously taken photographs of children in play areas or other safe environments
showing either underwear or varying degrees of nakedness
level-2
copine-scale:level-2
Nudist: Pictures of naked or seminaked children in appropriate nudist settings, and from legitimate
sources
level-1
copine-scale:level-1
Indicative: Nonerotic and nonsexualized pictures showing children in their underwear, swimming
costumes, and so on, from either commercial sources or family albums; pictures of children playing
in normal settings, in which the context or organization of pictures by the collector indicates
inappropriateness
cryptocurrency-threat
cryptocurrency-threat namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
SIM Swapping
cryptocurrency-threat:SIM Swapping
An identity theft technique that takes over a victim’s mobile device to steal credentials and break
into wallets or exchange accounts to steal cryptocurrency.
Crypto Dusting
cryptocurrency-threat:Crypto Dusting
A new form of blockchain spam that erodes the recipient’s reputation by sending cryptocurrency
from known money mixers.
Sanction Evasion
cryptocurrency-threat:Sanction Evasion
The use of cryptocurrencies by nation states has been promoted by the Iranian and Venezuelan
governments.
Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in
reality, cleanse cryptocurrency through exchanges.
Shadow Money Service Businesses
cryptocurrency-threat:Shadow Money Service Businesses
Unlicensed Money Service Businesses (MSBs) banking cryptocurrency without the knowledge of
host financial institutions, and thus exposing banks to unknown risk.
Takeover attacks that mine for cryptocurrency at a massive scale have been discovered in
datacenters, including AWS.
Enable anonymous bitcoin transactions by going "off-chain," and can now scale to $2,150,000.
Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals
private keys while holding user data hostage.
csirt-americas
csirt-americas namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
defacement
csirt-americas:defacement
Defacement
malware
csirt-americas:malware
Malware
ddos
csirt-americas:ddos
DDoS
phishing
csirt-americas:phishing
Phishing
spam
csirt-americas:spam
Spam
botnet
csirt-americas:botnet
Botnet
fastflux
csirt-americas:fastflux
Fastflux
cryptojacking
csirt-americas:cryptojacking
Cryptojacking
xss
csirt-americas:xss
XSS
sqli
csirt-americas:sqli
SQL Injection
vulnerability
csirt-americas:vulnerability
Vulnerability
infoleak
csirt-americas:infoleak
Information leak
compromise
csirt-americas:compromise
System compromise
other
csirt-americas:other
Other
csirt_case_classification
csirt_case_classification namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
It is critical that the CSIRT provide consistent and timely response to the customer, and that
sensitive information is handled appropriately. This document provides the guidelines needed for
CSIRT Incident Managers (IM) to classify the case category, criticality level, and sensitivity level for
each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a
case is created. Consistent case classification is required for the CSIRT to provide accurate reporting
to management on a regular basis. In addition, the classifications will provide CSIRT IMs with
proper case handling procedures and will form the basis of SLAs between the CSIRT and other
Company departments.
incident-category
csirt_case_classification:incident-category="DOS"
csirt_case_classification:incident-category="forensics"
Forensics work
csirt_case_classification:incident-category="compromised-information"
csirt_case_classification:incident-category="compromised-asset"
Compromised host (root account, Trojan, rootkit), network device, application, user account.
csirt_case_classification:incident-category="unlawful-activity"
csirt_case_classification:incident-category="internal-hacking"
Reconnaissance or Suspicious activity originating from inside the Company corporate network,
excluding malware
csirt_case_classification:incident-category="external-hacking"
Reconnaissance or Suspicious Activity originating from outside the Company corporate network
(partner network, Internet), excluding malware.
csirt_case_classification:incident-category="malware"
A virus or worm typically affecting multiple corporate devices. This does not include compromised
hosts that are being actively controlled by an attacker via a backdoor or Trojan.
csirt_case_classification:incident-category="email"
csirt_case_classification:incident-category="consulting"
csirt_case_classification:incident-category="policy-violation"
criticality-classification
csirt_case_classification:criticality-classification="1"
csirt_case_classification:criticality-classification="2"
csirt_case_classification:criticality-classification="3"
Possible incident, non-critical systems. Incident or employee investigations that are not time
sensitive. Long-term investigations involving extensive research and/or detailed forensic work.
sensitivity-classification
csirt_case_classification:sensitivity-classification="1"
Extremely Sensitive
csirt_case_classification:sensitivity-classification="2"
Sensitive
csirt_case_classification:sensitivity-classification="3"
Not Sensitive
cssa
cssa namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
sharing-class
cssa:sharing-class="high_profile"
Generated within the company during incident/case related investigations or forensic analysis or
via malware reversing, validated by humans and highly contextualized.
cssa:sharing-class="vetted"
Generated within the company, validated by a human prior to sharing, data points have been
contextualized (to a degree) e.g. IPs are related to C2 or drop site.
cssa:sharing-class="unvetted"
Generated within the company by automated means without human interaction e.g., by malware
sandbox, honeypots, IDS, etc.
origin
cssa:origin="manual_investigation"
cssa:origin="honeypot"
cssa:origin="sandbox"
cssa:origin="email"
cssa:origin="3rd-party"
cssa:origin="other"
cssa:origin="unknown"
analyse
cyber-threat-framework
cyber-threat-framework namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
Preparation
cyber-threat-framework:Preparation="plan-activity"
Plan activity
cyber-threat-framework:Preparation="conduct-research-and-analysis"
cyber-threat-framework:Preparation="develop-resource-and-capabilities"
cyber-threat-framework:Preparation="acquire-victim-and-specific-knowledge"
cyber-threat-framework:Preparation="complete-preparations"
Complete preparations
Engagement
cyber-threat-framework:Engagement="deploy-capability"
Deploy capability
cyber-threat-framework:Engagement="interact-with-intended-victim"
cyber-threat-framework:Engagement="exploit-vulnerabilities"
Exploit vulnerabilities
cyber-threat-framework:Engagement="deliver-malicious-capabilities"
Presence
cyber-threat-framework:Presence="establish-controlled-access"
cyber-threat-framework:Presence="hide"
Hide
cyber-threat-framework:Presence="expand-presence"
Expand presence
cyber-threat-framework:Presence="refine-focus-of-activity"
cyber-threat-framework:Presence="establish-persistence"
Establish persistence
Effect/Consequence
cyber-threat-framework:Effect/Consequence="enable-other-operations"
cyber-threat-framework:Effect/Consequence="deny-access"
Deny access
cyber-threat-framework:Effect/Consequence="extract-data"
Extract data
cyber-threat-framework:Effect/Consequence="alter-data-and-or-computer-network-or-system-behavior"
cyber-threat-framework:Effect/Consequence="destroy-hardware-software-or-data"
Destroy HW/SW/data
dark-web
dark-web namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins,
Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project
topic
Topic associated with the materials tagged
dark-web:topic="drugs-narcotics"
Drugs/Narcotics
Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g.
proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without
lawful accessibility).
dark-web:topic="electronics"
Electronics
dark-web:topic="finance"
Finance
dark-web:topic="finance-crypto"
CryptoFinance
dark-web:topic="credit-card"
Credit-Card
dark-web:topic="cash-in"
Cash-in
dark-web:topic="cash-out"
Cash-out
dark-web:topic="escrow"
Escrow
Third party keeping assets on behalf of two other parties making a transaction.
dark-web:topic="hacking"
Hacking
Materials relating to the illegal access to or alteration of data and/or electronic services.
dark-web:topic="identification-credentials"
Identification/Credentials
Materials used for providing/establishing identification with third parties. Examples include
passports, driver licenses and login credentials.
dark-web:topic="intellectual-property-copyright-materials"
Otherwise lawful materials stored, transferred or made available without consent of their legal
rights holders.
dark-web:topic="pornography-adult"
Pornography - Adult
dark-web:topic="pornography-child-exploitation"
Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also
includes the provision/offering of child abuse materials and/or activities
dark-web:topic="pornography-illicit-or-illegal"
Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn,
hidden cameras etc.
dark-web:topic="search-engine-index"
Search Engine/Index
Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid,
2016)
dark-web:topic="unclear"
Unclear
dark-web:topic="extremism"
Extremism
Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of
fundamentalist ideologies and dogma - only those associated with illegal acts.
Socialist/anarchist/religious materials (for example) will not be included unless inclusive or
indicative of associated illegal conduct, such as hate crimes.
dark-web:topic="violence"
Violence
dark-web:topic="weapons"
Weapons
Materials specifically associated with materials and/or items for use in violent acts against persons
or property. Examples include firearms and bomb-making ingredients.
dark-web:topic="softwares"
Softwares
dark-web:topic="counteir-feit-materials"
Counter-feit materials
dark-web:topic="gambling"
Gambling
dark-web:topic="library"
Library
dark-web:topic="other-not-illegal"
Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors.
dark-web:topic="legitimate"
Legitimate
Legitimate websites
dark-web:topic="chat"
Chat platforms
dark-web:topic="mixer"
Mixer
dark-web:topic="mystery-box"
Mystery-Box
dark-web:topic="anonymizer"
Anonymizer
Anonymization tools
dark-web:topic="vpn-provider"
VPN-Provider
dark-web:topic="email-provider"
EMail-Provider
dark-web:topic="ponies"
Ponies
dark-web:topic="games"
Games
dark-web:topic="parody"
Parody or Joke
dark-web:topic="whistleblower"
Whistleblower
Exposition and sharing of confidential information with protection of the witness in mind
motivation
Motivation with the materials tagged
dark-web:motivation="education-training"
dark-web:motivation="wiki"
Wiki
dark-web:motivation="forum"
Forum
dark-web:motivation="file-sharing"
File Sharing
General file sharing, typically (but not limited to) movie/image sharing
dark-web:motivation="hosting"
Hosting
dark-web:motivation="ddos-services"
DDoS-Services
dark-web:motivation="general"
General
Materials not covered by the other motivations. Typically, materials of a nature not of interest to
law enforcement. For example, personal biography sites.
dark-web:motivation="information-sharing-reportage"
Information Sharing/Reportage
Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are
covered by Recruitment/Advocacy.
dark-web:motivation="scam"
Scam
dark-web:motivation="political-speech"
Political-Speech
dark-web:motivation="conspirationist"
Conspirationist
dark-web:motivation="hate-speech"
Hate-Speech
dark-web:motivation="religious"
Religious
dark-web:motivation="marketplace-for-sale"
Marketplace/For Sale
dark-web:motivation="smuggling"
Smuggling
dark-web:motivation="recruitment-advocacy"
Recruitment/Advocacy
Propaganda
dark-web:motivation="system-placeholder"
System/Placeholder
Automatically generated content, not designed for any identifiable purpose other than diagnostics -
e.g. “It Works” message provided by default by Apache2
dark-web:motivation="unclear"
Unclear
structure
Structure of the materials tagged
dark-web:structure="incomplete"
dark-web:structure="captcha"
dark-web:structure="login-forms"
Authentication pages, login page, login forms that block access to an internal part of a website.
dark-web:structure="contact-forms"
Forms to perform a contact request, send an e-mail, fill information, enter a password, …
dark-web:structure="encryption-keys"
e.g. PGP Keys, passwords, …
dark-web:structure="police-notice"
Police Notice
dark-web:structure="legal-statement"
Legal-Statement
dark-web:structure="test"
Test
dark-web:structure="videos"
Videos
dark-web:structure="unclear"
Unclear
data-classification
data-classification namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Data classification for data potentially at risk of exfiltration, based on Table 2.1 of the book Solving
Cyber Risk.
regulated-data
Data which is regulated under a specific regulation or law such as PII, SPD, PCI or PHI.
data-classification:regulated-data
Regulated data
Data which is regulated under a specific regulation or law such as PII, SPD, PCI or PHI.
commercially-confidential-information
Data which represents a specific commercial value and is confidential to an organisation such as
trade secrets, customer accounts.
data-classification:commercially-confidential-information
Data which represents a specific commercial value and is confidential to an organisation such as
trade secrets, customer accounts.
financially-sensitive-information
Data which represents a specific financial value to an organisation such as payroll, investment
information.
data-classification:financially-sensitive-information
Data which represents a specific financial value to an organisation such as payroll, investment
information.
valuation-sensitive-information
Data which is sensitive to the valuation of an organisation such as inside information (as defined by
a Financial Services Authority).
data-classification:valuation-sensitive-information
Data which is sensitive to the valuation of an organisation such as inside information (as defined by
a Financial Services Authority).
sensitive-information
Data which is sensitive such as email or letters.
data-classification:sensitive-information
Sensitive information
dcso-sharing
dcso-sharing namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and
consumption of MISP events in a way that minimises the extra effort for the sending party, while
enhancing the usefulness for receiving parties.
event-type
dcso-sharing:event-type="Observation"
This event describes traits and indicators closely related to a single entity, like an email campaign
or a sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC
staff and may be verified by analysts. Observed and verified indicators would be consumed by
automated filtering systems in order to support near real-time threat prevention. In retrospect,
observations could be correlated with report and analysis events in order to help understand the
motivation for an attack and to reassess the associated risk.
dcso-sharing:event-type="Incident"
This event describes traits and indicators related to a security incident. As such, the event may refer
to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type
contain first-hand information, that is, the reporting organization took part in the analysis of the
incident. Use event type "Report" for second-hand information. Events of this type are typically
created and consumed by analysts.
dcso-sharing:event-type="Report"
dcso-sharing:event-type="Analysis"
This event builds on "observation", "incident", and "report" events; adds enrichments; and provides
context. Events of this type will be created by analysts with the support of automated tools. Analysts
are also the main consumers.
dcso-sharing:event-type="Collection"
This event collects unrelated IoCs. For example, an event could combine all network IoCs that were
learned of during a day or a week from events of other types.
ddos
ddos namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
The Distributed Denial of Service (DDoS) taxonomy supports the description of Denial of Service
attacks and especially the types they belong to.
type
Types and techniques describe the way the attack is performed to launch the Denial of Service
attack. A combination of type values can be used to describe combined techniques and methods.
ddos:type="amplification-attack"
Amplification attack
ddos:type="reflected-spoofed-attack"
ddos:type="slow-read-attack"
ddos:type="flooding-attack"
Flooding attack
ddos:type="post-attack"
de-vs
de-vs namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
Einstufung
de-vs:Einstufung="STRENG GEHEIM"
STRENG GEHEIM
Disclosure to unauthorised persons may endanger the existence or vital interests of the Federal
Republic of Germany or one of its Länder.
de-vs:Einstufung="GEHEIM"
GEHEIM
Disclosure to unauthorised persons may endanger the security of the Federal Republic of Germany or
one of its Länder, or cause serious damage to their interests.
de-vs:Einstufung="VS-VERTRAULICH"
VS-VERTRAULICH
Disclosure to unauthorised persons may be harmful to the interests of the Federal Republic of
Germany or one of its Länder.
de-vs:Einstufung="VS-NfD"
Disclosure to unauthorised persons may be detrimental to the interests of the Federal Republic of
Germany or one of its Länder.
Schutzwort
de-vs:Schutzwort="Dummy"
Dummy
Placeholder.
dhs-ciip-sectors
dhs-ciip-sectors namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
DHS-critical-sectors
dhs-ciip-sectors:DHS-critical-sectors="chemical"
Chemical
dhs-ciip-sectors:DHS-critical-sectors="commercial-facilities"
Commercial Facilities
dhs-ciip-sectors:DHS-critical-sectors="communications"
Communications
dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"
Critical Manufacturing
dhs-ciip-sectors:DHS-critical-sectors="dams"
Dams
dhs-ciip-sectors:DHS-critical-sectors="dib"
dhs-ciip-sectors:DHS-critical-sectors="emergency-services"
Emergency services
dhs-ciip-sectors:DHS-critical-sectors="energy"
energy
dhs-ciip-sectors:DHS-critical-sectors="financial-services"
Financial Services
dhs-ciip-sectors:DHS-critical-sectors="food-agriculture"
dhs-ciip-sectors:DHS-critical-sectors="government-facilities"
Government Facilities
dhs-ciip-sectors:DHS-critical-sectors="healthcare-public"
dhs-ciip-sectors:DHS-critical-sectors="it"
Information Technology
dhs-ciip-sectors:DHS-critical-sectors="nuclear"
Nuclear
dhs-ciip-sectors:DHS-critical-sectors="transport"
Transportation Systems
dhs-ciip-sectors:DHS-critical-sectors="water"
sector
diamond-model
diamond-model namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin,
aims to help categorise and identify the stage of an attack.
Adversary
diamond-model:Adversary
An adversary is the actor/organization responsible for utilizing a capability against the victim to
achieve their intent.
Capability
diamond-model:Capability
The capability describes the tools and/or techniques of the adversary used in the event. It includes
all means to affect the victim from the most manual “unsophisticated” methods (e.g., manual
password guessing) to the most sophisticated automated techniques.
Infrastructure
diamond-model:Infrastructure
The infrastructure feature describes the physical and/or logical communication structures the
adversary uses to deliver a capability, maintain control of capabilities (e.g., command-and-
control/C2), and effect results from the victim (e.g., exfiltrate data). As with the other features, the
infrastructure can be as specific or broad as necessary. Examples include: Internet Protocol (IP)
addresses, domain names, e-mail addresses, Morse code flashes from a phone’s voice-mail light
watched from across a street, USB devices found in a parking lot and inserted into a workstation, or
the compromising emanations from hardware (e.g., Van Eck Phreaking) being collected by a nearby
listening post.
Victim
diamond-model:Victim
A victim is the target of the adversary and against whom vulnerabilities and exposures are
exploited and capabilities used. A victim can be described in whichever way necessary and
appropriate: organization, person, target email address, IP address, domain, etc. However, it is
useful to define the victim persona and their assets separately as they serve different analytic
functions. Victim personae are useful in non-technical analysis such as cyber-victimology and
social-political centered approaches whereas victim assets are associated with common technical
approaches such as vulnerability analysis.
dni-ism
dni-ism namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
A subset of Information Security Marking Metadata ISM as required by Executive Order (EO) 13526.
As described by DNI.gov as Data Encoding Specifications for Information Security Marking
Metadata in Controlled Vocabulary Enumeration Values for ISM
classification:all
dni-ism:classification:all="R"
RESTRICTED
dni-ism:classification:all="C"
CONFIDENTIAL
dni-ism:classification:all="S"
SECRET
dni-ism:classification:all="TS"
TOP SECRET
dni-ism:classification:all="U"
UNCLASSIFIED
classification:us
dni-ism:classification:us="C"
CONFIDENTIAL
dni-ism:classification:us="S"
SECRET
dni-ism:classification:us="TS"
TOP SECRET
dni-ism:classification:us="U"
UNCLASSIFIED
scicontrols
dni-ism:scicontrols="EL"
ENDSEAL
dni-ism:scicontrols="EL-EU"
ECRU
dni-ism:scicontrols="EL-NK"
NONBOOK
dni-ism:scicontrols="HCS"
HCS
dni-ism:scicontrols="HCS-O"
HCS-O
dni-ism:scicontrols="HCS-P"
HCS-P
dni-ism:scicontrols="KDK"
KLONDIKE
dni-ism:scicontrols="KDK-BLFH"
KDK BLUEFISH
dni-ism:scicontrols="KDK-IDIT"
KDK IDITAROD
dni-ism:scicontrols="KDK-KAND"
KDK KANDIK
dni-ism:scicontrols="RSV"
RESERVE
dni-ism:scicontrols="SI"
SPECIAL INTELLIGENCE
dni-ism:scicontrols="SI-G"
SI-GAMMA
dni-ism:scicontrols="TK"
TALENT KEYHOLE
complies:with
dni-ism:complies:with="USGov"
Document claims compliance with all rules encoded in ISM for documents produced by the US
Federal Government. This is the minimum set of rules for US documents to adhere to, and all US
documents should claim compliance with USGov.
dni-ism:complies:with="USIC"
Document claims compliance with all rules encoded in ISM for documents produced by the US
Intelligence Community. Documents that claim compliance with USIC MUST also claim compliance
with USGov.
dni-ism:complies:with="USDOD"
Document claims compliance with all rules encoded in ISM for documents produced by the US
Department of Defense. Documents that claim compliance with USDOD MUST also claim
compliance with USGov.
dni-ism:complies:with="OtherAuthority"
Document claims compliance with an authority other than the USGov, USIC, or USDOD.
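Machine tags of the form namespace:predicate="value" are easy to mis-parse because a predicate may itself contain a colon (dni-ism:complies:with, dni-ism:classification:us), and the complies:with rule above (USIC and USDOD claims MUST be accompanied by USGov) is a consistency check that is cheap to enforce when tags are ingested. The following is an added example, not MISP's or the DCSO's own code; the taxonomy excerpt it validates against is a constructed subset of the entries listed on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The namespace never contains ':', so it is split off at the first colon; the
# predicate may contain ':' and runs up to the optional ="value" part.
TAG_RE = re.compile(r'^(?P<ns>[^:=\s]+):(?P<pred>[^=\s"]+)(?:="(?P<val>[^"]*)")?$')


@dataclass(frozen=True)
class MachineTag:
    namespace: str
    predicate: str
    value: Optional[str]  # None for value-less predicates such as diamond-model:Victim


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a MISP machine tag into namespace, predicate and (optional) value."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return MachineTag(m["ns"], m["pred"], m["val"])


# Constructed excerpt of the taxonomies on this page: predicate -> allowed values,
# or None when the predicate carries no value. A real deployment would load the
# full JSON taxonomies instead.
TAXONOMY_EXCERPT: Dict[str, Dict[str, Optional[Set[str]]]] = {
    "dni-ism": {
        "complies:with": {"USGov", "USIC", "USDOD", "OtherAuthority"},
        "classification:us": {"C", "S", "TS", "U"},
    },
    "dcso-sharing": {
        "event-type": {"Observation", "Incident", "Report", "Analysis", "Collection"},
    },
    "diamond-model": {"Adversary": None, "Capability": None, "Infrastructure": None, "Victim": None},
}

# Page rule: documents claiming USIC or USDOD compliance MUST also claim USGov.
REQUIRES_USGOV = {"USIC", "USDOD"}


def validate_tags(tags: List[str], taxonomy=TAXONOMY_EXCERPT) -> List[str]:
    """Return a list of problems for the tags of one event (empty list = all good)."""
    problems: List[str] = []
    parsed: List[MachineTag] = []
    for raw in tags:
        try:
            t = parse_machine_tag(raw)
        except ValueError as e:
            problems.append(str(e))
            continue
        preds = taxonomy.get(t.namespace)
        if preds is None:
            problems.append(f"{raw}: unknown namespace")
            continue
        if t.predicate not in preds:
            problems.append(f"{raw}: unknown predicate")
            continue
        allowed = preds[t.predicate]
        if allowed is None and t.value is not None:
            problems.append(f"{raw}: predicate takes no value")
            continue
        if allowed is not None and t.value not in allowed:
            problems.append(f"{raw}: unknown value")
            continue
        parsed.append(t)

    # Cross-tag check: every USIC/USDOD claim needs a USGov claim on the same event.
    claims = {t.value for t in parsed
              if t.namespace == "dni-ism" and t.predicate == "complies:with"}
    for c in sorted(claims & REQUIRES_USGOV):
        if "USGov" not in claims:
            problems.append(f'dni-ism:complies:with="{c}" claimed without USGov')
    return problems


if __name__ == "__main__":
    # Constructed event tags: one valid set and one that violates the USGov rule.
    print(validate_tags(['dni-ism:complies:with="USIC"', 'dni-ism:complies:with="USGov"']))
    print(validate_tags(['dni-ism:complies:with="USDOD"', 'diamond-model:Victim="acme"']))
```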
atomicenergymarkings
dni-ism:atomicenergymarkings="RD"
RESTRICTED DATA
dni-ism:atomicenergymarkings="RD-CNWDI"
dni-ism:atomicenergymarkings="FRD"
dni-ism:atomicenergymarkings="DCNI"
dni-ism:atomicenergymarkings="UCNI"
dni-ism:atomicenergymarkings="TFNI"
notice
dni-ism:notice="FISA"
dni-ism:notice="IMC"
dni-ism:notice="CNWDI"
dni-ism:notice="RD"
RD Warning statement
dni-ism:notice="FRD"
dni-ism:notice="DS"
LIMDIS caveat
dni-ism:notice="LES"
LES Notice
dni-ism:notice="LES-NF"
LES-NF Notice
dni-ism:notice="DSEN"
DSEN Notice
dni-ism:notice="DoD-Dist-A"
dni-ism:notice="DoD-Dist-B"
dni-ism:notice="DoD-Dist-C"
dni-ism:notice="DoD-Dist-D"
dni-ism:notice="DoD-Dist-E"
dni-ism:notice="DoD-Dist-F"
dni-ism:notice="DoD-Dist-X"
dni-ism:notice="US-Person"
dni-ism:notice="pre13526ORCON"
Indicates that an instance document must abide by rules pertaining to ORIGINATOR CONTROLLED
data issued prior to Executive Order 13526.
dni-ism:notice="POC"
Indicates that the contents of this notice specify the contact information for a required point-of-
contact.
dni-ism:notice="COMSEC"
COMSEC Notice
nonic
dni-ism:nonic="NNPI"
dni-ism:nonic="DS"
LIMITED DISTRIBUTION
dni-ism:nonic="XD"
EXCLUSIVE DISTRIBUTION
dni-ism:nonic="ND"
NO DISTRIBUTION
dni-ism:nonic="SBU"
dni-ism:nonic="SBU-NF"
dni-ism:nonic="LES"
dni-ism:nonic="LES-NF"
dni-ism:nonic="SSI"
nonuscontrols
dni-ism:nonuscontrols="ATOMAL"
dni-ism:nonuscontrols="BOHEMIA"
dni-ism:nonuscontrols="BALK"
dissem
dni-ism:dissem="RS"
RISK SENSITIVE
dni-ism:dissem="FOUO"
dni-ism:dissem="OC"
ORIGINATOR CONTROLLED
dni-ism:dissem="OC-USGOV"
dni-ism:dissem="IMC"
CONTROLLED IMAGERY
dni-ism:dissem="NF"
dni-ism:dissem="PR"
dni-ism:dissem="REL"
dni-ism:dissem="RELIDO"
dni-ism:dissem="DSEN"
DEA SENSITIVE
dni-ism:dissem="FISA"
dni-ism:dissem="DISPLAYONLY"
domain-abuse
domain-abuse namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to
tag the abuse activity.
domain-status
Domain status - describes the registration status of the domain name
domain-abuse:domain-status="active"
domain-abuse:domain-status="inactive"
domain-abuse:domain-status="suspended"
Domain name is registered and DNS delegation has been temporarily removed by the registry.
domain-abuse:domain-status="not-registered"
Not registered
domain-abuse:domain-status="not-registrable"
Not registrable
domain-abuse:domain-status="grace-period"
Grace period
domain-access-method
Domain Access - describes how the adversary has gained access to the domain name
domain-abuse:domain-access-method="criminal-registration"
Criminal registration
domain-abuse:domain-access-method="compromised-webserver"
Compromised webserver
domain-abuse:domain-access-method="compromised-dns"
Compromised DNS
domain-abuse:domain-access-method="sinkhole"
Sinkhole
drugs
drugs namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
alkaloids-and-derivatives
drugs:alkaloids-and-derivatives="ajmaline-sarpagine-alkaloids"
Ajmaline-sarpagine alkaloids
drugs:alkaloids-and-derivatives="allocolchicine-alkaloids"
Allocolchicine alkaloids
Amaryllidaceae alkaloids
drugs:alkaloids-and-derivatives="aporphines"
Aporphines
drugs:alkaloids-and-derivatives="camptothecins"
Camptothecins
drugs:alkaloids-and-derivatives="cephalotaxus-alkaloids"
Cephalotaxus alkaloids
drugs:alkaloids-and-derivatives="cinchona-alkaloids"
Cinchona alkaloids
drugs:alkaloids-and-derivatives="eburnan-type-alkaloids"
Eburnan-type alkaloids
drugs:alkaloids-and-derivatives="epibatidine-analogues"
Epibatidine analogues
drugs:alkaloids-and-derivatives="ergoline-and-derivatives"
drugs:alkaloids-and-derivatives="harmala-alkaloids"
Harmala alkaloids
drugs:alkaloids-and-derivatives="ibogan-type-alkaloids"
Ibogan-type alkaloids
drugs:alkaloids-and-derivatives="lupin-alkaloids"
Lupin alkaloids
drugs:alkaloids-and-derivatives="morphinans"
Morphinans
drugs:alkaloids-and-derivatives="phthalide-isoquinolines"
Phthalide isoquinolines
drugs:alkaloids-and-derivatives="protoberberine-alkaloids-and-derivatives"
drugs:alkaloids-and-derivatives="tropane-alkaloids"
Tropane alkaloids
drugs:alkaloids-and-derivatives="vinca-alkaloids"
Vinca alkaloids
drugs:alkaloids-and-derivatives="yohimbine-alkaloids"
Yohimbine alkaloids
benzenoids
drugs:benzenoids="anthracenes"
Anthracenes
drugs:benzenoids="benzene-and-substituted-derivatives"
drugs:benzenoids="dibenzocycloheptenes"
Dibenzocycloheptenes
drugs:benzenoids="fluorenes"
Fluorenes
drugs:benzenoids="indanes"
Indanes
drugs:benzenoids="indenes-and-isoindenes"
drugs:benzenoids="naphthacenes"
Naphthacenes
drugs:benzenoids="phenanthrenes-and-derivatives"
drugs:benzenoids="phenol-esters"
Phenol esters
drugs:benzenoids="phenol-ethers"
Phenol ethers
drugs:benzenoids="phenols"
Phenols
drugs:benzenoids="pyrenes"
Pyrenes
drugs:benzenoids="tetralins"
Tetralins
drugs:benzenoids="triphenyl-compounds"
Triphenyl compounds
homogeneous-metal-compounds
drugs:homogeneous-metal-compounds="homogeneous-actinide-compounds"
drugs:homogeneous-metal-compounds="homogeneous-alkali-metal-compounds"
drugs:homogeneous-metal-compounds="homogeneous-alkaline-earth-metal-compounds"
drugs:homogeneous-metal-compounds="homogeneous-lanthanide-compounds"
drugs:homogeneous-metal-compounds="homogeneous-metalloid-compounds"
drugs:homogeneous-metal-compounds="homogeneous-post-transition-metal-compounds"
drugs:homogeneous-metal-compounds="homogeneous-transition-metal-compounds"
homogeneous-non-metal-compounds
drugs:homogeneous-non-metal-compounds="halogen-organides"
Halogen organides
drugs:homogeneous-non-metal-compounds="homogeneous-halogens"
Homogeneous halogens
drugs:homogeneous-non-metal-compounds="homogeneous-noble-gases"
drugs:homogeneous-non-metal-compounds="homogeneous-other-non-metal-compounds"
drugs:homogeneous-non-metal-compounds="non-metal-oxoanionic-compounds"
drugs:homogeneous-non-metal-compounds="other-non-metal-halides"
drugs:homogeneous-non-metal-compounds="other-non-metal-organides"
hydrocarbons
drugs:hydrocarbons="polycyclic-hydrocarbons"
Polycyclic hydrocarbons
hydrocarbon-derivatives
drugs:hydrocarbon-derivatives="tropones"
Tropones
lignans,-neolignans-and-related-compounds
drugs:lignans,-neolignans-and-related-compounds="aryltetralin-lignans"
Aryltetralin lignans
drugs:lignans,-neolignans-and-related-compounds="dibenzylbutane-lignans"
Dibenzylbutane lignans
drugs:lignans,-neolignans-and-related-compounds="flavonolignans"
Flavonolignans
drugs:lignans,-neolignans-and-related-compounds="furanoid-lignans"
Furanoid lignans
drugs:lignans,-neolignans-and-related-compounds="lignan-lactones"
Lignan lactones
lipids-and-lipid-like-molecules
drugs:lipids-and-lipid-like-molecules="fatty-acyls"
Fatty Acyls
drugs:lipids-and-lipid-like-molecules="glycero-3-dithiophosphocholines"
Glycero-3-dithiophosphocholines
drugs:lipids-and-lipid-like-molecules="glycerolipids"
Glycerolipids
drugs:lipids-and-lipid-like-molecules="glycerophospholipids"
Glycerophospholipids
drugs:lipids-and-lipid-like-molecules="prenol-lipids"
Prenol lipids
drugs:lipids-and-lipid-like-molecules="saccharolipids"
Saccharolipids
drugs:lipids-and-lipid-like-molecules="s-alkyl-coas"
S-alkyl-CoAs
drugs:lipids-and-lipid-like-molecules="sphingolipids"
Sphingolipids
drugs:lipids-and-lipid-like-molecules="steroids-and-steroid-derivatives"
mixed-metal/non-metal-compounds
drugs:mixed-metal/non-metal-compounds="alkali-metal-organides"
drugs:mixed-metal/non-metal-compounds="alkali-metal-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="alkali-metal-salts"
drugs:mixed-metal/non-metal-compounds="alkaline-earth-metal-organides"
drugs:mixed-metal/non-metal-compounds="alkaline-earth-metal-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="alkaline-earth-metal-salts"
drugs:mixed-metal/non-metal-compounds="metalloid-organides"
Metalloid organides
drugs:mixed-metal/non-metal-compounds="metalloid-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="miscellaneous-mixed-metal/non-metals"
drugs:mixed-metal/non-metal-compounds="other-mixed-metal/non-metal-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="post-transition-metal-organides"
drugs:mixed-metal/non-metal-compounds="post-transition-metal-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="post-transition-metal-salts"
drugs:mixed-metal/non-metal-compounds="transition-metal-organides"
drugs:mixed-metal/non-metal-compounds="transition-metal-oxoanionic-compounds"
drugs:mixed-metal/non-metal-compounds="transition-metal-salts"
nucleosides,-nucleotides,-and-analogues
drugs:nucleosides,-nucleotides,-and-analogues="2',3'-dideoxy-3'-thionucleoside-monophosphates"
2',3'-dideoxy-3'-thionucleoside monophosphates
drugs:nucleosides,-nucleotides,-and-analogues="2',5'-dideoxyribonucleosides"
2',5'-dideoxyribonucleosides
drugs:nucleosides,-nucleotides,-and-analogues="(3'->5')-dinucleotides-and-analogues"
drugs:nucleosides,-nucleotides,-and-analogues="5'-deoxyribonucleosides"
5'-deoxyribonucleosides
drugs:nucleosides,-nucleotides,-and-analogues="(5'->5')-dinucleotides"
(5'->5')-dinucleotides
drugs:nucleosides,-nucleotides,-and-analogues="benzimidazole-ribonucleosides-and-ribonucleotides"
drugs:nucleosides,-nucleotides,-and-analogues="flavin-nucleotides"
Flavin nucleotides
drugs:nucleosides,-nucleotides,-and-analogues="glycinamide-ribonucleotides"
Glycinamide ribonucleotides
drugs:nucleosides,-nucleotides,-and-analogues="imidazole[4,5-c]pyridine-ribonucleosides-and-ribonucleotides"
drugs:nucleosides,-nucleotides,-and-analogues="imidazole-ribonucleosides-and-ribonucleotides"
drugs:nucleosides,-nucleotides,-and-analogues="molybdopterin-dinucleotides"
Molybdopterin dinucleotides
drugs:nucleosides,-nucleotides,-and-analogues="nucleoside-and-nucleotide-analogues"
drugs:nucleosides,-nucleotides,-and-analogues="purine-nucleosides"
Purine nucleosides
drugs:nucleosides,-nucleotides,-and-analogues="pyrazolo[3,4-d]pyrimidine-glycosides"
Pyrazolo[3,4-d]pyrimidine glycosides
drugs:nucleosides,-nucleotides,-and-analogues="pyridine-nucleotides"
Pyridine nucleotides
drugs:nucleosides,-nucleotides,-and-analogues="pyrimidine-nucleosides"
Pyrimidine nucleosides
drugs:nucleosides,-nucleotides,-and-analogues="pyrimidine-nucleotides"
Pyrimidine nucleotides
drugs:nucleosides,-nucleotides,-and-analogues="pyrrolopyrimidine-nucleosides-and-nucleotides"
drugs:nucleosides,-nucleotides,-and-analogues="ribonucleoside-3'-phosphates"
Ribonucleoside 3'-phosphates
drugs:nucleosides,-nucleotides,-and-analogues="triazole-ribonucleosides-and-ribonucleotides"
organic-1,3-dipolar-compounds
drugs:organic-1,3-dipolar-compounds="allyl-type-1,3-dipolar-organic-compounds"
organic-acids-and-derivatives
drugs:organic-acids-and-derivatives="boronic-acid-derivatives"
drugs:organic-acids-and-derivatives="carboximidic-acids-and-derivatives"
drugs:organic-acids-and-derivatives="carboxylic-acids-and-derivatives"
drugs:organic-acids-and-derivatives="hydroxy-acids-and-derivatives"
drugs:organic-acids-and-derivatives="keto-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-carbonic-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-phosphonic-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-phosphoric-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-sulfonic-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-sulfuric-acids-and-derivatives"
drugs:organic-acids-and-derivatives="organic-thiophosphoric-acids-and-derivatives"
drugs:organic-acids-and-derivatives="orthocarboxylic-acid-derivatives"
drugs:organic-acids-and-derivatives="peptidomimetics"
Peptidomimetics
drugs:organic-acids-and-derivatives="thiosulfinic-acid-esters"
organic-acids
drugs:organic-acids="carboxylic-acids-and-derivatives"
organic-nitrogen-compounds
drugs:organic-nitrogen-compounds="organonitrogen-compounds"
Organonitrogen compounds
organic-oxygen-compounds
drugs:organic-oxygen-compounds="organic-oxides"
Organic oxides
drugs:organic-oxygen-compounds="organic-oxoanionic-compounds"
drugs:organic-oxygen-compounds="organooxygen-compounds"
Organooxygen compounds
organic-polymers
drugs:organic-polymers="phosphorothioate-polynucleotides"
Phosphorothioate polynucleotides
drugs:organic-polymers="polypeptides"
Polypeptides
drugs:organic-polymers="polysaccharides"
Polysaccharides
organic-salts
drugs:organic-salts="organic-metal-salts"
organohalogen-compounds
drugs:organohalogen-compounds="acyl-halides"
Acyl halides
drugs:organohalogen-compounds="alkyl-halides"
Alkyl halides
drugs:organohalogen-compounds="aryl-halides"
Aryl halides
drugs:organohalogen-compounds="halohydrins"
Halohydrins
drugs:organohalogen-compounds="organochlorides"
Organochlorides
drugs:organohalogen-compounds="organofluorides"
Organofluorides
drugs:organohalogen-compounds="sulfonyl-halides"
Sulfonyl halides
drugs:organohalogen-compounds="vinyl-halides"
Vinyl halides
organoheterocyclic-compounds
drugs:organoheterocyclic-compounds="azaspirodecane-derivatives"
Azaspirodecane derivatives
drugs:organoheterocyclic-compounds="azepanes"
Azepanes
drugs:organoheterocyclic-compounds="azobenzenes"
Azobenzenes
drugs:organoheterocyclic-compounds="azoles"
Azoles
drugs:organoheterocyclic-compounds="azolidines"
Azolidines
drugs:organoheterocyclic-compounds="azolines"
Azolines
drugs:organoheterocyclic-compounds="benzazepines"
Benzazepines
drugs:organoheterocyclic-compounds="benzimidazoles"
Benzimidazoles
drugs:organoheterocyclic-compounds="benzisoxazoles"
Benzisoxazoles
drugs:organoheterocyclic-compounds="benzocycloheptapyridines"
Benzocycloheptapyridines
drugs:organoheterocyclic-compounds="benzodiazepines"
Benzodiazepines
drugs:organoheterocyclic-compounds="benzodioxanes"
Benzodioxanes
drugs:organoheterocyclic-compounds="benzodioxoles"
Benzodioxoles
drugs:organoheterocyclic-compounds="benzofurans"
Benzofurans
drugs:organoheterocyclic-compounds="benzopyrans"
Benzopyrans
drugs:organoheterocyclic-compounds="benzopyrazoles"
Benzopyrazoles
drugs:organoheterocyclic-compounds="benzothiadiazoles"
Benzothiadiazoles
drugs:organoheterocyclic-compounds="benzothiazepines"
Benzothiazepines
drugs:organoheterocyclic-compounds="benzothiazines"
Benzothiazines
drugs:organoheterocyclic-compounds="benzothiazoles"
Benzothiazoles
drugs:organoheterocyclic-compounds="benzothiepins"
Benzothiepins
drugs:organoheterocyclic-compounds="benzothiophenes"
Benzothiophenes
drugs:organoheterocyclic-compounds="benzothiopyrans"
Benzothiopyrans
drugs:organoheterocyclic-compounds="benzotriazoles"
Benzotriazoles
drugs:organoheterocyclic-compounds="benzoxadiazoles"
Benzoxadiazoles
drugs:organoheterocyclic-compounds="benzoxazepines"
Benzoxazepines
drugs:organoheterocyclic-compounds="benzoxazines"
Benzoxazines
drugs:organoheterocyclic-compounds="benzoxazoles"
Benzoxazoles
drugs:organoheterocyclic-compounds="benzoxepines"
Benzoxepines
drugs:organoheterocyclic-compounds="bi—and-oligothiophenes"
drugs:organoheterocyclic-compounds="biotin-and-derivatives"
drugs:organoheterocyclic-compounds="coumarans"
Coumarans
drugs:organoheterocyclic-compounds="cycloheptapyrans"
Cycloheptapyrans
drugs:organoheterocyclic-compounds="cycloheptathiophenes"
Cycloheptathiophenes
drugs:organoheterocyclic-compounds="diazanaphthalenes"
Diazanaphthalenes
drugs:organoheterocyclic-compounds="diazepanes"
Diazepanes
drugs:organoheterocyclic-compounds="diazinanes"
Diazinanes
drugs:organoheterocyclic-compounds="diazines"
Diazines
drugs:organoheterocyclic-compounds="dihydrofurans"
Dihydrofurans
drugs:organoheterocyclic-compounds="dihydroisoquinolines"
Dihydroisoquinolines
drugs:organoheterocyclic-compounds="dihydrothiophenes"
Dihydrothiophenes
drugs:organoheterocyclic-compounds="dioxaborolanes"
Dioxaborolanes
drugs:organoheterocyclic-compounds="dioxanes"
Dioxanes
drugs:organoheterocyclic-compounds="dioxolopyrans"
Dioxolopyrans
drugs:organoheterocyclic-compounds="dithianes"
Dithianes
drugs:organoheterocyclic-compounds="dithiolanes"
Dithiolanes
drugs:organoheterocyclic-compounds="epoxides"
Epoxides
drugs:organoheterocyclic-compounds="furans"
Furans
drugs:organoheterocyclic-compounds="furofurans"
Furofurans
drugs:organoheterocyclic-compounds="furopyrans"
Furopyrans
drugs:organoheterocyclic-compounds="furopyridines"
Furopyridines
drugs:organoheterocyclic-compounds="furopyrroles"
Furopyrroles
drugs:organoheterocyclic-compounds="heteroaromatic-compounds"
Heteroaromatic compounds
drugs:organoheterocyclic-compounds="imidazo[1,5-a]pyrazines"
Imidazo[1,5-a]pyrazines
drugs:organoheterocyclic-compounds="imidazodiazepines"
Imidazodiazepines
drugs:organoheterocyclic-compounds="imidazopyrazines"
Imidazopyrazines
drugs:organoheterocyclic-compounds="imidazopyridines"
Imidazopyridines
drugs:organoheterocyclic-compounds="imidazopyrimidines"
Imidazopyrimidines
drugs:organoheterocyclic-compounds="imidazotetrazines"
Imidazotetrazines
drugs:organoheterocyclic-compounds="imidazothiazoles"
Imidazothiazoles
drugs:organoheterocyclic-compounds="indoles-and-derivatives"
drugs:organoheterocyclic-compounds="indolizidines"
Indolizidines
drugs:organoheterocyclic-compounds="isocoumarans"
Isocoumarans
drugs:organoheterocyclic-compounds="isoindoles-and-derivatives"
drugs:organoheterocyclic-compounds="isoquinolines-and-derivatives"
drugs:organoheterocyclic-compounds="isoxazolopyridines"
Isoxazolopyridines
drugs:organoheterocyclic-compounds="lactams"
Lactams
drugs:organoheterocyclic-compounds="lactones"
Lactones
drugs:organoheterocyclic-compounds="metalloheterocyclic-compounds"
Metalloheterocyclic compounds
drugs:organoheterocyclic-compounds="naphthofurans"
Naphthofurans
drugs:organoheterocyclic-compounds="naphthopyrans"
Naphthopyrans
drugs:organoheterocyclic-compounds="oxanes"
Oxanes
drugs:organoheterocyclic-compounds="oxazaphosphinanes"
Oxazaphosphinanes
drugs:organoheterocyclic-compounds="oxazinanes"
Oxazinanes
drugs:organoheterocyclic-compounds="oxepanes"
Oxepanes
drugs:organoheterocyclic-compounds="phenanthrolines"
Phenanthrolines
drugs:organoheterocyclic-compounds="piperazinoazepines"
Piperazinoazepines
drugs:organoheterocyclic-compounds="piperidines"
Piperidines
drugs:organoheterocyclic-compounds="pteridines-and-derivatives"
drugs:organoheterocyclic-compounds="pyranodioxins"
Pyranodioxins
drugs:organoheterocyclic-compounds="pyranopyridines"
Pyranopyridines
drugs:organoheterocyclic-compounds="pyranopyrimidines"
Pyranopyrimidines
drugs:organoheterocyclic-compounds="pyrans"
Pyrans
drugs:organoheterocyclic-compounds="pyrazolopyridines"
Pyrazolopyridines
drugs:organoheterocyclic-compounds="pyrazolopyrimidines"
Pyrazolopyrimidines
drugs:organoheterocyclic-compounds="pyrazolotriazines"
Pyrazolotriazines
drugs:organoheterocyclic-compounds="pyridines-and-derivatives"
drugs:organoheterocyclic-compounds="pyridopyrimidines"
Pyridopyrimidines
drugs:organoheterocyclic-compounds="pyrroles"
Pyrroles
drugs:organoheterocyclic-compounds="pyrrolidines"
Pyrrolidines
drugs:organoheterocyclic-compounds="pyrrolines"
Pyrrolines
drugs:organoheterocyclic-compounds="pyrrolizines"
Pyrrolizines
drugs:organoheterocyclic-compounds="pyrroloazepines"
Pyrroloazepines
drugs:organoheterocyclic-compounds="pyrrolopyrazines"
Pyrrolopyrazines
drugs:organoheterocyclic-compounds="pyrrolopyrazoles"
Pyrrolopyrazoles
drugs:organoheterocyclic-compounds="pyrrolopyridines"
Pyrrolopyridines
drugs:organoheterocyclic-compounds="pyrrolopyrimidines"
Pyrrolopyrimidines
drugs:organoheterocyclic-compounds="pyrrolotriazines"
Pyrrolotriazines
drugs:organoheterocyclic-compounds="quinolines-and-derivatives"
drugs:organoheterocyclic-compounds="quinuclidines"
Quinuclidines
drugs:organoheterocyclic-compounds="selenazoles"
Selenazoles
drugs:organoheterocyclic-compounds="tetrahydrofurans"
Tetrahydrofurans
drugs:organoheterocyclic-compounds="tetrahydroisoquinolines"
Tetrahydroisoquinolines
drugs:organoheterocyclic-compounds="tetrapyrroles-and-derivatives"
drugs:organoheterocyclic-compounds="thiadiazinanes"
Thiadiazinanes
drugs:organoheterocyclic-compounds="thiadiazines"
Thiadiazines
drugs:organoheterocyclic-compounds="thianes"
Thianes
drugs:organoheterocyclic-compounds="thiazepines"
Thiazepines
drugs:organoheterocyclic-compounds="thiazinanes"
Thiazinanes
drugs:organoheterocyclic-compounds="thiazines"
Thiazines
drugs:organoheterocyclic-compounds="thienodiazepines"
Thienodiazepines
drugs:organoheterocyclic-compounds="thienoimidazolidines"
Thienoimidazolidines
drugs:organoheterocyclic-compounds="thienopyridines"
Thienopyridines
drugs:organoheterocyclic-compounds="thienopyrimidines"
Thienopyrimidines
drugs:organoheterocyclic-compounds="thienopyrroles"
Thienopyrroles
drugs:organoheterocyclic-compounds="thienothiazines"
Thienothiazines
drugs:organoheterocyclic-compounds="thiochromanes"
Thiochromanes
drugs:organoheterocyclic-compounds="thiochromenes"
Thiochromenes
drugs:organoheterocyclic-compounds="thiolanes"
Thiolanes
drugs:organoheterocyclic-compounds="thiophenes"
Thiophenes
drugs:organoheterocyclic-compounds="triazinanes"
Triazinanes
drugs:organoheterocyclic-compounds="triazines"
Triazines
drugs:organoheterocyclic-compounds="triazolopyrazines"
Triazolopyrazines
drugs:organoheterocyclic-compounds="triazolopyridines"
Triazolopyridines
drugs:organoheterocyclic-compounds="triazolopyrimidines"
Triazolopyrimidines
drugs:organoheterocyclic-compounds="trioxanes"
Trioxanes
organometallic-compounds
drugs:organometallic-compounds="organometalloid-compounds"
Organometalloid compounds
drugs:organometallic-compounds="organo-post-transition-metal-compounds"
organophosphorus-compounds
drugs:organophosphorus-compounds="organic-phosphines-and-derivatives"
drugs:organophosphorus-compounds="organophosphinic-acids-and-derivatives"
drugs:organophosphorus-compounds="organothiophosphorus-compounds"
Organothiophosphorus compounds
organosulfur-compounds
drugs:organosulfur-compounds="isothioureas"
Isothioureas
drugs:organosulfur-compounds="organic-disulfides"
Organic disulfides
drugs:organosulfur-compounds="sulfonyls"
Sulfonyls
drugs:organosulfur-compounds="sulfoxides"
Sulfoxides
drugs:organosulfur-compounds="thiocarbonyl-compounds"
Thiocarbonyl compounds
drugs:organosulfur-compounds="thioethers"
Thioethers
drugs:organosulfur-compounds="thiols"
Thiols
drugs:organosulfur-compounds="thioureas"
Thioureas
phenylpropanoids-and-polyketides
drugs:phenylpropanoids-and-polyketides="2-arylbenzofuran-flavonoids"
2-arylbenzofuran flavonoids
drugs:phenylpropanoids-and-polyketides="anthracyclines"
Anthracyclines
drugs:phenylpropanoids-and-polyketides="aurone-flavonoids"
Aurone flavonoids
drugs:phenylpropanoids-and-polyketides="cinnamic-acids-and-derivatives"
drugs:phenylpropanoids-and-polyketides="cinnamyl-alcohols"
Cinnamyl alcohols
drugs:phenylpropanoids-and-polyketides="coumarins-and-derivatives"
drugs:phenylpropanoids-and-polyketides="depsides-and-depsidones"
drugs:phenylpropanoids-and-polyketides="diarylheptanoids"
Diarylheptanoids
drugs:phenylpropanoids-and-polyketides="flavonoids"
Flavonoids
drugs:phenylpropanoids-and-polyketides="isochromanequinones"
Isochromanequinones
drugs:phenylpropanoids-and-polyketides="isocoumarins-and-derivatives"
drugs:phenylpropanoids-and-polyketides="isoflavonoids"
Isoflavonoids
drugs:phenylpropanoids-and-polyketides="linear-1,3-diarylpropanoids"
Linear 1,3-diarylpropanoids
drugs:phenylpropanoids-and-polyketides="macrolactams"
Macrolactams
drugs:phenylpropanoids-and-polyketides="macrolide-lactams"
Macrolide lactams
drugs:phenylpropanoids-and-polyketides="macrolides-and-analogues"
drugs:phenylpropanoids-and-polyketides="neoflavonoids"
Neoflavonoids
drugs:phenylpropanoids-and-polyketides="phenylpropanoic-acids"
Phenylpropanoic acids
drugs:phenylpropanoids-and-polyketides="saxitoxins,-gonyautoxins,-and-derivatives"
drugs:phenylpropanoids-and-polyketides="stilbenes"
Stilbenes
drugs:phenylpropanoids-and-polyketides="tannins"
Tannins
drugs:phenylpropanoids-and-polyketides="tetracyclines"
Tetracyclines
economical-impact
economical-impact namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Economical impact is a taxonomy describing the financial impact of the tagged information as a loss
or a gain (e.g. a loss caused by data exfiltration, which is a gain for the adversary).
loss
A financial impact evaluated as a casualty (a loss).
economical-impact:loss="none"
No loss
economical-impact:loss="less-than-25k-eur"
economical-impact:loss="less-than-50k-euro"
economical-impact:loss="less-than-100k-euro"
economical-impact:loss="less-than-1M-euro"
economical-impact:loss="less-than-10M-euro"
economical-impact:loss="less-than-100M-euro"
economical-impact:loss="less-than-1B-euro"
economical-impact:loss="more-than-1B-euro"
gain
A financial impact evaluated as a benefit.
economical-impact:gain="none"
No gain
economical-impact:gain="less-than-25k-eur"
economical-impact:gain="less-than-50k-euro"
economical-impact:gain="less-than-100k-euro"
economical-impact:gain="less-than-1M-euro"
economical-impact:gain="less-than-10M-euro"
economical-impact:gain="less-than-100M-euro"
economical-impact:gain="less-than-1B-euro"
economical-impact:gain="more-than-1B-euro"
ecsirt
ecsirt namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
Incident Classification by the ecsirt.net version mkVI of 31 March 2015 enriched with IntelMQ
taxonomy-type mapping.
abusive-content
Abusive Content.
ecsirt:abusive-content="spam"
spam
Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for
the message to be sent and that the message is sent as part of a larger collection of messages, all
having a functionally comparable content.
ecsirt:abusive-content="harmful-speech"
Harmful Speech
Discreditation or discrimination of somebody (e.g. cyber stalking, racism, and threats against one or
more individuals).
ecsirt:abusive-content="violence"
Child/Sexual/Violence/…
malicious-code
Software that is intentionally included or inserted in a system for a harmful purpose. A user
interaction is normally necessary to activate the code.
ecsirt:malicious-code="virus"
Virus
ecsirt:malicious-code="worm"
Worm
ecsirt:malicious-code="trojan"
Trojan
ecsirt:malicious-code="spyware"
Spyware
ecsirt:malicious-code="dialer"
Dialer
ecsirt:malicious-code="rootkit"
Rootkit
ecsirt:malicious-code="malware"
Malware
ecsirt:malicious-code="botnet-drone"
Botnet drone
ecsirt:malicious-code="ransomware"
Ransomware
ecsirt:malicious-code="malware-configuration"
Malware configuration
ecsirt:malicious-code="c&c"
C&C
information-gathering
Information Gathering.
ecsirt:information-gathering="scanner"
Scanning
Attacks that send requests to a system to discover weak points. This includes also some kind of
testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS
querying, ICMP, SMTP (EXPN, RCPT, …), port scanning.
ecsirt:information-gathering="sniffing"
Sniffing
ecsirt:information-gathering="social-engineering"
Social Engineering
Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or
threats).
intrusion-attempts
Intrusion Attempts.
ecsirt:intrusion-attempts="ids-alert"
ecsirt:intrusion-attempts="brute-force"
Login attempts
ecsirt:intrusion-attempts="exploit"
intrusions
A successful compromise of a system or application (service). This can have been caused remotely
by a known or new vulnerability, but also by an unauthorized local access. Also includes being part
of a botnet.
ecsirt:intrusions="privileged-account-compromise"
ecsirt:intrusions="unprivileged-account-compromise"
ecsirt:intrusions="application-compromise"
Application Compromise
ecsirt:intrusions="bot"
Bot
ecsirt:intrusions="defacement"
defacement
ecsirt:intrusions="compromised"
compromised
ecsirt:intrusions="backdoor"
backdoor
availability
In this kind of attack a system is bombarded with so many packets that operations are delayed or
the system crashes. DoS examples are ICMP and SYN floods, Teardrop attacks and mail bombing.
DDoS is often based on DoS attacks originating from botnets, but other scenarios exist, such as DNS
amplification attacks. Availability can also be affected by local actions (destruction, disruption of
power supply, etc.) or by acts of God, spontaneous failures or human error, without malice or gross
negligence being involved.
ecsirt:availability="dos"
DoS
Denial of Service.
ecsirt:availability="ddos"
DDoS
ecsirt:availability="sabotage"
Sabotage
Sabotage.
ecsirt:availability="outage"
information-content-security
Besides local abuse of data and systems, information security can be endangered by a successful
account or application compromise. Furthermore, attacks are possible that intercept and access
information during transmission (wiretapping, spoofing or hijacking). Human, configuration or
software error can also be the cause.
ecsirt:information-content-security="Unauthorised-information-access"
ecsirt:information-content-security="Unauthorised-information-modification"
ecsirt:information-content-security="dropzone"
dropzone
fraud
Fraud.
ecsirt:fraud="unauthorized-use-of-resources"
Using resources for unauthorized purposes including profit-making ventures (E.g. the use of e-mail
to participate in illegal profit chain letters or pyramid schemes).
ecsirt:fraud="copyright"
Copyright
ecsirt:fraud="masquerade"
Masquerade
Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit
from it.
ecsirt:fraud="phishing"
Phishing
Masquerading as another entity in order to persuade the user to reveal a private credential.
vulnerable
Open resolvers, world-readable printers, vulnerabilities apparent from Nessus or similar scans,
out-of-date virus signatures, etc.
ecsirt:vulnerable="vulnerable-service"
other
All incidents which don’t fit in one of the given categories should be put into this class. If the
number of incidents in this category increases, it is an indicator that the classification scheme must
be revised.
ecsirt:other="blacklist"
blacklist
ecsirt:other="unknown"
unknown
ecsirt:other="other"
other
test
Meant for testing.
ecsirt:test="test"
Test
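As an added example (not part of the MISP taxonomy documentation, the MISP project or IntelMQ), the Python below works with tags of the form used in the economical-impact and ecsirt sections above. It parses a machine tag into namespace, predicate and value, validates it against the predicates and values transcribed from this page (a hand-copied subset, not the upstream JSON), picks the economical-impact bucket for an amount in EUR, and maps an ecsirt tag onto IntelMQ's classification.taxonomy / classification.type fields. Two choices are this example's assumptions, not the page's: an amount exactly on a bucket boundary goes into the next (larger) bucket, since the taxonomy does not say, and the ecsirt-to-IntelMQ mapping is "predicate becomes taxonomy, value becomes type", which you should check against the harmonisation of your IntelMQ version.

```python
import re
from typing import Dict, List, Optional, Tuple

# A MISP machine tag is namespace:predicate, optionally followed by ="value" or =value.
_TAG_RE = re.compile(
    r'^(?P<ns>[^:="\s]+):(?P<pred>[^:="\s]+)'
    r'(?:=(?:"(?P<qval>[^"]*)"|(?P<val>[^"\s]+)))?$'
)

# Subset of the taxonomies on this page, transcribed by hand for the example
# (not the upstream JSON; values are case-sensitive, as in the tag strings).
TAXONOMIES: Dict[str, Dict[str, List[str]]] = {
    "economical-impact": {
        predicate: [
            "none", "less-than-25k-eur", "less-than-50k-euro", "less-than-100k-euro",
            "less-than-1M-euro", "less-than-10M-euro", "less-than-100M-euro",
            "less-than-1B-euro", "more-than-1B-euro",
        ]
        for predicate in ("loss", "gain")
    },
    "ecsirt": {
        "abusive-content": ["spam", "harmful-speech", "violence"],
        "malicious-code": ["virus", "worm", "trojan", "spyware", "dialer", "rootkit",
                           "malware", "botnet-drone", "ransomware",
                           "malware-configuration", "c&c"],
        "information-gathering": ["scanner", "sniffing", "social-engineering"],
        "intrusion-attempts": ["ids-alert", "brute-force", "exploit"],
        "intrusions": ["privileged-account-compromise", "unprivileged-account-compromise",
                       "application-compromise", "bot", "defacement", "compromised",
                       "backdoor"],
        "availability": ["dos", "ddos", "sabotage", "outage"],
        "information-content-security": ["Unauthorised-information-access",
                                         "Unauthorised-information-modification",
                                         "dropzone"],
        "fraud": ["unauthorized-use-of-resources", "copyright", "masquerade", "phishing"],
        "vulnerable": ["vulnerable-service"],
        "other": ["blacklist", "unknown", "other"],
        "test": ["test"],
    },
}

# Exclusive upper bounds for the economical-impact buckets. The taxonomy does not say
# where an amount exactly on a boundary belongs; this example puts it in the next bucket.
_EUR_BUCKETS = [
    (25_000, "less-than-25k-eur"),
    (50_000, "less-than-50k-euro"),
    (100_000, "less-than-100k-euro"),
    (1_000_000, "less-than-1M-euro"),
    (10_000_000, "less-than-10M-euro"),
    (100_000_000, "less-than-100M-euro"),
    (1_000_000_000, "less-than-1B-euro"),
]


def parse_machine_tag(tag: str) -> Tuple[str, str, Optional[str]]:
    """Split a machine tag into (namespace, predicate, value); value is None for a bare predicate."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    value = m.group("qval") if m.group("qval") is not None else m.group("val")
    return m.group("ns"), m.group("pred"), value


def is_valid_tag(tag: str) -> bool:
    """True if the tag names a namespace, predicate and value present in TAXONOMIES."""
    try:
        ns, pred, value = parse_machine_tag(tag)
    except ValueError:
        return False
    values = TAXONOMIES.get(ns, {}).get(pred)
    # Every predicate embedded here carries values, so a bare predicate is incomplete.
    return values is not None and value is not None and value in values


def economical_impact_tag(amount_eur: float, predicate: str = "loss") -> str:
    """Return the economical-impact tag whose bucket contains amount_eur."""
    if predicate not in TAXONOMIES["economical-impact"]:
        raise ValueError(f"unknown predicate: {predicate!r}")
    if amount_eur < 0:
        raise ValueError("amount must be non-negative; the sign is carried by 'loss' or 'gain'")
    if amount_eur == 0:
        value = "none"
    else:
        value = next((name for limit, name in _EUR_BUCKETS if amount_eur < limit),
                     "more-than-1B-euro")
    return f'economical-impact:{predicate}="{value}"'


def ecsirt_to_intelmq(tag: str) -> Dict[str, str]:
    """Map an ecsirt tag onto IntelMQ's classification fields.

    Assumption of this example: predicate -> classification.taxonomy,
    value -> classification.type. Verify against your IntelMQ harmonisation.
    """
    ns, pred, value = parse_machine_tag(tag)
    if ns != "ecsirt" or not is_valid_tag(tag):
        raise ValueError(f"not a valid ecsirt tag: {tag!r}")
    return {"classification.taxonomy": pred, "classification.type": value}


if __name__ == "__main__":
    # Constructed inputs: a made-up loss figure and one tag from the ecsirt section.
    print(economical_impact_tag(30_000))
    print(ecsirt_to_intelmq('ecsirt:abusive-content="spam"'))
```

The validator rejects a bare `economical-impact:loss` because every predicate on this page has values; for taxonomies whose predicates stand alone you would relax that check.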
enisa
enisa namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
The present threat taxonomy is an initial version that has been developed on the basis of available
ENISA material. This material has been used as an ENISA-internal structuring aid for information
collection and threat consolidation purposes. It emerged in the time period 2012-2015.
physical-attack
Threats of intentional, hostile human actions.
enisa:physical-attack="fraud"
Fraud
Fraud committed by humans.
enisa:physical-attack="fraud-by-employees"
Fraud committed by employees or others that are in relation with entities, who have access to
entities' information and IT assets.
enisa:physical-attack="sabotage"
Sabotage
enisa:physical-attack="vandalism"
Vandalism
enisa:physical-attack="theft"
enisa:physical-attack="theft-of-mobile-devices"
Taking away another person’s property in the form of mobile devices, for example smartphones,
tablets.
enisa:physical-attack="theft-of-fixed-hardware"
Taking away another person’s hardware property (except mobile devices), which often contains
business-sensitive data.
enisa:physical-attack="theft-of-documents"
Theft of documents
Stealing documents from private/company archives, often for the purpose of re-sale or to achieve
personal benefits.
enisa:physical-attack="theft-of-backups"
Theft of backups
enisa:physical-attack="information-leak-or-unauthorised-sharing"
enisa:physical-attack="unauthorised-physical-access-or-unauthorised-entry-to-premises"
enisa:physical-attack="coercion-or-extortion-or-corruption"
enisa:physical-attack="damage-from-the-wafare"
enisa:physical-attack="terrorist-attack"
Terrorist attack
unintentional-damage
Threats of unintentional human actions or errors.
enisa:unintentional-damage="information-leak-or-sharing-due-to-human-error"
enisa:unintentional-damage="accidental-leaks-or-sharing-of-data-by-employees"
enisa:unintentional-damage="leaks-of-data-via-mobile-applications"
Threat of leaking private data (a result of using applications for mobile devices).
enisa:unintentional-damage="leaks-of-data-via-web-applications"
enisa:unintentional-damage="leaks-of-information-transferred-by-network"
enisa:unintentional-damage="erroneous-use-or-administration-of-devices-and-systems"
Information leak / sharing / damage caused by misuse of IT assets (lack of awareness of application
features) or wrong / improper IT assets configuration or management.
enisa:unintentional-damage="loss-of-information-due-to-maintenance-errors-or-operators-errors"
enisa:unintentional-damage="loss-of-information-due-to-configuration-or-installation error"
enisa:unintentional-damage="increasing-recovery-time"
Threat of unavailability of information due to errors in the use of backup media and increasing
information recovery time.
enisa:unintentional-damage="lost-of-information-due-to-user-errors"
enisa:unintentional-damage="using-information-from-an-unreliable-source"
enisa:unintentional-damage="unintentional-change-of-data-in-an-information-system"
Loss of information integrity due to human error (information system user mistake).
enisa:unintentional-damage="inadequate-design-and-planning-or-improper-adaptation"
enisa:unintentional-damage="damage-caused-by-a-third-party"
enisa:unintentional-damage="security-failure-caused-by-third-party"
enisa:unintentional-damage="damages-resulting-from-penetration-testing"
enisa:unintentional-damage="loss-of-information-in-the-cloud"
enisa:unintentional-damage="loss-of-(integrity-of)-sensitive-information"
enisa:unintentional-damage="loss-of-integrity-of-certificates"
enisa:unintentional-damage="loss-of-devices-and-storage-media-and-documents"
enisa:unintentional-damage="loss-of-devices-or-mobile-devices"
enisa:unintentional-damage="loss-of-storage-media"
enisa:unintentional-damage="loss-of-documentation-of-IT-Infrastructure"
enisa:unintentional-damage="destruction-of-records"
Destruction of records
Threats of unavailability (destruction) of data and records (information) stored in devices and
storage media.
enisa:unintentional-damage="infection-of-removable-media"
Threat of loss of important data due to using removable media, web or mail infection.
enisa:unintentional-damage="abuse-of-storage"
Abuse of storage
disaster
Threats of damage to information assets caused by natural or environmental factors.
enisa:disaster="disaster"
Disaster (natural earthquakes, floods, landslides, tsunamis, heavy rains, heavy snowfalls, heavy
winds)
enisa:disaster="fire"
Fire
Threat of fire.
enisa:disaster="pollution-dust-corrosion"
Threat of disruption of work of IT systems (hardware) due to pollution, dust or corrosion (arising
from the air).
enisa:disaster="thunderstrike"
Thunderstrike
enisa:disaster="water"
Water
enisa:disaster="explosion"
Explosion
enisa:disaster="dangerous-radiation-leak"
enisa:disaster="unfavourable-climatic-conditions"
Threat of disruption of work of IT systems due to climatic conditions that have a negative effect on
hardware.
enisa:disaster="loss-of-data-or-accessibility-of-IT-infrastructure-as-a-result-of-heightened-humidity"
enisa:disaster="lost-of-data-or-accessibility-of-IT-infrastructure-as-a-result-of-very-high-temperature"
enisa:disaster="threats-from-space-or-electromagnetic-storm"
Threats of the negative impact of solar radiation to satellites and radio wave communication
systems - electromagnetic storm.
enisa:disaster="wildlife"
Wildlife
Threat of destruction of IT assets caused by animals: mice, rats, birds.
failures-malfunction
Threat of failure/malfunction of IT supporting infrastructure (i.e. degradation of quality, improper
working parameters, jamming). The cause of a failure is mostly an internal issue (e.g. overload of
the power grid in a building).
enisa:failures-malfunction="failure-of-devices-or-systems"
enisa:failures-malfunction="failure-of-data-media"
enisa:failures-malfunction="hardware-failure"
Hardware failure
enisa:failures-malfunction="failure-of-applications-and-services"
enisa:failures-malfunction="failure-of-parts-of-devices-connectors-plug-ins"
enisa:failures-malfunction="failure-or-disruption-of-communication-links-communication networks"
enisa:failures-malfunction="failure-of-cable-networks"
Threat of failure of communications links due to problems with cable network.
enisa:failures-malfunction="failure-of-wireless-networks"
enisa:failures-malfunction="failure-of-mobile-networks"
enisa:failures-malfunction="failure-or-disruption-of-main-supply"
enisa:failures-malfunction="failure-or-disruption-of-power-supply"
enisa:failures-malfunction="failure-of-cooling-infrastructure"
enisa:failures-malfunction="failure-or-disruption-of-service-providers-supply-chain"
Threat of failure or disruption of third party services required for proper operation of information
systems.
enisa:failures-malfunction="malfunction-of-equipment-devices-or-systems"
Threat of malfunction of IT hardware and/or software assets or its parts (i.e. improper working
parameters, jamming, rebooting).
outages
Threat of complete lack or loss of resources necessary for IT infrastructure. The cause of an outage
is mostly an external issue (e.g. an electricity blackout in the whole city).
enisa:outages="absence-of-personnel"
Absence of personnel
enisa:outages="strike"
Strike
enisa:outages="loss-of-support-services"
Unavailability of support services required for proper operation of the information system.
enisa:outages="internet-outage"
Internet outage
enisa:outages="network-outage"
Network outage
enisa:outages="outage-of-cable-networks"
enisa:outages="Outage-of-short-range-wireless-networks"
Threat of lack of communications links due to problems with wireless networks (802.11 networks,
Bluetooth, NFC etc.).
enisa:outages="outages-of-long-range-wireless-networks"
Threat of lack of communications links due to problems with mobile networks like cellular network
(3G, LTE, GSM etc.) or satellite links.
eavesdropping-interception-hijacking
Threats that alter communication between two parties. These attacks do not have to install
additional tools/software on a victim’s site.
enisa:eavesdropping-interception-hijacking="war-driving"
War driving
enisa:eavesdropping-interception-hijacking="intercepting-compromising-emissions"
enisa:eavesdropping-interception-hijacking="interception-of-information"
Interception of information
enisa:eavesdropping-interception-hijacking="corporate-espionage"
Corporate espionage
enisa:eavesdropping-interception-hijacking="nation-state-espionage"
Threats of stealing information by nation state espionage (e.g. China based governmental
espionage, NSA from USA).
enisa:eavesdropping-interception-hijacking="information-leakage-due-to-unsecured-wi-fi-like-rogue-access-points"
Threat of obtaining important information through insecure networks, rogue access points, etc.
enisa:eavesdropping-interception-hijacking="interfering-radiation"
Interfering radiation
Threat of failure of IT hardware or transmission connection due to electromagnetic induction or
electromagnetic radiation emitted by an outside source.
enisa:eavesdropping-interception-hijacking="replay-of-messages"
Replay of messages
enisa:eavesdropping-interception-hijacking="network-reconnaissance-network-traffic-manipulation-and-information-gathering"
enisa:eavesdropping-interception-hijacking="man-in-the-middle-session-hijacking"
legal
Threat of financial or legal penalty or loss of trust of customers and collaborators due to legislation.
enisa:legal="violation-of-rules-and-regulations-breach-of-legislation"
Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation
of law or regulations.
enisa:legal="failure-to-meet-contractual-requirements"
Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet
contractual requirements.
enisa:legal="failure-to-meet-contractual-requirements-by-third-party"
Threat of financial penalty or loss of trust of customers and collaborators due to a third party’s
failure to meet contractual requirements
enisa:legal="unauthorized-use-of-IPR-protected-resources"
Threat of financial or legal penalty or loss of trust of customers and collaborators due to
improper/illegal use of IPR-protected material (IPR: Intellectual Property Rights).
enisa:legal="illegal-usage-of-file-sharing-services"
Threat of financial or legal penalty or loss of trust of customers and collaborators due to
improper/illegal use of file sharing services.
enisa:legal="abuse-of-personal-data"
enisa:legal="judiciary-decisions-or-court-order"
Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary
decisions/court order.
nefarious-activity-abuse
Threats of nefarious activities that require use of tools by the attacker. These attacks require
installation of additional tools/software or performing additional steps on the victim’s IT
infrastructure/software.
enisa:nefarious-activity-abuse="identity-theft-identity-fraud-account)"
enisa:nefarious-activity-abuse="credentials-stealing-trojans"
Credentials-stealing trojans
enisa:nefarious-activity-abuse="receiving-unsolicited-e-mail"
Threat of receiving unsolicited email which affects information security and efficiency.
enisa:nefarious-activity-abuse="spam"
SPAM
enisa:nefarious-activity-abuse="unsolicited-infected-e-mails"
Threat emanating from unwanted emails that may contain infected attachments or links to
malicious / infected web sites.
enisa:nefarious-activity-abuse="denial-of-service"
Denial of service
enisa:nefarious-activity-abuse="distributed-denial-of-network-service-network-layer-attack"
Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation /
Malformed packets / Flooding / Spoofing)
Threat of service unavailability due to a massive number of requests for access to network services
from malicious clients.
enisa:nefarious-activity-abuse="distributed-denial-of-network-service-application-layer-attack"
Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS /
WinNuke / HTTP Floods)
Threat of service unavailability due to massive requests sent by multiple malicious clients.
enisa:nefarious-activity-abuse="distributed-denial-of-network-service-amplification-reflection-attack"
Distributed DoS (DDoS) to both network and application services (amplification/reflection methods
i.e. NTP/ DNS /…/ BitTorrent)
enisa:nefarious-activity-abuse="malicious-code-software-activity"
enisa:nefarious-activity-abuse="search-engine-poisoning"
enisa:nefarious-activity-abuse="exploitation-of-fake-trust-of-social-media"
enisa:nefarious-activity-abuse="worms-trojans"
Worms/ Trojans
enisa:nefarious-activity-abuse="rootkits"
Rootkits
enisa:nefarious-activity-abuse="mobile-malware"
Mobile malware
enisa:nefarious-activity-abuse="infected-trusted-mobile-apps"
enisa:nefarious-activity-abuse="elevation-of-privileges"
Elevation of privileges
enisa:nefarious-activity-abuse="web-application-attacks-injection-attacks-code-injection-SQL-XSS"
Threat of utilizing custom web applications embedded within social media sites, which can lead to
installation of malicious code onto computers to be used to gain unauthorized access.
enisa:nefarious-activity-abuse="spyware-or-deceptive-adware"
Threat of using software that aims to gather information about a person or organization without
their knowledge.
enisa:nefarious-activity-abuse="viruses"
Viruses
enisa:nefarious-activity-abuse="rogue-security-software-rogueware-scareware"
Threat of internet fraud or malicious software that misleads users into believing there is a virus on
their computer, and manipulates them into paying money for a fake removal tool.
enisa:nefarious-activity-abuse="ransomware"
Ransomware
Threat of infection of computer system or device by malware that restricts access to it and demands
that the user pay a ransom to remove the restriction.
enisa:nefarious-activity-abuse="exploits-exploit-kits"
Exploits/Exploit Kits
Threat to IT assets due to the use of exploits available on the web or of exploit software.
enisa:nefarious-activity-abuse="social-engineering"
Social Engineering
enisa:nefarious-activity-abuse="phishing-attacks"
Phishing attacks
Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an
attempt to gather personal and financial information from recipients. Typically, the messages
appear to come from well-known and trustworthy websites.
enisa:nefarious-activity-abuse="spear-phishing-attacks"
Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure
the victim to unveil some business or personal secrets that can be abused by the adversary.
enisa:nefarious-activity-abuse="abuse-of-information-leakage"
enisa:nefarious-activity-abuse="leakage-affecting-mobile-privacy-and-mobile-applications"
enisa:nefarious-activity-abuse="leakage-affecting-web-privacy-and-web-applications"
enisa:nefarious-activity-abuse="leakage-affecting-network-traffic"
enisa:nefarious-activity-abuse="leakage-affecting-cloud-computing"
enisa:nefarious-activity-abuse="generation-and-use-of-rogue-certificates"
enisa:nefarious-activity-abuse="loss-of-integrity-of-sensitive-information"
enisa:nefarious-activity-abuse="man-in-the-middle-session-hijacking"
Threat of attack consisting in the exploitation of the web session control mechanism, which is
normally managed by a session token.
enisa:nefarious-activity-abuse="social-engineering-via-signed-malware"
Threat of installing signed software (malware) that carries fake trust, e.g. fake OS updates.
enisa:nefarious-activity-abuse="fake-SSL-certificates"
Threat of attack due to malware application signed by a certificate that is typically inherently
trusted by an endpoint.
enisa:nefarious-activity-abuse="manipulation-of-hardware-and-software"
enisa:nefarious-activity-abuse="anonymous-proxies"
Anonymous proxies
enisa:nefarious-activity-abuse="abuse-of-computing-power-of-cloud-to-launch-attacks-cybercrime-as-a-service)"
enisa:nefarious-activity-abuse="abuse-of-vulnerabilities-0-day-vulnerabilities"
enisa:nefarious-activity-abuse="access-of-web-sites-through-chains-of-HTTP-Proxies-Obfuscation"
Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist).
enisa:nefarious-activity-abuse="access-to-device-software"
enisa:nefarious-activity-abuse="alternation-of-software"
Alternation of software
enisa:nefarious-activity-abuse="rogue-hardware"
Rogue hardware
enisa:nefarious-activity-abuse="manipulation-of-information"
Manipulation of information
enisa:nefarious-activity-abuse="repudiation-of-actions"
Repudiation of actions
enisa:nefarious-activity-abuse="address-space-hijacking-IP-prefixes"
enisa:nefarious-activity-abuse="routing-table-manipulation"
Threat of network packets being routed to IP addresses other than those intended by the sender,
through unauthorised manipulation of routing tables.
enisa:nefarious-activity-abuse="DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations"
Threat of falsification of DNS information.
enisa:nefarious-activity-abuse="falsification-of-record"
Falsification of record
enisa:nefarious-activity-abuse="autonomous-system-hijacking"
Threat of an attacker taking over ownership of a whole autonomous system and its prefixes, despite
origin validation.
enisa:nefarious-activity-abuse="autonomous-system-manipulation"
enisa:nefarious-activity-abuse="falsification-of-configurations"
Falsification of configurations
enisa:nefarious-activity-abuse="misuse-of-audit-tools"
Threat of nefarious actions performed using audit tools (discovery of security weaknesses in
information systems).
enisa:nefarious-activity-abuse="misuse-of-information-or-information systems-including-mobile-apps"
enisa:nefarious-activity-abuse="unauthorized-activities"
Unauthorized activities
enisa:nefarious-activity-abuse="Unauthorised-use-or-administration-of-devices-and-systems"
enisa:nefarious-activity-abuse="unauthorised-use-of-software"
enisa:nefarious-activity-abuse="unauthorized-access-to-the-information-systems-or-networks-like-IMPI-Protocol-DNS-Registrar-Hijacking)"
enisa:nefarious-activity-abuse="network-intrusion"
Network Intrusion
enisa:nefarious-activity-abuse="unauthorized-changes-of-records"
enisa:nefarious-activity-abuse="unauthorized-installation-of-software"
enisa:nefarious-activity-abuse="Web-based-attacks-drive-by-download-or-malicious-URLs-or-browser-based-attacks"
Web based attacks (Drive-by download / malicious URLs / Browser based attacks)
enisa:nefarious-activity-abuse="compromising-confidential-information-like-data-breaches"
Threat of data breach.
enisa:nefarious-activity-abuse="hoax"
Hoax
enisa:nefarious-activity-abuse="false-rumour-and-or-fake-warning"
enisa:nefarious-activity-abuse="remote-activity-execution"
enisa:nefarious-activity-abuse="remote-command-execution"
enisa:nefarious-activity-abuse="remote-access-tool"
Threat of infection with software that has remote administration capabilities, allowing an attacker
to control the victim’s computer.
enisa:nefarious-activity-abuse="botnets-remote-activity"
enisa:nefarious-activity-abuse="targeted-attacks"
enisa:nefarious-activity-abuse="mobile-malware-exfiltration"
Threat of mobile software that aims to gather information about a person or organization without
their knowledge.
enisa:nefarious-activity-abuse="spear-phishing-attacks-targeted"
Threat of attack focused on a single user or department within an organization, coming from
someone within the company in a position of trust and requesting information such as login, IDs
and passwords.
enisa:nefarious-activity-abuse="installation-of-sophisticated-and-targeted-malware"
enisa:nefarious-activity-abuse="watering-hole-attacks"
enisa:nefarious-activity-abuse="failed-business-process"
enisa:nefarious-activity-abuse="brute-force"
Brute force
Threat of unauthorised access via systematically checking all possible keys or passwords until the
correct one is found.
enisa:nefarious-activity-abuse="abuse-of-authorizations"
Abuse of authorizations
estimative-language
estimative-language namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
Estimative language to describe the quality and credibility of underlying sources, data, and
methodologies, based on Intelligence Community Directive 203 (ICD 203) and JP 2-0, Joint
Intelligence.
likelihood-probability
Properly expresses and explains uncertainties associated with major analytic judgments: Analytic
products should indicate and explain the basis for the uncertainties associated with major analytic
judgments, specifically the likelihood of occurrence of an event or development, and the analyst’s
confidence in the basis for this judgment. Degrees of likelihood encompass a full spectrum from
remote to nearly certain. Analysts' confidence in an assessment or judgment may be based on the
logic and evidentiary base that underpin it, including the quantity and quality of source material,
and their understanding of the topic. Analytic products should note causes of uncertainty (e.g., type,
currency, and amount of information, knowledge gaps, and the nature of the issue) and explain
how uncertainties affect analysis (e.g., to what degree and how a judgment depends on
assumptions). As appropriate, products should identify indicators that would alter the levels of
uncertainty for major analytic judgments. Consistency in the terms used and the supporting
information and logic advanced is critical to success in expressing uncertainty, regardless of
whether likelihood or confidence expressions are used.
estimative-language:likelihood-probability="almost-no-chance"
estimative-language:likelihood-probability="very-unlikely"
estimative-language:likelihood-probability="unlikely"
estimative-language:likelihood-probability="roughly-even-chance"
estimative-language:likelihood-probability="likely"
estimative-language:likelihood-probability="very-likely"
estimative-language:likelihood-probability="almost-certain"
confidence-in-analytic-judgment
Confidence in a judgment is based on three factors: number of key assumptions required, the
credibility and diversity of sourcing in the knowledge base, and the strength of argumentation.
Each factor should be assessed independently and then in concert with the other factors to
determine the confidence level. Multiple judgments in a product may contain varying levels of
confidence. Confidence levels are stated as Low, Moderate, and High.
estimative-language:confidence-in-analytic-judgment="low"
Low
Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak
logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or
expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'
estimative-language:confidence-in-analytic-judgment="moderate"
Moderate
Partially corroborated information from good sources. Several assumptions. Mix of strong and
weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely,
unlikely', 'Probable, improbable' 'Anticipate, appear'.
estimative-language:confidence-in-analytic-judgment="high"
High
eu-marketop-and-publicadmin
eu-marketop-and-publicadmin namespace available in JSON format at this
location. The JSON format can be freely reused in your application or
automatically enabled in MISP taxonomy.
Market operators and public administrations that must comply with certain notification requirements
under the EU NIS directive.
critical-infra-operators
eu-marketop-and-publicadmin:critical-infra-operators="transport"
Transport
eu-marketop-and-publicadmin:critical-infra-operators="energy"
Energy
eu-marketop-and-publicadmin:critical-infra-operators="health"
Health
eu-marketop-and-publicadmin:critical-infra-operators="financial"
eu-marketop-and-publicadmin:critical-infra-operators="banking"
Banking
info-services
eu-marketop-and-publicadmin:info-services="e-commerce"
e-commerce platforms
eu-marketop-and-publicadmin:info-services="internet-payment"
Internet payment
eu-marketop-and-publicadmin:info-services="cloud"
cloud computing
eu-marketop-and-publicadmin:info-services="search-engines"
search engines
eu-marketop-and-publicadmin:info-services="socnet"
social networks
eu-marketop-and-publicadmin:info-services="app-stores"
application stores
public-admin
eu-marketop-and-publicadmin:public-admin="public-admin"
Public Administrations
eu-nis-sector-and-subsectors
eu-nis-sector-and-subsectors namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
eu-nis-oes
eu-nis-sector-and-subsectors:eu-nis-oes="energy"
Energy
eu-nis-sector-and-subsectors:eu-nis-oes="transport"
Transport Sector
eu-nis-sector-and-subsectors:eu-nis-oes="banking"
Banking
eu-nis-sector-and-subsectors:eu-nis-oes="financial"
eu-nis-sector-and-subsectors:eu-nis-oes="health"
Health
eu-nis-sector-and-subsectors:eu-nis-oes="water"
eu-nis-sector-and-subsectors:eu-nis-oes="digitalinfrastructure"
Digital Infrastructure
eu-nis-oes-energy
eu-nis-sector-and-subsectors:eu-nis-oes-energy="electricity-energy"
eu-nis-sector-and-subsectors:eu-nis-oes-energy="oil-energy"
eu-nis-sector-and-subsectors:eu-nis-oes-energy="gas-energy"
eu-nis-oes-transport
eu-nis-sector-and-subsectors:eu-nis-oes-transport="air-transport"
eu-nis-sector-and-subsectors:eu-nis-oes-transport="rail-transport"
eu-nis-sector-and-subsectors:eu-nis-oes-transport="water-transport"
eu-nis-sector-and-subsectors:eu-nis-oes-transport="road-transport"
eu-nis-oes-banking
eu-nis-sector-and-subsectors:eu-nis-oes-banking="credit-banking"
eu-nis-oes-financial
eu-nis-sector-and-subsectors:eu-nis-oes-financial="trading-financial"
eu-nis-sector-and-subsectors:eu-nis-oes-financial="ccp-financial"
eu-nis-oes-health
eu-nis-sector-and-subsectors:eu-nis-oes-health="healthcare-health"
eu-nis-oes-water
eu-nis-sector-and-subsectors:eu-nis-oes-water="supply-water"
eu-nis-sector-and-subsectors:eu-nis-oes-water="distribution-water"
eu-nis-oes-diginfra
eu-nis-sector-and-subsectors:eu-nis-oes-diginfra="ixp-diginfra"
eu-nis-sector-and-subsectors:eu-nis-oes-diginfra="dns-diginfra"
eu-nis-sector-and-subsectors:eu-nis-oes-diginfra="tld-diginfra"
eu-nis-dsp
eu-nis-sector-and-subsectors:eu-nis-dsp="market-dsp"
eu-nis-sector-and-subsectors:eu-nis-dsp="search-dsp"
eu-nis-sector-and-subsectors:eu-nis-dsp="cloud-dsp"
euci
euci namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
TS-UE/EU-TS
Information and material the unauthorised disclosure of which could cause exceptionally grave
prejudice to the essential interests of the European Union or of one or more of the Member States.
euci:TS-UE/EU-TS
Information and material the unauthorised disclosure of which could cause exceptionally grave
prejudice to the essential interests of the European Union or of one or more of the Member States.
S-UE/EU-S
Information and material the unauthorised disclosure of which could seriously harm the essential
interests of the European Union or of one or more of the Member States.
euci:S-UE/EU-S
Information and material the unauthorised disclosure of which could seriously harm the essential
interests of the European Union or of one or more of the Member States.
C-UE/EU-C
Information and material the unauthorised disclosure of which could harm the essential interests
of the European Union or of one or more of the Member States.
euci:C-UE/EU-C
Information and material the unauthorised disclosure of which could harm the essential interests
of the European Union or of one or more of the Member States.
R-UE/EU-R
Information and material the unauthorised disclosure of which could be disadvantageous to the
interests of the European Union or of one or more of the Member States.
euci:R-UE/EU-R
Information and material the unauthorised disclosure of which could be disadvantageous to the
interests of the European Union or of one or more of the Member States.
europol-event
europol-event namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
infected-by-known-malware
The presence of any of the types of malware was detected in a system.
europol-event:infected-by-known-malware
dissemination-malware-email
Malware attached to a message or email message containing link to malicious URL.
europol-event:dissemination-malware-email
hosting-malware-webpage
europol-event:hosting-malware-webpage
c&c-server-hosting
Web page disseminating one or various types of malware.
europol-event:c&c-server-hosting
worm-spreading
System infected by a worm trying to infect other systems.
europol-event:worm-spreading
connection-malware-port
System attempting to gain access to a port normally linked to a specific type of malware.
europol-event:connection-malware-port
System attempting to gain access to a port normally linked to a specific type of malware.
connection-malware-system
System attempting to gain access to an IP address or URL normally linked to a specific type of
malware, e.g. C&C or a distribution page for components linked to a specific botnet.
europol-event:connection-malware-system
System attempting to gain access to an IP address or URL normally linked to a specific type of
malware, e.g. C&C or a distribution page for components linked to a specific botnet.
flood
Mass mailing of requests (network packets, emails, etc…) from one single source to a specific
service, aimed at affecting its normal functioning.
europol-event:flood
Flood of requests
Mass mailing of requests (network packets, emails, etc…) from one single source to a specific
service, aimed at affecting its normal functioning.
exploit-tool-exhausting-resources
One single source using specially designed software to affect the normal functioning of a specific
service, by exploiting a vulnerability.
europol-event:exploit-tool-exhausting-resources
Exploit or tool aimed at exhausting resources (network, processing capacity, sessions, etc…)
One single source using specially designed software to affect the normal functioning of a specific
service, by exploiting a vulnerability.
packet-flood
Mass mailing of requests (network packets, emails, etc…) from various sources to a specific service,
aimed at affecting its normal functioning.
europol-event:packet-flood
Packet flooding
Mass mailing of requests (network packets, emails, etc…) from various sources to a specific service,
aimed at affecting its normal functioning.
exploit-framework-exhausting-resources
Various sources using specially designed software to affect the normal functioning of a specific
service, by exploiting a vulnerability.
europol-event:exploit-framework-exhausting-resources
Various sources using specially designed software to affect the normal functioning of a specific
service, by exploiting a vulnerability.
vandalism
Logical and physical activities which – although they are not aimed at causing damage to
information or at preventing its transmission among systems – have this effect.
europol-event:vandalism
Vandalism
Logical and physical activities which – although they are not aimed at causing damage to
information or at preventing its transmission among systems – have this effect.
disruption-data-transmission
Logical and physical activities aimed at causing damage to information or at preventing its
transmission among systems.
europol-event:disruption-data-transmission
Logical and physical activities aimed at causing damage to information or at preventing its
transmission among systems.
system-probe
Single system scan searching for open ports or services using these ports for responding.
europol-event:system-probe
System probe
Single system scan searching for open ports or services using these ports for responding.
network-scanning
Scanning a network aimed at identifying systems which are active in the same network.
europol-event:network-scanning
Network scanning
Scanning a network aimed at identifying systems which are active in the same network.
dns-zone-transfer
Transfer of a specific DNS zone.
europol-event:dns-zone-transfer
wiretapping
Logical or physical interception of communications.
europol-event:wiretapping
Wiretapping
dissemination-phishing-emails
Mass emailing aimed at collecting data for phishing purposes with regard to the victims.
europol-event:dissemination-phishing-emails
Mass emailing aimed at collecting data for phishing purposes with regard to the victims.
hosting-phishing-sites
Hosting web sites for phishing purposes.
europol-event:hosting-phishing-sites
aggregation-information-phishing-schemes
Collecting data obtained through phishing attacks on web pages, email accounts, etc…
europol-event:aggregation-information-phishing-schemes
Collecting data obtained through phishing attacks on web pages, email accounts, etc…
exploit-attempt
Unsuccessful use of a tool exploiting a specific vulnerability of the system.
europol-event:exploit-attempt
Exploit attempt
sql-injection-attempt
Unsuccessful attempt to manipulate or read the information of a database by using the SQL
injection technique.
europol-event:sql-injection-attempt
Unsuccessful attempt to manipulate or read the information of a database by using the SQL
injection technique.
xss-attempt
Unsuccessful attempts to perform attacks by using cross-site scripting techniques.
europol-event:xss-attempt
XSS attempt
file-inclusion-attempt
Unsuccessful attempt to include files in the system under attack by using file inclusion techniques.
europol-event:file-inclusion-attempt
Unsuccessful attempt to include files in the system under attack by using file inclusion techniques.
brute-force-attempt
Unsuccessful login attempt by using sequential credentials for gaining access to the system.
europol-event:brute-force-attempt
Unsuccessful login attempt by using sequential credentials for gaining access to the system.
password-cracking-attempt
Attempt to acquire access credentials by breaking the protective cryptographic keys.
europol-event:password-cracking-attempt
dictionary-attack-attempt
Unsuccessful login attempt by using system access credentials previously loaded into a dictionary.
europol-event:dictionary-attack-attempt
Unsuccessful login attempt by using system access credentials previously loaded into a dictionary.
exploit
Successful use of a tool exploiting a specific vulnerability of the system.
europol-event:exploit
sql-injection
Manipulation or reading of information contained in a database by using the SQL injection
technique.
europol-event:sql-injection
SQL injection
xss
Attacks performed with the use of cross-site scripting techniques.
europol-event:xss
XSS
file-inclusion
Inclusion of files into a system under attack with the use of file inclusion techniques.
europol-event:file-inclusion
File inclusion
Inclusion of files into a system under attack with the use of file inclusion techniques.
control-system-bypass
Unauthorised access to a system or component by bypassing an access control system in place.
europol-event:control-system-bypass
theft-access-credentials
Unauthorised access to a system or component by using stolen access credentials.
europol-event:theft-access-credentials
unauthorized-access-system
Unauthorised access to a system or component.
europol-event:unauthorized-access-system
Unauthorised access to a system or component.
unauthorized-access-information
Unauthorised access to a set of information.
europol-event:unauthorized-access-information
data-exfiltration
Unauthorised access to and sharing of a specific set of information.
europol-event:data-exfiltration
Data exfiltration
modification-information
Unauthorised changes to a specific set of information.
europol-event:modification-information
Modification of information
deletion-information
Unauthorised deleting of a specific set of information.
europol-event:deletion-information
Deletion of information
illegitimate-use-resources
Use of institutional resources for purposes other than those intended.
europol-event:illegitimate-use-resources
illegitimate-use-name
Using the name of an institution without permission to do so.
europol-event:illegitimate-use-name
email-flooding
Sending an unusually large quantity of email messages.
europol-event:email-flooding
Email flooding
spam
Sending an email message that was unsolicited or unwanted by the recipient.
europol-event:spam
copyrighted-content
Distribution or sharing of content protected by copyright and related rights.
europol-event:copyrighted-content
content-forbidden-by-law
Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc…
europol-event:content-forbidden-by-law
Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc…
unspecified
Other unlisted events.
europol-event:unspecified
undetermined
Field aimed at the classification of unprocessed events, which have remained undetermined from
the beginning.
europol-event:undetermined
Undetermined
Field aimed at the classification of unprocessed events, which have remained undetermined from
the beginning.
europol-incident
europol-incident namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
malware
europol-incident:malware="infection"
Infection
europol-incident:malware="distribution"
Distribution
europol-incident:malware="c&c"
C&C
europol-incident:malware="undetermined"
Undetermined
availability
europol-incident:availability="dos-ddos"
DoS/DDoS
Disruption of the processing and response capacity of systems and networks in order to render
them inoperative.
europol-incident:availability="sabotage"
Sabotage
Premeditated action to damage a system, interrupt a process, change or delete information, etc.
information-gathering
europol-incident:information-gathering="scanning"
Scanning
europol-incident:information-gathering="sniffing"
Sniffing
europol-incident:information-gathering="phishing"
Phishing
Attempt to gather information on a user or a system through phishing methods.
intrusion-attempt
europol-incident:intrusion-attempt="exploitation-vulnerability"
Exploitation of vulnerability
europol-incident:intrusion-attempt="login-attempt"
Login attempt
intrusion
europol-incident:intrusion="exploitation-vulnerability"
Exploitation of vulnerability
europol-incident:intrusion="compromising-account"
Compromising an account
information-security
europol-incident:information-security="unauthorized-access"
Unauthorised access
europol-incident:information-security="unauthorized-modification"
Unauthorised modification/deletion
fraud
europol-incident:fraud="illegitimate-use-resources"
europol-incident:fraud="illegitimate-use-name"
abusive-content
europol-incident:abusive-content="spam"
SPAM
europol-incident:abusive-content="copyright"
Copyright
europol-incident:abusive-content="content-forbidden-by-law"
other
europol-incident:other="other"
Other
event-assessment
event-assessment namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
A series of assessment predicates describing the event assessment performed to make judgement(s)
under a certain level of uncertainty.
alternative-points-of-view-process
A list of procedures or practices which describe alternative points of view to validate or rate an
analysis. The list describes techniques or methods which could reinforce the estimative language in
a human analysis and/or challenge the assumptions to reduce the potential bias of the analysis
introduced by the analyst(s).
event-assessment:alternative-points-of-view-process="analytic-debates-within-the-organisation"
event-assessment:alternative-points-of-view-process="devils-advocates-methodology"
event-assessment:alternative-points-of-view-process="competitive-analysis"
competitive analysis
event-assessment:alternative-points-of-view-process="interdisciplinary-brainstorming"
interdisciplinary brainstorming
event-assessment:alternative-points-of-view-process="intra-office-peer-review"
event-assessment:alternative-points-of-view-process="outside-expertise-review"
event-classification
event-classification namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Classification of events as seen in tools such as RT/IR, MISP and other
event-class
event-classification:event-class="incident_report"
Incident Report
event-classification:event-class="incident"
Incident
event-classification:event-class="investigation"
Investigation
event-classification:event-class="countermeasure"
Countermeasure
event-classification:event-class="general"
General
event-classification:event-class="exercise"
Exercise
exercise
exercise namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Exercise is a taxonomy to describe whether the information is part of one or more cyber or crisis exercises.
cyber-europe
ENISA manages the programme of pan-European exercises named Cyber Europe. This is a series of
EU-level cyber incident and crisis management exercises for both the public and private sectors
from the EU and EFTA Member States. The Cyber Europe exercises are simulations of large-scale
cybersecurity incidents that escalate to become cyber crises. The exercises offer opportunities to
analyse advanced technical cybersecurity incidents but also to deal with complex business
continuity and crisis management situations.
exercise:cyber-europe="2018"
2018
5th pan European cyber crisis exercise, Cyber Europe 2018 (CE2018)
exercise:cyber-europe="2016"
2016
cyber-storm
Cyber Storm, the Department of Homeland Security’s (DHS) biennial exercise series, provides the
framework for the most extensive government-sponsored cybersecurity exercise of its kind.
Congress mandated the Cyber Storm exercise series to strengthen cyber preparedness in the public
and private sectors. Securing cyber space is the DHS Office of Cybersecurity and Communications'
top priority.
exercise:cyber-storm="spring-2018"
Spring 2018
The sixth iteration of the Cyber Storm exercise series, Cyber Storm VI, is scheduled for Spring 2018.
locked-shields
Locked Shields is the world’s largest and most advanced international technical live-fire cyber
defence exercise. This annual scenario-based, real-time network defence exercise, which has been
organised by the NATO Cooperative Cyber Defence Centre of Excellence since 2010, focuses on
training for security experts who protect national IT systems.
exercise:locked-shields="2017"
2017
exercise:locked-shields="2018"
2018
exercise:locked-shields="2019"
2019
Locked Shields 2019
lukex
LÜKEX is an abbreviation of Länderübergreifende Krisenmanagementübung (EXercise) and the name
of exercises held regularly in the Federal Republic of Germany. The aim of LÜKEX is to improve, at
the strategic level, the joint crisis management of the federal government and the Länder in
national crises arising from extraordinary hazard and damage situations.
exercise:lukex="2020"
2020
cyber-coalition
Cyber Coalition tests and trains cyber defenders from across the Alliance in their ability to defend
NATO and national networks. From defence against malware, through tackling hybrid challenges
involving social media, to attacks on mobile devices, the exercise has a challenging, realistic
scenario that helps prepare our cyber defenders for real-life cyber challenges. The training includes
testing of operational and legal procedures, exchange of information and work with industry and
partners.
exercise:cyber-coalition="2017"
2017
exercise:cyber-coalition="2018"
2018
pace
NATO-EU Parallel and Coordinated Exercise. PACE focuses on four key areas, namely situational
awareness, effectiveness of our instruments to counter cyber threats at EU level, speed of reaction
and appropriate reactivity of our crisis response mechanisms, as well as our capacity to
communicate fast and in a coordinated way.
exercise:pace="2017"
2017
PACE17 will focus on four key areas, namely situational awareness, effectiveness of our
instruments to counter cyber threats at EU level, speed of reaction and appropriate reactivity of our
crisis response mechanisms, as well as our capacity to communicate fast and in a coordinated way.
The exercise will be followed by an evaluation phase, to identify lessons learned and improve our
toolbox.
exercise:pace="2018"
2018
cyber-sopex
Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing
on training the participants on situational awareness, information sharing, understanding roles
and responsibilities and utilising related tools, as agreed by the CSIRTs Network.
exercise:cyber-sopex="2019"
2019
exercise:cyber-sopex="2018"
2018
false-positive
false-positive namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
risk
Risk of having false positives in the tagged value.
false-positive:risk="low"
Low
false-positive:risk="medium"
Medium
The risk of having false positives in the tagged value is medium.
false-positive:risk="high"
High
file-type
file-type namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
type
file-type:type="peexe"
executable
file-type:type="pedll"
executable
file-type:type="neexe"
executable
file-type:type="nedll"
executable
file-type:type="mz"
executable
file-type:type="msi"
executable
file-type:type="com"
executable
file-type:type="coff"
executable
file-type:type="elf"
executable
file-type:type="krnl"
executable
file-type:type="rpm"
executable
file-type:type="linux"
executable
file-type:type="macho"
executable
file-type:type="elf32"
executable
file-type:type="elf64"
executable
file-type:type="elfso"
executable
file-type:type="peexe32"
executable
file-type:type="peexe64"
executable
file-type:type="assembly"
executable
file-type:type="html"
internet
file-type:type="xml"
internet
file-type:type="flash"
internet
file-type:type="fla"
internet
file-type:type="iecookie"
internet
file-type:type="bittorrent"
internet
file-type:type="email"
internet
file-type:type="outlook"
internet
file-type:type="cap"
internet
file-type:type="symbian"
file-type:type="palmos"
file-type:type="wince"
file-type:type="android"
file-type:type="iphone"
file-type:type="jpeg"
image
file-type:type="emf"
image
file-type:type="tiff"
image
file-type:type="gif"
image
file-type:type="png"
image
file-type:type="bmp"
image
file-type:type="gimp"
image
file-type:type="indesign"
image
file-type:type="psd"
image
file-type:type="targa"
image
file-type:type="xws"
image
file-type:type="dib"
image
file-type:type="jng"
image
file-type:type="ico"
image
file-type:type="fpx"
image
file-type:type="eps"
image
file-type:type="svg"
image
file-type:type="ogg"
file-type:type="flc"
file-type:type="fli"
file-type:type="mp3"
file-type:type="flac"
file-type:type="wav"
file-type:type="midi"
file-type:type="avi"
file-type:type="mpeg"
file-type:type="qt"
file-type:type="asf"
file-type:type="divx"
file-type:type="flv"
file-type:type="wma"
file-type:type="wmv"
file-type:type="rm"
file-type:type="mov"
file-type:type="mp4"
file-type:type="3gp"
file-type:type="text"
document
file-type:type="pdf"
document
file-type:type="ps"
document
file-type:type="doc"
document
file-type:type="docx"
document
file-type:type="rtf"
document
file-type:type="ppt"
document
file-type:type="pptx"
document
file-type:type="xls"
document
file-type:type="xlsx"
document
file-type:type="odp"
document
file-type:type="ods"
document
file-type:type="odt"
document
file-type:type="hwp"
document
file-type:type="gul"
document
file-type:type="ebook"
document
file-type:type="latex"
document
file-type:type="isoimage"
bundle
file-type:type="zip"
bundle
file-type:type="gzip"
bundle
file-type:type="bzip"
bundle
file-type:type="rzip"
bundle
file-type:type="dzip"
bundle
file-type:type="7zip"
bundle
file-type:type="cab"
bundle
file-type:type="jar"
bundle
file-type:type="rar"
bundle
file-type:type="mscompress"
bundle
file-type:type="ace"
bundle
file-type:type="arc"
bundle
file-type:type="arj"
bundle
file-type:type="asd"
bundle
file-type:type="blackhole"
bundle
file-type:type="kgb"
bundle
file-type:type="xz"
bundle
file-type:type="script"
code
file-type:type="php"
code
file-type:type="python"
code
file-type:type="perl"
code
file-type:type="ruby"
code
file-type:type="c"
code
file-type:type="cpp"
code
file-type:type="java"
code
file-type:type="shell"
code
file-type:type="pascal"
code
file-type:type="awk"
code
file-type:type="dyalog"
code
file-type:type="fortran"
code
file-type:type="java-bytecode"
code
file-type:type="apple"
apple
file-type:type="mac"
apple
file-type:type="applesingle"
apple
file-type:type="appledouble"
apple
file-type:type="machfs"
apple
file-type:type="appleplist"
apple
file-type:type="maclib"
apple
file-type:type="lnk"
miscellaneous
file-type:type="ttf"
miscellaneous
file-type:type="rom"
miscellaneous
file-type:type="data"
miscellaneous
flesch-reading-ease
flesch-reading-ease namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Flesch Reading Ease is a revised system for determining the comprehension difficulty of written
material. The Flesch score has a maximum of 121.22 and there is no limit on how low a score can be
(negative scores are valid).
score
flesch-reading-ease:score="90-100"
Very Easy
flesch-reading-ease:score="80-89"
Easy
flesch-reading-ease:score="70-79"
Fairly Easy
flesch-reading-ease:score="60-69"
Standard
flesch-reading-ease:score="50-59"
Fairly Difficult
flesch-reading-ease:score="30-49"
Difficult
Difficult to read.
flesch-reading-ease:score="0-29"
Very Confusing
fpf
fpf namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
degrees-of-identifiability
Information containing direct and indirect identifiers.
fpf:degrees-of-identifiability="explicitly-personal"
Explicitly personal
Name, address, phone number, SSN, government-issued ID (e.g., Jane Smith, 123 Main Street, 555-555-5555)
fpf:degrees-of-identifiability="potentially-identifiable"
Potentially identifiable
Unique device ID, license plate, medical record number, cookie, IP address (e.g., MAC address
68:A8:6D:35:65:03)
fpf:degrees-of-identifiability="not-readily-identifiable"
Same as Potentially Identifiable except data are also protected by safeguards and controls (e.g.,
hashed MAC addresses & legal representations)
pseudonymous-data
Information from which direct identifiers have been eliminated or transformed, but indirect
identifiers remain intact.
fpf:pseudonymous-data="key-coded"
Key coded
Clinical or research datasets where only curator retains key (e.g., Jane Smith, diabetes, HgB 15.1 g/dl
= Csrk123)
fpf:pseudonymous-data="pseudonymous"
Pseudonymous
Unique, artificial pseudonyms replace direct identifiers (e.g., HIPAA Limited Datasets, John Doe =
5L7T LX619Z) (unique sequence not used anywhere else)
fpf:pseudonymous-data="protected-pseudonymous"
Protected pseudonymous
Same as Pseudonymous, except data are also protected by safeguards and controls
de-identified-data
Direct and known indirect identifiers have been removed or manipulated to break the linkage to
real world identities.
fpf:de-identified-data="de-identified"
De-identified
Data are suppressed, generalized, perturbed, swapped, etc. (e.g., GPA: 3.2 = 3.0-3.5, gender: female =
gender: male)
fpf:de-identified-data="protected-de-identified"
Protected de-identified
Same as De-Identified, except data are also protected by safeguards and controls
anonymous-data
Direct and indirect identifiers have been removed or manipulated together with mathematical and
technical guarantees to prevent re-identification.
fpf:anonymous-data="anonymous"
Anonymous
For example, noise is calibrated to a data set to hide whether an individual is present or not
(differential privacy)
fpf:anonymous-data="aggregated-anonymous"
Aggregated anonymous
Very highly aggregated data (e.g., statistical data, census data, or population data that 52.6% of
Washington, DC residents are women)
fr-classif
fr-classif namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Exclusive flag set which means the values or predicate below must be set
exclusively.
classifiees-defense
Exclusive flag set which means the values or predicate below must be set
exclusively.
fr-classif:classifiees-defense="TRES_SECRET_DEFENSE"
fr-classif:classifiees-defense="SECRET_DEFENSE"
SECRET DEFENSE
fr-classif:classifiees-defense="CONFIDENTIEL_DEFENSE"
CONFIDENTIEL DEFENSE
non-classifiees-defense
Exclusive flag set which means the values or predicate below must be set
exclusively.
fr-classif:non-classifiees-defense="SECRET"
SECRET
fr-classif:non-classifiees-defense="CONFIDENTIEL"
CONFIDENTIEL
fr-classif:non-classifiees-defense="DIFFUSION_RESTREINTE"
DIFFUSION RESTREINTE
non-classifiees
Exclusive flag set which means the values or predicate below must be set
exclusively.
fr-classif:non-classifiees="NON-CLASSIFIEES"
NON CLASSIFIEES
gdpr
gdpr namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF
THE COUNCIL on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation)
special-categories
Special categories of personal data, refer to Art. 9 of the GDPR
gdpr:special-categories="racial-or-ethnic-origin"
gdpr:special-categories="political-opinions"
Political opinions
gdpr:special-categories="religious-or-philosophical-beliefs"
gdpr:special-categories="trade-union-membership"
gdpr:special-categories="genetic-data"
Genetic data
Genetic data means personal data relating to the inherited or acquired genetic characteristics of a
natural person which give unique information about the physiology or the health of that natural
person and which result, in particular, from an analysis of a biological sample from the natural
person in question.
gdpr:special-categories="biometric-data"
Biometric data
Biometric data for the purpose of uniquely identifying a natural person. Biometric data means
personal data resulting from specific technical processing relating to the physical, physiological or
behavioural characteristics of a natural person, which allow or confirm the unique identification of
that natural person, such as facial images or dactyloscopic data.
gdpr:special-categories="health"
Health
Data concerning health. Data concerning health means personal data related to the physical or
mental health of a natural person, including the provision of health care services, which reveal
information about his or her health status.
gdpr:special-categories="sex-life-or-sexual-orientation"
gsma-attack-category
gsma-attack-category namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
Taxonomy used by GSMA for their information sharing program with telco describing the attack
categories
denial-of-service
gsma-attack-category:denial-of-service
exploit-attack
gsma-attack-category:exploit-attack
Exploit attack
information-gathering
gsma-attack-category:information-gathering
Information gathering
insider-attack
gsma-attack-category:insider-attack
Insider attack
interception-attack
gsma-attack-category:interception-attack
Interception attack
manipulation-attack
gsma-attack-category:manipulation-attack
Manipulation attack
physical-attack
gsma-attack-category:physical-attack
Physical attack
spoofing
gsma-attack-category:spoofing
Spoofing
gsma-fraud
gsma-fraud namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Taxonomy used by GSMA for their information sharing program with telco describing the various
aspects of fraud
technical
gsma-fraud:technical="mailbox-hacking"
gsma-fraud:technical="imei-reprogramming"
IMEI Reprogramming
gsma-fraud:technical="call-forwarding-fraud"
gsma-fraud:technical="call-conference"
gsma-fraud:technical="hlr-tampering"
gsma-fraud:technical="sim-card-cloning"
gsma-fraud:technical="false-base-station-attack"
gsma-fraud:technical="spamming"
gsma-fraud:technical="phishing-pharming"
gsma-fraud:technical="mobile-malware"
Mobile Malware
gsma-fraud:technical="fraud-risks-associated-with-voice-over-ip-services"
gsma-fraud:technical="pbx-hacking"
PBX Hacking
gsma-fraud:technical="fraud-risks-associated-with-m2m-services"
gsma-fraud:technical="data-charing-bypass"
subscription
gsma-fraud:subscription="subscription-fraud"
Subscription Fraud
gsma-fraud:subscription="proxy-fraud"
Proxy Fraud
gsma-fraud:subscription="account-takeover"
Account Takeover
gsma-fraud:subscription="call-selling"
Call Selling
gsma-fraud:subscription="direct-debit-fraud"
gsma-fraud:subscription="credit-card-fraud"
gsma-fraud:subscription="credit-card-not-present-transactions"
gsma-fraud:subscription="cheque-fraud"
Cheque Fraud
distribution
gsma-fraud:distribution="dealer-fraud"
Dealer Fraud
gsma-fraud:distribution="false-agent"
gsma-fraud:distribution="theft-and-handling-stolen-goods"
gsma-fraud:distribution="handset-subsidy-loss"
gsma-fraud:distribution="remote-order-fraud"
business
gsma-fraud:business="premium-rate"
gsma-fraud:business="roaming-fraud"
Roaming Fraud
gsma-fraud:business="international-revenue-share-fraud"
gsma-fraud:business="inbound-roaming-fraud-risk-to-vpmn"
gsma-fraud:business="interconnect-abuse"
gsma-fraud:business="refiling"
Refiling
gsma-fraud:business="mobile-to-fixed-network-gateway-abuse"
gsma-fraud:business="false-answer-false-ring"
gsma-fraud:business="social-engineering"
Social Engineering
gsma-fraud:business="internal-fraud"
Internal Fraud
gsma-fraud:business="normal-business-fraud-crime"
gsma-fraud:business="brand-name-logo-abuse"
gsma-fraud:business="m-commerce-provider-content-fraud"
gsma-fraud:business="m-commerce-provider-prs-fraud"
gsma-fraud:business="content-theft"
Content Theft
gsma-fraud:business="wangiri"
Wangiri
gsma-fraud:business="airtime-reseller-fraud"
prepaid
gsma-fraud:prepaid="services-fraud"
gsma-fraud:prepaid="hlr-profile-manipulation"
gsma-fraud:prepaid="manual-recharging"
Manual Recharging
gsma-fraud:prepaid="generation-of-abusive-credits"
gsma-fraud:prepaid="scartch-card-abuse"
gsma-network-technology
gsma-network-technology namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
Taxonomy used by GSMA for their information sharing program with telco describing the types of
infrastructure. WiP
user
applications
end-devices-and-components
gsma-network-technology:end-devices-and-components="ms"
Mobile Station
gsma-network-technology:end-devices-and-components="mobile-equipment-radio"
services
radio-access-network
support-and-provisioning-systems
interconnects
core
sim-secure-element-modules
honeypot-basic
honeypot-basic namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Updated (CIRCL, Seamus Dowling and EURECOM) from Christian Seifert, Ian Welch, Peter
Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF
WELLINGTON, School of Mathematical and Computing Sciences, June 2006,
http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf
interaction-level
Describes whether the exposed functionality of a honeypot is limited in some way, which is usually
the case for honeypots that simulate services.
honeypot-basic:interaction-level="high"
honeypot-basic:interaction-level="medium"
Exposed functionality of the honeypot is limited to the service without exposing the full operating
system.
honeypot-basic:interaction-level="low"
Exposed functionality is limited. For example, a simulated SSH server of a honeypot is not able to
authenticate against a valid login/password combination.
honeypot-basic:interaction-level="none"
No interaction capabilities
honeypot-basic:interaction-level="adaptive"
Learns from attack interaction
data-capture
Describes the type of data a honeypot is able to capture
honeypot-basic:data-capture="network-capture"
Network capture
honeypot-basic:data-capture="events"
Events
The honeypot collects data about something that has happened or took place, a change in state.
honeypot-basic:data-capture="attacks"
Attacks
honeypot-basic:data-capture="intrusions"
Intrusions
honeypot-basic:data-capture="none"
None
containment
Classifies the measures a honeypot takes to defend against malicious activity spreading from itself.
honeypot-basic:containment="block"
Block
Attacker’s actions are identified and blocked. The attack never reaches the target.
honeypot-basic:containment="defuse"
Defuse
The attack reaches the target, but is manipulated in a way that it fails against the target.
honeypot-basic:containment="slow-down"
Slow Down
honeypot-basic:containment="none"
None
No action is taken to limit the intruder’s spread of malicious activity against other systems.
distribution-appearance
Describes whether the honeypot system appears to be confined to one system or multiple systems.
honeypot-basic:distribution-appearance="distributed"
Distributed
honeypot-basic:distribution-appearance="stand-alone"
Stand-Alone
communication-interface
Describes the interfaces one can use to interact directly with the honeypot.
honeypot-basic:communication-interface="network-interface"
Network Interface
honeypot-basic:communication-interface="hardware-interface"
honeypot-basic:communication-interface="software-api"
Software API
The honeypot can be interacted with via a software API.
role
Describes in what role the honeypot acts within a multi-tier architecture.
honeypot-basic:role="server"
Server
honeypot-basic:role="client"
Client
iep
iep namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP)
framework
commercial-use
States whether Recipients are permitted to use information received in commercial products or
services.
iep:commercial-use="MAY"
iep:commercial-use="MUST NOT"
external-reference
This statement can be used to convey a description or reference to any applicable licenses,
agreements, or conditions between the producer and receiver.
iep:external-reference="$text"
encrypt-in-transit
States whether the received information has to be encrypted when it is retransmitted by the
recipient.
iep:encrypt-in-transit="MUST"
iep:encrypt-in-transit="MAY"
encrypt-at-rest
States whether the received information has to be encrypted by the Recipient when it is stored at
rest.
iep:encrypt-at-rest="MUST"
iep:encrypt-at-rest="MAY"
permitted-actions
States the permitted actions that Recipients can take upon information received.
iep:permitted-actions="NONE"
Recipients MUST contact the Providers before acting upon the information received.
Recipients MAY conduct actions on the information received that are only visible on the Recipients
internal networks and systems, and MUST NOT conduct actions that are visible outside of the
Recipients networks and systems, or visible to third parties.
Recipients MAY conduct indirect, or passive, actions on the information received that are externally
visible and MUST NOT conduct direct, or active, actions.
iep:permitted-actions="EXTERNALLY VISIBLE DIRECT ACTIONS"
Recipients MAY conduct direct, or active, actions on the information received that are externally
visible.
affected-party-notifications
Recipients are permitted to notify affected third parties of a potential compromise or threat.
iep:affected-party-notifications="MAY"
iep:affected-party-notifications="MUST NOT"
traffic-light-protocol
Recipients are permitted to redistribute the information received within the redistribution scope as
defined by the enumerations.
iep:traffic-light-protocol="RED"
iep:traffic-light-protocol="AMBER"
iep:traffic-light-protocol="GREEN"
iep:traffic-light-protocol="WHITE"
Unlimited sharing.
provider-attribution
Recipients could be required to attribute or anonymize the Provider when redistributing the
information received.
iep:provider-attribution="MAY"
Recipients MAY attribute the Provider when redistributing the information received.
iep:provider-attribution="MUST"
Recipients MUST attribute the Provider when redistributing the information received.
iep:provider-attribution="MUST NOT"
Recipients MUST NOT attribute the Provider when redistributing the information received.
obfuscate-affected-parties
Recipients could be required to obfuscate or anonymize information that could be used to identify
the victims before redistributing the information received.
iep:obfuscate-affected-parties="MAY"
iep:obfuscate-affected-parties="MUST"
iep:obfuscate-affected-parties="MUST NOT"
Recipients MUST NOT obfuscate information about the specific affected parties.
unmodified-resale
States whether the recipient MAY or MUST NOT resell the information received unmodified or in a
semantically equivalent format.
iep:unmodified-resale="MAY"
iep:unmodified-resale="MUST NOT"
Recipients MUST NOT resell the information received unmodified or in a semantically equivalent
format.
start-date
States the UTC date that the IEP is effective from.
iep:start-date="$text"
end-date
States the UTC date that the IEP is effective until.
iep:end-date="$text"
reference
This statement can be used to provide a URL reference to the specific IEP implementation.
iep:reference="$text"
name
This statement can be used to provide a name for an IEP implementation.
iep:name="$text"
version
States the version of the IEP framework that has been used.
iep:version="$text"
id
Provides a unique ID to identify a specific IEP implementation.
iep:id="$text"
An id value is required
ifx-vetting
ifx-vetting namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
The IFX taxonomy is used to categorise information (MISP events and attributes) to aid in the
intelligence vetting process
vetted
ifx-vetting:vetted="legit-but-compromised"
The attribute/event describes something that is legitimately used, but seems to be compromised by
third parties for use in malicious activities. Consider this if blocking is your course of action.
ifx-vetting:vetted="legit"
The attribute/event describes something legitimately used that does not show signs of compromise
or misuse.
ifx-vetting:vetted="legit-uncertain"
The attribute/event describes something where it is not 100% clear whether it is used only legitimately.
ifx-vetting:vetted="malicious"
ifx-vetting:vetted="malicious-uncertain"
The attribute/event describes something that seems to be used maliciously, but there is no 100%
proof.
ifx-vetting:vetted="invalid"
The attribute/event is invalid or wrong in respect to the situation described by the event.
ifx-vetting:vetted="irrelevant"
ifx-vetting:vetted="undetermined"
The nature of the attribute/event cannot be further determined. Use this only as a last resort.
ifx-vetting:vetted="fast-track"
The attribute/event was not vetted but passed through for operational reasons. A result might be
higher false-positive rates.
score
ifx-vetting:score="0"
ifx-vetting:score="1"
ifx-vetting:score="2"
ifx-vetting:score="3"
ifx-vetting:score="4"
ifx-vetting:score="5"
ifx-vetting:score="6"
ifx-vetting:score="7"
ifx-vetting:score="8"
ifx-vetting:score="9"
ifx-vetting:score="10"
10
ifx-vetting:score="11"
11
ifx-vetting:score="12"
12
ifx-vetting:score="13"
13
ifx-vetting:score="14"
14
ifx-vetting:score="15"
15
ifx-vetting:score="16"
16
ifx-vetting:score="17"
17
ifx-vetting:score="18"
18
ifx-vetting:score="19"
19
ifx-vetting:score="20"
20
ifx-vetting:score="21"
21
ifx-vetting:score="22"
22
ifx-vetting:score="23"
23
ifx-vetting:score="24"
24
ifx-vetting:score="25"
25
ifx-vetting:score="26"
26
ifx-vetting:score="27"
27
ifx-vetting:score="28"
28
ifx-vetting:score="29"
29
ifx-vetting:score="30"
30
ifx-vetting:score="31"
31
ifx-vetting:score="32"
32
ifx-vetting:score="33"
33
ifx-vetting:score="34"
34
ifx-vetting:score="35"
35
ifx-vetting:score="36"
36
ifx-vetting:score="37"
37
ifx-vetting:score="38"
38
ifx-vetting:score="39"
39
ifx-vetting:score="40"
40
ifx-vetting:score="41"
41
ifx-vetting:score="42"
42
ifx-vetting:score="43"
43
ifx-vetting:score="44"
44
ifx-vetting:score="45"
45
ifx-vetting:score="46"
46
ifx-vetting:score="47"
47
ifx-vetting:score="48"
48
ifx-vetting:score="49"
49
ifx-vetting:score="50"
50
ifx-vetting:score="51"
51
ifx-vetting:score="52"
52
ifx-vetting:score="53"
53
ifx-vetting:score="54"
54
ifx-vetting:score="55"
55
ifx-vetting:score="56"
56
ifx-vetting:score="57"
57
ifx-vetting:score="58"
58
ifx-vetting:score="59"
59
ifx-vetting:score="60"
60
ifx-vetting:score="61"
61
ifx-vetting:score="62"
62
ifx-vetting:score="63"
63
ifx-vetting:score="64"
64
ifx-vetting:score="65"
65
ifx-vetting:score="66"
66
ifx-vetting:score="67"
67
ifx-vetting:score="68"
68
ifx-vetting:score="69"
69
ifx-vetting:score="70"
70
ifx-vetting:score="71"
71
ifx-vetting:score="72"
72
ifx-vetting:score="73"
73
ifx-vetting:score="74"
74
ifx-vetting:score="75"
75
ifx-vetting:score="76"
76
ifx-vetting:score="77"
77
ifx-vetting:score="78"
78
ifx-vetting:score="79"
79
ifx-vetting:score="80"
80
ifx-vetting:score="81"
81
ifx-vetting:score="82"
82
ifx-vetting:score="83"
83
ifx-vetting:score="84"
84
ifx-vetting:score="85"
85
ifx-vetting:score="86"
86
ifx-vetting:score="87"
87
ifx-vetting:score="88"
88
ifx-vetting:score="89"
89
ifx-vetting:score="90"
90
ifx-vetting:score="91"
91
ifx-vetting:score="92"
92
ifx-vetting:score="93"
93
ifx-vetting:score="94"
94
ifx-vetting:score="95"
95
ifx-vetting:score="96"
96
ifx-vetting:score="97"
97
ifx-vetting:score="98"
98
ifx-vetting:score="99"
99
ifx-vetting:score="100"
100
incident-disposition
incident-disposition namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
How an incident is classified in its process to be resolved. The taxonomy is inspired from the NASA
Incident Response and Management Handbook.
https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5bNASA%20Information%20Security%20Incident%20Management%5d.pdf#page=9
incident
incident-disposition:incident="confirmed"
Confirmed
The incident is confirmed and response is underway following incident response procedure of the
organisation.
incident-disposition:incident="deferred"
Deferred
The incident is deferred due to resource constraints, information type or external reasons.
incident-disposition:incident="unidentified"
Unidentified
The incident is unidentified because some assets, resources or context are missing to move it to a
state which can be handled following the incident response procedure.
incident-disposition:incident="transferred"
Transferred
The incident is transferred to another organisation for further processing or incident handling.
incident-disposition:incident="discarded"
Discarded
The incident is discarded due to resource constraints, information type or external reasons.
incident-disposition:incident="silently-discarded"
Silently discarded
The incident is silently discarded due to resource constraints, information type or external reasons.
not-an-incident
incident-disposition:not-an-incident="insufficient-data"
Insufficient data
When insufficient data is available to explain an ambiguous (i.e., not definitively hostile or benign)
indicator, the incident may be dispositioned as Insufficient Data.
incident-disposition:not-an-incident="faulty-indicator"
Faulty indicator
A false positive where an investigation reveals that the source indicator used as the basis for
incident detection was a Faulty Indicator.
incident-disposition:not-an-incident="misconfiguration"
Misconfiguration
A false positive where an event that appeared to be malicious activity was subsequently disproven
and determined to be a Misconfiguration (malfunction) of a system.
incident-disposition:not-an-incident="scan-probe"
Scan or Probe
Reconnaissance activity which Scanned or Probed for the presence of a vulnerability which may be
later exploited to gain unauthorized access.
incident-disposition:not-an-incident="failed"
Failed
A Failed attempt to gain unauthorized access, conduct a denial of service, install malicious code, or
misuse an IT resource, typically because a security control prevented it from succeeding.
incident-disposition:not-an-incident="refuted"
Refuted
Any other circumstance where a suspected incident was determined to not be an incident and was
Refuted.
duplicate
incident-disposition:duplicate="duplicate"
Duplicate
An incident may be a Duplicate of another record in the Incident Management System, and should
be merged with the existing workflow.
infoleak
infoleak namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
A taxonomy describing information leaks and especially information classified as being potentially
leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is
to be used at large to improve classification of leaked information.
automatic-detection
infoleak:automatic-detection="credential"
Credential
infoleak:automatic-detection="credit-card"
Credit card
infoleak:automatic-detection="iban"
IBAN
infoleak:automatic-detection="mail"
infoleak:automatic-detection="phone-number"
Phone number
infoleak:automatic-detection="api-key"
API key
infoleak:automatic-detection="google-api-key"
infoleak:automatic-detection="aws-key"
AWS key
infoleak:automatic-detection="private-key"
infoleak:automatic-detection="encrypted-private-key"
infoleak:automatic-detection="private-ssh-key"
infoleak:automatic-detection="private-static-key"
infoleak:automatic-detection="vpn-static-key"
infoleak:automatic-detection="pgp-message"
PGP message
infoleak:automatic-detection="pgp-public-key-block"
infoleak:automatic-detection="pgp-signature"
PGP signature
infoleak:automatic-detection="pgp-private-key"
infoleak:automatic-detection="certificate"
Certificate
infoleak:automatic-detection="rsa-private-key"
infoleak:automatic-detection="dsa-private-key"
infoleak:automatic-detection="ec-private-key"
EC private key
infoleak:automatic-detection="base64"
Base64
infoleak:automatic-detection="binary"
Binary
infoleak:automatic-detection="hexadecimal"
Hexadecimal
infoleak:automatic-detection="bitcoin-address"
Bitcoin address
infoleak:automatic-detection="bitcoin-private-key"
infoleak:automatic-detection="cve"
CVE
infoleak:automatic-detection="onion"
Onion link
infoleak:automatic-detection="sql-injection"
SQL injection
analyst-detection
infoleak:analyst-detection="credential"
Credential
infoleak:analyst-detection="credit-card"
Credit card
infoleak:analyst-detection="iban"
IBAN
infoleak:analyst-detection="mail"
infoleak:analyst-detection="phone-number"
Phone number
infoleak:analyst-detection="api-key"
API key
infoleak:analyst-detection="google-api-key"
infoleak:analyst-detection="aws-key"
AWS key
infoleak:analyst-detection="private-key"
infoleak:analyst-detection="encrypted-private-key"
infoleak:analyst-detection="private-ssh-key"
infoleak:analyst-detection="private-static-key"
infoleak:analyst-detection="vpn-static-key"
infoleak:analyst-detection="pgp-message"
PGP message
infoleak:analyst-detection="pgp-public-key-block"
infoleak:analyst-detection="pgp-signature"
PGP signature
infoleak:analyst-detection="pgp-private-key"
infoleak:analyst-detection="certificate"
Certificate
infoleak:analyst-detection="rsa-private-key"
infoleak:analyst-detection="dsa-private-key"
infoleak:analyst-detection="ec-private-key"
EC private key
infoleak:analyst-detection="base64"
Base64
infoleak:analyst-detection="binary"
Binary
infoleak:analyst-detection="hexadecimal"
Hexadecimal
infoleak:analyst-detection="bitcoin-address"
Bitcoin address
infoleak:analyst-detection="bitcoin-private-key"
infoleak:analyst-detection="cve"
CVE
infoleak:analyst-detection="onion"
Onion link
infoleak:analyst-detection="sql-injection"
SQL injection
confirmed
infoleak:confirmed="false-positive"
False positive
infoleak:confirmed="false-negative"
False negative
infoleak:confirmed="true-positive"
True positive
infoleak:confirmed="true-negative"
True negative
source
infoleak:source="public-website"
Public website
infoleak:source="pastie-website"
Pastie-like website
infoleak:source="electronic-forum"
Electronic forum
infoleak:source="mailing-list"
Mailing-list
infoleak:source="source-code-repository"
infoleak:source="automatic-collection"
infoleak:source="manual-analysis"
infoleak:source="unknown"
Unknown
infoleak:source="other"
submission
infoleak:submission="manual"
Manual
infoleak:submission="automatic"
Automatic
infoleak:submission="crawler"
Crawler
output-format
infoleak:output-format="ail-daily"
Daily event
infoleak:output-format="ail-weekly"
Weekly event
infoleak:output-format="ail-monthly"
Monthly event
certainty
infoleak:certainty="100"
Certainty
infoleak:certainty="93"
Almost certain
Associated numerical value="93"
infoleak:certainty="75"
Probable
infoleak:certainty="50"
infoleak:certainty="30"
Probably not
infoleak:certainty="7"
infoleak:certainty="0"
Impossibility
test
information-security-data-source
information-security-data-source namespace available in JSON format at this
location. The JSON format can be freely reused in your application or
automatically enabled in MISP taxonomy.
type-of-information
Type of provided information
information-security-data-source:type-of-information="vulnerability"
Vulnerability
information-security-data-source:type-of-information="threat"
Threat
information-security-data-source:type-of-information="countermeasure"
Countermeasure
Information regarding any administrative, managerial, technical or legal control that is used to
counteract an information security risk
information-security-data-source:type-of-information="attack"
Attack
information-security-data-source:type-of-information="risk"
Risk
information-security-data-source:type-of-information="asset"
Asset
originality
Originality and novelty of the provided information
information-security-data-source:originality="original-source"
Original source
Information originates from the data sources which publish their own information
information-security-data-source:originality="secondary-source"
Secondary source
timeliness-sharing-behavior
Timeliness of the provided information
information-security-data-source:timeliness-sharing-behavior="routine-sharing"
Routine sharing
Information is published at a specific point in time on a regular basis, such as daily, weekly or
monthly reports
information-security-data-source:timeliness-sharing-behavior="incident-specific"
Incident specific
integrability-format
Level of integrability format for the provided information
information-security-data-source:integrability-format="structured"
Structured
The provided security information is available in a standardized and structured data format such
as the MISP core format
information-security-data-source:integrability-format="unstructured"
Unstructured
The provided security information is available in unstructured form without following a common
data representation format
integrability-interface
Level of integrability interface for the provided information
information-security-data-source:integrability-interface="no-interface"
No interface
The information security data source doesn’t provide any interface to access the information
information-security-data-source:integrability-interface="api"
API
The information security data source provides an application programming interface (API) to
obtain the provided information
information-security-data-source:integrability-interface="rss-feeds"
RSS Feeds
The information security data source provides an RSS Feed to keep track of the provided
information
information-security-data-source:integrability-interface="export"
Export
The information security data source provides an interface to export contents as XML, JSON or
plain text
trustworthiness-creditabilily
Source of the creditability
information-security-data-source:trustworthiness-creditabilily="vendor"
Vendor
information-security-data-source:trustworthiness-creditabilily="government"
Government
information-security-data-source:trustworthiness-creditabilily="security-expert"
Security expert
information-security-data-source:trustworthiness-creditabilily="normal-user"
Normal user
trustworthiness-traceability
Traceability of the provided information
information-security-data-source:trustworthiness-traceability="yes"
Yes
The provided information is classified as traceable if it can be traced back, based on meta-data, to a
specific publisher and a publishing date
information-security-data-source:trustworthiness-traceability="no"
No
The provided information cannot be traced back (meta-data are not provided)
trustworthiness-feedback-mechanism
Feedback such as user ratings or comments regarding the usefulness of the provided information
information-security-data-source:trustworthiness-feedback-mechanism="yes"
Yes
The provided information is validated by including user rating, comments or additional analysis
information-security-data-source:trustworthiness-feedback-mechanism="no"
No
The provided information is not validated (user ratings or comments are not available)
type-of-source
Types of information security data source
information-security-data-source:type-of-source="news-website"
News website
information-security-data-source:type-of-source="expert-blog"
Expert blog
information-security-data-source:type-of-source="security-product-vendor-website"
information-security-data-source:type-of-source="vulnerability-database"
Vulnerability database
information-security-data-source:type-of-source="mailing-list-archive"
information-security-data-source:type-of-source="social-network"
Social network
information-security-data-source:type-of-source="streaming-portal"
Streaming portal
information-security-data-source:type-of-source="forum"
Forum
information-security-data-source:type-of-source="other"
Other
information-security-indicators
information-security-indicators namespace available in JSON format at this
location. The JSON format can be freely reused in your application or
automatically enabled in MISP taxonomy.
A full set of operational indicators for organizations to use to benchmark their security posture.
IEX
Indicators of this category give information on the occurrence of incidents caused by external
malicious threat sources.
information-security-indicators:IEX="FGY.1"
Forged domain or brand names impersonating or imitating legitimate and genuine names
Forged domains are addresses very close to the domain names legitimately filed with registration
companies or organizations (forged domains are harmful only when actively used to entice
customers to the website for fraudulent purposes). It also includes domain names that imitate
another domain name or a brand.
information-security-indicators:IEX="FGY.2"
Wholly or partly forged websites (excluding parking pages) spoiling company’s image or business
Forged websites correspond to two main threats (forgery of sites in order to steal personal data
such as account identifiers and passwords, forgery of services in order to capitalize on a brand and
to generate turnover that creates unfair competition). In this case, reference is often made to
phishing (1st usage) or pharming.
information-security-indicators:IEX="SPM.1"
Unsolicited bulk messages (spam) received that target the organization's registered users
Spam consists of messages received in the company's or organization's messaging systems as part
of mass, non-individualized campaigns, luring recipients into clicking dangerous URLs (possibly
Trojan laden) or enticing the targeted individuals to carry out actions harmful to themselves.
information-security-indicators:IEX="PHI.1"
Phishing involves a growing number of business sectors (financial organizations, e-commerce sites,
online games, social sites etc.). It includes attacks via e-mail with messages that contain either
malicious URL links (to forged websites) or malicious URL links (to malware laden genuine
websites).
information-security-indicators:IEX="PHI.2"
Spear phishing or whaling carried out using social engineering and targeting organization’s specific
registered users
Spear phishing messages are "spoofed" and customized messages that look like a usual professional
relationship or an authority, asking the recipient to click on or open dangerous URL links or
dangerous attachments (malware laden).
information-security-indicators:IEX="INT.1"
Attempts here are systematic scans (excluding network reconnaissance) and abnormal or
suspicious requests on externally accessible servers, whether detected by an IDS/IPS or not.
information-security-indicators:IEX="INT.2"
Intrusion usually targets servers that host personal data (including data subject to regulations such
as PCI DSS, for example). 3 objectives or motivations can be found wherever an intrusion exists:
data theft (see before), installation of transfer links towards unlawful and rogue websites, getting a
permanent internal access by installation of a backdoor for further purposes. This indicator does
not include the figures from the Defacement and Misappropriation indicators, even though both of
them start with an intrusion. However, it includes all means and methods used to get access to
servers, i.e. purely technical means (such as command execution/injection attacks) or identity
usurpation to log on to an admin or user account (see ETSI GS ISI 002 [4] specifications).
information-security-indicators:IEX="INT.3"
information-security-indicators:IEX="DFC.1"
Obvious defacement measures the defacement of homepages and of the most consulted pages of
sites.
information-security-indicators:IEX="MIS.1"
information-security-indicators:IEX="DOS.1"
This indicator measures denial-of-service attacks against websites, carried out either by sending
harmful requests (DoS), by sending a massive flow coming from multiple distributed sites (DDoS) or
via other techniques. Due to the current state of the art of attack detection, the indicator is limited
to DDoS attacks.
information-security-indicators:IEX="MLW.1"
Malware installation attempts are detected by current conventional means (antivirus and base IPS)
and blocked by the same means. This indicator (which includes desktop and laptop PC based
workstations, but does not include the other types of workstations and mobile smart devices)
provides an approximate insight into the malicious external pressure suffered in this regard. This
indicator should be associated with the indicator on successful malware installation in order to
assess the actual effectiveness of conventional detection and blocking means in the fight against
malware.
information-security-indicators:IEX="MLW.2"
Malware installation attempts are detected by current conventional means (antivirus and base IPS)
and blocked by the same means. This indicator gives an approximate insight into the malicious
external pressure suffered in this regard. This indicator should be associated with the indicator on
successful malware installation in order to assess the actual effectiveness of conventional detection
and blocking means in the fight against malware.
information-security-indicators:IEX="MLW.3"
Malware may go undetected by conventional means (because they were not activated or not
appropriately updated), or may consist of non-inventoried and/or very specific, very stealthy
incidents that most of the time cannot be detected by conventional means (AV and standard IPS)
and consequently require other supplementary detection means (network or workstation load,
outbound links, advanced network devices such as DPI tools, users themselves reporting to help
desks). This indicator (which includes desktop and laptop Windows-based workstations, but does
not include the other types of workstations and mobile smart devices) therefore applies to classical
viruses and worms as well as to all newer malware such as Trojan horses (defined here as malware
meant for data theft or malicious transactions) or bots (defined here as vectors for spam or DDoS
attacks).
information-security-indicators:IEX="MLW.4"
Malware may go undetected by conventional means (because they were not activated or not
appropriately updated), or may consist of non-inventoried and/or very specific, very stealthy
incidents that most of the time cannot be detected by conventional means (AV and standard IPS)
and consequently require other supplementary detection means (network or server load, outbound
links, advanced network devices such as DPI tools, administrators themselves). This indicator
therefore applies to classical viruses and worms as well as to all newer malware such as Trojan
horses (defined here as malware meant for data theft or malicious transactions).
information-security-indicators:IEX="PHY.1"
IMF
Indicators of this category provide information on the occurrence of incidents caused by
malfunctions, breakdowns or human errors.
information-security-indicators:IMF="BRE.1"
Breakdowns or malfunctions apply to both hardware and software, caused by system errors
(component failure or bugs).
information-security-indicators:IMF="BRE.2"
Breakdowns or malfunctions apply to both hardware and software, caused by system errors
(component failure or bugs).
information-security-indicators:IMF="BRE.3"
Breakdowns or malfunctions apply to both hardware and software, caused by system errors
(component failure or bugs).
information-security-indicators:IMF="BRE.4"
Breakdowns or malfunctions apply to both hardware and software, caused by system errors
(component failure or bugs).
information-security-indicators:IMF="MDL.1"
This indicator measures errors from the sender when selecting or typing email addresses leading to
misdelivery incidents. Consequences may be very serious when confidentiality is critical.
information-security-indicators:IMF="LOM.1"
This indicator measures the loss of all types of systems containing information, sensitive or not,
belonging to the organization, whether encrypted or not (laptop computers, USB tokens, CD-ROMs,
diskettes, magnetic tapes, smartphones, tablets, etc.). In some cases, it could be difficult to
differentiate losses from thefts.
information-security-indicators:IMF="LOG.1"
Downtime or malfunction of the log production function with possible legal impact
This type of event could have two main causes: an accidental system malfunction or a system
manipulation error by an administrator. Logs taken into account here are systems logs and
applications logs of all servers.
information-security-indicators:IMF="LOG.2"
Absence of possible tracking of the person involved in a security event with possible legal impact
This concerns unique data related to a given user known to the organization (an identifier tied to
application software or a directory). This indicator is a sub-set of indicator IMF_LOG.1.
information-security-indicators:IMF="LOG.3"
Downtime or malfunction of the log production function for recordings with evidential value for
access to or handling of information that, at this level, is subject to law or regulatory requirements
This indicator primarily relates to Personal Identifiable Information (PII) protected by privacy laws,
to information falling under the PCI-DSS regulation, to information falling under European
regulation in the area of breach notification (Telcos and ISPs to begin with), and to information
about electronic exchanges between employees and the exterior (electronic messaging and Internet
connection). This indicator does not include possible difficulties pertaining to proof forwarding
from field operations to governance (state-of-the-art unavailable). This indicator is a sub-set of
indicator IMF_LOG.1, but can be identical to this one in advanced organizations.
IDB
Indicators of this category provide information on the occurrence of incidents regarding internal
deviant behaviours (including especially usurpation of rights or of identity).
information-security-indicators:IDB="UID.1"
User impersonation
A person within the organization impersonates a registered user (employee, partner, contractor,
external service provider) using identifiers, passwords or authentication devices that had previously
been obtained in an illicit manner (whether using a social engineering technique or not). This
measures cases of usurpation for malicious purposes, and not ones that relate to user-friendly
usage. Moreover, the assumption is made that ID/password is the main means of authentication.
information-security-indicators:IDB="RGH.1"
Exploited vulnerabilities are typically tied to the underlying OS that supports the Web application,
exploited notably through injection of additional characters in URL links. This behaviour
specifically involves external service providers and company’s business partners that wish to
access additional information or to launch unlawful actions (for example, service providers seeking
information about their competitors). This type of behaviour is less frequent amongst employees,
since it is often easier to get the same results by means of social engineering methods.
information-security-indicators:IDB="RGH.2"
It is often easier to get the same results by means of social engineering methods than with technical
means. Help desk teams are often involved in this kind of behaviour.
information-security-indicators:IDB="RGH.3"
Illicitly granting administrator privileges generally comes from simple errors or, more worrisome,
negligence on the part of the administrators (malicious action is rarer). The case of forgotten
temporary rights (see next indicator) is not included in this indicator.
information-security-indicators:IDB="RGH.4"
Use on a server or central application of time-limited granted rights after the planned period
This indicator measures situations where time-limited user accounts (created for training, problem
resolution, emergency access, test, etc.) are still in use after the initial planned period.
information-security-indicators:IDB="RGH.5"
The motivation for rights usurpation by an administrator is often the desire to breach the
confidentiality of sensitive data (for example, human resources data). This indicator is similar to
indicator IDB_RGH.6 (but with consequences that are often potentially more serious).
information-security-indicators:IDB="RGH.6"
This indicator applies, for example, to authorized users having access to personal identifiable
information about celebrities with no real need for their job (thereby violating the "right to know").
information-security-indicators:IDB="RGH.7"
Illicit use on a server or central application of rights not removed after departure or position
change within the organization
This indicator also takes into account the problem of generic accounts (whose password might have
been changed each time a user knowing this password was leaving the organization).
information-security-indicators:IDB="MIS.1"
This indicator measures the misappropriation of on-line IT resources for one's own use (personal,
association, etc.).
information-security-indicators:IDB="IAC.1"
This indicator measures unauthorized access to a hacking website from an internal workstation.
information-security-indicators:IDB="LOG.1"
This event is generally decided and deployed by an administrator in order to improve the
performance of the system under his/her responsibility (illicit voluntary stoppage). This indicator is
a reduced subset of indicator IUS_RGH.5.
IWH
Indicators of this category are indicators that concern all categories of incidents.
information-security-indicators:IWH="VNP.1"
This indicator measures security incidents that are the result of the exploitation of a disclosed
software vulnerability that has no available patch (with or without an applied workaround
measure). It is used to assess the intensity of the exploitation of recently disclosed software
vulnerabilities (zero day or not). Patching here applies only to standard software (excluding
bespoke software), and the scope is limited to workstations (OS, browsers and various add-ons and
plug-ins, office automation standard software).
information-security-indicators:IWH="VNP.2"
This indicator measures security incidents that are the result of the exploitation of a non-patched
software vulnerability for which a patch exists. It is used to assess the effectiveness or application of
patching-related organization, processes and tools (patching not launched). It is linked with
indicator VOR_VNP.2, which is intended to assess problems of exceeding the "time limit for the
window of exposure to risks". It has the same limitations as IWH_VNP.1 regarding scope.
information-security-indicators:IWH="VNP.3"
This indicator measures security incidents that are the result of the exploitation of a poorly patched
software vulnerability. It is used to assess effectiveness of patching-related organization and
processes and tools (process launched but patch not operational - Cf. no reboot, etc.). It is linked
with indicator VOR_VNP.1, IWH_VNP.1 and IWH_VNP.2. It has the same limitations as IWH_VNP.1
regarding scope.
information-security-indicators:IWH="VCN.1"
This indicator measures security incidents that are the result of the exploitation of a configuration
flaw on servers or workstations. A configuration flaw should be considered as a nonconformity
against state-of-the-art security policy.
information-security-indicators:IWH="UKN.1"
This indicator measures all types of incidents that are new and/or a complex combination of more
basic incidents and cannot be fully qualified and therefore precisely categorized.
information-security-indicators:IWH="UNA.1"
This indicator measures security incidents tied to assets (on servers) non-inventoried and not
managed by appointed teams. It is a key indicator insofar as a high percentage of incidents
corresponds with this indicator on average in the profession (according to some public surveys).
VBH
Indicators of this category apply to the existence of abnormal behaviours that could lead to security
incidents.
information-security-indicators:VBH="PRC.1"
This indicator measures the use of insecure protocols set up by an administrator to get access to
organization-based externally accessible servers, making an external intrusion possible. Insecure
protocol means unencrypted, without time-out, with poor authentication means, etc. (for example
Telnet).
information-security-indicators:VBH="PRC.2"
This indicator measures the installation of P2P clients set up by a user on his/her professional
workstation, with the risk of partial or full sharing of the workstation content. It applies to
workstations that are either connected to the organization's network from within the organization
or directly connected to the public network from outside (notably from home). There is a high risk
of accidental sharing (in one quarter of all cases) of files that may host confidential company data.
It is most often carried out through an HTTP channel (offered by all of these services).
information-security-indicators:VBH="PRC.3"
This indicator measures VoIP clients installed by a user on his/her own workstation in order to use
a peer-to-peer service. It applies to workstations connected to an organization's network from
within the organization or directly connected to the public network from outside (notably from
home). The associated risk is the exchange of dangerous Office documents. It is most often carried
out through an HTTP channel (offered by all of these services).
information-security-indicators:VBH="PRC.4"
This indicator measures outbound connections dangerously set up to get remote access to the
company's internal network without using an inbound VPN link and a focal access point, with
possible exploitation by an external intruder. The outbound connection method consists, for
example, in using GoToMyPC™ software or LogMeIn® software, or a computer-to-computer
connection in tunnel mode.
information-security-indicators:VBH="PRC.5"
This indicator measures remote or local connections to the organization's internal network from a
roaming laptop computer that is organization-owned and is configured with weak parameters. In
this situation, where software exists to check the compliance of roaming computers, related
software blocks the connection in principle and prevents its continuation.
information-security-indicators:VBH="PRC.6"
This indicator measures other insecure or dangerous protocols set up with similar behaviours. The
other cases are those other than the five previous ones (VBH_PRC.1 to VBH_PRC.5). It relates to
dangerous or abusive usages, i.e. situations where the usages are not required and where other,
more secure solutions exist.
information-security-indicators:VBH="IAC.1"
This indicator measures the detection of Internet access from the internal network by means that
bypass the outbound security devices. It primarily relates to Internet accesses from a perimeter
area or to tunnelling (SSL port 443) or to straight accesses (via an ADSL link or public Wi-Fi access
points and the telephone network) or to accesses via Smartphones connected to the workstation.
The main underlying motivation is to prevent user tracking.
information-security-indicators:VBH="IAC.2"
This indicator measures the detection of anonymous Internet access from an internal workstation
through an anonymization site. The goal is to maintain free access and to avoid organization’s
filtering of accesses to forbidden websites.
information-security-indicators:VBH="FTR.1"
This indicator measures the download of files from an external website that is not known (no
reputation) within the profession to an internal workstation. "No reputation" can be assessed by
information provided by URL outbound filtering devices.
information-security-indicators:VBH="FTR.2"
Personal public instant messaging account used for business file exchanges
This indicator measures the use of personal public instant messaging accounts for business
exchanges with the outside. This file exchange method has to be avoided due to the bypassing of
network AV software and to the lesser effectiveness of AV software.
information-security-indicators:VBH="FTR.3"
This indicator measures the use of personal public messaging accounts for business file exchanges
with the exterior. The risk is to expose information to external attackers.
information-security-indicators:VBH="WTI.1"
information-security-indicators:VBH="WTI.2"
This indicator measures the use of personal storage devices on a professional workstation to input
or output information or software. Mobile or removable personal storage devices include USB
tokens, smartphones, tablets, etc. It is not applicable to personal devices authorized by security
policy (Cf. VBH_WTI.3 and BYOD).
information-security-indicators:VBH="WTI.3"
This indicator measures the lack of or the removal of basic security measures meant to
compartmentalize professional activities on personal devices. Personal devices (BYOD) include PCs,
tablets, smartphones, etc.
information-security-indicators:VBH="WTI.4"
This indicator measures the lack of encryption of sensitive files uploaded from a professional
workstation to professional mobile or removable storage devices.
information-security-indicators:VBH="WTI.5"
This indicator measures the presence of personal software on a professional workstation that does
not comply with the corporate security policy. It corresponds with all types of local unauthorized
software (with a user licence or not), such as common personal software (games, office automation
etc.) or more dangerous ones (hacking etc.). It should be added that VBH_PRC.2 and VBH_PRC.3 are
a share of this indicator, and that this indicator is a subset of VBH_WTI.1.
information-security-indicators:VBH="WTI.6"
This indicator applies to users using their admin account on a workstation to access their own
mailbox or the Internet. This behaviour is particularly dangerous since malware (through
attachments on email or drive-by download in the Web browser) is far easier to install on the
workstation in this case.
information-security-indicators:VBH="PSW.1"
The required strength of passwords depends on the organization's security policy, but usable
general recommendations can be found in ISO/IEC 27002 [2].
information-security-indicators:VBH="PSW.2"
This indicator measures passwords not changed within the due period (case of changes not
periodically imposed). Situations in which changes are not periodically imposed by the accessed
systems themselves remain fairly frequent within organizations (apart from Active Directory), the
figure being around 25 % of cases on average.
information-security-indicators:VBH="PSW.3"
This indicator measures passwords not changed within the due period by an administrator in charge
of an account used by automated applications and processes (case of changes not periodically
imposed). Situations in which changes are not periodically imposed by the accessed systems
themselves remain fairly frequent within organizations (apart from Active Directory), the figure
being around 25 % of cases on average.
information-security-indicators:VBH="RGH.1"
This indicator measures the granting of not compliant user rights by an administrator outside any
official procedure. This vulnerability may originate with an error, negligence or malice.
information-security-indicators:VBH="HUW.1"
Human weakness exploited by a spear phishing message meant to entice or appeal to do something
possibly harmful to the organization
This vulnerability typically includes clicking on an Internet link or opening an attached document.
information-security-indicators:VBH="HUW.2"
Human weakness exploited by exchanges meant to entice or appeal to tell some secrets
to be used later
This vulnerability applies to discussions through on-line media leading to leakage of personal
identifiable information (PII) or various business details to be used later (notably for identity
usurpation).
VSW
Indicators of this category apply to the existence of weaknesses in software that could be exploited
and lead to security incidents.
information-security-indicators:VSW="WSR.1"
information-security-indicators:VSW="OSW.1"
information-security-indicators:VSW="WBR.1"
VCF
Indicators of this category apply to the existence of weaknesses in the configuration of IT devices
that could be exploited and lead to security incidents.
information-security-indicators:VCF="DIS.1"
This indicator measures the presence of illicit and dangerous system services running on an
externally accessible server.
information-security-indicators:VCF="LOG.1"
Such an event could cause an overflow in the case of a quick series of unusual actions.
information-security-indicators:VCF="FWR.1"
This indicator measures the gaps between the active firewall filtering rules and the security policy.
information-security-indicators:VCF="WTI.1"
This indicator measures the use of workstations with a disabled or out-of-date AV and/or FW. Lack
of update includes a signature file older than x days (generally at least 6 days).
information-security-indicators:VCF="WTI.2"
information-security-indicators:VCF="UAC.1"
This indicator measures access rights configurations that are not compliant with the corporate
security policy. This indicator is more reliable where a central repository of user rights exists
within the organization (and an IAM achievement).
information-security-indicators:VCF="UAC.2"
This indicator measures non-compliant access rights on logs in servers which are sensitive and/or
subject to regulations. This situation represents a key weakness, since the necessary high
confidence in the produced logs is reduced to nothing. This indicator is a subset of VCF_UAC.1.
information-security-indicators:VCF="UAC.3"
This indicator measures generic and shared administration accounts that are unnecessary or
accounts that are necessary but without patronage. It concerns operating systems, databases and
applications.
information-security-indicators:VCF="UAC.4"
This indicator measures accounts without owners that have not been erased. These are accounts
that have no more assigned users (for example after internal transfer or departure of the users
from organization).
information-security-indicators:VCF="UAC.5"
Inactive accounts
This indicator measures accounts inactive for at least 2 months that have not been disabled. These
accounts are not used by their users due to prolonged but not definitive absence (long term illness,
maternity, etc.), with the exclusion of messaging accounts (which should remain accessible to users
from their home).
VTC
Indicators of this category measure the existence of weaknesses in the IT and physical architecture
that could be exploited and lead to security incidents.
information-security-indicators:VTC="BKP.1"
information-security-indicators:VTC="IDS.1"
Many causes are possible, including deliberate disconnection by a network administrator (to
streamline operations or since IDS/IPS output is deemed too difficult to use), unwitting
disconnection (error by a network administrator), breakdown, software malfunction, etc.
information-security-indicators:VTC="WFI.1"
Many causes are possible, including for example local decisions for easier access of mobile users,
rogue user behaviours or workstations configured as access points.
information-security-indicators:VTC="RAP.1"
This indicator is useful for assessing whether such accesses are localized (local areas, countries,
etc.), involve the whole organization, or are increasing and spreading to the whole organization.
information-security-indicators:VTC="NRG.1"
Devices or servers connected to the organization’s network without being registered and managed
According to some convergent studies, this event may be at the origin of some 70 % of all security
incidents associated with malice.
information-security-indicators:VTC="PHY.1"
This indicator includes access to protected internal areas. The 1st cause is the lack of effective
control of users at software level. The 2nd cause is hardware breakdown of a component in the
chain.
VOR
Indicators of this category measure the existence of weaknesses in the organization that could be
exploited and lead to security incidents.
information-security-indicators:VOR="DSC.1"
Discovery of attacks
This indicator measures stealthy security incidents that are difficult to detect. As most studies
show, the time to discovery is often several months, a time frame especially used to steal sensitive
data. Incidents taken into account here are IEX_INT.3, IEX_MLW.3 and IEX_MLW.4. This indicator
gives landmarks regarding what may be deemed excessive, the assumption being a time to discovery
above one week.
information-security-indicators:VOR="VNP.1"
This indicator measures situations in which the time of the window of risk exposure exceeds the
time limit expressed in security policy. The window of risks exposure is the period of time between
the public disclosure of a software vulnerability and the actual and checked application of a patch
that corresponds with the vulnerability’s remediation (independently of the time needed for the
vendor to provide the patch). This indicator only applies to workstations (OS, application software
and browsers), and to critical vulnerabilities (as publicly determined via the CVSS scale) that
require an action as quickly as possible.
information-security-indicators:VOR="VNP.2"
This indicator measures the rate of unpatched systems for detected critical software vulnerabilities
(see VOR_VNP.1 for the criticality definition). Unpatched systems to be taken into account are the
ones which remain unpatched beyond the time limit defined in security policy. This indicator only
applies to workstations (OS, application software and browsers).
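The window-of-exposure measures behind VOR_VNP.1 and VOR_VNP.2 carried through on per-host patch records, as an added example that is not ETSI GS ISI or MISP code. The record layout, the 14-day policy limit and the sample data are constructed; the `vuln_id` values are placeholders, not real CVE identifiers, and criticality is assumed to have been decided upstream from the CVSS score.

```python
"""Window-of-exposure measures in the spirit of VOR_VNP.1 and VOR_VNP.2.

Added example, not from ETSI GS ISI or MISP. The record layout, the policy
time limit and the sample data are constructed for illustration; vuln_id
values are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    vuln_id: str              # placeholder identifier (constructed)
    critical: bool            # criticality as determined upstream from CVSS
    disclosed: date           # public disclosure of the vulnerability
    patched: Optional[date]   # date the patch was applied AND verified; None if open


def window_of_exposure(rec: PatchRecord, as_of: date) -> int:
    """Days from public disclosure to verified patch application. For a
    still-unpatched host the window is open, so it is measured up to as_of."""
    end = rec.patched if rec.patched is not None else as_of
    return (end - rec.disclosed).days


def vnp1_exceeding(records, as_of: date, limit_days: int):
    """VOR_VNP.1: critical (host, vulnerability) pairs whose window of exposure
    exceeds the time limit set in security policy, patched late or not at all."""
    return [r for r in records
            if r.critical and window_of_exposure(r, as_of) > limit_days]


def vnp2_unpatched_rate(records, as_of: date, limit_days: int) -> float:
    """VOR_VNP.2: share of critical pairs still unpatched beyond the policy
    limit, among all critical pairs. A host patched late counts as patched
    here (it is VNP.1's concern, not VNP.2's)."""
    critical = [r for r in records if r.critical]
    if not critical:
        return 0.0
    late = [r for r in critical
            if r.patched is None and (as_of - r.disclosed).days > limit_days]
    return len(late) / len(critical)


# Constructed sample: three critical pairs and one non-critical one.
SAMPLE = [
    PatchRecord("ws-01", "VULN-A", True, date(2024, 1, 2), date(2024, 1, 10)),
    PatchRecord("ws-02", "VULN-A", True, date(2024, 1, 2), None),
    PatchRecord("ws-03", "VULN-B", True, date(2024, 1, 20), None),
    PatchRecord("ws-04", "VULN-C", False, date(2023, 12, 1), None),
]
POLICY_LIMIT_DAYS = 14          # assumed policy value for this example
AS_OF = date(2024, 2, 1)        # measurement date of the constructed sample

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.host, r.vuln_id, "window:", window_of_exposure(r, AS_OF), "days")
    exceeding = [r.host for r in vnp1_exceeding(SAMPLE, AS_OF, POLICY_LIMIT_DAYS)]
    print("VNP.1 pairs exceeding the time limit:", exceeding)
    print("VNP.2 unpatched rate: %.2f"
          % vnp2_unpatched_rate(SAMPLE, AS_OF, POLICY_LIMIT_DAYS))
```

With the sample above, ws-01 was patched after 8 days and stays within the limit, ws-02 has an open 30-day window and is the only VNP.1 finding, and one of three critical pairs is unpatched beyond the limit, giving a VNP.2 rate of one third.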
information-security-indicators:VOR="VNR.1"
This indicator measures the rate of systems not reconfigured for detected critical configuration
vulnerabilities. Configuration vulnerabilities are either non-conformities relative to a level 3
security policy, or discrepancies relative to a state of the art available within the profession (which
can correspond to a configuration master produced by a vendor and applied within the
organization). This indicator only applies to workstations (OS, application software and browsers).
Systems not reconfigured to be taken into account are the ones which remain unreconfigured
beyond the time limit defined in security policy.
information-security-indicators:VOR="RCT.1"
This indicator applies to plans for responding to incidents formalized in security policy launched
without experience feedback.
information-security-indicators:VOR="RCT.2"
This indicator measures failure in the performance of plans, leading to non-recovery of incidents
and to subsequent possible launch of an escalation procedure.
information-security-indicators:VOR="PRT.1"
This indicator measures the launch of new IT projects without information classification.
The availability of a classification model and scheme within the organization would make this task
easier.
information-security-indicators:VOR="PRT.2"
This indicator measures the launch of new specific IT projects without performing a full risk
analysis.
information-security-indicators:VOR="PRT.3"
This indicator measures the launch of new IT projects of a standard type without identification of
vulnerabilities and threats and of related security measures. For these IT projects, potential
implementation of a simplified risk analysis method or of pre-defined security profiles can be
applied.
IMP
Indicators as regards impact measurement.
information-security-indicators:IMP="COS.1"
The average cost taken into account includes the following kinds of overhead: disruption to
business operations (increased operating costs, etc.), fraud (money, etc.) and incident recovery costs
(technical individual time, asset replacement, etc.). It does not include possible (generally very
heavy) breach notification costs to customers and enforcement bodies (according to US and
recently EU laws or regulations).
information-security-indicators:IMP="TIM.1"
Applies to all 4 classes, but main security incidents concerned are malfunctions or breakdowns
(software or hardware), DoS or DDoS attacks and Website defacements.
information-security-indicators:IMP="TIM.2"
This indicator is a subset of the previous one (IMP_TIM.1) focusing on 3 possible classes (IEX, IUS,
IMD).
information-security-indicators:IMP="TIM.3"
interception-method
interception-method namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
man-in-the-middle
Interception where an attacker secretly relayed and possibly altered the communication between
two parties.
interception-method:man-in-the-middle
Man-in-the-middle
Interception where an attacker secretly relayed and possibly altered the communication between
two parties.
man-on-the-side
Interception where an attacker could read and send messages between two parties but not alter
messages.
interception-method:man-on-the-side
Man-on-the-side
Interception where an attacker could read and send messages between two parties but not alter
messages.
passive
Interception where an attacker could read messages between two parties.
interception-method:passive
Passive
search-result-poisoning
Interception where an attacker creates malicious websites intended to show up in search engine
queries.
interception-method:search-result-poisoning
Interception where an attacker creates malicious websites intended to show up in search engine
queries.
dns
Interception where domain name resolution is altered to re-direct traffic to a malicious IP address.
interception-method:dns
Dns
Interception where domain name resolution is altered to re-direct traffic to a malicious IP address.
host-file
Interception where the HOSTS file is modified to re-direct traffic to a malicious IP address.
interception-method:host-file
Host file
Interception where the HOSTS file is modified to re-direct traffic to a malicious IP address.
other
Other.
interception-method:other
Other
Other.
kill-chain
kill-chain namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
The Cyber Kill Chain, a phase-based model developed by Lockheed Martin, aims to help categorise
and identify the stage of an attack.
Reconnaissance
kill-chain:Reconnaissance
Research, identification and selection of targets, often represented as crawling Internet websites
such as conference proceedings and mailing lists for email addresses, social relationships, or
information on specific technologies.
Weaponization
kill-chain:Weaponization
Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an
automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable
Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
Delivery
kill-chain:Delivery
Transmission of the weapon to the targeted environment. The three most prevalent delivery
vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer
Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and
USB removable media.
Exploitation
kill-chain:Exploitation
After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
Installation
kill-chain:Installation
Installation of a remote access trojan or backdoor on the victim system allows the adversary to
maintain persistence inside the environment.
Command and Control
kill-chain:Command and Control
Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have 'hands on the keyboard' access inside the target environment.
Actions on Objectives
kill-chain:Actions on Objectives
Only now, after progressing through the first six phases, can intruders take actions to achieve their
original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting
and extracting information from the victim environment; violations of data integrity or availability
are potential objectives as well. Alternatively, the intruders may only desire access to the initial
victim box for use as a hop point to compromise additional systems and move laterally inside the
network.
lifetime
lifetime namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
Lifetime of an event
falling
Falling
lifetime:falling
Falling
Falling
100
publishing
Publishing
lifetime:publishing
Publishing
Publishing
75
propagating
Propagating
lifetime:propagating
Propagating
Propagating
50
discovering
Discovering
lifetime:discovering
Discovering
Discovering
25
maec-delivery-vectors
maec-delivery-vectors namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
maec-delivery-vector
maec-delivery-vectors:maec-delivery-vector="active-attacker"
active Attacker
maec-delivery-vectors:maec-delivery-vector="auto-executing-media"
auto-executing-media
maec-delivery-vectors:maec-delivery-vector="downloader"
downloader
maec-delivery-vectors:maec-delivery-vector="dropper"
dropper
maec-delivery-vectors:maec-delivery-vector="email-attachment"
email-attachment
maec-delivery-vectors:maec-delivery-vector="exploit-kit-landing-page"
exploit-kit-landing-page
maec-delivery-vectors:maec-delivery-vector="fake-website"
fake-website
maec-delivery-vectors:maec-delivery-vector="janitor-attack"
janitor-attack
maec-delivery-vectors:maec-delivery-vector="malicious-iframes"
malicious-iframes
maec-delivery-vectors:maec-delivery-vector="malvertising"
malvertising
maec-delivery-vectors:maec-delivery-vector="media-baiting"
media-baiting
maec-delivery-vectors:maec-delivery-vector="pharming"
pharming
maec-delivery-vectors:maec-delivery-vector="phishing"
phishing
maec-delivery-vectors:maec-delivery-vector="trojanized-link"
trojanized-link
maec-delivery-vectors:maec-delivery-vector="trojanized-software"
trojanized-software
maec-delivery-vectors:maec-delivery-vector="usb-cable-syncing"
usb-cable-syncing
maec-delivery-vectors:maec-delivery-vector="watering-hole"
watering-hole
maec-malware-behavior
maec-malware-behavior namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
maec-malware-behavior
maec-malware-behavior:maec-malware-behavior="access-premium-service"
access-premium-service
maec-malware-behavior:maec-malware-behavior="autonomous-remote-infection"
autonomous-remote-infection
maec-malware-behavior:maec-malware-behavior="block-security-websites"
block-security-websites
maec-malware-behavior:maec-malware-behavior="capture-camera-input"
capture-camera-input
maec-malware-behavior:maec-malware-behavior="capture-file-system-data"
capture-file-system-data
maec-malware-behavior:maec-malware-behavior="capture-gps-data"
capture-gps-data
maec-malware-behavior:maec-malware-behavior="capture-keyboard-input"
capture-keyboard-input
maec-malware-behavior:maec-malware-behavior="capture-microphone-input"
capture-microphone-input
maec-malware-behavior:maec-malware-behavior="capture-mouse-input"
capture-mouse-input
maec-malware-behavior:maec-malware-behavior="capture-printer-output"
capture-printer-output
maec-malware-behavior:maec-malware-behavior="capture-system-memory"
capture-system-memory
maec-malware-behavior:maec-malware-behavior="capture-system-network-traffic"
capture-system-network-traffic
maec-malware-behavior:maec-malware-behavior="capture-system-screenshot"
capture-system-screenshot
maec-malware-behavior:maec-malware-behavior="capture-touchscreen-input"
capture-touchscreen-input
maec-malware-behavior:maec-malware-behavior="check-for-payload"
check-for-payload
maec-malware-behavior:maec-malware-behavior="click-fraud"
click-fraud
maec-malware-behavior:maec-malware-behavior="compare-host-fingerprints"
compare-host-fingerprints
maec-malware-behavior:maec-malware-behavior="compromise-remote-machine"
compromise-remote-machine
maec-malware-behavior:maec-malware-behavior="control-local-machine-via-remote-command"
control-local-machine-via-remote-command
maec-malware-behavior:maec-malware-behavior="control-malware-via-remote-command"
control-malware-via-remote-command
maec-malware-behavior:maec-malware-behavior="crack-passwords"
crack-passwords
maec-malware-behavior:maec-malware-behavior="defeat-call-graph-generation"
defeat-call-graph-generation
maec-malware-behavior:maec-malware-behavior="defeat-emulator"
defeat-emulator
maec-malware-behavior:maec-malware-behavior="defeat-flow-oriented-disassembler"
defeat-flow-oriented-disassembler
maec-malware-behavior:maec-malware-behavior="defeat-linear-disassembler"
defeat-linear-disassembler
maec-malware-behavior:maec-malware-behavior="degrade-security-program"
degrade-security-program
maec-malware-behavior:maec-malware-behavior="denial-of-service"
denial-of-service
maec-malware-behavior:maec-malware-behavior="destroy-hardware"
destroy-hardware
maec-malware-behavior:maec-malware-behavior="detect-debugging"
detect-debugging
maec-malware-behavior:maec-malware-behavior="detect-emulator"
detect-emulator
maec-malware-behavior:maec-malware-behavior="detect-installed-analysis-tools"
detect-installed-analysis-tools
maec-malware-behavior:maec-malware-behavior="detect-installed-av-tools"
detect-installed-av-tools
maec-malware-behavior:maec-malware-behavior="detect-sandbox-environment"
detect-sandbox-environment
maec-malware-behavior:maec-malware-behavior="detect-vm-environment"
detect-vm-environment
maec-malware-behavior:maec-malware-behavior="determine-host-ip-address"
determine-host-ip-address
maec-malware-behavior:maec-malware-behavior="disable-access-rights-checking"
disable-access-rights-checking
maec-malware-behavior:maec-malware-behavior="disable-firewall"
disable-firewall
maec-malware-behavior:maec-malware-behavior="disable-kernel-patch-protection"
disable-kernel-patch-protection
maec-malware-behavior:maec-malware-behavior="disable-os-security-alerts"
disable-os-security-alerts
maec-malware-behavior:maec-malware-behavior="disable-privilege-limiting"
disable-privilege-limiting
maec-malware-behavior:maec-malware-behavior="disable-service-pack-patch-installation"
disable-service-pack-patch-installation
maec-malware-behavior:maec-malware-behavior="disable-system-file-overwrite-protection"
disable-system-file-overwrite-protection
maec-malware-behavior:maec-malware-behavior="disable-update-services-daemons"
disable-update-services-daemons
maec-malware-behavior:maec-malware-behavior="disable-user-account-control"
disable-user-account-control
maec-malware-behavior:maec-malware-behavior="drop-retrieve-debug-log-file"
drop-retrieve-debug-log-file
maec-malware-behavior:maec-malware-behavior="elevate-privilege"
elevate-privilege
maec-malware-behavior:maec-malware-behavior="encrypt-data"
encrypt-data
maec-malware-behavior:maec-malware-behavior="encrypt-files"
encrypt-files
maec-malware-behavior:maec-malware-behavior="encrypt-self"
encrypt-self
maec-malware-behavior:maec-malware-behavior="erase-data"
erase-data
maec-malware-behavior:maec-malware-behavior="evade-static-heuristic"
evade-static-heuristic
maec-malware-behavior:maec-malware-behavior="execute-before-external-to-kernel-hypervisor"
execute-before-external-to-kernel-hypervisor
maec-malware-behavior:maec-malware-behavior="execute-non-main-cpu-code"
execute-non-main-cpu-code
maec-malware-behavior:maec-malware-behavior="execute-stealthy-code"
execute-stealthy-code
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via-covert channel"
exfiltrate-data-via-covert channel
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via—dumpster-dive"
exfiltrate-data-via-dumpster-dives
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via-fax"
exfiltrate-data-via-fax
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via-network"
exfiltrate-data-via-network
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via-physical-media"
exfiltrate-data-via-physical-media
maec-malware-behavior:maec-malware-behavior="exfiltrate-data-via-voip-phone"
exfiltrate-data-via-voip-phone
maec-malware-behavior:maec-malware-behavior="feed-misinformation-during-physical-memory-acquisition"
feed-misinformation-during-physical-memory-acquisition
maec-malware-behavior:maec-malware-behavior="file-system-instantiation"
file-system-instantiation
maec-malware-behavior:maec-malware-behavior="fingerprint-host"
fingerprint-host
maec-malware-behavior:maec-malware-behavior="generate-c2-domain-names"
generate-c2-domain-names
maec-malware-behavior:maec-malware-behavior="hide-arbitrary-virtual-memory"
hide-arbitrary-virtual-memory
maec-malware-behavior:maec-malware-behavior="hide-data-in-other-formats"
hide-data-in-other-formats
maec-malware-behavior:maec-malware-behavior="hide-file-system-artifacts"
hide-file-system-artifacts
maec-malware-behavior:maec-malware-behavior="hide-kernel-modules"
hide-kernel-modules
maec-malware-behavior:maec-malware-behavior="hide-network-traffic"
hide-network-traffic
maec-malware-behavior:maec-malware-behavior="hide-open-network-ports"
hide-open-network-ports
maec-malware-behavior:maec-malware-behavior="hide-processes"
hide-processes
maec-malware-behavior:maec-malware-behavior="hide-services"
hide-services
maec-malware-behavior:maec-malware-behavior="hide-threads"
hide-threads
maec-malware-behavior:maec-malware-behavior="hide-userspace-libraries"
hide-userspace-libraries
maec-malware-behavior:maec-malware-behavior="identify-file"
identify-file
maec-malware-behavior:maec-malware-behavior="identify-os"
identify-os
maec-malware-behavior:maec-malware-behavior="identify-target-machines"
identify-target-machines
maec-malware-behavior:maec-malware-behavior="impersonate-user"
impersonate-user
maec-malware-behavior:maec-malware-behavior="install-backdoor"
install-backdoor
maec-malware-behavior:maec-malware-behavior="install-legitimate-software"
install-legitimate-software
maec-malware-behavior:maec-malware-behavior="install-secondary-malware"
install-secondary-malware
maec-malware-behavior:maec-malware-behavior="install-secondary-module"
install-secondary-module
maec-malware-behavior:maec-malware-behavior="intercept-manipulate-network-traffic"
intercept-manipulate-network-traffic
maec-malware-behavior:maec-malware-behavior="inventory-security-products"
inventory-security-products
maec-malware-behavior:maec-malware-behavior="inventory-system-applications"
inventory-system-applications
maec-malware-behavior:maec-malware-behavior="inventory-victims"
inventory-victims
maec-malware-behavior:maec-malware-behavior="limit-application-type-version"
limit-application-type-version
maec-malware-behavior:maec-malware-behavior="log-activity"
log-activity
maec-malware-behavior:maec-malware-behavior="manipulate-file-system-data"
manipulate-file-system-data
maec-malware-behavior:maec-malware-behavior="map-local-network"
map-local-network
maec-malware-behavior:maec-malware-behavior="mine-for-cryptocurrency"
mine-for-cryptocurrency
maec-malware-behavior:maec-malware-behavior="modify-file"
modify-file
maec-malware-behavior:maec-malware-behavior="modify-security-software-configuration"
modify-security-software-configuration
maec-malware-behavior:maec-malware-behavior="move-data-to-staging-server"
move-data-to-staging-server
maec-malware-behavior:maec-malware-behavior="obfuscate-artifact-properties"
obfuscate-artifact-properties
maec-malware-behavior:maec-malware-behavior="overload-sandbox"
overload-sandbox
maec-malware-behavior:maec-malware-behavior="package-data"
package-data
maec-malware-behavior:maec-malware-behavior="persist-after-hardware-changes"
persist-after-hardware-changes
maec-malware-behavior:maec-malware-behavior="persist-after-os-changes"
persist-after-os-changes
maec-malware-behavior:maec-malware-behavior="persist-after-system-reboot"
persist-after-system-reboot
maec-malware-behavior:maec-malware-behavior="prevent-api-unhooking"
prevent-api-unhooking
maec-malware-behavior:maec-malware-behavior="prevent-concurrent-execution"
prevent-concurrent-execution
maec-malware-behavior:maec-malware-behavior="prevent-debugging"
prevent-debugging
maec-malware-behavior:maec-malware-behavior="prevent-file-access"
prevent-file-access
maec-malware-behavior:maec-malware-behavior="prevent-file-deletion"
prevent-file-deletion
maec-malware-behavior:maec-malware-behavior="prevent-memory-access"
prevent-memory-access
maec-malware-behavior:maec-malware-behavior="prevent-native-api-hooking"
prevent-native-api-hooking
maec-malware-behavior:maec-malware-behavior="prevent-physical-memory-acquisition"
prevent-physical-memory-acquisition
maec-malware-behavior:maec-malware-behavior="prevent-registry-access"
prevent-registry-access
maec-malware-behavior:maec-malware-behavior="prevent-registry-deletion"
prevent-registry-deletion
maec-malware-behavior:maec-malware-behavior="prevent-security-software-from-executing"
prevent-security-software-from-executing
maec-malware-behavior:maec-malware-behavior="re-instantiate-self"
re-instantiate-self
maec-malware-behavior:maec-malware-behavior="remove-self"
remove-self
maec-malware-behavior:maec-malware-behavior="remove-sms-warning-messages"
remove-sms-warning-messages
maec-malware-behavior:maec-malware-behavior="remove-system-artifacts"
remove-system-artifacts
maec-malware-behavior:maec-malware-behavior="request-email-address-list"
request-email-address-list
maec-malware-behavior:maec-malware-behavior="request-email-template"
request-email-template
maec-malware-behavior:maec-malware-behavior="search-for-remote-machines"
search-for-remote-machines
maec-malware-behavior:maec-malware-behavior="send-beacon"
send-beacon
maec-malware-behavior:maec-malware-behavior="send-email-message"
send-email-message
maec-malware-behavior:maec-malware-behavior="social-engineering-based-remote-infection"
social-engineering-based-remote-infection
maec-malware-behavior:maec-malware-behavior="steal-browser-cache"
steal-browser-cache
maec-malware-behavior:maec-malware-behavior="steal-browser-cookies"
steal-browser-cookies
maec-malware-behavior:maec-malware-behavior="steal-browser-history"
steal-browser-history
maec-malware-behavior:maec-malware-behavior="steal-contact-list-data"
steal-contact-list-data
maec-malware-behavior:maec-malware-behavior="steal-cryptocurrency-data"
steal-cryptocurrency-data
maec-malware-behavior:maec-malware-behavior="steal-database-content"
steal-database-content
maec-malware-behavior:maec-malware-behavior="steal-dialed-phone-numbers"
steal-dialed-phone-numbers
maec-malware-behavior:maec-malware-behavior="steal-digital-certificates"
steal-digital-certificates
maec-malware-behavior:maec-malware-behavior="steal-documents"
steal-documents
maec-malware-behavior:maec-malware-behavior="steal-email-data"
steal-email-data
maec-malware-behavior:maec-malware-behavior="steal-images"
steal-images
maec-malware-behavior:maec-malware-behavior="steal-password-hashes"
steal-password-hashes
maec-malware-behavior:maec-malware-behavior="steal-pki-key"
steal-pki-key
maec-malware-behavior:maec-malware-behavior="steal-referrer-urls"
steal-referrer-urls
maec-malware-behavior:maec-malware-behavior="steal-serial-numbers"
steal-serial-numbers
maec-malware-behavior:maec-malware-behavior="steal-sms-database"
steal-sms-database
maec-malware-behavior:maec-malware-behavior="steal-web-network-credential"
steal-web-network-credential
maec-malware-behavior:maec-malware-behavior="stop-execution-of-security-software"
stop-execution-of-security-software
maec-malware-behavior:maec-malware-behavior="suicide-exit"
suicide-exit
maec-malware-behavior:maec-malware-behavior="test-for-firewall"
test-for-firewall
maec-malware-behavior:maec-malware-behavior="test-for-internet-connectivity"
test-for-internet-connectivity
maec-malware-behavior:maec-malware-behavior="test-for-network-drives"
test-for-network-drives
maec-malware-behavior:maec-malware-behavior="test-for-proxy"
test-for-proxy
maec-malware-behavior:maec-malware-behavior="test-smtp-connection"
test-smtp-connection
maec-malware-behavior:maec-malware-behavior="update-configuration"
update-configuration
maec-malware-behavior:maec-malware-behavior="validate-data"
validate-data
maec-malware-behavior:maec-malware-behavior="write-code-into-file"
write-code-into-file
maec-malware-capabilities
maec-malware-capabilities namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
maec-malware-capability
maec-malware-capabilities:maec-malware-capability="anti-behavioral-analysis"
anti-behavioral-analysis
maec-malware-capabilities:maec-malware-capability="anti-code-analysis"
anti-code-analysis
maec-malware-capabilities:maec-malware-capability="anti-detection"
anti-detection
maec-malware-capabilities:maec-malware-capability="anti-removal"
anti-removal
maec-malware-capabilities:maec-malware-capability="availability-violation"
availability-violation
maec-malware-capabilities:maec-malware-capability="collection"
collection
maec-malware-capabilities:maec-malware-capability="command-and-control"
command-and-control
maec-malware-capabilities:maec-malware-capability="data-theft"
data-theft
maec-malware-capabilities:maec-malware-capability="destruction"
destruction
maec-malware-capabilities:maec-malware-capability="discovery"
discovery
maec-malware-capabilities:maec-malware-capability="exfiltration"
exfiltration
maec-malware-capabilities:maec-malware-capability="fraud"
fraud
maec-malware-capabilities:maec-malware-capability="infection-propagation"
infection-propagation
maec-malware-capabilities:maec-malware-capability="integrity-violation"
integrity-violation
maec-malware-capabilities:maec-malware-capability="machine-access-control"
machine-access-control
maec-malware-capabilities:maec-malware-capability="persistence"
persistence
maec-malware-capabilities:maec-malware-capability="privilege-escalation"
privilege-escalation
maec-malware-capabilities:maec-malware-capability="secondary-operation"
secondary-operation
maec-malware-capabilities:maec-malware-capability="security-degradation"
security-degradation
maec-malware-capabilities:maec-malware-capability="access-control-degradation"
access-control-degradation
maec-malware-capabilities:maec-malware-capability="anti-debugging"
anti-debugging
maec-malware-capabilities:maec-malware-capability="anti-disassembly"
anti-disassembly
maec-malware-capabilities:maec-malware-capability="anti-emulation"
anti-emulation
maec-malware-capabilities:maec-malware-capability="anti-memory-forensics"
anti-memory-forensics
maec-malware-capabilities:maec-malware-capability="anti-sandbox"
anti-sandbox
maec-malware-capabilities:maec-malware-capability="anti-virus-evasion"
anti-virus-evasion
maec-malware-capabilities:maec-malware-capability="anti-vm"
anti-vm
maec-malware-capabilities:maec-malware-capability="authentication-credentials-theft"
authentication-credentials-theft
maec-malware-capabilities:maec-malware-capability="clean-traces-of-infection"
clean-traces-of-infection
maec-malware-capabilities:maec-malware-capability="communicate-with-c2-server"
communicate-with-c2-server
maec-malware-capabilities:maec-malware-capability="compromise-data-availability"
compromise-data-availability
maec-malware-capabilities:maec-malware-capability="compromise-system-availability"
compromise-system-availability
maec-malware-capabilities:maec-malware-capability="consume-system-resources"
consume-system-resources
maec-malware-capabilities:maec-malware-capability="continuous-execution"
continuous-execution
maec-malware-capabilities:maec-malware-capability="data-integrity-violation"
data-integrity-violation
maec-malware-capabilities:maec-malware-capability="data-obfuscation"
data-obfuscation
maec-malware-capabilities:maec-malware-capability="data-staging"
data-staging
maec-malware-capabilities:maec-malware-capability="determine-c2-server"
determine-c2-server
maec-malware-capabilities:maec-malware-capability="email-spam"
email-spam
maec-malware-capabilities:maec-malware-capability="ensure-compatibility"
ensure-compatibility
maec-malware-capabilities:maec-malware-capability="environment-awareness"
environment-awareness
maec-malware-capabilities:maec-malware-capability="file-infection"
file-infection
maec-malware-capabilities:maec-malware-capability="hide-artifacts"
hide-artifacts
maec-malware-capabilities:maec-malware-capability="hide-executing-code"
hide-executing-code
maec-malware-capabilities:maec-malware-capability="hide-non-executing-code"
hide-non-executing-code
maec-malware-capabilities:maec-malware-capability="host-configuration-probing"
host-configuration-probing
maec-malware-capabilities:maec-malware-capability="information-gathering-for-improvement"
information-gathering-for-improvement
maec-malware-capabilities:maec-malware-capability="input-peripheral-capture"
input-peripheral-capture
maec-malware-capabilities:maec-malware-capability="install-other-components"
install-other-components
maec-malware-capabilities:maec-malware-capability="local-machine-control"
local-machine-control
maec-malware-capabilities:maec-malware-capability="network-environment-probing"
network-environment-probing
maec-malware-capabilities:maec-malware-capability="os-security-feature-degradation"
os-security-feature-degradation
maec-malware-capabilities:maec-malware-capability="output-peripheral-capture"
output-peripheral-capture
maec-malware-capabilities:maec-malware-capability="physical-entity-destruction"
physical-entity-destruction
maec-malware-capabilities:maec-malware-capability="prevent-artifact-access"
prevent-artifact-access
maec-malware-capabilities:maec-malware-capability="prevent-artifact-deletion"
prevent-artifact-deletion
maec-malware-capabilities:maec-malware-capability="remote-machine-access"
remote-machine-access
maec-malware-capabilities:maec-malware-capability="security-software-degradation"
security-software-degradation
maec-malware-capabilities:maec-malware-capability="security-software-evasion"
security-software-evasion
maec-malware-capabilities:maec-malware-capability="self-modification"
self-modification
maec-malware-capabilities:maec-malware-capability="service-provider-security-feature-degradation"
service-provider-security-feature-degradation
maec-malware-capabilities:maec-malware-capability="stored-information-theft"
stored-information-theft
maec-malware-capabilities:maec-malware-capability="system-interface-data-capture"
system-interface-data-capture
maec-malware-capabilities:maec-malware-capability="system-operational-integrity-violation"
system-operational-integrity-violation
maec-malware-capabilities:maec-malware-capability="system-re-infection"
system-re-infection
maec-malware-capabilities:maec-malware-capability="system-state-data-capture"
system-state-data-capture
maec-malware-capabilities:maec-malware-capability="system-update-degradation"
system-update-degradation
maec-malware-capabilities:maec-malware-capability="user-data-theft"
user-data-theft
maec-malware-capabilities:maec-malware-capability="virtual-entity-destruction"
virtual-entity-destruction
maec-malware-obfuscation-methods
maec-malware-obfuscation-methods namespace available in JSON format at this
location. The JSON format can be freely reused in your application or
automatically enabled in MISP taxonomy.
maec-obfuscation-methods
maec-malware-obfuscation-methods:maec-obfuscation-methods="packing"
packing
maec-malware-obfuscation-methods:maec-obfuscation-methods="code-encryption"
code-encryption
maec-malware-obfuscation-methods:maec-obfuscation-methods="dead-code-insertion"
dead-code-insertion
maec-malware-obfuscation-methods:maec-obfuscation-methods="entry-point-obfuscation"
entry-point-obfuscation
maec-malware-obfuscation-methods:maec-obfuscation-methods="import-address-table-obfuscation"
import-address-table-obfuscation
maec-malware-obfuscation-methods:maec-obfuscation-methods="interleaving-code"
interleaving-code
maec-malware-obfuscation-methods:maec-obfuscation-methods="symbolic-obfuscation"
symbolic-obfuscation
maec-malware-obfuscation-methods:maec-obfuscation-methods="string-obfuscation"
string-obfuscation
maec-malware-obfuscation-methods:maec-obfuscation-methods="subroutine-reordering"
subroutine-reordering
maec-malware-obfuscation-methods:maec-obfuscation-methods="code-transposition"
code-transposition
maec-malware-obfuscation-methods:maec-obfuscation-methods="instruction-substitution"
instruction-substitution
maec-malware-obfuscation-methods:maec-obfuscation-methods="register-reassignment"
register-reassignment
malware_classification
malware_classification namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
malware-category
malware_classification:malware-category="Virus"
Virus
malware_classification:malware-category="Worm"
Worm
malware_classification:malware-category="Trojan"
Trojan
malware_classification:malware-category="Ransomware"
Ransomware
malware_classification:malware-category="Rootkit"
Rootkit
malware_classification:malware-category="Downloader"
Downloader
malware_classification:malware-category="Adware"
Adware
malware_classification:malware-category="Spyware"
Spyware
malware_classification:malware-category="Botnet"
Botnet
obfuscation-technique
malware_classification:obfuscation-technique="no-obfuscation"
No obfuscation is used
malware_classification:obfuscation-technique="encryption"
encryption
malware_classification:obfuscation-technique="oligomorphism"
oligomorphism
malware_classification:obfuscation-technique="metamorphism"
metamorphism
malware_classification:obfuscation-technique="stealth"
stealth
malware_classification:obfuscation-technique="armouring"
armouring
malware_classification:obfuscation-technique="tunneling"
tunneling
malware_classification:obfuscation-technique="XOR"
XOR
malware_classification:obfuscation-technique="BASE64"
BASE64
malware_classification:obfuscation-technique="ROT13"
ROT13
payload-classification
malware_classification:payload-classification="no-payload"
No payload
malware_classification:payload-classification="non-destructive"
Non-Destructive
malware_classification:payload-classification="destructive"
Destructive
malware_classification:payload-classification="dropper"
Dropper
memory-classification
malware_classification:memory-classification="resident"
In memory
malware_classification:memory-classification="temporary-resident"
In memory temporarily
malware_classification:memory-classification="swapping-mode"
malware_classification:memory-classification="non-resident"
Not in memory
malware_classification:memory-classification="user-process"
malware_classification:memory-classification="kernel-process"
misp
misp namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
ui
misp:ui="hide"
api
misp:api="hide"
expansion
Expansion tag influencing the MISP behavior using expansion modules
misp:expansion="block"
block
contributor
misp:contributor="pgpfingerprint"
OpenPGP Fingerprint
confidence-level
misp:confidence-level="completely-confident"
Completely confident
misp:confidence-level="usually-confident"
Usually confident
misp:confidence-level="fairly-confident"
Fairly confident
misp:confidence-level="rarely-confident"
Rarely confident
misp:confidence-level="unconfident"
Unconfident
misp:confidence-level="confidence-cannot-be-evalued"
threat-level
misp:threat-level="no-risk"
No risk
misp:threat-level="low-risk"
Low risk
misp:threat-level="medium-risk"
Medium risk
Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)
misp:threat-level="high-risk"
High risk
High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)
automation-level
Exclusive flag set, which means the values or predicate below must be set exclusively.
misp:automation-level="unsupervised"
misp:automation-level="reviewed"
misp:automation-level="manual"
should-not-sync
Event with this tag should not be synced to other MISP instances
tool
Tool associated with the tagged information
misp:tool="misp2stix"
misp2stix
misp:tool="misp2yara"
misp2yara
misp2yara
misp:misp2yara="generated"
generated
misp:misp2yara="as-is"
as-is
misp:misp2yara="valid"
valid
misp:misp2yara="invalid"
invalid
monarc-threat
monarc-threat namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
compromise-of-functions
monarc-threat:compromise-of-functions="error-in-use"
Error in use
A person commits an operating error, input error or utilisation error on hardware or software.
monarc-threat:compromise-of-functions="forging-of-rights"
Forging of rights
A person assumes the identity of a different person in order to use his/her access rights to the
information system, misinform the recipient, commit a fraud, etc.
monarc-threat:compromise-of-functions="eavesdropping"
Eavesdropping
monarc-threat:compromise-of-functions="denial-of-actions"
Denial of actions
A person or entity denies being involved in an exchange with a third party or carrying out an
operation.
monarc-threat:compromise-of-functions="abuse-of-rights"
Abuse of rights
Someone with special rights (network administration, computer specialists, etc.) modifies the
operating characteristics of the resources.
monarc-threat:compromise-of-functions="breach-of-personnel-availability"
Absence of qualified or authorised personnel to execute the usual operations.
unauthorised-actions
monarc-threat:unauthorised-actions="fraudulent-copying-or-use-of-counterfeit-software"
Someone inside the organisation makes fraudulent copies (also called pirated copies) of package software or in-house software.
monarc-threat:unauthorised-actions="corruption-of-data"
Corruption of data
Someone gains access to the communication equipment of the information system and corrupts
transmission of information (by intercepting, inserting, destroying, etc.) or repeatedly attempts
access until successful.
monarc-threat:unauthorised-actions="illegal-processing-of-data"
A person carries out information processing that is forbidden by the law or a regulation.
compromise-of-information
monarc-threat:compromise-of-information="remote-spying"
Remote spying
Personnel actions observable from a distance. Visual observation with or without optical
equipment, for example observation of a user entering a code or password on a keyboard.
monarc-threat:compromise-of-information="tampering-with-hardware"
monarc-threat:compromise-of-information="interception-of-compromising-interference-signals"
Interfering signals from an electromagnetic source emitted by the equipment (by conduction on the
electrical power supply cables or earth wires or by radiation in free space). Capture of these signals
depends on the distance to the targeted equipment or the possibility of connecting to cables or any
other conductor passing close to the equipment (coupling phenomenon).
monarc-threat:compromise-of-information="theft-or-destruction-of-media-documents-or-equipment"
Media, documents or equipment can be accessed by unauthorised persons, from inside or outside the
organisation, and can be damaged or stolen.
monarc-threat:compromise-of-information="retrieval-of-recycled-or-discarded-media"
Retrieval of electronic media (hard discs, floppy discs, back-up cartridges, USB keys, ZIP discs,
removable hard discs, etc.) or paper copies (lists, incomplete print-outs, messages, etc.) intended for
recycling and containing retrievable information.
monarc-threat:compromise-of-information="malware-infection"
Malware infection
monarc-threat:compromise-of-information="data-from-untrustworthy-
sources"
Receiving false data or unsuitable equipment from outside sources and using them in the
organisation.
monarc-threat:compromise-of-information="disclosure"
Disclosure
loss-of-essential-services
monarc-threat:loss-of-essential-services="failure-of-telecommunication-equipment"
monarc-threat:loss-of-essential-services="loss-of-power-supply"
Failure, shutdown or incorrect sizing of the power supply to the assets arising either from the
supplier’s service or from the internal distribution system.
monarc-threat:loss-of-essential-services="failure-of-air-conditioning"
Failure of air-conditioning
Failure, shutdown or inadequacy of the air-conditioning service may cause assets requiring cooling
or ventilation to shut down, malfunction or fail completely.
technical-failures
monarc-threat:technical-failures="software-malfunction"
Software malfunction
Design error, installation error or operating error committed during modification causing incorrect
execution.
monarc-threat:technical-failures="equipment-malfunction-or-failure"
monarc-threat:technical-failures="saturation-of-the-information-system"
monarc-threat:technical-failures="breach-of-information-system-maintainability"
physical-damage
monarc-threat:physical-damage="destruction-of-equipment-or-supports"
Event causing destruction of equipment or media.
monarc-threat:physical-damage="fire"
Fire
monarc-threat:physical-damage="water-damage"
Water damage
Situation facilitating the water hazard on equipment (floods, water leak, cellars, etc.)
monarc-threat:physical-damage="major-accident"
Major accident
monarc-threat:physical-damage="pollution"
Pollution
monarc-threat:physical-damage="environmental-disaster"
ms-caro-malware
ms-caro-malware namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Malware Type and Platform classification based on Microsoft’s implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology. Based on https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx, https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx, https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx, and http://www.caro.org/definitions/index.html. Malware families are extracted from Microsoft SIRs since 2008 based on https://www.microsoft.com/security/sir/archive/default.aspx and https://www.microsoft.com/en-us/security/portal/threat/threats.aspx. Note that SIRs do NOT include all Microsoft malware families.
malware-type
ms-caro-malware:malware-type="Adware"
Adware - Software that shows you extra promotions that you cannot control as you use your PC
ms-caro-malware:malware-type="Backdoor"
A type of trojan that gives a malicious hacker access to and control of your PC
ms-caro-malware:malware-type="Behavior"
A type of detection based on file actions that are often associated with malicious activity
ms-caro-malware:malware-type="BroswerModifier"
A program that makes changes to your Internet browser without your permission
ms-caro-malware:malware-type="Constructor"
ms-caro-malware:malware-type="DDoS"
When a number of PCs are made to access a website, network or server repeatedly within a given
time period. The aim of the attack is to overload the target so that it crashes and can’t respond
ms-caro-malware:malware-type="Dialer"
A program that makes unauthorized telephone calls. These calls may be charged at a premium rate
and cost you a lot of money
ms-caro-malware:malware-type="DoS"
When a target PC or server is deliberately overloaded so that it doesn’t work for any visitors
anymore
ms-caro-malware:malware-type="Exploit"
A piece of code that uses software vulnerabilities to access information on your PC or install
malware
ms-caro-malware:malware-type="HackTool"
A type of tool that can be used to allow and maintain unauthorized access to your PC
ms-caro-malware:malware-type="Joke"
A program that pretends to do something malicious but doesn’t actually do anything harmful. For
example, some joke programs pretend to delete files or format disks
ms-caro-malware:malware-type="Misleading"
The program that makes misleading or fraudulent claims about files, registry entries or other items
on your PC
ms-caro-malware:malware-type="MonitoringTool"
A commercial program that monitors what you do on your PC. This can include monitoring what
keys you press; your email or instant messages; your voice or video conversations; and your
banking details and passwords. It can also take screenshots as you use your PC
ms-caro-malware:malware-type="Program"
ms-caro-malware:malware-type="PUA"
ms-caro-malware:malware-type="PWS"
A type of malware that is used to steal your personal information, such as user names and passwords.
It often works along with a keylogger that collects and sends information about what keys you
press and websites you visit to a malicious hacker
ms-caro-malware:malware-type="Ransom"
A detection for malicious programs that seize control of the computer on which they are installed.
This trojan usually locks the screen and prevents the user from using the computer. It usually
displays an alert message.
ms-caro-malware:malware-type="RemoteAccess"
A program that gives someone access to your PC from a remote location. This type of program is
often installed by the computer owner
ms-caro-malware:malware-type="Rogue"
Software that pretends to be an antivirus program but doesn’t actually provide any security. This
type of software usually gives you a lot of alerts about threats on your PC that don’t exist. It also
tries to convince you to pay for its services
ms-caro-malware:malware-type="SettingsModifier"
ms-caro-malware:malware-type="SoftwareBundler"
A program that installs unwanted software on your PC at the same time as the software you are
trying to install, without adequate consent
ms-caro-malware:malware-type="Spammer"
A trojan that sends large numbers of spam emails. It may also describe the person or business
responsible for sending spam
ms-caro-malware:malware-type="Spoofer"
A type of trojan that makes fake emails that look like they are from a legitimate source
ms-caro-malware:malware-type="Spyware"
A program that collects your personal information, such as your browsing history, and uses it
without adequate consent
ms-caro-malware:malware-type="Tool"
A type of software that may have a legitimate purpose, but which may also be abused by malware
authors
ms-caro-malware:malware-type="Trojan"
A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a
virus or a worm, a trojan doesn’t spread by itself. Instead, it tries to look innocent to convince you
to download and install it. Once installed, a trojan can steal your personal information,
download more malware, or give a malicious hacker access to your PC
ms-caro-malware:malware-type="TrojanClicker"
A type of trojan that can use your PC to click on websites or applications. They are usually used to
make money for a malicious hacker by clicking on online advertisements and making it look like
the website gets more traffic than it does. They can also be used to skew online polls, install
programs on your PC, or make unwanted software appear more popular than it is
ms-caro-malware:malware-type="TrojanDownloader"
A type of trojan that installs other malicious files, including malware, onto your PC. It can
download the files from a remote PC or install them directly from a copy that is included in its file.
ms-caro-malware:malware-type="TrojanDropper"
A type of trojan that installs other malicious files, including malware, onto your PC. It can
download the files from a remote PC or install them directly from a copy that is included in its file.
ms-caro-malware:malware-type="TrojanNotifier"
A type of trojan that sends information about your PC to a malicious hacker. It is similar to a
password stealer
ms-caro-malware:malware-type="TrojanProxy"
A type of trojan that installs a proxy server on your PC. The server can be configured so that when
you use the Internet, any requests you make are sent through a server controlled by a malicious
hacker.
ms-caro-malware:malware-type="TrojanSpy"
A program that collects your personal information, such as your browsing history, and uses it
without adequate consent.
ms-caro-malware:malware-type="VirTool"
A detection that is used mostly for malware components, or tools used for malware-related actions,
such as rootkits.
ms-caro-malware:malware-type="Virus"
A type of malware. Viruses spread on their own by attaching their code to other programs, or
copying themselves across systems and networks.
ms-caro-malware:malware-type="Worm"
A type of malware that spreads to other PCs. Worms may spread using one or more of the following
methods: Email programs, Instant messaging programs, File-sharing programs, Social networking
sites, Network shares, Removable drives with Autorun enabled, Software vulnerabilities
malware-platform
ms-caro-malware:malware-platform="AndroidOS"
ms-caro-malware:malware-platform="DOS"
MS-DOS platform
ms-caro-malware:malware-platform="EPOC"
Psion devices
ms-caro-malware:malware-platform="FreeBSD"
FreeBSD platform
ms-caro-malware:malware-platform="iPhoneOS"
ms-caro-malware:malware-platform="Linux"
Linux platform
ms-caro-malware:malware-platform="MacOS"
ms-caro-malware:malware-platform="MacOS_X"
MacOS X or later
ms-caro-malware:malware-platform="OS2"
OS2 platform
ms-caro-malware:malware-platform="Palm"
ms-caro-malware:malware-platform="Solaris"
ms-caro-malware:malware-platform="SunOS"
ms-caro-malware:malware-platform="SymbOS"
ms-caro-malware:malware-platform="Unix"
ms-caro-malware:malware-platform="Win16"
ms-caro-malware:malware-platform="Win2K"
ms-caro-malware:malware-platform="Win32"
ms-caro-malware:malware-platform="Win64"
ms-caro-malware:malware-platform="Win95"
ms-caro-malware:malware-platform="Win98"
ms-caro-malware:malware-platform="WinCE"
Windows CE platform
ms-caro-malware:malware-platform="WinNT"
WinNT
ms-caro-malware:malware-platform="ABAP"
ms-caro-malware:malware-platform="ALisp"
ALisp scripts
ms-caro-malware:malware-platform="AmiPro"
AmiPro script
ms-caro-malware:malware-platform="ANSI"
ms-caro-malware:malware-platform="AppleScript"
ms-caro-malware:malware-platform="ASP"
ms-caro-malware:malware-platform="AutoIt"
AutoIT scripts
ms-caro-malware:malware-platform="BAS"
Basic scripts
ms-caro-malware:malware-platform="BAT"
Basic scripts
ms-caro-malware:malware-platform="CorelScript"
Corelscript scripts
ms-caro-malware:malware-platform="HTA"
ms-caro-malware:malware-platform="HTML"
ms-caro-malware:malware-platform="INF"
Install scripts
ms-caro-malware:malware-platform="IRC"
mIRC/pIRC scripts
ms-caro-malware:malware-platform="Java"
ms-caro-malware:malware-platform="JS"
Javascript scripts
ms-caro-malware:malware-platform="LOGO"
LOGO scripts
ms-caro-malware:malware-platform="MPB"
MapBasic scripts
ms-caro-malware:malware-platform="MSH"
ms-caro-malware:malware-platform="MSIL"
.NET intermediate language scripts
ms-caro-malware:malware-platform="Perl"
Perl scripts
ms-caro-malware:malware-platform="PHP"
ms-caro-malware:malware-platform="Python"
Python scripts
ms-caro-malware:malware-platform="SAP"
ms-caro-malware:malware-platform="SH"
Shell scripts
ms-caro-malware:malware-platform="VBA"
ms-caro-malware:malware-platform="VBS"
ms-caro-malware:malware-platform="WinBAT"
Winbatch scripts
ms-caro-malware:malware-platform="WinHlp"
ms-caro-malware:malware-platform="WinREG"
ms-caro-malware:malware-platform="A97M"
ms-caro-malware:malware-platform="HE"
macro scripting
ms-caro-malware:malware-platform="O97M"
Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
ms-caro-malware:malware-platform="PP97M"
ms-caro-malware:malware-platform="V5M"
Visio5 macros
ms-caro-malware:malware-platform="W1M"
Word1Macro
ms-caro-malware:malware-platform="W2M"
Word2Macro
ms-caro-malware:malware-platform="W97M"
ms-caro-malware:malware-platform="WM"
Word 95 macros
ms-caro-malware:malware-platform="X97M"
ms-caro-malware:malware-platform="XF"
Excel formulas
ms-caro-malware:malware-platform="XM"
Excel 95 macros
ms-caro-malware:malware-platform="ASX"
ms-caro-malware:malware-platform="HC"
ms-caro-malware:malware-platform="MIME"
MIME packets
ms-caro-malware:malware-platform="Netware"
ms-caro-malware:malware-platform="QT"
Quicktime files
ms-caro-malware:malware-platform="SB"
ms-caro-malware:malware-platform="SWF"
ms-caro-malware:malware-platform="TSQL"
ms-caro-malware:malware-platform="XML"
XML files
ms-caro-malware-full
ms-caro-malware-full namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
Malware Type and Platform classification based on Microsoft’s implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology. Based on https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx, https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx, https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx, and http://www.caro.org/definitions/index.html. Malware families are extracted from Microsoft SIRs since 2008 based on https://www.microsoft.com/security/sir/archive/default.aspx and https://www.microsoft.com/en-us/security/portal/threat/threats.aspx. Note that SIRs do NOT include all Microsoft malware families.
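Microsoft writes its CARO-style detection names as Type:Platform/Family.Variant!Suffix (for example TrojanDownloader:Win32/Zlob.A), which maps directly onto the three predicates of this namespace. The block below is an added example, not code from the MISP project or from Microsoft: it parses such a name and emits the matching ms-caro-malware-full tags, reporting separately any component whose value the taxonomy does not declare. The allowed-value sets are small hand-picked subsets of the lists on this page (a real deployment would load them from the namespace's machinetag.json), and NAME_RE and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

NAMESPACE = "ms-caro-malware-full"

# Subsets of the predicate values listed on this page. A real deployment would
# load the full sets from the namespace's machinetag.json instead of hard-coding them.
MALWARE_TYPES = {"Adware", "Backdoor", "Exploit", "HackTool", "PWS", "Rogue", "Trojan",
                 "TrojanDownloader", "TrojanDropper", "Virus", "Worm"}
MALWARE_PLATFORMS = {"AndroidOS", "JS", "Linux", "MSIL", "O97M", "VBS", "W97M",
                     "Win32", "Win64"}
MALWARE_FAMILIES = {"Cutwail", "FakeXPA", "Gimmiv", "Rustock", "Taterf", "Vundo", "Zlob"}

# Microsoft's CARO-derived detection name: [Type:]Platform/Family[.Variant][!Suffix]
NAME_RE = re.compile(r"""
    ^(?:(?P<type>[A-Za-z]+):)?         # optional type, e.g. TrojanDownloader
    (?P<platform>[A-Za-z0-9_]+)/       # platform, e.g. Win32
    (?P<family>[A-Za-z0-9_]+)          # family, e.g. Zlob
    (?:\.(?P<variant>[A-Za-z0-9]+))?   # optional variant, e.g. A
    (?:!(?P<suffix>[A-Za-z0-9_.]+))?   # optional suffix, e.g. dll
    $""", re.VERBOSE)


def parse_detection_name(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a detection name into its CARO components; None if it does not fit."""
    m = NAME_RE.match(name.strip())
    return m.groupdict() if m else None


def to_machine_tags(name: str) -> Tuple[List[str], List[str]]:
    """Map a detection name to ms-caro-malware-full tags.

    Returns (tags, unmatched): tags for components whose value the taxonomy
    declares, and the would-be tags for components it does not, so the caller
    can decide whether to extend the taxonomy or drop them. Variant and suffix
    have no predicate in this namespace and are never tagged."""
    parts = parse_detection_name(name)
    if parts is None:
        raise ValueError(f"not a CARO-style detection name: {name!r}")
    components = (("malware-type", parts["type"], MALWARE_TYPES),
                  ("malware-platform", parts["platform"], MALWARE_PLATFORMS),
                  ("malware-family", parts["family"], MALWARE_FAMILIES))
    tags: List[str] = []
    unmatched: List[str] = []
    for predicate, value, allowed in components:
        if value is None:  # the name carried no type prefix
            continue
        tag = f'{NAMESPACE}:{predicate}="{value}"'
        (tags if value in allowed else unmatched).append(tag)
    return tags, unmatched


if __name__ == "__main__":
    for n in ("TrojanDownloader:Win32/Zlob.A", "Worm:Win32/Taterf.B!dll", "Win32/Rustock"):
        tags, unmatched = to_machine_tags(n)
        print(n, "->", tags, "unmatched:", unmatched)
```

Keeping the unmatched components visible rather than dropping them is deliberate: a family that is absent from the taxonomy (the description above notes that the SIR-derived family list is incomplete) should surface as a gap to fill, not vanish from the event.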
malware-type
ms-caro-malware-full:malware-type="Adware"
Adware - Software that shows you extra promotions that you cannot control as you use your PC
ms-caro-malware-full:malware-type="Backdoor"
A type of trojan that gives a malicious hacker access to and control of your PC
ms-caro-malware-full:malware-type="Behavior"
A type of detection based on file actions that are often associated with malicious activity
ms-caro-malware-full:malware-type="BroswerModifier"
A program that makes changes to your Internet browser without your permission
ms-caro-malware-full:malware-type="Constructor"
ms-caro-malware-full:malware-type="DDoS"
When a number of PCs are made to access a website, network or server repeatedly within a given
time period. The aim of the attack is to overload the target so that it crashes and can’t respond
ms-caro-malware-full:malware-type="Dialer"
A program that makes unauthorized telephone calls. These calls may be charged at a premium rate
and cost you a lot of money
ms-caro-malware-full:malware-type="DoS"
When a target PC or server is deliberately overloaded so that it doesn’t work for any visitors
anymore
ms-caro-malware-full:malware-type="Exploit"
A piece of code that uses software vulnerabilities to access information on your PC or install
malware
ms-caro-malware-full:malware-type="HackTool"
A type of tool that can be used to allow and maintain unauthorized access to your PC
ms-caro-malware-full:malware-type="Joke"
A program that pretends to do something malicious but doesn’t actually do anything harmful. For
example, some joke programs pretend to delete files or format disks
ms-caro-malware-full:malware-type="Misleading"
The program that makes misleading or fraudulent claims about files, registry entries or other items
on your PC
ms-caro-malware-full:malware-type="MonitoringTool"
A commercial program that monitors what you do on your PC. This can include monitoring what
keys you press; your email or instant messages; your voice or video conversations; and your
banking details and passwords. It can also take screenshots as you use your PC
ms-caro-malware-full:malware-type="Program"
ms-caro-malware-full:malware-type="PUA"
ms-caro-malware-full:malware-type="PWS"
A type of malware that is used to steal your personal information, such as user names and passwords.
It often works along with a keylogger that collects and sends information about what keys you
press and websites you visit to a malicious hacker
ms-caro-malware-full:malware-type="Ransom"
A detection for malicious programs that seize control of the computer on which they are installed.
This trojan usually locks the screen and prevents the user from using the computer. It usually
displays an alert message.
ms-caro-malware-full:malware-type="RemoteAccess"
A program that gives someone access to your PC from a remote location. This type of program is
often installed by the computer owner
ms-caro-malware-full:malware-type="Rogue"
Software that pretends to be an antivirus program but doesn’t actually provide any security. This
type of software usually gives you a lot of alerts about threats on your PC that don’t exist. It also
tries to convince you to pay for its services
ms-caro-malware-full:malware-type="SettingsModifier"
ms-caro-malware-full:malware-type="SoftwareBundler"
A program that installs unwanted software on your PC at the same time as the software you are
trying to install, without adequate consent
ms-caro-malware-full:malware-type="Spammer"
A trojan that sends large numbers of spam emails. It may also describe the person or business
responsible for sending spam
ms-caro-malware-full:malware-type="Spoofer"
A type of trojan that makes fake emails that look like they are from a legitimate source
ms-caro-malware-full:malware-type="Spyware"
A program that collects your personal information, such as your browsing history, and uses it
without adequate consent
ms-caro-malware-full:malware-type="Tool"
A type of software that may have a legitimate purpose, but which may also be abused by malware
authors
ms-caro-malware-full:malware-type="Trojan"
A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a
virus or a worm, a trojan doesn’t spread by itself. Instead, it tries to look innocent to convince you
to download and install it. Once installed, a trojan can steal your personal information,
download more malware, or give a malicious hacker access to your PC
ms-caro-malware-full:malware-type="TrojanClicker"
A type of trojan that can use your PC to click on websites or applications. They are usually used to
make money for a malicious hacker by clicking on online advertisements and making it look like
the website gets more traffic than it does. They can also be used to skew online polls, install
programs on your PC, or make unwanted software appear more popular than it is
ms-caro-malware-full:malware-type="TrojanDownloader"
A type of trojan that installs other malicious files, including malware, onto your PC. It can
download the files from a remote PC or install them directly from a copy that is included in its file.
ms-caro-malware-full:malware-type="TrojanDropper"
A type of trojan that installs other malicious files, including malware, onto your PC. It can
download the files from a remote PC or install them directly from a copy that is included in its file.
ms-caro-malware-full:malware-type="TrojanNotifier"
A type of trojan that sends information about your PC to a malicious hacker. It is similar to a
password stealer
ms-caro-malware-full:malware-type="TrojanProxy"
A type of trojan that installs a proxy server on your PC. The server can be configured so that when
you use the Internet, any requests you make are sent through a server controlled by a malicious
hacker.
ms-caro-malware-full:malware-type="TrojanSpy"
A program that collects your personal information, such as your browsing history, and uses it
without adequate consent.
ms-caro-malware-full:malware-type="VirTool"
A detection that is used mostly for malware components, or tools used for malware-related actions,
such as rootkits.
ms-caro-malware-full:malware-type="Virus"
A type of malware. Viruses spread on their own by attaching their code to other programs, or
copying themselves across systems and networks.
ms-caro-malware-full:malware-type="Worm"
A type of malware that spreads to other PCs. Worms may spread using one or more of the following
methods: Email programs, Instant messaging programs, File-sharing programs, Social networking
sites, Network shares, Removable drives with Autorun enabled, Software vulnerabilities
malware-platform
ms-caro-malware-full:malware-platform="AndroidOS"
ms-caro-malware-full:malware-platform="DOS"
MS-DOS platform
ms-caro-malware-full:malware-platform="EPOC"
Psion devices
ms-caro-malware-full:malware-platform="FreeBSD"
FreeBSD platform
ms-caro-malware-full:malware-platform="iPhoneOS"
ms-caro-malware-full:malware-platform="Linux"
Linux platform
ms-caro-malware-full:malware-platform="MacOS"
ms-caro-malware-full:malware-platform="MacOS_X"
MacOS X or later
ms-caro-malware-full:malware-platform="OS2"
OS2 platform
ms-caro-malware-full:malware-platform="Palm"
ms-caro-malware-full:malware-platform="Solaris"
ms-caro-malware-full:malware-platform="SunOS"
ms-caro-malware-full:malware-platform="SymbOS"
ms-caro-malware-full:malware-platform="Unix"
ms-caro-malware-full:malware-platform="Win16"
ms-caro-malware-full:malware-platform="Win2K"
ms-caro-malware-full:malware-platform="Win32"
ms-caro-malware-full:malware-platform="Win64"
ms-caro-malware-full:malware-platform="Win95"
ms-caro-malware-full:malware-platform="Win98"
ms-caro-malware-full:malware-platform="WinCE"
Windows CE platform
ms-caro-malware-full:malware-platform="WinNT"
WinNT
ms-caro-malware-full:malware-platform="ABAP"
ms-caro-malware-full:malware-platform="ALisp"
ALisp scripts
ms-caro-malware-full:malware-platform="AmiPro"
AmiPro script
ms-caro-malware-full:malware-platform="ANSI"
ms-caro-malware-full:malware-platform="AppleScript"
ms-caro-malware-full:malware-platform="ASP"
ms-caro-malware-full:malware-platform="AutoIt"
AutoIT scripts
ms-caro-malware-full:malware-platform="BAS"
Basic scripts
ms-caro-malware-full:malware-platform="BAT"
Basic scripts
ms-caro-malware-full:malware-platform="CorelScript"
Corelscript scripts
ms-caro-malware-full:malware-platform="HTA"
ms-caro-malware-full:malware-platform="HTML"
ms-caro-malware-full:malware-platform="INF"
Install scripts
ms-caro-malware-full:malware-platform="IRC"
mIRC/pIRC scripts
ms-caro-malware-full:malware-platform="Java"
ms-caro-malware-full:malware-platform="JS"
Javascript scripts
ms-caro-malware-full:malware-platform="LOGO"
LOGO scripts
ms-caro-malware-full:malware-platform="MPB"
MapBasic scripts
ms-caro-malware-full:malware-platform="MSH"
ms-caro-malware-full:malware-platform="MSIL"
.NET intermediate language scripts
ms-caro-malware-full:malware-platform="Perl"
Perl scripts
ms-caro-malware-full:malware-platform="PHP"
ms-caro-malware-full:malware-platform="Python"
Python scripts
ms-caro-malware-full:malware-platform="SAP"
ms-caro-malware-full:malware-platform="SH"
Shell scripts
ms-caro-malware-full:malware-platform="VBA"
ms-caro-malware-full:malware-platform="VBS"
ms-caro-malware-full:malware-platform="WinBAT"
Winbatch scripts
ms-caro-malware-full:malware-platform="WinHlp"
ms-caro-malware-full:malware-platform="WinREG"
ms-caro-malware-full:malware-platform="A97M"
ms-caro-malware-full:malware-platform="HE"
macro scripting
ms-caro-malware-full:malware-platform="O97M"
Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
ms-caro-malware-full:malware-platform="PP97M"
ms-caro-malware-full:malware-platform="V5M"
Visio5 macros
ms-caro-malware-full:malware-platform="W1M"
Word1Macro
ms-caro-malware-full:malware-platform="W2M"
Word2Macro
ms-caro-malware-full:malware-platform="W97M"
ms-caro-malware-full:malware-platform="WM"
Word 95 macros
ms-caro-malware-full:malware-platform="X97M"
ms-caro-malware-full:malware-platform="XF"
Excel formulas
ms-caro-malware-full:malware-platform="XM"
Excel 95 macros
ms-caro-malware-full:malware-platform="ASX"
ms-caro-malware-full:malware-platform="HC"
ms-caro-malware-full:malware-platform="MIME"
MIME packets
ms-caro-malware-full:malware-platform="Netware"
ms-caro-malware-full:malware-platform="QT"
Quicktime files
ms-caro-malware-full:malware-platform="SB"
ms-caro-malware-full:malware-platform="SWF"
ms-caro-malware-full:malware-platform="TSQL"
ms-caro-malware-full:malware-platform="XML"
XML files
malware-family
ms-caro-malware-full:malware-family="Zlob"
2008 - A family of trojans that often pose as downloadable media codecs. When installed,
Win32/Zlob displays frequent pop-up advertisements for rogue security software
ms-caro-malware-full:malware-family="Vundo"
2008 - A multiple-component family of programs that deliver pop-up advertisements and may
download and execute arbitrary files. Vundo is often installed as a browser helper object (BHO)
without a user’s consent
ms-caro-malware-full:malware-family="Virtumonde"
2008 - A multi-component malware family that displays pop-up advertisements for rogue security
software
ms-caro-malware-full:malware-family="Bancos"
2008 - A data-stealing trojan that captures online banking credentials and relays
them to the attacker. Most variants target customers of Brazilian banks.
ms-caro-malware-full:malware-family="Cutwail"
2008 - A trojan that downloads and executes arbitrary files, usually to send spam. Win32/Cutwail
has also been observed to transmit Win32/Newacc
ms-caro-malware-full:malware-family="Oderoor"
2008 - A backdoor trojan that allows an attacker access to and control of the compromised computer.
This trojan may connect with remote web sites and SMTP servers.
ms-caro-malware-full:malware-family="Newacc"
2008 - An attacker tool that automatically registers new e-mail accounts on Hotmail, AOL, Gmail,
Lycos and other account service providers, using a Web service to decode CAPTCHA protection.
ms-caro-malware-full:malware-family="Captiya"
2008 - A trojan that transmits CAPTCHA images to a botnet, in what is believed to be an effort to
improve the botnet’s ability to detect characters and break CAPTCHAs more successfully
ms-caro-malware-full:malware-family="Taterf"
2008 - A family of worms that spread through mapped drives in order to steal login and account
details for popular online games.
ms-caro-malware-full:malware-family="Frethog"
2008 - A large family of password-stealing trojans that target confidential data, such as account
information, from massively multiplayer online games
ms-caro-malware-full:malware-family="Tilcun"
2008 - A family of trojans that steals online game passwords and sends this captured data to remote
sites.
ms-caro-malware-full:malware-family="Ceekat"
2008 - A collection of trojans that steal information such as passwords for online games, usually by
reading information directly from running processes in memory. Different variants target different
processes.
ms-caro-malware-full:malware-family="Corripio"
2008 - A loosely-related family of trojans that attempt to steal passwords for popular online games.
Detections containing the name Win32/Corripio are generic, and hence may be reported for a large
number of different malicious password-stealing trojans that are otherwise behaviorally dissimilar.
ms-caro-malware-full:malware-family="Zuten"
ms-caro-malware-full:malware-family="Lolyda"
2008 - A family of trojans that sends account information from popular online games to a remote
server. They may also download and execute arbitrary files.
ms-caro-malware-full:malware-family="Storark"
2008 - A family of trojans that steals online game passwords and sends this captured data to remote
sites.
ms-caro-malware-full:malware-family="Renos"
ms-caro-malware-full:malware-family="ZangoSearchAssistant"
2008 - Adware that monitors the user’s Web-browsing activity and displays pop-up advertisements
related to the Internet sites the user is viewing.
ms-caro-malware-full:malware-family="ZangoShoppingReports"
2008 - Adware that displays targeted advertising to affected users while they browse the Internet,
based on search terms entered into search engines.
ms-caro-malware-full:malware-family="FakeXPA"
2008 - A rogue security software family that claims to scan for malware and then demands that the
user pay to remove nonexistent threats. Some variants unlawfully use Microsoft logos and
trademarks.
ms-caro-malware-full:malware-family="FakeSecSen"
2008 - A rogue security software family that claims to scan for malware and then demands that the
user pay to remove non-existent threats. It appears to be based on Win32/SpySheriff
ms-caro-malware-full:malware-family="Hotbar"
2008 - Adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of
Web-browsing activity.
ms-caro-malware-full:malware-family="Agent"
2008 - A generic detection for a number of trojans that may perform different malicious functions.
The behaviors exhibited by this family are highly variable
ms-caro-malware-full:malware-family="Wimad"
2008 - A detection for malicious Windows Media files that can be used to encourage users to
download and execute arbitrary files on an affected machine.
ms-caro-malware-full:malware-family="BaiduSobar"
2008 - A Chinese language Web browser toolbar that delivers pop-up and contextual
advertisements, blocks certain other advertisements, and changes the Internet Explorer search
page
ms-caro-malware-full:malware-family="VB"
2008 - A detection for various threats written in the Visual Basic programming language.
ms-caro-malware-full:malware-family="Antivirus2008"
2008 - A program that displays misleading security alerts in order to convince users to purchase
rogue security software. It may be installed by Win32/Renos or manually by a computer user.
ms-caro-malware-full:malware-family="Playmp3z"
2008 - An adware family that may display advertisements in connection with the use of a 'free
music player' from the site 'PlayMP3z.biz.'
ms-caro-malware-full:malware-family="Tibs"
2008 - A family of Trojans that may download and run other malicious software or may steal user
data and send it to the attacker via HTTP POST or email. The Win32/Tibs family frequently
downloads Trojans belonging to the Win32/Harnig and Win32/Passalert families, both of which are
families of Trojan downloaders which may in turn download and run other malicious software
ms-caro-malware-full:malware-family="SeekmoSearchAssistant"
2008 - Adware that displays targeted search results and pop-up advertisements based on terms that
the user enters for Web searches. The pop-up advertisements may include adult content.
ms-caro-malware-full:malware-family="RJump"
2008 - A worm that attempts to spread by copying itself to newly attached media (such as USB
memory devices or network drives). It also contains backdoor functionality that allows an attacker
unauthorized access to an affected computer
ms-caro-malware-full:malware-family="SpywareSecure"
2008 - A program that displays misleading warning messages in order to convince users to
purchase a product that removes spyware.
ms-caro-malware-full:malware-family="Winfixer"
2008 - A program that locates various registry entries, Windows prefetch content, and other types
of data, identifies them as privacy violations, and urges the user to purchase the product to fix
them.
ms-caro-malware-full:malware-family="C2Lop"
2008 - A trojan that modifies Web browser settings, adds Web browser bookmarks to
advertisements, updates itself and delivers pop-up and contextual advertisements.
ms-caro-malware-full:malware-family="Matcash"
2008 - A multicomponent family of trojans that downloads and executes arbitrary files. Some
variants of this family may install a toolbar. It has been observed to use the Win32/Slenfbot worm
as a means of distribution.
ms-caro-malware-full:malware-family="Horst"
2008 - A CAPTCHA breaker, typically delivered through an executable application that masquerades
as an illegal software crack or key generator.
ms-caro-malware-full:malware-family="Slenfbot"
2008 - A family of worms that can spread via instant messaging programs, and may spread via
removable drives. They also contain backdoor functionality that allows unauthorized access to an
affected machine. This worm does not spread automatically upon installation but must be ordered
to spread by a remote attacker.
ms-caro-malware-full:malware-family="Rustock"
ms-caro-malware-full:malware-family="Gimmiv"
2008 - A family of trojans that are sometimes installed by exploits of a vulnerability documented in
Microsoft Security Bulletin MS08-067.
ms-caro-malware-full:malware-family="Yektel"
2008 - A family of trojans that display fake warnings of spyware or malware in an attempt to lure
the user into installing or paying money to register rogue security products such as
Win32/FakeXPA.
ms-caro-malware-full:malware-family="Roron"
2008 - This virus spreads by attaching its code to other files on your PC or network. Some of the
infected programs might no longer run correctly. It attempts to send personal information to a
remote address. It may spread via e-mail, network shares, or peer-to-peer file sharing.
ms-caro-malware-full:malware-family="Swif"
2008 - A trojan that exploits a vulnerability in Adobe Flash Player to download malicious files.
Adobe has published security bulletin APSB08-11 addressing the vulnerability.
ms-caro-malware-full:malware-family="Mult"
2008 - A group of threats, written in JavaScript, that attempt to exploit multiple vulnerabilities on
affected computers in order to download, execute or otherwise run arbitrary code. The malicious
JavaScript may be hosted on compromised or malicious websites, embedded in specially crafted
PDF files, or could be called by other malicious scripts.
ms-caro-malware-full:malware-family="Wukill"
2008 - A family of mass-mailing e-mail and network worms. The Win32/Wukill worm spreads to
root directories on certain local and mapped drives. The worm also spreads by sending a copy of
itself as an attachment to e-mail addresses found on the infected computer.
ms-caro-malware-full:malware-family="Objsnapt"
2008 - A detection for a Javascript file that exploits a known vulnerability in the Microsoft Access
Snapshot Viewer ActiveX Control.
ms-caro-malware-full:malware-family="Redirector"
2008 - The threat is a piece of JavaScript code that is inserted on bad or hacked websites. It can
direct your browser to a website you don’t want to go to. You might see the detection for this threat
if you visit a bad or hacked website, or if you open an email message.
ms-caro-malware-full:malware-family="Xilos"
2008 - A detection for a proof-of-concept JavaScript obfuscation technique, which was originally
published in 2002 in the sixth issue of 29A, an early online magazine for virus creators.
ms-caro-malware-full:malware-family="Decdec"
2008 - A detection for certain malicious JavaScript code injected in HTML pages. The virus will
execute on user computers that visit compromised websites.
ms-caro-malware-full:malware-family="BearShare"
2008 - A P2P file-sharing client that uses the decentralized Gnutella network. Free versions of
BearShare have come bundled with advertising supported and other potentially unwanted
software.
ms-caro-malware-full:malware-family="BitAccelerator"
2008 - A program that redirects Web search results to other Web sites and may display various
advertisements to users while browsing Web sites.
ms-caro-malware-full:malware-family="Blubtool"
2008 - An Internet browser search toolbar that may be installed by other third-party software, such
as a peer-to-peer file sharing application. It may modify Internet Explorer search settings and
display unwanted advertisements.
ms-caro-malware-full:malware-family="RServer"
2008 - Commercial remote administration software that can be used to control a computer. These
programs are typically installed by the computer owner or administrator and should only be
removed if unexpected.
ms-caro-malware-full:malware-family="UltraVNC"
2008 - A remote access program that can be used to control a computer. This program is typically
installed by the computer owner or administrator, and should only be removed if unexpected.
ms-caro-malware-full:malware-family="GhostRadmin"
2008 - A remote administration tool that can be used to control a computer. These programs are
typically installed by the computer owner or administrator and should only be removed if
unexpected.
ms-caro-malware-full:malware-family="TightVNC"
2008 - A remote control program that allows full control of the computer. These programs are
typically installed by the computer owner or administrator and should only be removed if
unexpected.
ms-caro-malware-full:malware-family="DameWareMiniRemoteControl"
2008 - A detection for the DameWare Mini Remote Control tools. This program was detected by
definitions prior to 1.147.1889.0 as it violated the guidelines by which Microsoft identified
unwanted software. Based on analysis using current guidelines, the program does not have
unwanted behaviors. Microsoft has released definition 1.147.1889.0 which no longer detects this
program.
ms-caro-malware-full:malware-family="SeekmoSearchAssistant_Repack"
2008 - A detection that is triggered by modified (that is, edited and re-packed) remote control
programs based on DameWare Mini Remote Control, a commercial software product.
ms-caro-malware-full:malware-family="Nbar"
2008 - A program that may display advertisements and redirect user searches to a certain website.
It may also download malicious or unwanted content into the system without user consent.
ms-caro-malware-full:malware-family="Chir"
2008 - A family with a worm component and a virus component. The worm component spreads by
email and by exploiting a vulnerability addressed by Microsoft Security Bulletin MS01-020. The
virus component may infect .exe, .scr, and HTML files.
ms-caro-malware-full:malware-family="Sality"
2008 - A family of polymorphic file infectors that target executable files with the extensions .scr or
.exe. They may execute a damaging payload that deletes files with certain extensions and
terminates security-related processes and services.
ms-caro-malware-full:malware-family="Obfuscator"
2008 - A detection for programs that use a combination of obfuscation techniques to hinder analysis
or detection by antivirus scanners.
ms-caro-malware-full:malware-family="ByteVerify"
2008 - A detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual
Machine (VM). This flaw enables attackers to execute arbitrary code on a user’s machine such as
writing, downloading and executing additional malware. This vulnerability is addressed by update
MS03-011, released in 2003.
ms-caro-malware-full:malware-family="Autorun"
2008 - A family of worms that spreads by copying itself to the mapped drives of an infected
computer. The mapped drives may include network or removable drives.
ms-caro-malware-full:malware-family="Hamweq"
2008 - A worm that spreads through removable drives, such as USB memory sticks. It may contain
an IRC-based backdoor enabling the computer to be controlled remotely by an attacker.
ms-caro-malware-full:malware-family="Brontok"
2008 - A family of mass-mailing e-mail worms. The worm spreads by sending a copy of itself as an
e-mail attachment to e-mail addresses that it gathers from files on the infected computer. It can also
copy itself to USB and pen drives. Win32/Brontok can disable antivirus and security software,
immediately terminate certain applications, and cause Windows to restart immediately when
certain applications run. The worm may also conduct denial of service (DoS) attacks against certain
Web sites.
ms-caro-malware-full:malware-family="SpywareProtect"
2008 - A rogue security software family that may falsely claim that the user’s computer is infected
and encourages the user to buy a product for cleaning the alleged malware from the computer.
ms-caro-malware-full:malware-family="Cbeplay"
2008 - A trojan that may upload computer operating system details to a remote Web site, download
additional malware, and terminate debugging utilities.
ms-caro-malware-full:malware-family="InternetAntivirus"
2008 - A program that displays false and misleading malware alerts to convince users to purchase
rogue security software. This program also displays a fake Windows Security Center message.
ms-caro-malware-full:malware-family="Nuwar"
2008 - A family of trojan droppers that install a distributed P2P downloader trojan. This
downloader trojan in turn downloads an e-mail worm component.
ms-caro-malware-full:malware-family="Rbot"
2008 - A family of backdoor trojans that allows attackers to control the computer through an IRC
channel.
ms-caro-malware-full:malware-family="IRCbot"
2008 - A large family of backdoor trojans that drops malicious software and connects to IRC servers
via a backdoor to receive commands from attackers.
ms-caro-malware-full:malware-family="SkeemoSearchAssistant"
2008 - A program that displays targeted search results and pop-up advertisements based on terms
that the user enters for Web searches. The pop-up advertisements may include adult content.
ms-caro-malware-full:malware-family="RealVNC"
2008 - A management tool that allows a computer to be controlled remotely. It can be installed for
legitimate purposes, but can also be installed from a remote location by an attacker.
ms-caro-malware-full:malware-family="MoneyTree"
2008 - A family of software that provides the ability to search for adult content on local disk. It may
also install other potentially unwanted software, such as programs that display pop-up ads.
ms-caro-malware-full:malware-family="Tracur"
2008 - A trojan that downloads and executes arbitrary files. It is sometimes distributed by
ASX/Wimad.
ms-caro-malware-full:malware-family="Meredrop"
2008 - This is a generic detection for trojans that install and run malware on your PC. These trojans
have been deliberately created in a complex way to hide their purpose and make them difficult to
analyze.
ms-caro-malware-full:malware-family="Banker"
2008 - A family of data-stealing trojans that captures banking credentials such as account numbers
and passwords from computer users and relays them to the attacker. Most variants target
customers of Brazilian banks; some variants target customers of other banks.
ms-caro-malware-full:malware-family="Ldpinch"
2008 - A family of password-stealing trojans. This trojan gathers private user data such as
passwords from the host computer and sends the data to the attacker at a preset e-mail address.
The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a
web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected
user’s e-mail client.
ms-caro-malware-full:malware-family="Advantage"
2008 - A family of adware that displays pop-up advertisements and contacts a remote server to
download updates.
ms-caro-malware-full:malware-family="Parite"
2008 - A family of polymorphic file infectors that targets computers running Microsoft Windows.
The virus infects .exe and .scr executable files on the local file system and on writeable network
shares. In turn, the infected executable files perform operations that cause other .exe and .scr files
to become infected.
ms-caro-malware-full:malware-family="PossibleHostsFileHijack"
2008 - An indicator that the computer’s HOSTS file may have been modified by malicious or
potentially unwanted software.
ms-caro-malware-full:malware-family="Alureon"
2008 - A data-stealing trojan that gathers confidential information such as user names, passwords,
and credit card data from incoming and outgoing Internet traffic. It may also download malicious
data and modify DNS settings.
ms-caro-malware-full:malware-family="PowerRegScheduler"
2008 - This program was detected by definitions prior to 1.159.567.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors. Microsoft has released definition 1.159.567.0 which no
longer detects this program.
ms-caro-malware-full:malware-family="APSB08-11"
2008 - A trojan that attempts to exploit a vulnerability in Adobe Flash Player. In the wild, this trojan
has been used to download and execute arbitrary files, including other malware.
ms-caro-malware-full:malware-family="ConHook"
2008 - A family of trojans that install themselves as Browser Helper Objects (BHOs) and connect
to the Internet without user consent. They also terminate specific security services and download
additional malware to the computer.
ms-caro-malware-full:malware-family="Starware"
2008 - This program was detected by definitions prior to 1.159.567.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors. Microsoft has released definition 1.159.567.0 which no
longer detects this program.
ms-caro-malware-full:malware-family="WinSpywareProtect"
2008 - A program that may falsely claim that the user’s system is infected and encourages the user
to buy a promoted product for cleaning the alleged malware from the computer.
ms-caro-malware-full:malware-family="MessengerSkinner"
2008 - A program, which may be distributed as a freeware application, that displays
advertisements, downloads additional files, and uses stealth to hide its presence.
ms-caro-malware-full:malware-family="Skintrim"
2008 - A trojan that downloads and executes arbitrary files. It may be distributed as a Microsoft
Office Outlook add-on used to display emoticons or other animated icons within e-mail messages.
ms-caro-malware-full:malware-family="AdRotator"
2008 - Delivers advertisements and, as the name suggests, rotates advertisements among sponsors.
AdRotator contacts remote Web sites in order to deliver updated content. This application also
displays fake error messages that encourage users to download and install additional applications.
ms-caro-malware-full:malware-family="Wintrim"
2008 - A family of trojans that display pop-up advertisements depending on the user’s keywords
and browsing history. Its variants can monitor the user’s activities, download applications, and
send system information back to a remote server.
ms-caro-malware-full:malware-family="Busky"
2008 - A family of Trojans that monitor and redirect Internet traffic, gather system information and
download unwanted software such as Win32/Renos and Win32/SpySheriff. Win32/Busky may be
installed by a Web browser exploit or other vulnerability when visiting a malicious Web site.
ms-caro-malware-full:malware-family="WhenU"
2008 - This program was detected by definitions prior to 1.173.303.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Mobis"
2008 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Sogou"
2008 - Detected by definitions prior to 1.155.995.0 as it violated the guidelines by which Microsoft
identified unwanted software. Based on analysis using current guidelines, the program does not
have unwanted behaviors. Microsoft has released definition 1.155.995.0 which no longer detects
this program.
ms-caro-malware-full:malware-family="Sdbot"
ms-caro-malware-full:malware-family="DelfInject"
2008 - This threat can download and run files on your PC.
ms-caro-malware-full:malware-family="Vapsup"
2008 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="BrowsingEnhancer"
2008 - This program was detected by definitions prior to 1.175.1834.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Jeefo"
2008 - A virus that infects executable files, such as files with a .exe extension. When an infected file
runs, the virus tries to run the original content of the file while it infects other executable files on
your PC. This threat might have got onto your PC if you inserted a removable disk or accessed a
network connection that was infected.
ms-caro-malware-full:malware-family="Sezon"
ms-caro-malware-full:malware-family="RuPass"
2008 - A DLL component which may be utilized by adware or malicious programs in order to
monitor an affected user’s Internet usage and to capture sensitive information. Win32/RuPass has
been distributed as a 420,352 byte DLL file, with the file name 'ConnectionServices.dll'.
ms-caro-malware-full:malware-family="OneStepSearch"
2008 - Modifies the user’s browser to deliver targeted advertisements when the user enters search
keywords. It may also replace or override web browser error pages that would otherwise be
displayed when unresolvable web addresses are entered into the browser’s address bar.
ms-caro-malware-full:malware-family="GameVance"
2008 - Software that displays advertisements and tracks anonymous usage information in exchange
for a free online gaming experience at the Web address 'gamevance.com.'
ms-caro-malware-full:malware-family="E404"
2008 - A browser helper object (BHO) that takes advantage of invalid or mistyped URLs entered in
the address bar by redirecting the browser to Web sites containing adware.
ms-caro-malware-full:malware-family="Mirar"
2008 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Fotomoto"
2008 - A Trojan that lowers security settings, delivers advertisements, and sends system and
network configuration details to a remote Web site.
ms-caro-malware-full:malware-family="Ardamax"
2008 - The tool can capture your activity on your PC (such as the keys you press when typing in
passwords) and might send this information to a hacker.
ms-caro-malware-full:malware-family="Hupigon"
2008 - A family of trojans that uses a dropper to install one or more backdoor files and sometimes
installs a password stealer or other malicious programs.
ms-caro-malware-full:malware-family="CNNIC"
2008 - Enables Chinese keyword searching in Internet Explorer and adds support for other
applications to use Chinese domain names registered with CNNIC. It also contains a kernel driver
that protects its files and registry settings from being modified or deleted.
ms-caro-malware-full:malware-family="MotePro"
2008 - May display advertisement pop-ups, and download programs from predefined Web sites.
When installed, Win32/MotePro runs as a Web Browser Helper Object (BHO).
ms-caro-malware-full:malware-family="CnsMin"
2008 - Installs a browser helper object (BHO) that redirects Internet Explorer searches to a Chinese
search portal. CnsMin may be installed without adequate user consent. It may prevent its files from
being removed or restore files that have been previously removed.
ms-caro-malware-full:malware-family="BaiduIebar"
2008 - A detection for an address line search tool. This program was detected by definitions prior to
1.153.956.0 as it violated the guidelines by which Microsoft identified unwanted software. Based on
analysis using current guidelines, the program does not have unwanted behaviors. Microsoft has
released definition 1.153.956.0 which no longer detects this program.
ms-caro-malware-full:malware-family="Ejik"
2008 - This program was detected by definitions prior to 1.175.1915.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="AlibabaIEToolBar"
2008 - This program was detected by definitions prior to 1.175.1834.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="BDPlugin"
ms-caro-malware-full:malware-family="Adialer"
2008 - A trojan dialer program that connects to a premium number or attempts to connect to adult
websites via particular phone numbers without your permission, and connects to remote hosts
without user consent.
ms-caro-malware-full:malware-family="EGroupSexDial"
2008 - A dialer program that may attempt to dial a premium number, thus possibly resulting in
international phone charges for the user.
ms-caro-malware-full:malware-family="Zonebac"
2008 - A family of backdoor Trojans that allows a remote attacker to download and run arbitrary
programs, and which may upload computer configuration information and other potentially
sensitive data to remote Web sites.
ms-caro-malware-full:malware-family="Antinny"
2008 - A family of worms that targets certain versions of Microsoft Windows. The worm spreads
using a Japanese peer-to-peer file-sharing application named Winny. The worm creates a copy of
itself with a deceptive file name in the Winny upload folder so that it can be downloaded by other
Winny users.
ms-caro-malware-full:malware-family="RewardNetwork"
2008 - A program that monitors an affected user’s Internet usage and reports this usage to a remote
server. Win32/RewardNetwork may be visible as an Internet Explorer toolbar.
ms-caro-malware-full:malware-family="Virut"
2008 - A family of file infecting viruses that target and infect .exe and .scr files accessed on infected
systems. Win32/Virut also opens a backdoor by connecting to an IRC server.
ms-caro-malware-full:malware-family="Allaple"
ms-caro-malware-full:malware-family="VKit_DA"
2008 - This virus spreads by attaching its code to other files on your PC or network. Some of the
infected programs might no longer run correctly.
ms-caro-malware-full:malware-family="Small"
ms-caro-malware-full:malware-family="Netsky"
2008 - A mass-mailing worm that spreads by e-mailing itself to addresses found on an infected
computer. Some variants contain a backdoor component and perform DoS attacks.
ms-caro-malware-full:malware-family="Luder"
2008 - A virus that spreads by infecting executable files, by inserting itself into .RAR archive files,
and by sending a copy of itself as an attachment to e-mail addresses found on the infected
computer. This virus has a date-activated, file damaging payload, and may connect to a remote
server and accept commands from an attacker.
ms-caro-malware-full:malware-family="IframeRef"
2008 - A generic detection for specially formed IFrame tags that point to remote websites that
contain malicious content.
ms-caro-malware-full:malware-family="Lovelorn"
2008 - This threat is classified as a mass-mailing worm. A mass mailing email worm is self-
contained malicious code that propagates by sending itself through e-mail. Typically, a mass
mailing email worm uses its own SMTP engine to send itself, thus copies of the sent worm will not
appear in the infected user’s outgoing or sent email folders. Technical details are currently not
available.
ms-caro-malware-full:malware-family="Cekar"
2008 - This threat downloads and installs other programs, including other malware, onto your PC
without your consent.
ms-caro-malware-full:malware-family="Dialsnif"
2008 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="Conficker"
2008 - A worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067.
Some variants also spread via removable drives and by exploiting weak passwords. It disables
several important system services and security products and downloads arbitrary files.
ms-caro-malware-full:malware-family="LoveLetter"
2009 - A family of mass-mailing worms that targets computers running certain versions of
Windows. It can spread as an e-mail attachment and through an Internet Relay Chat (IRC) channel.
The worm can download, overwrite, delete, infect, and run files on the infected computer.
ms-caro-malware-full:malware-family="VBSWGbased"
2009 - A generic detection for VBScript code that is known to be automatically generated by a
particular malware tool.
ms-caro-malware-full:malware-family="Slammer"
2009 - A memory resident worm that spreads through a vulnerability present in computers running
either MSDE 2000 or SQL Server that have not applied Microsoft Security Bulletin MS02-039.
ms-caro-malware-full:malware-family="Msblast"
2009 - A family of network worms that exploit a vulnerability addressed by security bulletin
MS03-039. The worm may attempt Denial of Service (DoS) attacks on some server sites or create a
backdoor on the infected system.
ms-caro-malware-full:malware-family="Sasser"
2009 - A family of network worms that exploit a vulnerability fixed by security bulletin MS04-011.
The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any
that are found.
ms-caro-malware-full:malware-family="Nimda"
2009 - A family of worms that spread by exploiting a vulnerability addressed by Microsoft Security
Bulletin MS01-020. The worm compromises security by sharing the C drive and creating a Guest
account with administrator permissions.
ms-caro-malware-full:malware-family="Mydoom"
2009 - A family of mass-mailing worms that spread through e-mail. Some variants also spread
through P2P networks. It acts as a backdoor trojan and can sometimes be used to launch DoS
attacks against specific Web sites.
ms-caro-malware-full:malware-family="Bagle"
2009 - A worm that spreads by e-mailing itself to addresses found on an infected computer. Some
variants also spread through peer-to-peer (P2P) networks. Bagle acts as a backdoor trojan and can
be used to distribute other malicious software.
ms-caro-malware-full:malware-family="Winwebsec"
2009 - A family of rogue security software programs that have been distributed with several
different names. The user interface varies to reflect each variant’s individual branding.
ms-caro-malware-full:malware-family="Koobface"
2009 - A multicomponent family of malware used to compromise computers and use them to
perform various malicious tasks. It spreads through the internal messaging systems of popular
social networking sites.
ms-caro-malware-full:malware-family="Pdfjsc"
2009 - A family of specially crafted PDF files that exploits vulnerabilities in Adobe Acrobat and
Adobe Reader. The files contain malicious JavaScript that executes when opened with a vulnerable
program.
ms-caro-malware-full:malware-family="Pointfree"
2009 - A browser modifier that redirects users when invalid Web site addresses or search terms are
entered in the Windows Internet Explorer address bar.
ms-caro-malware-full:malware-family="Chadem"
2009 - A trojan that steals password details from an infected computer by monitoring network
traffic associated with FTP connections.
ms-caro-malware-full:malware-family="FakeIA"
2009 - A rogue security software family that impersonates the Windows Security Center. It may
display product names or logos in an apparently unlawful attempt to impersonate Microsoft
products.
ms-caro-malware-full:malware-family="Waledac"
2009 - A trojan that is used to send spam. It also has the ability to download and execute arbitrary
files, harvest e-mail addresses from the local machine, perform denial-of-service attacks, proxy
network traffic, and sniff passwords.
ms-caro-malware-full:malware-family="Provis"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="Prolaco"
2009 - A family of worms that spreads via email, removable drives, Peer-to-Peer (P2P) and network
shares. This worm may also drop and execute other malware.
ms-caro-malware-full:malware-family="Mywife"
2009 - A mass-mailing network worm that targets certain versions of Microsoft Windows. The
worm spreads through e-mail attachments and writeable network shares. It is designed to corrupt
the content of specific files on the third day of every month.
ms-caro-malware-full:malware-family="Melissa"
2009 - A macro worm that spreads via e-mail and by infecting Word documents and templates. It is
designed to work in Word 97 and Word 2000, and it uses Outlook to reach new targets through
e-mail.
ms-caro-malware-full:malware-family="Rochap"
2009 - A family of multicomponent trojans that download and execute additional malicious files.
While downloading, some variants display a video from the Web site 'youtube.com' presumably to
distract the user.
ms-caro-malware-full:malware-family="Gamania"
2009 - A family of trojans that steals online game passwords and sends them to remote sites.
ms-caro-malware-full:malware-family="Mabezat"
2009 - A polymorphic virus that infects Windows executable files. Apart from spreading through file
infection, it also attempts to spread through e-mail attachments, network shares, removable drives
and by CD-burning. It also contains a date-based payload that encrypts files with particular
extensions.
ms-caro-malware-full:malware-family="Helpud"
2009 - A family of trojans that steals login information for popular online games. The gathered
information is then sent to remote websites.
ms-caro-malware-full:malware-family="PrivacyCenter"
2009 - A family of programs that claims to scan for malware and displays fake warnings of
'malicious programs and viruses'. They then inform the user that they need to pay money to
register the software in order to remove these non-existent threats.
ms-caro-malware-full:malware-family="FakeRean"
2009 - This family of rogue security programs pretends to scan your PC for malware, and often
reports lots of infections. The program will say you have to pay for it before it can fully clean your
PC. However, the program hasn’t really detected any malware at all and isn’t really an antivirus or
antimalware scanner. It just looks like one so you’ll send money to the people who made the
program. Some of these programs use product names or logos that unlawfully impersonate
Microsoft products.
ms-caro-malware-full:malware-family="Bredolab"
2009 - A downloader that can access and execute arbitrary files from a remote host. Bredolab has
been observed to download several other malware families to infected computers.
ms-caro-malware-full:malware-family="Rugzip"
2009 - A trojan that downloads other malware from predefined Web sites. Rugzip may itself be
installed by other malware. Once it has performed its malicious routines, it deletes itself to avoid
detection.
ms-caro-malware-full:malware-family="Fakespypro"
2009 - A rogue security family that falsely claims that the affected computer is infected with
malware and encourages the user to buy a promoted product it claims will clean the computer.
ms-caro-malware-full:malware-family="Buzuz"
2009 - A trojan that downloads malware known as 'SpywareIsolator' a rogue security software
program.
ms-caro-malware-full:malware-family="PoisonIvy"
2009 - A family of backdoor trojans that allow unauthorized access to and control of an affected
machine. Poisonivy attempts to hide by injecting itself into other processes.
ms-caro-malware-full:malware-family="AgentBypass"
2009 - A detection for files that attempt to inject possibly malicious code into the explorer.exe
process.
ms-caro-malware-full:malware-family="Enfal"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="SystemHijack"
2009 - A generic detection that uses advanced heuristics in the Microsoft Antivirus engine to detect
malware that displays particular types of malicious behavior.
ms-caro-malware-full:malware-family="ProcInject"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="Malres"
2009 - A trojan that drops another malware, detected as Virtool:WinNT/Malres.A, into the system.
ms-caro-malware-full:malware-family="Kirpich"
2009 - a trojan that drops malicious code into the system. It also infects two system files; the
infected files are detected as Virus:Win32/Kirpich.A, in the system. This does not constitute virus
behavior for the trojan as it does not infect any other files and therefore does not have any
conventional replication routines. TrojanDropper:Win32/Kirpich.A also disables Data Execution
Protection and steals specific system information.
ms-caro-malware-full:malware-family="Malagent"
ms-caro-malware-full:malware-family="Bumat"
ms-caro-malware-full:malware-family="Bifrose"
2009 - A backdoor trojan that allows a remote attacker to access the compromised computer and
injects its processes into the Windows shell and Internet Explorer.
ms-caro-malware-full:malware-family="Ripinip"
2009 - This threat can give a hacker unauthorized access and control of your PC.
ms-caro-malware-full:malware-family="Riler"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="Farfli"
2009 - A trojan that drops various files detected as malware into a system. It also has backdoor
capabilities that allow it to contact a remote attacker and wait for instructions.
ms-caro-malware-full:malware-family="PcClient"
2009 - A backdoor trojan family with several components including a key logger, backdoor, and a
rootkit.
ms-caro-malware-full:malware-family="Veden"
2009 - A name used for backdoor trojan detections that have been added to Microsoft signatures
after advanced automated analysis.
ms-caro-malware-full:malware-family="Banload"
2009 - A family of trojans that download other malware. Banload usually downloads Win32/Banker,
which steals banking credentials and other sensitive data and sends it back to a remote attacker.
ms-caro-malware-full:malware-family="Microjoin"
2009 - a tool that is used to deploy malware without being detected. It is used to bundle multiple
files, consisting of a clean file and malware files, into a single executable.
ms-caro-malware-full:malware-family="Killav"
2009 - a trojan that terminates a large number of security-related processes, including those for
antivirus, monitoring, or debugging tools, and may install certain exploits for the vulnerability
addressed by Microsoft Security Bulletin MS08-067.
ms-caro-malware-full:malware-family="Cinmus"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="MessengerPlus"
2009 - A non-Microsoft add-on for Microsoft’s Windows Live Messenger, called Messenger Plus!. It
comes with an optional sponsor program installation, detected as Spyware:Win32/C2Lop.
ms-caro-malware-full:malware-family="Haxdoor"
2009 - a backdoor trojan that allows remote control of the machine over the Internet. The trojan is
rootkit-enabled, allowing it to hide processes and files related to the threat. Haxdoor lowers
security settings on the computer and gathers user and system information to send to a third party.
ms-caro-malware-full:malware-family="Nieguide"
2009 - a detection for a DLL file that connects to a Web site and may display advertisements or
download other programs.
ms-caro-malware-full:malware-family="Ithink"
ms-caro-malware-full:malware-family="Pointad"
2009 - This program was detected by definitions prior to 1.175.2145.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Webdir"
2009 - A Web Browser Helper Object (BHO) used to collect user information and display targeted
advertisements using the Internet Explorer browser. Webdir attempts to modify certain visited URLs to
include affiliate IDs.
ms-caro-malware-full:malware-family="Microbillsys"
2009 - a program that processes payments made to a billing Web site. It is considered potentially
unwanted software because it cannot be removed from the Add/Remove Programs list in Control
Panel; rather, a user requires an 'uninstall code' before the program can be removed.
ms-caro-malware-full:malware-family="Kerlofost"
2009 - a browser helper object (BHO) that may modify browsing behavior; redirect searches; report
user statistics, behavior, and searches back to a remote server; and display pop-up advertisements.
ms-caro-malware-full:malware-family="Zwangi"
2009 - A program that runs as a service in the background and modifies Web browser settings to
visit a particular Web site.
ms-caro-malware-full:malware-family="DoubleD"
2009 - an adware program that displays pop-up advertising, runs at each system start and is
installed as an Internet Explorer toolbar.
ms-caro-malware-full:malware-family="ShopAtHome"
2009 - A browser redirector that monitors Web-browsing behavior and online purchases. It claims
to track points for ShopAtHome rebates when the user buys products directly from affiliated
merchant Web sites.
ms-caro-malware-full:malware-family="FakeVimes"
2009 - a downloading component of Win32/FakeVimes - a family of programs that claims to scan for
malware and displays fake warnings of 'malicious programs and viruses'. They then inform the
user that they need to pay money to register the software in order to remove these non-existent
threats.
ms-caro-malware-full:malware-family="FakeCog"
2009 - This threat claims to scan your PC for malware and then shows you fake warnings. They try
to convince you to pay to register the software to remove the non-existent threats.
ms-caro-malware-full:malware-family="FakeAdPro"
2009 - a program that may display false and misleading alerts regarding errors and malware to
entice users to purchase it.
ms-caro-malware-full:malware-family="FakeSmoke"
2009 - a family of trojans consisting of a fake Security Center interface and a fake antivirus
program.
ms-caro-malware-full:malware-family="FakeBye"
2009 - A rogue security software family that uses a Korean-language user interface.
ms-caro-malware-full:malware-family="Hiloti"
2009 - a generic detection for a trojan that interferes with an affected user’s browsing habits and
downloads and executes arbitrary files.
ms-caro-malware-full:malware-family="Tikayb"
2009 - A trojan that attempts to establish a secure network connection to various Web sites without
the user’s consent.
ms-caro-malware-full:malware-family="Ursnif"
2009 - A family of trojans that steals sensitive information from an affected computer.
ms-caro-malware-full:malware-family="Rimecud"
2009 - A family of worms with multiple components that spreads via fixed and removable drives
and via instant messaging. It also contains backdoor functionality that allows unauthorized access
to an affected system.
ms-caro-malware-full:malware-family="Lethic"
2009 - A trojan that connects to remote servers, which may lead to unauthorized access to an
affected system.
ms-caro-malware-full:malware-family="CeeInject"
2009 - This threat has been 'obfuscated', which means it has tried to hide its purpose so your
security software doesn’t detect it. The malware that lies underneath this obfuscation can have
almost any purpose.
ms-caro-malware-full:malware-family="Cmdow"
2009 - a detection for a command-line tool that violated the guidelines by which Microsoft identified
unwanted software.
ms-caro-malware-full:malware-family="Yabector"
2009 - This trojan can use your PC to click on online advertisements without your permission or
knowledge. This can earn money for a malicious hacker by making a website or application appear
more popular than it is.
ms-caro-malware-full:malware-family="Renocide"
2009 - a family of worms that spread via local, removable, and network drives and also using file
sharing applications. They have IRC-based backdoor functionality, which may allow a remote
attacker to execute commands on the affected computer.
ms-caro-malware-full:malware-family="Liften"
2009 - a trojan that is used to stop affected users from downloading security updates. It is
downloaded by Trojan:Win32/FakeXPA.
ms-caro-malware-full:malware-family="ShellCode"
2009 - A generic detection for JavaScript-enabled objects that contain exploit code and may exhibit
suspicious behavior. Malicious websites and malformed PDF documents may contain JavaScript
that attempts to execute code without the affected user’s consent.
ms-caro-malware-full:malware-family="FlyAgent"
2009 - A backdoor trojan program that is capable of performing several actions depending on the
commands of a remote attacker.
ms-caro-malware-full:malware-family="Psyme"
2009 - This threat downloads and installs other programs, including other malware, onto your PC
without your consent.
ms-caro-malware-full:malware-family="Orsam"
2009 - A generic detection for a variety of threats. A name used for trojans that have been added to
MS signatures after advanced automated analysis.
ms-caro-malware-full:malware-family="AgentOff"
2009 - This threat can perform a number of actions of a malicious hacker’s choice on your PC.
ms-caro-malware-full:malware-family="Nuj"
2009 - a worm that copies itself to fixed, removable or network drives. Some variants of this worm
may also terminate antivirus-related processes.
ms-caro-malware-full:malware-family="Sohanad"
2009 - Worms automatically spread to other PCs. They can do this in a number of ways, including by
copying themselves to removable drives, network folders, or spreading through email.
ms-caro-malware-full:malware-family="I2ISolutions"
2009 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Dpoint"
2009 - This program was detected by definitions prior to 1.175.1915.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Silly_P2P"
2009 - Worms automatically spread to other PCs. They can do this in a number of ways, including by
copying themselves to removable drives, network folders, or spreading through email.
ms-caro-malware-full:malware-family="Vobfus"
2009 - This family of worms can download other malware onto your PC, including: Win32/Beebone,
Win32/Fareit, Win32/Zbot. Vobfus worms can be downloaded by other malware or spread via
removable drives, such as USB flash drives.
ms-caro-malware-full:malware-family="Daurso"
2009 - a family of trojans that attempts to steal sensitive information, including passwords and FTP
authentication details from affected computers. This family targets particular FTP applications and
also attempts to steal data from Protected Storage.
ms-caro-malware-full:malware-family="MyDealAssistant"
2009 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Adsubscribe"
2009 - This program was detected by definitions prior to 1.175.1834.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="MyCentria"
2009 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="Fierads"
2009 - This program was detected by definitions prior to 1.175.2037.0 as it violated the guidelines by
which Microsoft identified unwanted software. Based on analysis using current guidelines, the
program does not have unwanted behaviors.
ms-caro-malware-full:malware-family="VBInject"
2009 - This is a generic detection for malicious files that are obfuscated using particular techniques
to prevent their detection or analysis.
ms-caro-malware-full:malware-family="PerfectKeylogger"
2009 - a commercial monitoring program that monitors user activity, such as keystrokes typed.
MonitoringTool:Win32/PerfectKeylogger is available for purchase at the company’s website. It may
also have been installed without user consent by a Trojan or other malware.
ms-caro-malware-full:malware-family="AgoBot"
2010 VOL09 - A backdoor that communicates with a central server using IRC.
ms-caro-malware-full:malware-family="Bubnix"
2010 VOL09 - A generic detection for a kernel-mode driver installed by other malware that hides its
presence on an affected computer by blocking registry and file access to itself. The trojan may
report its installation to a remote server and download and distribute spam email messages and
could download and execute arbitrary files.
ms-caro-malware-full:malware-family="Citeary"
2010 VOL09 - A kernel mode driver installed by Win32/Citeary, a worm that spreads to all available
drives including the local drive, installs device drivers and attempts to download other malware
from a predefined website.
ms-caro-malware-full:malware-family="Fakeinit"
2010 VOL09 - A rogue security software family distributed under the names Internet Security 2010,
Security Essentials 2010, and others.
ms-caro-malware-full:malware-family="Oficla"
ms-caro-malware-full:malware-family="Pasur"
2010 VOL09 - a name used for backdoor trojan detections that have been added to Microsoft
signatures after advanced automated analysis.
ms-caro-malware-full:malware-family="PrettyPark"
2010 VOL09 - A worm that spreads via email attachments. It allows backdoor access and control of
an infected computer.
ms-caro-malware-full:malware-family="Prorat"
2010 VOL09 - A trojan that opens random ports that allow remote access from an attacker to the
affected computer. This backdoor may download and execute other malware from predefined
websites and may terminate several security applications or services.
ms-caro-malware-full:malware-family="Pushbot"
2010 VOL09 - A detection for a family of malware that spreads via MSN Messenger, Yahoo!
Messenger, and AIM when commanded by a remote attacker. It contains backdoor functionality
that allows unauthorized access and control of an affected machine.
ms-caro-malware-full:malware-family="Randex"
2010 VOL09 - A worm that scans randomly generated IP addresses to attempt to spread to network
shares with weak passwords. After the worm infects a computer, it connects to an IRC server to
receive commands from the attacker.
ms-caro-malware-full:malware-family="SDBot"
ms-caro-malware-full:malware-family="Trenk"
2010 VOL09 - a name used for backdoor trojan detections that have been added to Microsoft
signatures after advanced automated analysis.
ms-caro-malware-full:malware-family="Tofsee"
2010 VOL09 - A multi-component family of backdoor trojans that act as a spam and traffic relay.
ms-caro-malware-full:malware-family="Ursap"
2010 VOL09 - a name used for backdoor trojan detections that have been added to Microsoft
signatures after advanced automated analysis.
ms-caro-malware-full:malware-family="Zbot"
2010 VOL09 - A family of password stealing trojans that also contains backdoor functionality
allowing unauthorized access and control of an affected machine.
ms-caro-malware-full:malware-family="Ciucio"
2010 VOL10 - A family of trojans that connect to certain websites in order to download arbitrary
files.
ms-caro-malware-full:malware-family="ClickPotato"
2010 VOL10 - A program that displays popup and notification-style advertisements based on the
user’s browsing habits.
ms-caro-malware-full:malware-family="CVE-2010-0806"
2010 VOL10 - A detection for malicious JavaScript that attempts to exploit the vulnerability
addressed by Microsoft Security Bulletin MS10-018.
ms-caro-malware-full:malware-family="Delf"
2010 VOL10 - A detection for various threats written in the Delphi programming language. The
behaviors displayed by this malware family are highly variable.
ms-caro-malware-full:malware-family="FakePAV"
2010 VOL10 - A rogue security software family that masquerades as Microsoft Security Essentials.
ms-caro-malware-full:malware-family="Keygen"
2010 VOL10 - A generic detection for tools that generate product keys for illegally obtained versions
of various software products.
ms-caro-malware-full:malware-family="Onescan"
2010 VOL10 - A Korean-language rogue security software family distributed under the names One
Scan, Siren114, EnPrivacy, PC Trouble, My Vaccine, and others.
ms-caro-malware-full:malware-family="Pornpop"
2010 VOL10 - A generic detection for specially-crafted JavaScript-enabled objects that attempt to
display pop-under advertisements, usually with adult content.
ms-caro-malware-full:malware-family="Startpage"
2010 VOL10 - A detection for various threats that change the configured start page of the affected
user’s web browser, and may also perform other malicious actions.
ms-caro-malware-full:malware-family="Begseabug"
2011 VOL11 - A trojan that downloads and executes arbitrary files on an affected computer.
ms-caro-malware-full:malware-family="CVE-2010-0840"
2011 VOL11 - A detection for a malicious and obfuscated Java class that exploits a vulnerability
described in CVE-2010-0840. Oracle Corporation addressed the vulnerability with a security update
in March 2010.
ms-caro-malware-full:malware-family="Cycbot"
2011 VOL11 - A backdoor trojan that allows attackers unauthorized access and control of an
affected computer. After a computer is infected, the trojan connects to a specific remote server to
receive commands from attackers.
ms-caro-malware-full:malware-family="DroidDream"
2011 VOL11 - A malicious program that affects mobile devices running the Android operating
system. It may be bundled with clean applications, and is capable of allowing a remote attacker to
gain access to the mobile device.
ms-caro-malware-full:malware-family="FakeMacdef"
2011 VOL11 - A rogue security software family that affects Apple Mac OS X. It has been distributed
under the names MacDefender, MacSecurity, MacProtector, and possibly others.
ms-caro-malware-full:malware-family="GameHack"
2011 VOL11 - Malware that is often bundled with game applications. It commonly displays
unwanted pop-up advertisements and may be installed as a web browser helper object.
ms-caro-malware-full:malware-family="Loic"
2011 VOL11 - An open-source network attack tool designed to perform denial-of-service (DoS)
attacks.
ms-caro-malware-full:malware-family="Lotoor"
2011 VOL11 - A detection for specially crafted Android programs that attempt to exploit
vulnerabilities in the Android operating system to gain root privilege.
ms-caro-malware-full:malware-family="Nuqel"
2011 VOL11 - A worm that spreads via mapped drives and certain instant messaging applications. It
may modify system settings, connect to certain websites, download arbitrary files, or take other
malicious actions.
ms-caro-malware-full:malware-family="OfferBox"
2011 VOL11 - A program that displays offers based on the user’s web browsing habits. Some
versions may display advertisements in a pop-under window. Win32/OfferBox may be installed
without adequate user consent by malware.
ms-caro-malware-full:malware-family="OpenCandy"
2011 VOL11 - An adware program that may be bundled with certain third-party software
installation programs. Some versions may send user-specific information, including a unique
machine code, operating system information, locale, and certain other information to a remote
server without obtaining adequate user consent.
ms-caro-malware-full:malware-family="Pameseg"
2011 VOL11 - A fake program installer that requires the user to send SMS messages to a premium
number to successfully install certain programs.
ms-caro-malware-full:malware-family="Pramro"
2011 VOL11 - A trojan that creates a proxy on the infected computer for email and HTTP traffic, and
is used to send spam email.
ms-caro-malware-full:malware-family="Ramnit"
2011 VOL11 - A family of multi-component malware that infects executable files, Microsoft Office
files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information
such as saved FTP credentials and browser cookies. It may also open a backdoor to await
instructions from a remote attacker.
ms-caro-malware-full:malware-family="Rlsloup"
2011 VOL11 - A family of trojans that are used to send spam email. Rlsloup consists of several
components, including an installation trojan component and a spamming payload component.
ms-caro-malware-full:malware-family="ShopperReports"
2011 VOL11 - Adware that displays targeted advertising to affected users while browsing the
Internet, based on search terms entered into search engines.
ms-caro-malware-full:malware-family="Sinowal"
2011 VOL11 - A family of password-stealing and backdoor trojans. It may try to install a fraudulent
SSL certificate on the computer. Sinowal may also capture user data such as banking credentials
from various user accounts and send the data to Web sites specified by the attacker.
ms-caro-malware-full:malware-family="Stuxnet"
2011 VOL11 - A multi-component family that spreads via removable volumes by exploiting the
vulnerability addressed by Microsoft Security Bulletin MS10-046.
ms-caro-malware-full:malware-family="Swimnag"
2011 VOL11 - A worm that spreads via removable drives and drops a randomly-named DLL in the
Windows system folder.
ms-caro-malware-full:malware-family="Tedroo"
2011 VOL11 - A trojan that sends spam email messages. Some variants may disable certain
Windows services or allow backdoor access by a remote attacker.
ms-caro-malware-full:malware-family="Yimfoca"
2011 VOL11 - A worm family that spreads via common instant messaging applications and social
networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated
configuration data. It also modifies certain system and security settings.
ms-caro-malware-full:malware-family="Bamital"
2011 VOL12 - A family of malware that intercepts web browser traffic and prevents access to
specific security-related websites by modifying the Hosts file. Bamital variants may also modify
specific legitimate Windows files in order to execute their payload.
ms-caro-malware-full:malware-family="Blacole"
2011 VOL12 - An exploit pack, also known as Blackhole, that is installed on a compromised web
server by an attacker and includes a number of exploits that target browser software. If a
vulnerable computer browses a compromised website containing the exploit pack, various
malware may be downloaded and run.
ms-caro-malware-full:malware-family="Bulilit"
2011 VOL12 - A trojan that silently downloads and installs other programs without consent.
Infection could involve the installation of additional malware or malware components to an
affected computer.
ms-caro-malware-full:malware-family="Dorkbot"
2011 VOL12 - A worm that spreads via instant messaging and removable drives. It also contains
backdoor functionality that allows unauthorized access and control of the affected computer.
Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser
exploits.
ms-caro-malware-full:malware-family="EyeStye"
2011 VOL12 - A trojan that attempts to steal sensitive data using a method known as form grabbing,
and sends it to a remote attacker. It may also download and execute arbitrary files and use a rootkit
component to hide its activities.
ms-caro-malware-full:malware-family="FakeSysdef"
2011 VOL12 - A rogue security software family that claims to discover nonexistent hardware defects
related to system memory, hard drives, and overall system performance, and charges a fee to fix
the supposed problems.
ms-caro-malware-full:malware-family="Helompy"
2011 VOL12 - A worm that spreads via removable drives and attempts to capture and steal
authentication details for a number of different websites or online services, including Facebook
and Gmail.
ms-caro-malware-full:malware-family="Malf"
2011 VOL12 - A generic detection for malware that drops additional malicious files.
ms-caro-malware-full:malware-family="Rugo"
2011 VOL12 - A program that installs silently on the user’s computer and displays advertisements.
ms-caro-malware-full:malware-family="Sirefef"
2011 VOL12 - A rogue security software family distributed under the name Antivirus 2010 and
others.
ms-caro-malware-full:malware-family="Sisproc"
2011 VOL12 - A generic detection for a group of trojans that have been observed to perform a
number of various and common malware behaviors.
ms-caro-malware-full:malware-family="Swisyn"
2011 VOL12 - A trojan that drops and executes arbitrary files on an infected computer. The dropped
files may be potentially unwanted or malicious programs.
ms-caro-malware-full:malware-family="BlacoleRef"
2012 VOL13 - An obfuscated script, often found inserted into compromised websites, that uses a
hidden inline frame to redirect the browser to a Blacole exploit server.
ms-caro-malware-full:malware-family="CVE-2012-0507"
2012 VOL13 - A detection for a malicious Java applet that exploits the Java Runtime Environment
(JRE) vulnerability described in CVE-2012-0507, addressed by an Oracle security update in February
2012.
ms-caro-malware-full:malware-family="Flashback"
2012 VOL13 - A trojan that targets Java JRE vulnerability CVE-2012-0507 on Mac OS X to enroll the
infected computer in a botnet.
ms-caro-malware-full:malware-family="Gendows"
2012 VOL13 - A tool that attempts to activate Windows 7 and Windows Vista operating system
installations.
ms-caro-malware-full:malware-family="GingerBreak"
2012 VOL13 - A program that affects mobile devices running the Android operating system. It drops
and executes an exploit that, if run successfully, gains administrator privileges on the device.
ms-caro-malware-full:malware-family="GingerMaster"
2012 VOL13 - A malicious program that affects mobile devices running the Android operating
system. It may be bundled with clean applications, and is capable of allowing a remote attacker to
gain access to the mobile device.
ms-caro-malware-full:malware-family="Mult_JS"
2012 VOL13 - A generic detection for various exploits written in the JavaScript language.
ms-caro-malware-full:malware-family="Patch"
2012 VOL13 - A family of tools intended to modify, or 'patch' programs that may be evaluation
copies, or unregistered versions with limited features for the purpose of removing the limitations.
ms-caro-malware-full:malware-family="Phoex"
2012 VOL13 - A malicious script that exploits the Java Runtime Environment (JRE) vulnerability
discussed in CVE-2010-4452. If run in a computer running a vulnerable version of Java, it
downloads and executes arbitrary files.
ms-caro-malware-full:malware-family="Pluzoks"
2012 VOL13 - A trojan that silently downloads and installs other programs without consent. This
could include the installation of additional malware or malware components.
ms-caro-malware-full:malware-family="Popupper"
2012 VOL13 - A detection for a particular JavaScript script that attempts to display pop-under
advertisements.
ms-caro-malware-full:malware-family="Wizpop"
2012 VOL13 - Adware that may track user search habits and download executable programs
without user consent.
ms-caro-malware-full:malware-family="Wpakill"
2012 VOL13 - A family of tools that attempt to disable or bypass WPA (Windows Product Activation),
WGA (Windows Genuine Advantage) checks, or WAT (Windows Activation Technologies), by
altering Windows operating system files, terminating processes, or stopping services.
ms-caro-malware-full:malware-family="Yeltminky"
2012 VOL13 - A family of worms that spreads by making copies of itself on all available drives and
creating an autorun.inf file to execute that copy.
ms-caro-malware-full:malware-family="Aimesu"
2013 VOL15 - A threat that exploits vulnerabilities in unpatched versions of Java, Adobe Reader, or
Flash Player. It then installs other malware on the computer, including components of the Blackhole
and Cool exploit kits.
ms-caro-malware-full:malware-family="Bdaejec"
2013 VOL15 - A trojan that allows unauthorized access and control of an affected computer, and
that may download and install other programs without consent.
ms-caro-malware-full:malware-family="Bursted"
2013 VOL15 - A virus written in the AutoLISP scripting language used by the AutoCAD computer-aided design program. It infects other AutoLISP files with the extension .lsp.
ms-caro-malware-full:malware-family="Colkit"
2013 VOL15 - A detection for obfuscated, malicious JavaScript code that redirects to or loads files
that may exploit a vulnerable version of Java, Adobe Reader, or Adobe Flash, possibly in an attempt
to load malware onto the computer.
ms-caro-malware-full:malware-family="Coolex"
2013 VOL15 - A detection for scripts from an exploit pack known as the Cool Exploit Kit. These
scripts are often used in ransomware schemes in which an attacker locks a victim’s computer or
encrypts the user’s data and demands money to make it available again.
ms-caro-malware-full:malware-family="CplLnk"
2013 VOL15 - A generic detection for specially crafted malicious shortcut files that attempt to
exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046, CVE-2010-2568.
ms-caro-malware-full:malware-family="CVE-2011-1823"
2013 VOL15 - A detection for specially crafted Android programs that attempt to exploit a
vulnerability in the Android operating system to gain root privilege.
ms-caro-malware-full:malware-family="CVE-2012-1723"
2013 VOL15 - A family of malicious Java applets that attempt to exploit vulnerability CVE-2012-1723
in the Java Runtime Environment (JRE) to download and install files of an attacker’s choice onto the
computer.
ms-caro-malware-full:malware-family="DealPly"
2013 VOL15 - Adware that displays offers related to the user’s web browsing habits. It may be
bundled with certain third-party software installation programs.
ms-caro-malware-full:malware-family="Fareit"
2013 VOL15 - A malware family that has multiple components: a password stealing component that
steals sensitive information and sends it to an attacker, and a DDoS component that could be used
against other computers.
ms-caro-malware-full:malware-family="FastSaveApp"
2013 VOL15 - An adware program that displays offers related to the user’s web browsing habits. It
may use the name 'SaveAs' or 'SaveByClick'.
ms-caro-malware-full:malware-family="FindLyrics"
2013 VOL15 - An adware program that displays ads related to the user’s web browsing habits.
ms-caro-malware-full:malware-family="Gamarue"
2013 VOL15 - A worm that is commonly distributed via exploit kits and social engineering. Variants
have been observed stealing information from the local computer and communicating with
command-and-control (C&C) servers managed by attackers.
ms-caro-malware-full:malware-family="Gisav"
2013 VOL15 - An adware program that displays offers related to the user’s web browsing habits. It
can be downloaded from the program’s website, and can be bundled with some third-party
software installation programs.
ms-caro-malware-full:malware-family="InfoAtoms"
2013 VOL15 - An adware program that displays advertisements related to the user’s web browsing
habits and inserts advertisements into websites.
ms-caro-malware-full:malware-family="Perl/IRCbot.E"
2013 VOL15 - A backdoor trojan that drops other malicious software and connects to IRC servers to
receive commands from attackers.
ms-caro-malware-full:malware-family="Javrobat"
2013 VOL15 - An exploit that tries to check whether certain versions of Adobe Acrobat or Adobe
Reader are installed on the computer. If so, it tries to install malware.
ms-caro-malware-full:malware-family="Kraddare"
ms-caro-malware-full:malware-family="PriceGong"
2013 VOL15 - An adware program that shows certain deals related to the search terms entered on
any web page.
ms-caro-malware-full:malware-family="Protlerdob"
2013 VOL15 - A software installer with a Portuguese language user interface. It presents itself as a
free movie download but bundles with it a number of programs that may charge for services.
ms-caro-malware-full:malware-family="Qhost"
2013 VOL15 - A generic detection for trojans that modify the HOSTS file on the computer to redirect
or limit Internet traffic to certain sites.
ms-caro-malware-full:malware-family="Reveton"
2013 VOL15 - A ransomware family that targets users from certain countries or regions. It locks the
computer and displays a location-specific webpage that covers the desktop and demands that the
user pay a fine for the supposed possession of illicit material.
ms-caro-malware-full:malware-family="Rongvhin"
2013 VOL15 - A family of malware that perpetrates click fraud. It might be delivered to the
computer via hack tools for the game CrossFire.
ms-caro-malware-full:malware-family="Seedabutor"
2013 VOL15 - A JavaScript trojan that attempts to redirect the browser to another website.
ms-caro-malware-full:malware-family="SMSer"
2013 VOL15 - A ransomware trojan that locks an affected user’s computer and requests that the
user send a text message to a premium-charge number to unlock it.
ms-caro-malware-full:malware-family="Tobfy"
2013 VOL15 - A family of ransomware trojans that targets users from certain countries. It locks the
computer and displays a localized message demanding the payment of a fine for the supposed
possession of illicit material. Some variants may also take webcam screenshots, play audio
messages, or affect certain processes or drivers.
ms-caro-malware-full:malware-family="Truado"
2013 VOL15 - A trojan that poses as an update for certain Adobe software.
ms-caro-malware-full:malware-family="Urausy"
2013 VOL15 - A family of ransomware trojans that locks the computer and displays a localized
message, supposedly from police authorities, demanding the payment of a fine for alleged criminal
activity.
ms-caro-malware-full:malware-family="Wecykler"
2013 VOL15 - A family of worms that spread via removable drives, such as USB drives, that may
stop security processes and other processes on the computer, and log keystrokes that are later sent
to a remote attacker.
ms-caro-malware-full:malware-family="Weelsof"
2013 VOL15 - A family of ransomware trojans that targets users from certain countries. It locks the
computer and displays a localized message demanding the payment of a fine for the alleged
possession of illicit material. Some variants may take steps that make it difficult to run or update
virus protection.
ms-caro-malware-full:malware-family="Yakdowpe"
2013 VOL15 - A family of trojans that connect to certain websites to silently download and install
other programs without consent.
ms-caro-malware-full:malware-family="Anogre"
2013 VOL16 - A threat that exploits a vulnerability addressed by Microsoft Security Bulletin MS11-087. This vulnerability can allow a hacker to install programs; view, change, or delete data; or create new accounts with full administrative privileges.
ms-caro-malware-full:malware-family="Brantall"
2013 VOL16 - A family of trojans that download and install other programs, including Win32/Sefnit
and Win32/Rotbrow. Brantall often pretends to be an installer for other, legitimate programs.
ms-caro-malware-full:malware-family="Comame"
ms-caro-malware-full:malware-family="Crilock"
2013 VOL16 - A ransomware family that encrypts the computer’s files and displays a webpage that
demands a fee to unlock them.
ms-caro-malware-full:malware-family="CVE-2011-3874"
2013 VOL16 - A threat that attempts to exploit a vulnerability in the Android operating system to gain access to and control of the device. Java/CVE-2012-1723: A family of malicious Java applets that attempt to exploit vulnerability CVE-2012-1723 in the Java Runtime Environment (JRE) in order to download and install files of an attacker’s choice onto the computer.
ms-caro-malware-full:malware-family="Deminnix"
2013 VOL16 - A trojan that uses the computer for Bitcoin mining and changes the home page of the
web browser. It can accidentally be downloaded along with other files from torrent sites.
ms-caro-malware-full:malware-family="Detplock"
ms-caro-malware-full:malware-family="Dircrypt"
2013 VOL16 - Ransomware that encrypts the user’s files and demands payment to release them. It is
distributed through spam email messages and can be downloaded by other malware.
ms-caro-malware-full:malware-family="DonxRef"
2013 VOL16 - A generic detection for malicious JavaScript objects that construct shellcode. The
scripts may try to exploit vulnerabilities in Java, Adobe Flash Player, and Windows.
ms-caro-malware-full:malware-family="Faceliker"
2013 VOL16 - A malicious script that likes content on Facebook without the user’s knowledge or
consent.
ms-caro-malware-full:malware-family="FakeAlert"
2013 VOL16 - A malicious script that falsely claims that the computer is infected with viruses and
that additional software is needed to disinfect it.
ms-caro-malware-full:malware-family="Jenxcus"
2013 VOL16 - A worm that gives an attacker control of the computer. It is spread by infected
removable drives, like USB flash drives. It can also be downloaded within a torrent file.
ms-caro-malware-full:malware-family="Loktrom"
2013 VOL16 - Ransomware that locks the computer and displays a full-screen message pretending
to be from a national police force, demanding payment to unlock the computer.
ms-caro-malware-full:malware-family="Miposa"
2013 VOL16 - A trojan that downloads and runs malicious Windows Scripting Host (.wsh) files.
ms-caro-malware-full:malware-family="Nitol"
2013 VOL16 - A family of trojans that perform DDoS (distributed denial of service) attacks, allow
backdoor access and control, download and run files, and perform a number of other malicious
activities on the computer.
ms-caro-malware-full:malware-family="Oceanmug"
2013 VOL16 - A trojan that silently downloads and installs other programs without consent.
ms-caro-malware-full:malware-family="Proslikefan"
2013 VOL16 - A worm that spreads through removable drives, network shares, and P2P programs. It
can lower the computer’s security settings and disable antivirus products.
ms-caro-malware-full:malware-family="Rotbrow"
2013 VOL16 - A trojan that installs browser add-ons that claim to offer protection from other add-ons. Rotbrow can change the browser’s home page, and can install the trojan Win32/Sefnit. It is commonly installed by Win32/Brantall.
ms-caro-malware-full:malware-family="Sefnit"
2013 VOL16 - A family of trojans that can allow backdoor access, download files, and use the
computer and Internet connection for click fraud. Some variants can monitor web browsers and
hijack search results.
ms-caro-malware-full:malware-family="Urntone"
2013 VOL16 - A webpage component of the Neutrino exploit kit. It checks the version numbers of
popular applications installed on the computer, and attempts to install malware that targets
vulnerabilities in the software.
ms-caro-malware-full:malware-family="Wysotot"
2013 VOL16 - A threat that can change the start page of the user’s web browser, and may download
and install other files to the computer. It is installed by software bundlers that advertise free
software or games.
ms-caro-malware-full:malware-family="AddLyrics"
2014 VOL17 - A browser add-on that displays lyrics for songs on YouTube, and displays
advertisements in the browser window.
ms-caro-malware-full:malware-family="Adpeak"
2014 VOL17 - Adware that displays extra ads as the user browses the Internet, without revealing
where the ads are coming from. It may be bundled with some third-party software installation
programs.
ms-caro-malware-full:malware-family="Axpergle"
2014 VOL17 - A detection for the Angler exploit kit, which exploits vulnerabilities in recent versions
of Internet Explorer, Silverlight, Adobe Flash Player, and Java to install malware.
ms-caro-malware-full:malware-family="Bepush"
2014 VOL17 - A family of trojans that download and install add-ons for the Firefox and Chrome
browsers that post malicious links to social networking sites, track browser usage, and redirect the
browser to specific websites.
ms-caro-malware-full:malware-family="BetterSurf"
2014 VOL17 - Adware that displays unwanted ads on search engine results pages and other
websites. It may be included with software bundles that offer free applications or games.
ms-caro-malware-full:malware-family="Bladabindi"
2014 VOL17 - A family of backdoors created by a malicious hacker tool called NJ Rat. They can steal
sensitive information, download other malware, and allow backdoor access to an infected
computer.
ms-caro-malware-full:malware-family="Caphaw"
2014 VOL17 - A family of backdoors that spread via Facebook, YouTube, Skype, removable drives,
and drive-by download. They can make Facebook posts via the user’s account, and may steal online
banking details.
ms-caro-malware-full:malware-family="Clikug"
2014 VOL17 - A threat that uses a computer for click fraud. It has been observed using as much as a
gigabyte of bandwidth per hour.
ms-caro-malware-full:malware-family="CVE-2014-0322"
This threat uses the vulnerability MS14-012 (CVE-2014-0322) in Internet Explorer 9 and 10 to download and run files on your PC, including other malware.
ms-caro-malware-full:malware-family="CVE-2013-0422"
2014 VOL17 - A detection for a malicious Java applet that exploits the Java Runtime Environment
(JRE) vulnerability described in CVE-2013-0422, addressed by an Oracle security update in January
2013.
ms-caro-malware-full:malware-family="Dowque"
2014 VOL17 - A generic detection for malicious files that are capable of installing other malware.
ms-caro-malware-full:malware-family="Fashack"
2014 VOL17 - A detection for the Safehack exploit kit, also known as Flashpack. It uses
vulnerabilities in Adobe Flash Player, Java, and Silverlight to install malware on a computer.
ms-caro-malware-full:malware-family="Feven"
2014 VOL17 - A browser add-on for Internet Explorer, Firefox, or Chrome that displays ads on
search engine results pages and other websites, and redirects the browser to specific websites.
ms-caro-malware-full:malware-family="Fiexp"
2014 VOL17 - A detection for the Fiesta exploit kit, which attempts to exploit Java, Adobe Flash
Player, Adobe Reader, Silverlight, and Internet Explorer to install malware.
ms-caro-malware-full:malware-family="Filcout"
2014 VOL17 - An application that offers to locate and download programs to run unknown files. It
has been observed installing variants in the Win32/Sefnit family.
ms-caro-malware-full:malware-family="Genasom"
2014 VOL17 - A ransomware family that locks a computer and demands money to unlock it. It
usually targets Russian-language users, and may open pornographic websites.
ms-caro-malware-full:malware-family="Kegotip"
2014 VOL17 - A password-stealing trojan that can steal email addresses, personal information, or
user account information for certain programs.
ms-caro-malware-full:malware-family="Krypterade"
2014 VOL17 - Ransomware that fraudulently claims a computer has been used for unlawful activity,
locks it, and demands that the user pay to unlock it.
ms-caro-malware-full:malware-family="Lecpetex"
2014 VOL17 - A family of trojans that steal sensitive information, such as user names and
passwords. It can also use a computer for Litecoin mining, install other malware, and post
malicious content via the user’s Facebook account.
ms-caro-malware-full:malware-family="Lollipop"
2014 VOL17 - Adware that may be installed by third-party software bundlers. It displays ads based
on search engine searches, which can differ by geographic location and may be pornographic.
ms-caro-malware-full:malware-family="Meadgive"
2014 VOL17 - A detection for the Redkit exploit kit, also known as Infinity and Goon. It attempts to
exploit vulnerabilities in programs such as Java and Silverlight to install other malware.
ms-caro-malware-full:malware-family="Neclu"
2014 VOL17 - A detection for the Nuclear exploit kit, which attempts to exploit vulnerabilities in
programs such as Java and Adobe Reader to install other malware.
ms-caro-malware-full:malware-family="Ogimant"
2014 VOL17 - A threat that claims to help download items from the Internet, but actually downloads
and runs files that are specified by a remote attacker.
ms-caro-malware-full:malware-family="OptimizerElite"
2014 VOL17 - A misleading program that uses legitimate files in the Prefetch folder to claim that the
computer is damaged, and offers to fix the damage for a price.
ms-caro-malware-full:malware-family="Pangimop"
2014 VOL17 - A detection for the Magnitude exploit kit, also known as Popads. It attempts to exploit
vulnerabilities in programs such as Java and Adobe Flash Player to install other malware.
ms-caro-malware-full:malware-family="Phish"
2014 VOL17 - A password-stealing malicious webpage, known as a phishing page, that disguises
itself as a page from a legitimate website.
ms-caro-malware-full:malware-family="Prast"
ms-caro-malware-full:malware-family="Slugin"
2014 VOL17 - A file infector that infects .exe and .dll files. It may also perform backdoor actions.
ms-caro-malware-full:malware-family="Spacekito"
2014 VOL17 - A threat that steals information about the computer and installs browser add-ons that
display ads.
ms-caro-malware-full:malware-family="Tranikpik"
This threat is a backdoor that can give a hacker unauthorized access and control of your PC.
ms-caro-malware-full:malware-family="Wordinvop"
2014 VOL17 - A detection for a specially-crafted Microsoft Word file that attempts to exploit the
vulnerability CVE-2006-6456, addressed by Microsoft Security Bulletin MS07-014.
ms-caro-malware-full:malware-family="Zegost"
2014 VOL17 - A backdoor that allows an attacker to remotely access and control a computer.
ms-caro-malware-full:malware-family="Archost"
2014 VOL18 - A downloader that installs other programs on the computer without the user’s
consent, including other malware.
ms-caro-malware-full:malware-family="Balamid"
2014 VOL18 - A trojan that can use the computer to click on online advertisements without the
user’s permission or knowledge. This can earn money for a malicious hacker by making a website
or application appear more popular than it is.
ms-caro-malware-full:malware-family="BeeVry"
2014 VOL18 - A trojan that modifies a number of settings to prevent the computer from accessing security-related websites, and lowers the computer’s security.
ms-caro-malware-full:malware-family="Bondat"
2014 VOL18 - A family of threats that collects information about the computer, infects removable
drives, and tries to stop the user from accessing files. It spreads by infecting removable drives, such
as USB thumb drives and flash drives.
ms-caro-malware-full:malware-family="Bregent"
2014 VOL18 - A downloader that injects malicious code into legitimate processes such as
explorer.exe and svchost.exe, and downloads other malware onto the computer.
ms-caro-malware-full:malware-family="Brolo"
2014 VOL18 - A ransomware family that locks the web browser and displays a message, often
pretending to be from a law enforcement agency, demanding money to unlock the browser.
ms-caro-malware-full:malware-family="CostMin"
2014 VOL18 - An adware family that installs itself as a browser extension for Internet Explorer,
Mozilla Firefox, and Google Chrome, and displays advertisements as the user browses the Internet.
ms-caro-malware-full:malware-family="CouponRuc"
2014 VOL18 - A browser modifier that changes browser settings and may also modify some
computer and Internet settings.
ms-caro-malware-full:malware-family="Crastic"
2014 VOL18 - A trojan that sends sensitive information to a remote attacker, such as user names,
passwords and information about the computer. It can also delete System Restore points, making it
harder to recover the computer to a pre-infected state.
ms-caro-malware-full:malware-family="Crowti"
2014 VOL18 - A ransomware family that encrypts files on the computer and demands that the user
pay a fee to decrypt them, using Bitcoins.
ms-caro-malware-full:malware-family="CVE-2013-1488"
2014 VOL18 - A detection for threats that use a Java vulnerability to download and run files on your
PC, including other malware. Oracle addressed the vulnerability with a security update in April
2013.
ms-caro-malware-full:malware-family="DefaultTab"
2014 VOL18 - A browser modifier that redirects web browser searches and prevents the user from
changing browser settings.
ms-caro-malware-full:malware-family="Ippedo"
2014 VOL18 - A worm that can send sensitive information to a malicious hacker. It spreads through
infected removable drives, such as USB flash drives.
ms-caro-malware-full:malware-family="Kilim"
2014 VOL18 - A trojan that hijacks the user’s Facebook, Twitter, or YouTube account to promote
pages. It may post hyperlinks or like pages on Facebook, post comments on YouTube videos, or
follow profiles and send direct messages on Twitter without permission.
ms-caro-malware-full:malware-family="Mofin"
2014 VOL18 - A worm that can steal files from your PC and send them to a malicious hacker. It
spreads via infected removable drives, such as USB flash drives.
ms-caro-malware-full:malware-family="MpTamperSrp"
2014 VOL18 - A generic detection for an attempt to add software restriction policies to restrict
Microsoft antimalware products, such as Microsoft Security Essentials and Windows Defender,
from functioning properly.
ms-caro-malware-full:malware-family="Mujormel"
2014 VOL18 - A password stealer that can steal personal information, such as user names and
passwords, and send the stolen information to a malicious hacker.
ms-caro-malware-full:malware-family="PennyBee"
2014 VOL18 - Adware that shows ads as the user browses the web. It can be installed from the
program’s website or bundled with some third-party software installation programs.
ms-caro-malware-full:malware-family="Phdet"
2014 VOL18 - A family of backdoor trojans that is used to perform distributed denial-of-service (DDoS) attacks against specified targets.
ms-caro-malware-full:malware-family="Rimod"
2014 VOL18 - A generic detection for files that change various security settings in the computer. Win32/Rotbrow: A trojan that installs browser add-ons that claim to offer protection from other add-ons. Rotbrow can change the browser’s home page, and can install the trojan Win32/Sefnit. It is commonly installed by Win32/Brantall.
ms-caro-malware-full:malware-family="Sigru"
2014 VOL18 - A virus that can stop some files from working correctly in Windows XP and earlier
operating systems. It spreads by infecting the master boot record (MBR) on connected hard disks
and floppy disks.
ms-caro-malware-full:malware-family="SimpleShell"
2014 VOL18 - A backdoor that can give a malicious hacker unauthorized access to and control of the
computer.
ms-caro-malware-full:malware-family="Softpulse"
2014 VOL18 - A software bundler that no longer meets Microsoft detection criteria for unwanted
software following a program update in September of 2014.
ms-caro-malware-full:malware-family="SquareNet"
2014 VOL18 - A software bundler that installs other unwanted software, including adware and
click-fraud malware.
ms-caro-malware-full:malware-family="Tugspay"
2014 VOL18 - A downloader that spreads by posing as an installer for legitimate software, such as a
Java update, or through other malware. When installed, it downloads unwanted software to the
computer.
ms-caro-malware-full:malware-family="Tupym"
2014 VOL18 - A worm that copies itself to the system folder of the affected computer, and attempts
to contact remote hosts.
ms-caro-malware-full:malware-family="Vercuser"
2014 VOL18 - A worm that typically spreads via drive-by download. It also receives commands from
a remote server, and has been observed dropping other malware on the infected computer.
ms-caro-malware-full:malware-family="Adnel"
2015 VOL19 - A family of macro malware that can download other threats to the computer,
including TrojanDownloader:Win32/Drixed.
ms-caro-malware-full:malware-family="Adodb"
2015 VOL19 - A generic detection for script trojans that exploit a vulnerability in Microsoft Data
Access Components (MDAC) that allows remote code execution. Microsoft released Security Bulletin
MS06-014 in April 2006 to address the vulnerability.
ms-caro-malware-full:malware-family="AlterbookSP"
2015 VOL19 - A browser add-on that formerly displayed behaviors of unwanted software. Recent
versions of the add-on no longer meet Microsoft detection criteria, and are no longer considered
unwanted software.
ms-caro-malware-full:malware-family="BrobanDel"
2015 VOL19 - A family of trojans that can modify boletos bancários, a common payment method in
Brazil. They can be installed on the computer when a user opens a malicious spam email
attachment.
ms-caro-malware-full:malware-family="CompromisedCert"
2015 VOL19 - A detection for the Superfish VisualDiscovery advertising program that was
preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root
certificate on the computer, which can be used to conduct man-in-the-middle attacks on the
computer.
ms-caro-malware-full:malware-family="CouponRuc_new"
2015 VOL19 - A browser modifier that changes browser settings and may also modify some
computer and Internet settings.
ms-caro-malware-full:malware-family="CVE-2014-6332"
2015 VOL19 - This threat uses a Microsoft vulnerability (MS14-064) to download and run files on your PC, including other malware.
ms-caro-malware-full:malware-family="Dyzap"
2015 VOL19 - A threat that steals login credentials for a long list of banking websites using man-in-the-browser (MITB) attacks. It is usually installed on the infected computer by TrojanDownloader:Win32/Upatre.
ms-caro-malware-full:malware-family="EoRezo"
2015 VOL19 - Adware that displays targeted advertising to affected users while browsing the
Internet, based on downloaded pre-configured information.
ms-caro-malware-full:malware-family="FakeCall"
2015 VOL19 - This threat is a webpage that claims your PC is infected with malware. It asks you to
phone a number to receive technical support to help remove the malware.
ms-caro-malware-full:malware-family="Foosace"
2015 VOL19 - A threat that creates files on the compromised computer and contacts a remote host.
Observed in the STRONTIUM APT.
ms-caro-malware-full:malware-family="IeEnablerCby"
2015 VOL19 - A browser modifier that installs additional browser addons without the user’s
consent. It bypasses the normal prompts or dialogs that ask for consent to install add-ons.
ms-caro-malware-full:malware-family="InstalleRex"
2015 VOL19 - A software bundler that installs unwanted software, including Win32/CouponRuc and
Win32/SaverExtension. It alters its own 'Installed On' date in Programs and Features to make it
more difficult for a user to locate it and remove it.
ms-caro-malware-full:malware-family="JackTheRipper"
2015 VOL19 - A virus that can stop some files from working correctly in Windows XP and earlier
operating systems. It spreads by infecting the master boot record (MBR) on connected hard disks
and floppy disks.
ms-caro-malware-full:malware-family="Kenilfe"
2015 VOL19 - A worm written in AutoCAD Lisp that only runs if AutoCAD is installed on the
computer or network. It renames and deletes certain AutoCAD files, and may download and
execute arbitrary files from a remote host.
ms-caro-malware-full:malware-family="KipodToolsCby"
2015 VOL19 - A browser modifier that installs additional browser addons without the user’s
consent. It bypasses the normal prompts or dialogs that ask for consent to install add-ons.
ms-caro-malware-full:malware-family="Macoute"
2015 VOL19 - A worm that can spread itself to removable USB drives, and may communicate with a
remote host.
ms-caro-malware-full:malware-family="NeutrinoEK"
2015 VOL19 - This threat is a webpage that spreads the exploit kit known as Neutrino.
ms-caro-malware-full:malware-family="Peaac"
2015 VOL19 - A generic detection for various threats that display trojan characteristics.
ms-caro-malware-full:malware-family="Peals"
2015 VOL19 - A generic detection for various threats that display trojan characteristics.
ms-caro-malware-full:malware-family="Radonskra"
2015 VOL19 - A family of threats that perform a variety of malicious acts, including stealing
information about the computer, showing extra advertisements as the user browses the web,
performing click fraud, and downloading other programs without consent.
ms-caro-malware-full:malware-family="SaverExtension"
2015 VOL19 - A browser add-on that shows ads in the browser without revealing their source, and
prevents itself from being removed normally.
ms-caro-malware-full:malware-family="Sdbby"
2015 VOL19 - A threat that exploits a bypass to gain administrative privileges on a machine without
going through a User Access Control prompt.
ms-caro-malware-full:malware-family="Simda"
2015 VOL19 - A threat that can give an attacker backdoor access and control of an infected
computer. It can then steal passwords and gather information about the computer to send to the
attacker.
ms-caro-malware-full:malware-family="Skeeyah"
2015 VOL19 - A generic detection for various threats that display trojan characteristics.
ms-caro-malware-full:malware-family="Wordjmp"
2015 VOL19 - An exploit that targets a vulnerability in Word 2002 and 2003 that could allow an
attacker to remotely execute arbitrary code. Microsoft released Security Bulletin MS06-027 in June
2006 to address the vulnerability.
ms-caro-malware-full:malware-family="Bayads"
2015 VOL20 - A program that displays ads as the user browses the web. It can be bundled with other
software. It may call itself bdraw, delta, dlclient, Pay-ByAds, or pricehorse in Programs and
Features.
ms-caro-malware-full:malware-family="CandyOpen"
2015 VOL20 - This application can also affect the quality of your computing experience. We have seen this leading to the following potentially unwanted behaviors on PCs: adds files that run at startup, modifies boot configuration data, modifies file associations, injects into other processes on your system, changes browser settings, adds a local proxy, modifies your system DNS settings, stops Windows Update, and disables User Access Control (UAC). These applications are most commonly software bundlers or installers for applications such as toolbars, adware, or system optimizers. We have observed this application installing software that you might not have intended on your PC.
ms-caro-malware-full:malware-family="Colisi"
ms-caro-malware-full:malware-family="Creprote"
2015 VOL20 - These programs are most commonly software bundlers or installers for software such
as toolbars, adware, or system optimizers. The software might modify your homepage, your search
provider, or perform other actions that you might not have intended.
ms-caro-malware-full:malware-family="Diplugem"
2015 VOL20 - A browser modifier that installs browser add-ons without obtaining the user’s
consent. The add-ons show extra advertisements as the user browses the web, and can inject
additional ads into web search results pages.
ms-caro-malware-full:malware-family="Dipsind"
2015 VOL20 - A threat that is often used in targeted attacks. It can give an attacker access to the
computer to download and run files, steal domain credentials, and perform other malicious
actions.
ms-caro-malware-full:malware-family="Donoff"
2015 VOL20 - A threat that uses an infected Microsoft Office file to download other malware onto
the computer. It can arrive as a spam email attachment, usually as a Word file (.doc).
ms-caro-malware-full:malware-family="Dorv"
2015 VOL20 - A trojan is a type of malware that can’t spread on its own. It relies on you running it on your PC by mistake, or visiting a hacked or malicious webpage. It can steal your personal information, download more malware, or give a malicious hacker access to your PC.
ms-caro-malware-full:malware-family="Dowadmin"
2015 VOL20 - A software bundler that does not provide the user with the option to decline
installation of unwanted software.
ms-caro-malware-full:malware-family="Fourthrem"
2015 VOL20 - A program that installs unwanted software without adequate consent on the
computer at the same time as the software the user is trying to install.
ms-caro-malware-full:malware-family="Hao123"
2015 VOL20 - This threat is a modified Internet Explorer shortcut that changes your Internet Explorer homepage. It might arrive on your PC through bundlers that offer free software. The threat will run a separate threat-related file that changes the Internet Explorer homepage.
ms-caro-malware-full:malware-family="Mizenota"
2015 VOL20 - This program is a software bundler that installs unwanted software on your PC at the same time as the software you are trying to install. It may install one of the following: BrowserModifier:Win32/SupTab, BrowserModifier:Win32/Sasquor, BrowserModifier:Win32/Smudplu, SoftwareBundler:Win32/Pokavampo, BrowserModifier:Win32/Shopperz, Adware:Win32/EoRezo.
ms-caro-malware-full:malware-family="Mytonel"
2015 VOL20 - A program that downloads and installs other programs onto the computer without the
user’s consent, including other malware.
ms-caro-malware-full:malware-family="OutBrowse"
2015 VOL20 - A software bundler that installs additional unwanted programs alongside software
that the user wishes to install. It can remove or hide the installer’s close button, leaving no way to
decline the additional applications.
ms-caro-malware-full:malware-family="Peapoon"
2015 VOL20 - An adware program that shows users ads that they cannot control as they browse the
web. It may identify itself as Coupon in Programs and Features.
ms-caro-malware-full:malware-family="Pokki"
2015 VOL20 - A browser add-on that formerly displayed behaviors of unwanted software. Recent
versions of the add-on no longer meet Microsoft detection criteria, and are no longer considered
unwanted software.
ms-caro-malware-full:malware-family="Putalol"
2015 VOL20 - An adware program that shows users ads that they cannot control as they browse the
web. It may identify itself as Lolliscan in Programs and Features.
ms-caro-malware-full:malware-family="SpigotSearch"
2015 VOL20 - This application can affect the quality of your computing experience. For example,
some potentially unwanted applications can: Install additional bundled software, Modify your
homepage, Modify your search provider. These applications are most commonly software bundlers
or installers for applications such as toolbars, adware, or system optimizers. We have observed this
application installing software that you might not have intended on your PC.
ms-caro-malware-full:malware-family="Spursint"
2015 VOL20 - This threat has been detected as one of the executable malware files that are
distributed through URLs.
ms-caro-malware-full:malware-family="Sulunch"
2015 VOL20 - A generic detection for a group of trojans that perform a number of common
malware behaviors.
ms-caro-malware-full:malware-family="SupTab"
2015 VOL20 - A browser modifier that installs itself and changes the browser’s default search
provider, without obtaining the user’s consent for either action.
ms-caro-malware-full:malware-family="Sventore"
2015 VOL20 - This trojan can install other malware or unwanted software onto your PC.
ms-caro-malware-full:malware-family="Tillail"
2015 VOL20 - A software bundler that installs unwanted software alongside the software the user is
trying to install. It has been observed to install the browser modifier Win32/SupTab.
ms-caro-malware-full:malware-family="VOPackage"
2015 VOL20 - This application can also affect the quality of your computing experience. We have
seen this leading to the following potentially unwanted behaviors on PCs: Adds files that run at
startup, Installs a driver, Injects into other processes on your system, Injects into browsers, Changes
browser settings, Changes browser shortcuts, Installs browser extensions, Adds a local proxy,
Tampers with root certificate trust, Modifies the system hosts file, Modifies your system DNS
settings, Disables anti-virus products, Tampers with system Group Policy settings. These
applications are most commonly software bundlers or installers for applications such as toolbars,
adware, or system optimizers. We have observed this application installing software that you might
not have intended on your PC.
ms-caro-malware-full:malware-family="Xiazai"
2015 VOL20 - A program that installs unwanted software on the computer at the same time as the
software the user is trying to install, without adequate consent.
nato
nato namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
classification
nato:classification="CTS"
nato:classification="CTS-B"
nato:classification="NS"
NATO SECRET
nato:classification="NC"
NATO CONFIDENTIAL
nato:classification="NR"
NATO RESTRICTED
nato:classification="NU"
NATO UNCLASSIFIED
nato:classification="CTS-A"
nato:classification="NS-A"
SECRET ATOMAL
nato:classification="NC-A"
CONFIDENTIAL ATOMAL
nis
nis namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission
Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The
nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the
incident, i.e. the impact on services, in which sector(s) of economy and society.
impact-sectors-impacted
The impact on services, in the real world, indicating the sectors of the society and economy, where
there is an impact on the services.
nis:impact-sectors-impacted="energy"
Energy
The impact is in the Energy sector and its subsectors such as electricity, oil, or gas, for example,
impacting electricity suppliers, power plants, distribution system operators, transmission system
operators, oil transmission, natural gas distribution, etc.
nis:impact-sectors-impacted="transport"
Transport
The impact is in the transport sector and subsectors such as air, rail, water, road, for example,
impacting air traffic control systems, railway companies, maritime port authorities, road traffic
management systems, etc.
nis:impact-sectors-impacted="banking"
Banking
The impact is in the Banking sector, for example impacting banks, online banking, credit services,
payment services, etc.
nis:impact-sectors-impacted="financial"
Financial
The impact is in the Financial market infrastructure sector, for example, impacting traders, trading
platforms, clearing services, etc.
nis:impact-sectors-impacted="health"
Health
The impact is in the Health sector, for example, impacting hospitals, medical devices, medicine
supply, pharmacies, etc.
nis:impact-sectors-impacted="drinking-water"
Drinking water
The impact is in the Drinking water supply and distribution sector, for example impacting drinking
water supply, drinking water distribution systems, etc.
nis:impact-sectors-impacted="digital-infrastructure"
Digital infrastructure
The impact is in the Digital infrastructure sector, for example impacting internet exchange points,
domain name systems, top level domain registries, etc.
nis:impact-sectors-impacted="communications"
Communications
The impact is in the Electronic communications sector, for example, impacting mobile network
services, fixed telephone lines, satellite communications, etc.
nis:impact-sectors-impacted="digital-services"
Digital services
The impact is in the digital services sector, for example, impacting cloud services, online market
places, online search engines, etc.
nis:impact-sectors-impacted="trust-and-identification-services"
The impact is in the electronic trust and identification services, for example, impacting certificate
authorities, electronic identity systems, smartcards, etc.
nis:impact-sectors-impacted="government"
Government
The impact is in the government sector, for example, impacting the functioning of public
administrations, elections, or emergency services.
impact-severity
The severity of the impact, nationally, in the real world, for society and/or the economy, i.e. the level
of disruption for the country or a large region of the country, the level of risks for health and/or
safety, the level of physical damages and/or financial costs.
Exclusive flag set which means the values or predicate below must be set
exclusively.
nis:impact-severity="red"
Red
nis:impact-severity="yellow"
Yellow
Large impact.
nis:impact-severity="green"
Green
Minor impact.
nis:impact-severity="white"
White
No impact.
impact-outlook
The outlook for the incident, the prognosis, for the coming hours, considering the impact in the real
world, the impact on services, for the society and/or the economy
Exclusive flag set which means the values or predicate below must be set
exclusively.
nis:impact-outlook="improving"
Improving
nis:impact-outlook="stable"
Stable
nis:impact-outlook="worsening"
Worsening
nature-root-cause
The Root cause category is used to indicate what type of event or threat triggered the incident.
Exclusive flag set which means the values or predicate below must be set
exclusively.
nis:nature-root-cause="system-failures"
System failures
The incident is due to a failure of a system, i.e. without external causes. For example a hardware
failure, software bug, a flaw in a procedure, etc. triggered the incident.
nis:nature-root-cause="natural-phenomena"
Natural phenomena
The incident is due to a natural phenomenon. For example a storm, lightning, solar flare, flood,
earthquake, wildfire, etc. triggered the incident.
nis:nature-root-cause="human-errors"
Human errors
The incident is due to a human error, i.e. the system worked correctly but was used wrongly. For
example, a mistake or carelessness triggered the incident.
nis:nature-root-cause="malicious-actions"
Malicious actions
The incident is due to a malicious action. For example, a cyber-attack or physical attack, vandalism,
sabotage, insider attack, theft, etc., triggered the incident.
nis:nature-root-cause="third-party-failures"
The incident is due to a disruption of a third party service, like a utility. For example a power cut, or
an internet outage, etc. triggered the incident.
nature-severity
The severity of the threat is used to indicate, from a technical perspective, the potential impact, the
risk associated with the threat. For example, the severity is high if an upcoming storm is
exceptionally strong, if an observed DDoS attack is exceptionally powerful, or if a software
vulnerability is easily exploited and present in many different systems. For example, in certain
situations a critical software vulnerability would require concerted and urgent work by different
organizations.
Exclusive flag set which means the values or predicate below must be set
exclusively.
nis:nature-severity="high"
High
nis:nature-severity="medium"
Medium
nis:nature-severity="low"
Low
test
A test predicate meant to test interoperability between tools. Tags contained within this predicate
are to be ignored.
nis:test="test"
Test
Test value meant for testing interoperability. Tags with this value are to be ignored.
open_threat
open_threat namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Open Threat Taxonomy v1.1, based on the work of James Tarala of SANS:
http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf,
https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf,
https://www.youtube.com/watch?v=5rdGOOFC_yE, and
https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf
threat-category
open_threat:threat-category="Physical"
Threats to the confidentiality, integrity, or availability of information systems that are physical in
nature. These threats generally describe actions that could lead to the theft, harm, or destruction of
information systems.
open_threat:threat-category="Resource"
Threats to the confidentiality, integrity, or availability of information systems that are the result of a
lack of resources required by the information system. These threats often cause failures of
information systems through a disruption of resources required for operations.
open_threat:threat-category="Personal"
Threats to the confidentiality, integrity, or availability of information systems that are the result of
failures or actions performed by an organization’s personnel. These threats can be the result of
deliberate or accidental actions that cause harm to information systems.
open_threat:threat-category="Technical"
Threats to the confidentiality, integrity, or availability of information systems that are technical in
nature. These threats are most often considered when identifying threats and constitute the
technical actions performed by a threat actor that can cause harm to an information system.
threat-name
open_threat:threat-name="PHY-001"
open_threat:threat-name="PHY-002"
open_threat:threat-name="PHY-003"
open_threat:threat-name="PHY-004"
open_threat:threat-name="PHY-005"
open_threat:threat-name="PHY-006"
open_threat:threat-name="PHY-007"
open_threat:threat-name="PHY-008"
open_threat:threat-name="PHY-009"
open_threat:threat-name="PHY-010"
open_threat:threat-name="PHY-011"
open_threat:threat-name="PHY-012"
open_threat:threat-name="PHY-013"
open_threat:threat-name="PHY-014"
open_threat:threat-name="RES-001"
open_threat:threat-name="RES-002"
open_threat:threat-name="RES-003"
open_threat:threat-name="RES-004"
open_threat:threat-name="RES-005"
open_threat:threat-name="RES-006"
open_threat:threat-name="RES-007"
open_threat:threat-name="RES-008"
open_threat:threat-name="RES-009"
open_threat:threat-name="RES-010"
open_threat:threat-name="RES-011"
open_threat:threat-name="RES-012"
open_threat:threat-name="RES-013"
open_threat:threat-name="PER-001"
open_threat:threat-name="PER-002"
open_threat:threat-name="PER-003"
open_threat:threat-name="PER-004"
open_threat:threat-name="PER-005"
open_threat:threat-name="PER-006"
open_threat:threat-name="PER-007"
open_threat:threat-name="TEC-001"
open_threat:threat-name="TEC-002"
open_threat:threat-name="TEC-003"
open_threat:threat-name="TEC-004"
open_threat:threat-name="TEC-005"
open_threat:threat-name="TEC-006"
open_threat:threat-name="TEC-007"
open_threat:threat-name="TEC-008"
open_threat:threat-name="TEC-009"
open_threat:threat-name="TEC-010"
open_threat:threat-name="TEC-011"
open_threat:threat-name="TEC-012"
open_threat:threat-name="TEC-013"
open_threat:threat-name="TEC-014"
open_threat:threat-name="TEC-015"
open_threat:threat-name="TEC-016"
open_threat:threat-name="TEC-017"
open_threat:threat-name="TEC-018"
open_threat:threat-name="TEC-019"
open_threat:threat-name="TEC-020"
open_threat:threat-name="TEC-021"
open_threat:threat-name="TEC-022"
open_threat:threat-name="TEC-023"
open_threat:threat-name="TEC-024"
open_threat:threat-name="TEC-025"
open_threat:threat-name="TEC-026"
open_threat:threat-name="TEC-027"
open_threat:threat-name="TEC-028"
open_threat:threat-name="TEC-029"
open_threat:threat-name="TEC-030"
open_threat:threat-name="TEC-031"
open_threat:threat-name="TEC-032"
open_threat:threat-name="TEC-033"
open_threat:threat-name="TEC-034"
open_threat:threat-name="TEC-035"
open_threat:threat-name="TEC-036"
open_threat:threat-name="TEC-037"
open_threat:threat-name="TEC-038"
open_threat:threat-name="TEC-039"
open_threat:threat-name="TEC-040"
open_threat:threat-name="TEC-041"
osint
osint namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
source-type
osint:source-type="blog-post"
Blog post
osint:source-type="microblog-post"
osint:source-type="technical-report"
osint:source-type="presentation"
Presentation or slidedeck
osint:source-type="news-report"
News report
osint:source-type="pastie-website"
Pastie-like website
osint:source-type="electronic-forum"
Electronic forum
osint:source-type="mailing-list"
Mailing-list
osint:source-type="block-or-filter-list"
osint:source-type="source-code-repository"
osint:source-type="accessible-evidence"
Infrastructure allowing the gathering of evidence, such as open directories, public web services,
or leftovers on public services
osint:source-type="expansion"
Expansion
osint:source-type="automatic-analysis"
osint:source-type="automatic-collection"
osint:source-type="manual-analysis"
osint:source-type="manual-collection"
Manual collection from crawlers, honeypots, spamtraps, gathering tools or equivalent technologies
osint:source-type="unknown"
Unknown
osint:source-type="other"
lifetime
osint:lifetime="perpetual"
Perpetual
osint:lifetime="ephemeral"
Ephemeral
Information available publicly only in the short term
certainty
osint:certainty="100"
Certainty
osint:certainty="93"
Almost certain
osint:certainty="75"
Probable
osint:certainty="50"
osint:certainty="30"
Probably not
osint:certainty="7"
osint:certainty="0"
Impossibility
passivetotal
passivetotal namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
sinkholed
passivetotal:sinkholed="yes"
Yes
passivetotal:sinkholed="no"
No
ever-compromised
passivetotal:ever-compromised="yes"
Yes
passivetotal:ever-compromised="no"
No
dynamic-dns
passivetotal:dynamic-dns="yes"
Yes
passivetotal:dynamic-dns="no"
No
class
passivetotal:class="malicious"
Malicious
passivetotal:class="suspicious"
Suspicious
passivetotal:class="non-malicious"
Non Malicious
passivetotal:class="unknown"
Unknown
pentest
pentest namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
approach
This group deals with the different types of pentest
pentest:approach="blackbox"
A blackbox penetration test requires no prior information about the target network or application
and is performed as a real-world attacker scenario.
(https://www.evolution-sec.com/en/products/blackbox-penetration-testing)
pentest:approach="greybox"
Gray box testing lies between black and white. Testers will have knowledge of some areas but not
others. These areas are defined at the start of an engagement.
(https://www.intelisecure.com/security-assessments-pen-testing/approaches/)
pentest:approach="whitebox"
White box, or authenticated tests, target the security of your underlying technology with full
knowledge of your IT department. Information typically shared with the tester includes: network
diagrams, IP addresses, system configurations and access credentials.
(https://www.intelisecure.com/security-assessments-pen-testing/approaches/)
pentest:approach="vulnerability_scanning"
pentest:approach="redteam"
A red team is a group that challenges an organization to improve its effectiveness by assuming an
adversarial role or point of view without any predefined scope.
(https://en.wikipedia.org/wiki/Red_team)
scan
Automated tools that perform network checks
pentest:scan="vertical"
pentest:scan="horizontal"
pentest:scan="network_scan"
pentest:scan="vulnerability"
exploit
Exploitation of a vulnerability
pentest:exploit="type confusion"
When a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without
type-checking, it leads to type confusion.
(https://cloudblogs.microsoft.com/microsoftsecure/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/)
pentest:exploit="format_strings"
The format string exploit occurs when the submitted data of an input string leads to arbitrary read
or write in the memory. In this way, the attacker could execute code, read the stack, or cause a
segmentation fault in the running application, causing new behaviors that could compromise the
security or the stability of the system. (https://www.owasp.org/index.php/Format_string_attack)
pentest:exploit="stack_overflow"
In software, a stack overflow is a type of buffer overflow that occurs if the call stack pointer exceeds
the stack bound. (https://en.wikipedia.org/wiki/Stack_overflow)
pentest:exploit="heap_overflow"
A heap overflow is a type of buffer overflow that occurs in the heap data area.
(https://en.wikipedia.org/wiki/Heap_overflow)
pentest:exploit="heap_spraying"
Heap spraying is a technique used in exploits to facilitate arbitrary code execution. In general, code
that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the
memory of a target process by having it allocate (large) blocks on the process’s heap and fill the
bytes in these blocks with the right values. (https://en.wikipedia.org/wiki/Heap_spraying)
pentest:exploit="fuzzing"
Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or
random data as inputs to a computer program. (https://en.wikipedia.org/wiki/Fuzzing)
pentest:exploit="ROP"
The Return-Oriented Programming (ROP) is a computer security exploit technique in which the
attacker uses control of the call stack to indirectly execute cherry-picked machine instructions or
groups of machine instructions immediately prior to the return instruction in subroutines within
the existing program code, in a way similar to the execution of a threaded code interpreter.
(https://en.wikipedia.org/wiki/Return-oriented_programming)
pentest:exploit="null_pointer_dereference"
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to
be valid, but is NULL, typically causing a crash or exit.
(https://cwe.mitre.org/data/definitions/476.html)
post_exploitation
Utilizing post-exploitation techniques will ensure that a penetration tester maintains some level of
access and can potentially lead to deeper footholds into the target’s trusted infrastructure.
(https://www.offensive-security.com/metasploit-unleashed/msf-post-exploitation/)
pentest:post_exploitation="privilege_escalation"
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user. (https://en.wikipedia.org/wiki/Privilege_escalation)
pentest:post_exploitation="pivoting"
Pivoting refers to a method used by penetration testers that uses the compromised system to attack
other systems on the same network to avoid restrictions such as firewall configurations, which may
prohibit direct access to all machines.
(https://en.wikipedia.org/wiki/Exploit_(computer_security)#Pivoting)
pentest:post_exploitation="password_cracking"
Password cracking is the process of recovering passwords from data that have been stored in or
transmitted by a computer system. (https://en.wikipedia.org/wiki/Password_cracking)
pentest:post_exploitation="persistence"
Persistence is when a penetration tester leaves a way to keep access to a machine or a domain even
if the system is rebooted.
pentest:post_exploitation="data_exfiltration"
After an exploitation of a machine, a penetration tester will try to exfiltrate sensitive data.
web
This group deals with web vulnerabilities
pentest:web="injection"
Code injection is the exploitation of a computer bug that is caused by processing invalid data.
Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program
and change the course of execution. (https://en.wikipedia.org/wiki/Code_injection)
pentest:web="SQLi"
pentest:web="NoSQLi"
pentest:web="XML injection"
XML Injection is an attack technique used to manipulate or compromise the logic of an XML
application or service. The injection of unintended XML content and/or structures into an XML
message can alter the intended logic of the application. Further, XML injection can cause the
insertion of malicious content into the resulting message/document.
(http://projects.webappsec.org/w/page/13247004/XML%20Injection)
pentest:web="CSRF"
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions
on a web application in which they’re currently authenticated. CSRF attacks specifically target
state-changing requests, not theft of data, since the attacker has no way to see the response to the
forged request. (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
pentest:web="SSRF"
Server Side Request Forgery (SSRF) refers to an attack wherein an attacker is able to send a crafted
request from a vulnerable web application. SSRF is usually used to target internal systems behind
firewalls that are normally inaccessible to an attacker from the external network.
(https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
pentest:web="XSS"
Cross-site scripting (XSS) is a security breach that takes advantage of dynamically generated Web
pages. In an XSS attack, a Web application is sent with a script that activates when it is read by an
unsuspecting user’s browser or by an application that has not protected itself against cross-site
scripting. (https://www.webopedia.com/TERM/X/XSS.html)
pentest:web="file_inclusion"
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic
file inclusion" mechanism implemented in the target application. The vulnerability occurs due to
the use of user-supplied input without proper validation.
(https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
pentest:web="web_tree_discovery"
Web tree discovery is a brute-force enumeration of directory and file names on a web/application server
pentest:web="bruteforce"
A brute-force attack consists of an attacker trying many passwords or passphrases with the hope of
eventually guessing correctly. (https://en.wikipedia.org/wiki/Brute-force_attack)
pentest:web="fuzzing"
Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or
random data as inputs to a computer program. (https://en.wikipedia.org/wiki/Fuzzing)
network
This group deals with network vulnerabilities
pentest:network="sniffing"
Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network
packet on a TCP/IP network.
(http://www.valencynetworks.com/articles/cyber-security-attacks-network-sniffing.html)
pentest:network="spoofing"
pentest:network="man_in_the_middle"
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly
alters the communication between two parties who believe they are directly communicating with
each other. (https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
pentest:network="network_discovery"
social_engineering
Social engineering is an attack vector that relies heavily on human interaction and often involves
tricking people into breaking normal security procedures.
(https://krashconsulting.com/index.php/services/sea/)
pentest:social_engineering="phishing"
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit
card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an
electronic communication. (https://en.wikipedia.org/wiki/Phishing)
pentest:social_engineering="malware"
Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of
harmful or intrusive software, including computer viruses, worms, Trojan horses, ransomware,
spyware, adware, scareware, and other malicious programs.
(https://en.wikipedia.org/wiki/Malware)
vulnerability
This group deals with the classification of weaknesses and vulnerabilities
pentest:vulnerability="CWE"
Targeted to developers and security practitioners, the Common Weakness Enumeration (CWE) is a
formal list of software weakness types. (https://cwe.mitre.org/about/)
pentest:vulnerability="CVE"
Common Vulnerabilities and Exposures (CVE) is a dictionary-type list of standardized names for
vulnerabilities and other information related to security exposures.
(https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
priority-level
priority-level namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with
NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This
priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting
requirements, and recommendations for leadership escalation. Generally, incident priority
distribution should follow a similar pattern to the graph below. Based on
https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.
Exclusive flag set which means the values or predicate below must be set
exclusively.
emergency
An Emergency priority incident poses an imminent threat to the provision of wide-scale critical
infrastructure services, national government stability, or the lives of U.S. persons.
priority-level:emergency
Emergency
An Emergency priority incident poses an imminent threat to the provision of wide-scale critical
infrastructure services, national government stability, or the lives of U.S. persons.
100
severe
A Severe priority incident is likely to result in a significant impact to public health or safety,
national security, economic security, foreign relations, or civil liberties.
priority-level:severe
Severe
A Severe priority incident is likely to result in a significant impact to public health or safety,
national security, economic security, foreign relations, or civil liberties.
90
high
A High priority incident is likely to result in a demonstrable impact to public health or safety,
national security, economic security, foreign relations, civil liberties, or public confidence.
priority-level:high
High
A High priority incident is likely to result in a demonstrable impact to public health or safety,
national security, economic security, foreign relations, civil liberties, or public confidence.
85
medium
A Medium priority incident may affect public health or safety, national security, economic security,
foreign relations, civil liberties, or public confidence.
priority-level:medium
Medium
A Medium priority incident may affect public health or safety, national security, economic security,
foreign relations, civil liberties, or public confidence.
75
low
A Low priority incident is unlikely to affect public health or safety, national security, economic
security, foreign relations, civil liberties, or public confidence.
priority-level:low
Low
A Low priority incident is unlikely to affect public health or safety, national security, economic
security, foreign relations, civil liberties, or public confidence.
50
baseline-minor
A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or
safety, national security, economic security, foreign relations, civil liberties, or public confidence.
The potential for impact, however, exists and warrants additional scrutiny.
priority-level:baseline-minor
Baseline - Minor
A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or
safety, national security, economic security, foreign relations, civil liberties, or public confidence.
The potential for impact, however, exists and warrants additional scrutiny.
25
baseline-negligible
A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health
or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
priority-level:baseline-negligible
Baseline - Negligible
A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health
or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
ransomware
ransomware namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Ransomware is used to define ransomware types and the elements that compose them.
type
Type is used to describe the type of a ransomware and how it works.
ransomware:type="scareware"
Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the
perception of a threat in order to manipulate users into buying unwanted software.
ransomware:type="locker-ransomware"
Locker ransomware, also called screen locker, denies access to the browser, computer or device.
ransomware:type="crypto-ransomware"
Crypto ransomware, also called data locker or cryptoware, prevents access to files or data. Crypto
ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but
the vast majority of it does.
element
Elements that compose or are linked to a ransomware and its execution.
ransomware:element="ransomnote"
A ransomnote is the message left by the attacker to threaten their victim and ask for a ransom. It is
usually seen as a text or HTML file, or a picture set as background.
ransomware:element="ransomware-appended-extension"
ransomware:element="ransomware-encrypted-extensions"
This is the list of extensions that will be encrypted by the ransomware. Be careful to keep the order.
ransomware:element="ransomware-excluded-extensions"
This is the list of extensions that will not be encrypted by the ransomware. Be careful to keep the
order.
ransomware:element="dropper"
A dropper is a means of getting malware into a machine while bypassing the security checks, often
by containing the malware inside of itself.
ransomware:element="downloader"
A downloader is a means of getting malware into a machine while bypassing the security checks, by
downloading it instead of containing it.
complexity-level
Level of complexity of the ransomware.
ransomware:complexity-level="no-actual-encryption-scareware"
ransomware:complexity-level="display-ransomnote-before-encrypting"
Displaying the ransom note before the encryption process commences. As seen in the case of
Nemucod, some ransomware will display a ransom note before file encryption. This is a serious
operational flaw in the ransomware. The victim or their antivirus solution could effectively take
prompt evasive action to prevent ransomware from commencing encryption.
ransomware:complexity-level="decryption-essentials-extracted-from-binary"
Decryption essentials can be reverse engineered from ransomware code or the user’s system. For
example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware
analysts to extract the key by reverse engineering the ransomware binary.
ransomware:complexity-level="derived-encryption-key-predicted "
Another possibility of reverse engineering the key is demonstrated in the case of Linux.Encoder, a
type of ransomware where a timestamp on the system was used to create keys for encryption
resulting in easy decryption provided that the timestamp is still accessible.
ransomware:complexity-level="same-key used-for-each-infection"
Ransomware uses the same key for every victim. If the same key is used to encrypt all victims
during a campaign, then one victim can share the secret key with others.
ransomware:complexity-level="encryption-circumvented"
Decryption possible without key - files can be decrypted without the need for a key due to poor
choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an
RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known
plaintext attacks and known ciphertext attacks due to key reuse and hence this is a poor
implementation of an encryption algorithm.
ransomware:complexity-level="file-restoration-possible-using-shadow-volume-copies"
Files can be restored using Shadow Volume Copies (“Previous Versions”) on the New Technology
File System (NTFS) that the ransomware neglected to delete.
ransomware:complexity-level="file-restoration-possible-using-backups"
Files can be restored using a System State backup, System Image backup or other means of backup
mechanisms (such as third-party backup software) that will render the ransomware’s extortion
attempt unsuccessful.
ransomware:complexity-level="key-recovered-from-file-system-or-memory"
Decryption key can be retrieved from the host machine’s file structure or memory by an average
user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely
delete keys from the host machine. The user can examine the right file or folder to discover the
decryption key.
ransomware:complexity-level="due-diligence-prevented-ransomware-from-acquiring-key"
User can prevent ransomware from acquiring the encryption key. Ransomware belongs in this
category if its encryption procedure can be interrupted or blocked by due diligence on part of the
user. For example, CryptoLocker discussed above cannot commence operation until it receives a
key from the C&C server. A host or border firewall can block a list of known C&C servers hence
rendering ransomware ineffective.
ransomware:complexity-level="click-and-run-decryptor-exists"
Easy “click-and-run” solutions, such as a decryptor, have been created by the security community
such that a user can simply run the program to decrypt all files.
ransomware:complexity-level="kill-switch-exists-outside-of-attacker-s-control"
There exists a kill switch outside of an attacker’s control that renders the cryptoviral infection
ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a
domain name. The ransomware reached out to this domain before commencing encryption and if
the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s
control as anyone could register it and neutralize the ransomware outbreak.
ransomware:complexity-level="decryption-key-recovered-from-a-C&C-server-or-network-communications"
Key can be retrieved from a central location such as a C&C server on a compromised host or
gleaned with some difficulty from communication between ransomware on the host and the C&C
server. For instance, in the case of CryptoLocker, authorities were able to seize a network of
compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around
500,000 victims.
ransomware:complexity-level="custom-encryption-algorithm-used"
Ransomware uses custom encryption techniques and violates the fundamental rule of
cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one
cannot break themselves, however it will likely not withstand the scrutiny of professional
cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a
solution to decrypt files without paying the ransom. An example of this is an early variant of the
GPCode ransomware that emerged in 2005 with weak custom encryption.
ransomware:complexity-level="decryption-key-recovered-under-specialized-lab-setting"
Key can only be retrieved under rare, specialized laboratory settings. For example, in the case of
WannaCry, a vulnerability in a cryptographic API on an unpatched Windows XP system allowed
users to acquire from RAM the prime numbers used to compute private keys and hence retrieve the
decryption key. However, the victim had to have been running a specific version of Windows XP
and be fortunate enough that the related address space in memory has not been reallocated to
another process. In another example, it is theoretically possible to reverse WannaCry encryption by
exploiting a flaw in the pseudo-random-number-generator (PRNG) in an unpatched Windows XP
system that reveals keys generated in the past. Naturally, these specialized conditions are not true
for most victims.
ransomware:complexity-level="small-subset-of-files-left-unencrypted"
A small subset of files left unencrypted by the ransomware for any number of reasons. Certain
ransomware are known to only encrypt a file if its size exceeds a predetermined value. In addition,
ransomware might decrypt a few files for free to prove decryption is possible. In such cases, a small
number of victims may be lucky enough to only need these unencrypted files and can tolerate loss
of the rest.
ransomware:complexity-level="encryption-model-is-seemingly-flawless"
Encryption model is resistant to cryptographic attacks and has been implemented seemingly
flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no
proven way yet to decrypt the files without paying the ransom.
purpose
Purpose of the ransomware.
ransomware:purpose="deployed-as-ransomware-extortion"
This has been the traditional approach - ransomware is installed on the victim’s machine, and its
only purpose is to create income for the cybercriminal(s). In fact, ransomware is simple extortion,
but via digital means.
ransomware:purpose="deployed-to-showcase-skills-for-fun-or-for-testing-purposes"
Some cybercriminals like to show off, and as such create the side-business of ransomware, or, more
particularly to showcase their coding skills. Another example may be to send ransomware 'as a
joke' or for fun to your friends, and giving them a bad time. Some cybercriminals may be testing the
waters by deploying ransomware in an organisation, to stress-test the defenses, or to test their own
programming skills, or the lack thereof.
ransomware:purpose="deployed-as-smokescreen"
A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever
the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything
else, in theory, everything is a possible scenario… except for the ransomware itself.
ransomware:purpose="deployed-to-cause-frustration"
Another possible angle that goes hand in hand with the classic extortion scheme - deploying
ransomware with intent of frustrating the victim. Basically, cyber bullying. While there may be a
request for a monetary amount, it is not the purpose.
ransomware:purpose="deployed-out-of-frustration"
Sometimes, an attacker may gain initial access to a server or other machine, but subsequent
attempts to, for example, exfiltrate data or attack other machines are unsuccessful. This may be due
to a number of things, but often it is because the access was discovered and quickly patched. On the
other hand, it may have not been discovered yet, but the attacker is sitting with the same problem:
the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim,
the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving
ransomware as a 'present' before leaving the company.
ransomware:purpose="deployed-as-a-cover-up"
This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is
already compromised, or has a running investigation. The company or organisation deploying
ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.
Another possibility is, in order to cover up a much larger compromise, ransomware is installed, and
everything is formatted to hide what actually happened. Again, there is also the possibility of a
disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'.
ransomware:purpose="deployed-as-a-penetration-test-or-user-awareness-training"
Ransomware is very effective in the sense that most people know what its purpose is, and the
dangers it may cause. As such, it is an excellent tool that can be used for demonstration purposes,
such as a user awareness training. Another possibility is an external pentest, with same purpose.
ransomware:purpose="deployed-as-a-means-of-disruption-destruction"
Last but not least - while ransomware can have several purposes, it can also serve a particularly
nasty goal: destroy a company or organisation, or at least take them offline for several days, or even
weeks. Again, there are some possibilities, but this may be a rivalry company in a similar business,
again a disgruntled employee, or to disrupt large organisations on a worldwide scale.
retention
retention namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
Add a retention time to events to automatically remove the IDS flag on ip-dst or ip-src attributes.
The time elapsed is calculated from the date of the event. Supported time units are: d(ays),
w(eeks), m(onths), y(ears). The numerical_value is only used for sorting in the web interface and is
not used for calculations.
expired
retention:expired
1d
retention:1d
1 day
2d
retention:2d
2 days
7d
retention:7d
7 days
numerical_value: 7
2w
retention:2w
2 weeks
numerical_value: 14
1m
retention:1m
1 month
numerical_value: 30
2m
retention:2m
2 months
numerical_value: 60
3m
retention:3m
3 months
numerical_value: 90
6m
retention:6m
6 months
numerical_value: 180
1y
retention:1y
1 year
numerical_value: 365
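To show how a retention tag is applied in practice, here is an added Python example (not MISP's own code) that parses retention:<n><unit> tags with the units listed above, measures elapsed time from the event date, and clears to_ids on ip-src/ip-dst attributes once the period has elapsed. It assumes a month is 30 days and a year 365 days (matching the numerical_value column), that the shortest retention tag wins when several are present, and uses a constructed sample event.

```python
import re
from datetime import date, timedelta

# Day lengths per unit. Month and year are approximated as 30 and 365 days,
# an assumption made here that matches the taxonomy's numerical_value column.
UNIT_DAYS = {"d": 1, "w": 7, "m": 30, "y": 365}

# Matches retention:<n><unit> (e.g. retention:2w) or retention:expired.
TAG_RE = re.compile(
    r"^retention:(?:(?P<n>\d+)(?P<unit>[dwmy])|(?P<expired>expired))$"
)

# Attribute types whose IDS flag the retention taxonomy acts on.
RETENTION_TYPES = {"ip-src", "ip-dst"}


def parse_retention_tag(tag):
    """Return the retention period in days, 0 for retention:expired,
    or None when the tag is not a well-formed retention tag."""
    m = TAG_RE.match(tag)
    if m is None:
        return None
    if m.group("expired"):
        return 0
    return int(m.group("n")) * UNIT_DAYS[m.group("unit")]


def event_retention_days(event):
    """Shortest retention period among the event's tags (assumption: when
    several retention tags are present the shortest one wins), else None."""
    periods = [parse_retention_tag(t["name"]) for t in event.get("Tag", [])]
    periods = [p for p in periods if p is not None]
    return min(periods) if periods else None


def retention_elapsed(event, today):
    """True when the event's retention period has elapsed, measured from the
    event date as the taxonomy describes. `today` may be a date or ISO string."""
    days = event_retention_days(event)
    if days is None:
        return False
    if isinstance(today, str):
        today = date.fromisoformat(today)
    event_date = date.fromisoformat(event["date"])
    return today - event_date >= timedelta(days=days)


def apply_retention(event, today):
    """Clear to_ids on ip-src/ip-dst attributes of an event whose retention
    period has elapsed. Returns the values of the attributes that were changed;
    attributes of other types (e.g. domain) are left untouched."""
    if not retention_elapsed(event, today):
        return []
    cleared = []
    for attr in event.get("Attribute", []):
        if attr["type"] in RETENTION_TYPES and attr.get("to_ids"):
            attr["to_ids"] = False
            cleared.append(attr["value"])
    return cleared


def sample_event():
    """A constructed MISP-style event (not real data) for demonstration."""
    return {
        "date": "2024-01-01",
        "Tag": [{"name": "tlp:green"}, {"name": "retention:2w"}],
        "Attribute": [
            {"type": "ip-src", "value": "203.0.113.10", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
            {"type": "domain", "value": "example.invalid", "to_ids": True},
        ],
    }


if __name__ == "__main__":
    ev = sample_event()
    print(apply_retention(ev, "2024-01-10"))  # 9 days elapsed, nothing cleared
    print(apply_retention(ev, "2024-01-15"))  # 14 days elapsed, ip-src cleared
```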
rsit
rsit namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
abusive-content
Abusive Content.
rsit:abusive-content="spam"
Spam
Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for
the message to be sent and that the message is sent as part of a larger collection of messages, all
having a functionally comparable content.
rsit:abusive-content="harmful-speech"
Harmful Speech
Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or
more individuals.
rsit:abusive-content="violence"
malicious-code
Software that is intentionally included or inserted in a system for a harmful purpose. A user
interaction is normally necessary to activate the code.
rsit:malicious-code="infected-system"
Infected System
System infected with malware, e.g. PC, smartphone or server infected with a rootkit.
rsit:malicious-code="c2-server"
C2 Server
rsit:malicious-code="malware-distribution"
Malware Distribution
URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.
rsit:malicious-code="malware-configuration"
Malware Configuration
URI hosting a malware configuration file, e.g. webinjects for a banking trojan.
information-gathering
Information Gathering.
rsit:information-gathering="scanner"
Scanning
Attacks that send requests to a system to discover weaknesses. This also includes testing processes
to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP,
SMTP (EXPN, RCPT, …), port scanning.
rsit:information-gathering="sniffing"
Sniffing
rsit:information-gathering="social-engineering"
Social Engineering
Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or
threats).
intrusion-attempts
Intrusion Attempts.
rsit:intrusion-attempts="ids-alert"
rsit:intrusion-attempts="brute-force"
Login attempts
rsit:intrusion-attempts="exploit"
intrusions
A successful compromise of a system or application (service). This can have been caused remotely
by a known or new vulnerability, but also by an unauthorized local access. Also includes being part
of a botnet.
rsit:intrusions="privileged-account-compromise"
rsit:intrusions="unprivileged-account-compromise"
rsit:intrusions="application-compromise"
Application Compromise
rsit:intrusions="burglary"
Burglary
availability
In this kind of attack a system is bombarded with so many packets that operations are
delayed or the system crashes. DoS examples are ICMP and SYN floods, Teardrop attacks and mail-
bombing. DDoS is often based on DoS attacks originating from botnets, but other scenarios also
exist, such as DNS Amplification attacks. However, availability can also be affected by local actions
(destruction, disruption of power supply, etc.) – or by Act of God, spontaneous failures or human
error, without malice or gross neglect being involved.
rsit:availability="dos"
Denial of Service
Denial of Service attack, e.g. sending specially crafted requests to a web application which causes
the application to crash or slow down.
rsit:availability="ddos"
rsit:availability="misconfiguration"
Misconfiguration
Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated
DNSSEC Root Zone KSK.
rsit:availability="sabotage"
Sabotage
rsit:availability="outage"
Outage
information-content-security
Besides a local abuse of data and systems the information security can be endangered by a
successful account or application compromise. Furthermore attacks are possible that intercept and
access information during transmission (wiretapping, spoofing or hijacking).
Human/configuration/software error can also be the cause.
rsit:information-content-security="unauthorised-information-access"
Unauthorized access to information, e.g. by abusing stolen login credentials for a system or
application, intercepting traffic or gaining access to physical documents.
rsit:information-content-security="unauthorised-information-modification"
Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a
system or application or a ransomware encrypting data.
rsit:information-content-security="data-loss"
Data Loss
fraud
Fraud.
rsit:fraud="unauthorized-use-of-resources"
Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail
to participate in illegal profit chain letters or pyramid schemes.
rsit:fraud="copyright"
Copyright
rsit:fraud="masquerade"
Masquerade
Type of attack in which one entity illegitimately impersonates the identity of another in order to
benefit from it.
rsit:fraud="phishing"
Phishing
Masquerading as another entity in order to persuade the user to reveal private credentials.
vulnerable
Open resolvers, world-readable printers, vulnerabilities apparent from Nessus etc. scans, virus
signatures not up to date, etc.
rsit:vulnerable="weak-crypto"
Weak crypto
Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK
attacks.
rsit:vulnerable="ddos-amplifier"
DDoS amplifier
Publicly accessible services that can be abused for conducting DDoS reflection/amplification
attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.
rsit:vulnerable="potentially-unwanted-accessible"
rsit:vulnerable="information-disclosure"
Information disclosure
Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.
rsit:vulnerable="vulnerable-system"
Vulnerable system
A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings
(example: WPAD), outdated operating system version, etc.
other
All incidents which don’t fit in one of the given categories should be put into this class. If the
number of incidents in this category increases, it is an indicator that the classification scheme must
be revised.
rsit:other="other"
Other
All incidents which don’t fit in one of the given categories should be put into this class.
test
Meant for testing.
rsit:test="test"
Test
rt_event_status
rt_event_status namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
event-status
rt_event_status:event-status="new"
New
rt_event_status:event-status="open"
Open
rt_event_status:event-status="stalled"
Stalled
rt_event_status:event-status="rejected"
Rejected
rt_event_status:event-status="resolved"
Resolved
rt_event_status:event-status="deleted"
Deleted
runtime-packer
runtime-packer namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
Runtime or software packer used to combine compressed data with the decompression code. The
decompression code can add additional obfuscations mechanisms including polymorphic-packer or
other obfuscation techniques. This taxonomy lists all the known or official packer used for
legitimate use or for packing malicious binaries.
portable-executable
runtime-packer:portable-executable=".netshrink"
netshrink
runtime-packer:portable-executable="armadillo"
Armadillo
runtime-packer:portable-executable="aspack"
ASPack
runtime-packer:portable-executable="aspr-asprotect"
ASPR (ASProtect)
runtime-packer:portable-executable="boxedapp-packer"
BoxedApp Packer
runtime-packer:portable-executable="cexe"
CExe
runtime-packer:portable-executable="dotbundle"
dotBundle
runtime-packer:portable-executable="enigma-protector"
Enigma Protector
runtime-packer:portable-executable="exe-bundle"
EXE Bundle
runtime-packer:portable-executable="exe-stealth"
EXE Stealth
runtime-packer:portable-executable="expressor"
eXPressor
runtime-packer:portable-executable="fsg"
FSG
runtime-packer:portable-executable="kkrunchy-src"
kkrunchy src
runtime-packer:portable-executable="mew"
MEW
runtime-packer:portable-executable="mpress"
MPRESS
runtime-packer:portable-executable="obsidium"
Obsidium
runtime-packer:portable-executable="pelock"
PELock
runtime-packer:portable-executable="pespin"
PESpin
runtime-packer:portable-executable="petite"
Petite
runtime-packer:portable-executable="rlpack-basic"
RLPack Basic
runtime-packer:portable-executable="smart-packer-pro"
runtime-packer:portable-executable="themida"
Themida
runtime-packer:portable-executable="upx"
UPX
runtime-packer:portable-executable="vmprotect"
VMProtect
runtime-packer:portable-executable="xcomp-xpack"
XComp/XPack
elf
cli-assembly
scrippsco2-fgc
scrippsco2-fgc namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
-3
Potentially Suspect Data Accepted
scrippsco2-fgc:-3
accepted-suspect
-2
Accepted value from continuous analyzer replacing flask data
scrippsco2-fgc:-2
accepted-continuous-analyzer
-1
Accepted value retained although individual measurements deviated by more than selected
tolerance
scrippsco2-fgc:-1
accepted-deviated-tolerance
0
Accepted Value
scrippsco2-fgc:0
accepted
1
Rejected during analysis
scrippsco2-fgc:1
rejected-during-analysis
2
Rejected unacceptably large flask-analyzer differences associated with night sampling (used only at
MLO between Dec 1962 and Sep 1968)
scrippsco2-fgc:2
rejected-legacy-difference-night-mlo
3
Rejected flask measurement; used continuous data instead
scrippsco2-fgc:3
rejected-continuous-data
4
Rejected Replicates do not agree to selected tolerance or single flask
scrippsco2-fgc:4
rejected-tolerance-single-flask
5
Rejected Daily average deviates from fit by more than 3 standard deviations
scrippsco2-fgc:5
rejected-derivation
6
Rejected to improve local distribution of data such as too many data of generally poor quality (used
only at two stations: KUM Aug 1979 - Jun 1980 and LJO Apr 1979 - Sep 1985)
scrippsco2-fgc:6
rejected-legacy-poor-quality-kum-ljo
7
Rejected Unsteady air at site (La Jolla only)
scrippsco2-fgc:7
rejected-unsteady-ljo
8
Rejected manually (see input/flag_flasks.csv)
scrippsco2-fgc:8
rejected-manual
scrippsco2-fgi
scrippsco2-fgi namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
-3
Suspect but accepted isotopic measurement
scrippsco2-fgi:-3
accepted-suspect
0
Accepted isotopic measurement
scrippsco2-fgi:0
accepted
3
Rejected
scrippsco2-fgi:3
rejected
5
Outlier from fit
scrippsco2-fgi:5
outlier
6
Other rejected, older data
scrippsco2-fgi:6
rejected-old-data
8
Flask extracted but not analyzed yet
scrippsco2-fgi:8
extracted-not-analyzed
9
Flask not extracted
scrippsco2-fgi:9
not-extracted
scrippsco2-sampling-stations
scrippsco2-sampling-stations namespace available in JSON format at this location.
The JSON format can be freely reused in your application or automatically enabled
in MISP taxonomy.
ALT
scrippsco2-sampling-stations:ALT
PTB
scrippsco2-sampling-stations:PTB
STP
scrippsco2-sampling-stations:STP
Station P
LJO
scrippsco2-sampling-stations:LJO
BCS
scrippsco2-sampling-stations:BCS
MLO
scrippsco2-sampling-stations:MLO
KUM
scrippsco2-sampling-stations:KUM
CHR
scrippsco2-sampling-stations:CHR
SAM
scrippsco2-sampling-stations:SAM
American Samoa
KER
scrippsco2-sampling-stations:KER
NZD
scrippsco2-sampling-stations:NZD
PSA
scrippsco2-sampling-stations:PSA
SPO
scrippsco2-sampling-stations:SPO
South Pole
smart-airports-threats
smart-airports-threats namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
human-errors
smart-airports-threats:human-errors="configuration-errors"
Configuration errors
smart-airports-threats:human-errors="operator-or-user-error"
Operator/user error
smart-airports-threats:human-errors="loss-of-hardware"
Loss of hardware
smart-airports-threats:human-errors="non-compliance-with-policies-or-procedure"
system-failures
smart-airports-threats:system-failures="failures-of-devices-or-systems"
smart-airports-threats:system-failures="failures-or-disruptions-of-communication-links"
smart-airports-threats:system-failures="failures-of-parts-of-devices"
smart-airports-threats:system-failures="failures-or-disruptions-of-main-supply"
smart-airports-threats:system-failures="failures-or-disruptions-of-the-power-supply"
smart-airports-threats:system-failures="malfunctions-of-parts-of-devices"
smart-airports-threats:system-failures="malfunctions-of-devices-or-systems"
smart-airports-threats:system-failures="failures-of-hardware"
Failures of hardware
smart-airports-threats:system-failures="software-bugs"
Software bugs
natural-and-social-phenomena
smart-airports-threats:natural-and-social-phenomena="earthquakes"
Earthquakes
smart-airports-threats:natural-and-social-phenomena="fires"
Fires
smart-airports-threats:natural-and-social-phenomena="extreme-weather"
Extreme weather (e.g. flood, heavy snow, blizzard, high temperatures, fog, sandstorm)
smart-airports-threats:natural-and-social-phenomena="solar-flare"
Solar flare
smart-airports-threats:natural-and-social-phenomena="volcano-explosion"
Volcano explosion
smart-airports-threats:natural-and-social-phenomena="nuclear-incident"
Nuclear incident
smart-airports-threats:natural-and-social-phenomena="dangerous-chemical-incidents"
smart-airports-threats:natural-and-social-phenomena="pandemic"
smart-airports-threats:natural-and-social-phenomena="social-disruptions"
Social disruptions (e.g. industrial actions, civil unrest, strikes, military actions, terrorist attacks,
political instability)
smart-airports-threats:natural-and-social-phenomena="shortage-of-fuel"
Shortage of fuel
smart-airports-threats:natural-and-social-phenomena="space-debris-and-meteorites"
third-party-failures
smart-airports-threats:third-party-failures="internet-service-provider"
smart-airports-threats:third-party-failures="cloud-service-provider"
smart-airports-threats:third-party-failures="utilities-power-or-gas-or-water"
smart-airports-threats:third-party-failures="remote-maintenance-provider"
smart-airports-threats:third-party-failures="security-testing-companies"
malicious-actions
smart-airports-threats:malicious-actions="denial-of-service-attacks-via-amplification-reflection"
smart-airports-threats:malicious-actions="denial-of-service-attacks-via-flooding"
smart-airports-threats:malicious-actions="denial-of-service-attacks-via-jamming"
smart-airports-threats:malicious-actions="malicious-software-on-it-assets-malware"
Malicious software on IT assets (including passenger and staff devices) which can be Worm, Trojan,
Virus, Rootkit, Exploitkit…
smart-airports-threats:malicious-actions="malicious-software-on-it-assets-remote-arbitrary-code-execution"
Malicious software on IT assets such as remote arbitrary code execution (device under attacker
control)
smart-airports-threats:malicious-actions="exploitation-of-software-vulnerabilities-implementation-flaws"
smart-airports-threats:malicious-actions="exploitation-of-software-vulnerabilities-design-flaws"
Exploitation of known or unknown software vulnerabilities such as design flaws in IT assets (flaw
in logic)
smart-airports-threats:malicious-actions="exploitation-of-software-vulnerabilities-apt"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-unauthorized-use-of-software"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-unauthorized-installation-of-software"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-repudiation-of-actions"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-abuse-of-personal-data"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-using-information-from-an-unreliable-source"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-unintentional-change-of-data-in-an-information-system"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-inadequate-design-and-planning-or-lack-of-adoption"
smart-airports-threats:malicious-actions="misuse-of-authority-or-authorisation-data-leakage-or-sharing"
smart-airports-threats:malicious-actions="network-or-interception-attacks-manipulation-of-routing-information"
smart-airports-threats:malicious-actions="network-or-interception-attacks-spoofing"
smart-airports-threats:malicious-actions="network-or-interception-attacks-unauthorized-access"
smart-airports-threats:malicious-actions="network-or-interception-attacks-authentication-attacks"
smart-airports-threats:malicious-actions="network-or-interception-attacks-replay-attacks"
smart-airports-threats:malicious-actions="network-or-interception-attacks-repudiation-of-actions"
smart-airports-threats:malicious-actions="network-or-interception-attacks-wiretaps"
smart-airports-threats:malicious-actions="network-or-interception-attacks-wireless-comms"
smart-airports-threats:malicious-actions="network-or-interception-attacks-network-reconnaissance-information-gathering"
smart-airports-threats:malicious-actions="social-attacks-phishing-spearphishing"
smart-airports-threats:malicious-actions="social-attacks-pretexting"
smart-airports-threats:malicious-actions="social-attacks-untrusted-links"
smart-airports-threats:malicious-actions="social-attacks-baiting"
smart-airports-threats:malicious-actions="social-attacks-reverse-social-engineering"
smart-airports-threats:malicious-actions="social-attacks-impersonation"
smart-airports-threats:malicious-actions="tampering-with-devices-unauthorised-modification-of-data"
Tampering with devices - unauthorised modification of data (including compromising smart sensor
data or threat image projection)
smart-airports-threats:malicious-actions="tampering-with-devices-unauthorised-modification-of-hardware-or-software"
smart-airports-threats:malicious-actions="breach-of-physical-access-controls-bypass-authentication"
smart-airports-threats:malicious-actions="breach-of-physical-access-controls-privilege-escalation"
smart-airports-threats:malicious-actions="physical-attacks-on-airport-assets-vandalism"
smart-airports-threats:malicious-actions="physical-attacks-on-airport-assets-sabotage"
smart-airports-threats:malicious-actions="physical-attacks-on-airport-assets-explosive-or-bomb-threats"
smart-airports-threats:malicious-actions="physical-attacks-on-airport-assets-malicious-tampering"
Physical attacks on airport assets - malicious tampering or control of assets resulting in damage
stealth_malware
stealth_malware namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
type
stealth_malware:type="0"
No OS or system compromise. The malware runs as a normal user process using only official API
calls.
stealth_malware:type="I"
The malware modifies constant sections of the kernel and/or processes such as code sections.
stealth_malware:type="II"
The malware does not modify constant sections but only the dynamic sections of the kernel and/or
processes such as data sections.
stealth_malware:type="III"
The malware does not modify any sections of the kernel and/or processes but influences the system
without modifying the OS. For example using hardware virtualization techniques.
stix-ttp
stix-ttp namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
victim-targeting
stix-ttp:victim-targeting="business-professional-sector"
stix-ttp:victim-targeting="retail-sector"
Retail Sector
stix-ttp:victim-targeting="financial-sector"
stix-ttp:victim-targeting="media-entertainment-sector"
stix-ttp:victim-targeting="construction-engineering-sector"
stix-ttp:victim-targeting="government-international-organizations-sector"
stix-ttp:victim-targeting="legal-sector"
Legal Services
stix-ttp:victim-targeting="hightech-it-sector"
stix-ttp:victim-targeting="healthcare-sector"
Healthcare Sector
stix-ttp:victim-targeting="transportation-sector"
Transportation Sector
stix-ttp:victim-targeting="aerospace-defence-sector"
stix-ttp:victim-targeting="energy-sector"
Energy Sector
stix-ttp:victim-targeting="food-sector"
Food Sector
stix-ttp:victim-targeting="natural-resources-sector"
stix-ttp:victim-targeting="other-sector"
Other Sector
stix-ttp:victim-targeting="corporate-employee-information"
stix-ttp:victim-targeting="customer-pii"
Customer PII
stix-ttp:victim-targeting="email-lists-archives"
Email Lists/Archives
stix-ttp:victim-targeting="financial-data"
Financial Data
stix-ttp:victim-targeting="intellectual-property"
Intellectual Property
stix-ttp:victim-targeting="mobile-phone-contacts"
stix-ttp:victim-targeting="user-credentials"
User Credentials
stix-ttp:victim-targeting="authentification-cookies"
Authentication Cookies
targeted-threat-index
targeted-threat-index namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
The Targeted Threat Index is a metric for assigning an overall threat ranking score to email
messages that deliver malware to a victim’s computer. The TTI metric was first introduced at
SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie”
along with Katie Kleemola and Greg Wiseman.
targeting-sophistication-base-value
The base value of the score ranges from 0 to 5, based on the sophistication of the email’s social
engineering techniques used to get the victim to open the attachment. This score considers the
content and presentation of the message as well as the claimed sender identity. This determination
also includes the content of any associated files; many times malware is injected into legitimate
relevant documents.
targeted-threat-index:targeting-sophistication-base-value="not-targeted"
targeted-threat-index:targeting-sophistication-base-value="targeted-but-not-customized"
Targeted but not customized. Sent with a message that is obviously false with little to no validation
required.
targeted-threat-index:targeting-sophistication-base-value="targeted-and-poorly-customized"
Targeted and poorly customized. Content is generally relevant to the target. May look questionable.
Associated numerical value="2"
targeted-threat-index:targeting-sophistication-base-value="targeted-and-customized"
Targeted and customized. May use a real person/organization or content to convince the target the
message is legitimate. Content is specifically relevant to the target and looks legitimate.
targeted-threat-index:targeting-sophistication-base-value="targeted-and-well-customized"
Targeted and well-customized. Uses a real person/organization and content to convince the target
the message is legitimate. Probably directly addressing the recipient. Content is specifically relevant
to the target, looks legitimate, and can be externally referenced (e.g. by a website). May be sent
from a hacked account.
targeted-threat-index:targeting-sophistication-base-value="targeted-and-highly-customized-using-sensitive-data"
Targeted and highly customized using sensitive data. Individually targeted and customized, likely
using inside/sensitive information that is directly relevant to the target.
technical-sophistication-multiplier
The technical sophistication score is a multiplier ranging from 1 to 2 based on how advanced the
associated malware is, including malicious file attachments as well as links to malware hosted on
another system. We use a multiplier because advanced malware requires significantly more effort
and time (or money, in the case of commercial solutions) to custom-tune for a particular target.
targeted-threat-index:technical-sophistication-multiplier="the-sample-contains-no code-protection"
The sample contains no code protection such as packing, obfuscation (e.g. simple rotation of C2
names or other interesting strings), or anti-reversing tricks.
targeted-threat-index:technical-sophistication-multiplier="the-sample-contains-a-simple-method-of-protection"
The sample contains a simple method of protection, such as one of the following: code protection
using publicly available tools where the reverse method is available, such as UPX packing; simple
anti-reversing techniques such as not using import tables, or a call to IsDebuggerPresent();
self-disabling in the presence of AV software.
targeted-threat-index:technical-sophistication-multiplier="the-sample-contains-multiple-minor-code-protection-techniques"
The sample contains multiple minor code protection techniques (anti-reversing tricks, packing, VM
/ reversing tools detection) that require some low-level knowledge. This level includes malware
where code that contains the core functionality of the program is decrypted only in memory.
targeted-threat-index:technical-sophistication-multiplier="the-sample-contains-minor-code-protection-techniques-plus-one-advanced"
The sample contains minor code protection techniques along with at least one advanced protection
method such as rootkit functionality or a custom virtualized packer.
targeted-threat-index:technical-sophistication-multiplier="the-sample-contains-multiple-advanced-protection-techniques"
The sample contains multiple advanced protection techniques, e.g. rootkit capability, virtualized
packer, multiple anti-reversing techniques, and is clearly designed by a professional software
engineering team.
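The base value and the multiplier described above combine into a single TTI score. As an added example (not code from this document or from the MISP project), the following Python parses MISP machine tags and derives that score from the targeted-threat-index tags attached to an event. The per-value numbers are assumptions: the page gives only the ranges 0 to 5 and 1 to 2 and confirms that "targeted-and-poorly-customized" is 2; the tag strings are those listed above.

```python
"""Added example, not code from the MISP taxonomies document or the MISP project:
parse MISP machine tags and derive a Targeted Threat Index (TTI) score from the
targeted-threat-index tags attached to an event.

Assumptions, labelled here because the page does not state them: the six base
values map onto 0..5 in the order the document lists them (the page confirms only
that "targeted-and-poorly-customized" is 2), and the five multiplier levels are
evenly spaced over 1.0..2.0 in the listed order. Tag strings are the document's.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# namespace:predicate or namespace:predicate="value". Predicates may themselves
# contain ':' or '/' (veris:asset:cloud, use-case-applicability:test-alert), so
# the namespace is everything up to the first ':' and the value is the quoted part.
_TAG_RE = re.compile(r'^(?P<ns>[^:]+):(?P<pred>[^=]+?)(?:="(?P<val>[^"]*)")?$')


@dataclass(frozen=True)
class MachineTag:
    namespace: str
    predicate: str
    value: Optional[str] = None


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a MISP machine tag into its namespace, predicate and optional value."""
    m = _TAG_RE.match(tag.strip())
    if m is None:
        raise ValueError(f"not a MISP machine tag: {tag!r}")
    return MachineTag(m.group("ns"), m.group("pred"), m.group("val"))


TTI_NS = "targeted-threat-index"
BASE_PRED = "targeting-sophistication-base-value"
MULT_PRED = "technical-sophistication-multiplier"

# Base value 0..5, assumed linear in document order; only "2" is confirmed by the page.
BASE_VALUES = {
    "not-targeted": 0,
    "targeted-but-not-customized": 1,
    "targeted-and-poorly-customized": 2,
    "targeted-and-customized": 3,
    "targeted-and-well-customized": 4,
    "targeted-and-highly-customized-using-sensitive-data": 5,
}

# Multiplier 1..2, assumed evenly spaced. The first value string is reproduced
# exactly as the document prints it (with the space after "no").
MULTIPLIERS = {
    "the-sample-contains-no code-protection": 1.0,
    "the-sample-contains-a-simple-method-of-protection": 1.25,
    "the-sample-contains-multiple-minor-code-protection-techniques": 1.5,
    "the-sample-contains-minor-code-protection-techniques-plus-one-advanced": 1.75,
    "the-sample-contains-multiple-advanced-protection-techniques": 2.0,
}


def _lookup(table: dict, predicate: str, value: Optional[str]):
    if value not in table:
        raise ValueError(f"unknown {TTI_NS}:{predicate} value: {value!r}")
    return table[value]


def tti_score(tags: Iterable[str]) -> Optional[float]:
    """TTI = base value x multiplier.

    Returns None when either predicate is missing. Raises ValueError on an unknown
    value or on a predicate tagged twice: each TTI predicate must be set at most
    once, otherwise the score is ambiguous.
    """
    base: Optional[int] = None
    mult: Optional[float] = None
    for tag in tags:
        t = parse_machine_tag(tag)
        if t.namespace != TTI_NS:
            continue  # other taxonomies (tlp, veris, ...) do not affect the score
        if t.predicate == BASE_PRED:
            if base is not None:
                raise ValueError(f"{TTI_NS}:{BASE_PRED} set more than once")
            base = _lookup(BASE_VALUES, BASE_PRED, t.value)
        elif t.predicate == MULT_PRED:
            if mult is not None:
                raise ValueError(f"{TTI_NS}:{MULT_PRED} set more than once")
            mult = _lookup(MULTIPLIERS, MULT_PRED, t.value)
    if base is None or mult is None:
        return None
    return base * mult


# Constructed sample: tags as they might sit on one MISP event describing a
# well-customized lure carrying malware with several minor protections.
SAMPLE_EVENT_TAGS = [
    "tlp:amber",
    'targeted-threat-index:targeting-sophistication-base-value="targeted-and-well-customized"',
    'targeted-threat-index:technical-sophistication-multiplier='
    '"the-sample-contains-multiple-minor-code-protection-techniques"',
]

if __name__ == "__main__":
    print(tti_score(SAMPLE_EVENT_TAGS))  # 4 * 1.5 -> 6.0
```

Because the base value is a factor, a lure scored "not-targeted" yields 0 whatever the malware's protection level, which is the intended reading of a multiplier-based metric.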
threats-to-dns
threats-to-dns namespace available in JSON format at this location. The JSON
format can be freely reused in your application or automatically enabled in MISP
taxonomy.
An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A.,
Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A
Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1.
doi:10.1109/comst.2018.2849614
dns-protocol-attacks
DNS protocol attacks
threats-to-dns:dns-protocol-attacks="man-in-the-middle-attack"
Man-in-the-middle attack
threats-to-dns:dns-protocol-attacks="dns-spoofing"
DNS spoofing
threats-to-dns:dns-protocol-attacks="dns-rebinding"
DNS rebinding
dns-server-attacks
DNS server attacks
threats-to-dns:dns-server-attacks="server-dos-and-ddos"
threats-to-dns:dns-server-attacks="server-hijacking"
Server hijacking
threats-to-dns:dns-server-attacks="cache-poisoning"
Cache poisoning
dns-abuse-or-misuse
DNS abuse/misuse
threats-to-dns:dns-abuse-or-misuse="domain-name-registration-abuse-cybersquatting"
Domain name registration abuse such as cybersquatting
threats-to-dns:dns-abuse-or-misuse="domain-name-registration-abuse-typosquatting"
threats-to-dns:dns-abuse-or-misuse="domain-name-registration-abuse-domain-reputation-and-re-registration"
threats-to-dns:dns-abuse-or-misuse="dns-reflection-dns-amplification"
threats-to-dns:dns-abuse-or-misuse="malicious-or-compromised-domains-ips-malicious-botnets-c2"
threats-to-dns:dns-abuse-or-misuse="malicious-or-compromised-domains-ips-fast-flux-domains"
threats-to-dns:dns-abuse-or-misuse="malicious-or-compromised-domains-ips-malicious-dgas"
threats-to-dns:dns-abuse-or-misuse="covert-channels-malicious-dns-tunneling"
threats-to-dns:dns-abuse-or-misuse="covert-channels-malicious-payload-distribution"
threats-to-dns:dns-abuse-or-misuse="benign-services-applications-malicious-dns-resolvers"
threats-to-dns:dns-abuse-or-misuse="benign-services-applications-malicious-scanners"
threats-to-dns:dns-abuse-or-misuse="benign-services-applications-url-shorteners"
tlp
tlp namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
The Traffic Light Protocol, or TLP for short, was designed to provide a simple classification scheme
for sharing sensitive information while keeping control over its distribution.
Exclusive flag set, which means the predicates or values below must be set exclusively: only one of
them may be applied to a given event or attribute at a time.
red
Not for disclosure, restricted to participants only. Sources may use TLP:RED when information
cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s
privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with
any parties outside of the specific exchange, meeting, or conversation in which it was originally
disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present
at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
tlp:red
(TLP:RED) Information exclusively and directly given to (a group of) individual recipients. Sharing
outside is not legitimate.
amber
Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when
information requires support to be effectively acted upon, yet carries risks to privacy, reputation,
or operations if shared outside of the organizations involved. Recipients may only share
TLP:AMBER information with members of their own organization, and with clients or customers
who need to know the information to protect themselves or prevent further harm. Sources are at
liberty to specify additional intended limits of the sharing: these must be adhered to.
tlp:amber
green
Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is
useful for the awareness of all participating organizations as well as with peers within the broader
community or sector. Recipients may share TLP:GREEN information with peers and partner
organizations within their sector or community, but not via publicly accessible channels.
Information in this category can be circulated widely within a particular community. TLP:GREEN
information may not be released outside of the community.
tlp:green
white
Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
tlp:white
ex:chr
tlp:ex:chr
(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When
this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed.
This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR
tag.
tor
tor namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
tor-relay-type
tor:tor-relay-type="entry-guard-relay"
tor:tor-relay-type="middle-relay"
tor:tor-relay-type="exit-relay"
Tor node relaying traffic outside of the Tor network to the original destination
tor:tor-relay-type="bridge-relay"
type
type namespace available in JSON format at this location. The JSON format can be
freely reused in your application or automatically enabled in MISP taxonomy.
Taxonomy describing the different intelligence-gathering disciplines that can be used to characterise
the origin of a piece of intelligence.
OSINT
gathered from open sources
type:OSINT
SIGINT
gathered from interception of signals
type:SIGINT
Signal Intelligence
TECHINT
gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or
environmental conditions
type:TECHINT
Technical Intelligence
CYBINT
gathered from active or passive exploitation (CNE) in cyberspace
type:CYBINT
Cyberspace Intelligence
DNINT
gathered from active or passive exploitation (CNE) in the digital network.
type:DNINT
HUMINT
gathered from a person in the location in question
type:HUMINT
Human Intelligence
MEDINT
gathered from analysis of medical records and/or actual physiological examinations to determine
health and/or particular ailments/allergic conditions for consideration
type:MEDINT
Medical Intelligence
GEOINT
gathered from satellite, aerial photography, mapping/terrain data
type:GEOINT
Geospatial Intelligence
IMINT
gathered from satellite and aerial photography
type:IMINT
Imagery Intelligence
MASINT
gathered from electro-optical, nuclear survey, geophysical measurements, radar, materials analysis
type:MASINT
FININT
gathered from analysis of monetary or financial transactions
type:FININT
Financial Intelligence
use-case-applicability
use-case-applicability namespace available in JSON format at this location. The
JSON format can be freely reused in your application or automatically enabled in
MISP taxonomy.
The Use Case Applicability categories reflect standard resolution categories, to clearly display
alerting rule configuration problems.
announced-administrative/user-action
The process to communicate administrative activities or special user actions was in place and
working correctly. Internal sensors are working and detecting privileged or irregular
administrative behaviour.
use-case-applicability:announced-administrative/user-action
unannounced-administrative/user-action
Internal sensors have detected privileged or user activity, which was not previously communicated.
This category also includes improper usage.
use-case-applicability:unannounced-administrative/user-action
log-management-rule-configuration-error
This category reflects false alerts that were raised due to configuration errors in a rule of the
central log management system (often a SIEM).
use-case-applicability:log-management-rule-configuration-error
detection-device/rule-configuration-error
This category reflects rules on detection devices, which are usually passive or active components of
network security.
use-case-applicability:detection-device/rule-configuration-error
bad-IOC/rule-pattern-value
Products often require external indicator information or security feeds to be applied on active or
passive infrastructure components to create alerts.
use-case-applicability:bad-IOC/rule-pattern-value
test-alert
This category reflects alerts created for testing purposes.
use-case-applicability:test-alert
Test alert
confirmed-attack-with-IR-actions
This alert represents the classic true positives, where all security controls in place were
circumvented, a security control was lacking or a misconfiguration of a security element occurred.
use-case-applicability:confirmed-attack-with-IR-actions
confirmed-attack-attempt-without-IR-actions
This category reflects an attempt by a threat actor that was ultimately prevented by the security
measures in place, but that passed the security controls associated with the delivery phase of the
Cyber Kill Chain.
use-case-applicability:confirmed-attack-attempt-without-IR-actions
veris
veris namespace available in JSON format at this location. The JSON format can
be freely reused in your application or automatically enabled in MISP taxonomy.
confidence
veris:confidence="High"
High confidence
veris:confidence="Low"
Low confidence
veris:confidence="Medium"
Medium confidence
veris:confidence="None"
No confidence
cost_corrective_action
veris:cost_corrective_action="Difficult and expensive"
veris:cost_corrective_action="Something in-between"
Something in-between
veris:cost_corrective_action="Unknown"
Unknown
discovery_method
veris:discovery_method="Ext - actor disclosure"
veris:discovery_method="Ext - audit"
veris:discovery_method="Ext - customer"
veris:discovery_method="Ext - other"
veris:discovery_method="Ext - unknown"
External - unknown
veris:discovery_method="Int - HIDS"
veris:discovery_method="Int - IT review"
Any routine maintenance, testing or review of IT assets (includes inspection of assets, vulnerability
scans, etc.)
veris:discovery_method="Int - NIDS"
Internal - All network-based security tool detection (including IPS, IDS, firewalls and other
network-based security tools)
veris:discovery_method="Int - antivirus"
Internal - Health and welfare monitoring of assets such as utilization, uptime, and SNMP alerts
veris:discovery_method="Int - log review"
veris:discovery_method="Int - other"
veris:discovery_method="Int - unknown"
Internal - unknown
veris:discovery_method="Other"
Other
veris:discovery_method="Prt - antivirus"
veris:discovery_method="Prt - audit"
veris:discovery_method="Prt - other"
veris:discovery_method="Prt - unknown"
Partner - Unknown
veris:discovery_method="Unknown"
Unknown
security_incident
veris:security_incident="Confirmed"
Yes - Confirmed
veris:security_incident="False positive"
veris:security_incident="Near miss"
veris:security_incident="Suspected"
Suspected
targeted
veris:targeted="NA"
Not applicable
veris:targeted="Opportunistic"
Opportunistic: victim attacked because they exhibited a weakness the actor knew how to exploit
veris:targeted="Targeted"
Targeted: victim chosen as target then actor determined what weaknesses could be exploited
veris:targeted="Unknown"
Unknown
asset:accessibility
veris:asset:accessibility="External"
Publicly accessible
veris:asset:accessibility="Internal"
Internally accessible
veris:asset:accessibility="Isolated"
veris:asset:accessibility="NA"
Not applicable
veris:asset:accessibility="Other"
veris:asset:accessibility="Unknown"
Unknown
asset:cloud
veris:asset:cloud="Customer attack"
veris:asset:cloud="Hosting error"
veris:asset:cloud="Hosting governance"
veris:asset:cloud="Hypervisor"
veris:asset:cloud="NA"
veris:asset:cloud="No"
It is known that a cloud asset was involved and it being a cloud asset did not affect the outcome
veris:asset:cloud="Other"
veris:asset:cloud="Partner application"
veris:asset:cloud="Unknown"
veris:asset:cloud="User breakout"
asset:country
veris:asset:country="AD"
Andorra
veris:asset:country="AE"
veris:asset:country="AF"
Afghanistan
veris:asset:country="AG"
veris:asset:country="AI"
Anguilla
veris:asset:country="AL"
Albania
veris:asset:country="AM"
Armenia
veris:asset:country="AO"
Angola
veris:asset:country="AQ"
Antarctica
veris:asset:country="AR"
Argentina
veris:asset:country="AS"
American Samoa
veris:asset:country="AT"
Austria
veris:asset:country="AU"
Australia
veris:asset:country="AW"
Aruba
veris:asset:country="AX"
Aland Islands
veris:asset:country="AZ"
Azerbaijan
veris:asset:country="BA"
veris:asset:country="BB"
Barbados
veris:asset:country="BD"
Bangladesh
veris:asset:country="BE"
Belgium
veris:asset:country="BF"
Burkina Faso
veris:asset:country="BG"
Bulgaria
veris:asset:country="BH"
Bahrain
veris:asset:country="BI"
Burundi
veris:asset:country="BJ"
Benin
veris:asset:country="BL"
Saint-Barthelemy
veris:asset:country="BM"
Bermuda
veris:asset:country="BN"
Brunei Darussalam
veris:asset:country="BO"
Bolivia
veris:asset:country="BQ"
veris:asset:country="BR"
Brazil
veris:asset:country="BS"
Bahamas
veris:asset:country="BT"
Bhutan
veris:asset:country="BV"
Bouvet Island
veris:asset:country="BW"
Botswana
veris:asset:country="BY"
Belarus
veris:asset:country="BZ"
Belize
veris:asset:country="CA"
Canada
veris:asset:country="CC"
veris:asset:country="CD"
veris:asset:country="CF"
veris:asset:country="CG"
Congo
veris:asset:country="CH"
Switzerland
veris:asset:country="CI"
Cote d’Ivoire
veris:asset:country="CK"
Cook Islands
veris:asset:country="CL"
Chile
veris:asset:country="CM"
Cameroon
veris:asset:country="CN"
China
veris:asset:country="CO"
Colombia
veris:asset:country="CR"
Costa Rica
veris:asset:country="CU"
Cuba
veris:asset:country="CV"
Cape Verde
veris:asset:country="CW"
Curacao
veris:asset:country="CX"
Christmas Island
veris:asset:country="CY"
Cyprus
veris:asset:country="CZ"
Czech Republic
veris:asset:country="DE"
Germany
veris:asset:country="DJ"
Djibouti
veris:asset:country="DK"
Denmark
veris:asset:country="DM"
Dominica
veris:asset:country="DO"
Dominican Republic
veris:asset:country="DZ"
Algeria
veris:asset:country="EC"
Ecuador
veris:asset:country="EE"
Estonia
veris:asset:country="EG"
Egypt
veris:asset:country="EH"
Western Sahara
veris:asset:country="ER"
Eritrea
veris:asset:country="ES"
Spain
veris:asset:country="ET"
Ethiopia
veris:asset:country="FI"
Finland
veris:asset:country="FJ"
Fiji
veris:asset:country="FK"
Faeroe Islands
veris:asset:country="FM"
veris:asset:country="FO"
veris:asset:country="FR"
France
veris:asset:country="GA"
Gabon
veris:asset:country="GB"
United Kingdom
veris:asset:country="GD"
Grenada
veris:asset:country="GE"
Georgia
veris:asset:country="GF"
French Guiana
veris:asset:country="GG"
Guernsey
veris:asset:country="GH"
Ghana
veris:asset:country="GI"
Gibraltar
veris:asset:country="GL"
Greenland
veris:asset:country="GM"
Gambia
veris:asset:country="GN"
Guinea
veris:asset:country="GP"
Guadeloupe
veris:asset:country="GQ"
Equatorial Guinea
veris:asset:country="GR"
Greece
veris:asset:country="GS"
veris:asset:country="GT"
Guatemala
veris:asset:country="GU"
Guam
veris:asset:country="GW"
Guinea-Bissau
veris:asset:country="GY"
Guyana
veris:asset:country="HK"
Hong Kong
veris:asset:country="HM"
veris:asset:country="HN"
Honduras
veris:asset:country="HR"
Croatia
veris:asset:country="HT"
Haiti
veris:asset:country="HU"
Hungary
veris:asset:country="ID"
Indonesia
veris:asset:country="IE"
Ireland
veris:asset:country="IL"
Israel
veris:asset:country="IM"
Isle of Man
veris:asset:country="IN"
India
veris:asset:country="IO"
veris:asset:country="IQ"
Iraq
veris:asset:country="IR"
veris:asset:country="IS"
Iceland
veris:asset:country="IT"
Italy
veris:asset:country="JE"
Jersey
veris:asset:country="JM"
Jamaica
veris:asset:country="JO"
Jordan
veris:asset:country="JP"
Japan
veris:asset:country="KE"
Kenya
veris:asset:country="KG"
Kyrgyzstan
veris:asset:country="KH"
Cambodia
veris:asset:country="KI"
Kiribati
veris:asset:country="KM"
Comoros
veris:asset:country="KN"
veris:asset:country="KP"
veris:asset:country="KR"
Korea, Republic of
veris:asset:country="KW"
Kuwait
veris:asset:country="KY"
Cayman Islands
veris:asset:country="KZ"
Kazakhstan
veris:asset:country="LA"
veris:asset:country="LB"
Lebanon
veris:asset:country="LC"
Saint Lucia
veris:asset:country="LI"
Liechtenstein
veris:asset:country="LK"
Sri Lanka
veris:asset:country="LR"
Liberia
veris:asset:country="LS"
Lesotho
veris:asset:country="LT"
Lithuania
veris:asset:country="LU"
Luxembourg
veris:asset:country="LV"
Latvia
veris:asset:country="LY"
Libya
veris:asset:country="MA"
Morocco
veris:asset:country="MC"
Monaco
veris:asset:country="MD"
Moldova, Republic of
veris:asset:country="ME"
Montenegro
veris:asset:country="MF"
veris:asset:country="MG"
Madagascar
veris:asset:country="MH"
Marshall Islands
veris:asset:country="MK"
veris:asset:country="ML"
Mali
veris:asset:country="MM"
Myanmar
veris:asset:country="MN"
Mongolia
veris:asset:country="MO"
Macao
veris:asset:country="MP"
veris:asset:country="MQ"
Martinique
veris:asset:country="MR"
Mauritania
veris:asset:country="MS"
Montserrat
veris:asset:country="MT"
Malta
veris:asset:country="MU"
Mauritius
veris:asset:country="MV"
Maldives
veris:asset:country="MW"
Malawi
veris:asset:country="MX"
Mexico
veris:asset:country="MY"
Malaysia
veris:asset:country="MZ"
Mozambique
veris:asset:country="NA"
Namibia
veris:asset:country="NC"
New Caledonia
veris:asset:country="NE"
Niger
veris:asset:country="NF"
Norfolk Island
veris:asset:country="NG"
Nigeria
veris:asset:country="NI"
Nicaragua
veris:asset:country="NL"
Netherlands
veris:asset:country="NO"
Norway
veris:asset:country="NP"
Nepal
veris:asset:country="NR"
Nauru
veris:asset:country="NU"
Niue
veris:asset:country="NZ"
New Zealand
veris:asset:country="OM"
Oman
veris:asset:country="Other"
Other
veris:asset:country="PA"
Panama
veris:asset:country="PE"
Peru
veris:asset:country="PF"
French Polynesia
veris:asset:country="PG"
veris:asset:country="PH"
Philippines
veris:asset:country="PK"
Pakistan
veris:asset:country="PL"
Poland
veris:asset:country="PM"
veris:asset:country="PN"
Pitcairn
veris:asset:country="PR"
Puerto Rico
veris:asset:country="PS"
veris:asset:country="PT"
Portugal
veris:asset:country="PW"
Palau
veris:asset:country="PY"
Paraguay
veris:asset:country="QA"
Qatar
veris:asset:country="RE"
Reunion
veris:asset:country="RO"
Romania
veris:asset:country="RS"
Serbia
veris:asset:country="RU"
Russian Federation
veris:asset:country="RW"
Rwanda
veris:asset:country="SA"
Saudi Arabia
veris:asset:country="SB"
Solomon Islands
veris:asset:country="SC"
Seychelles
veris:asset:country="SD"
Sudan
veris:asset:country="SE"
Sweden
veris:asset:country="SG"
Singapore
veris:asset:country="SH"
Saint Helena
veris:asset:country="SI"
Slovenia
veris:asset:country="SJ"
veris:asset:country="SK"
Slovakia
veris:asset:country="SL"
Sierra Leone
veris:asset:country="SM"
San Marino
veris:asset:country="SN"
Senegal
veris:asset:country="SO"
Somalia
veris:asset:country="SR"
Suriname
veris:asset:country="SS"
South Sudan
veris:asset:country="ST"
veris:asset:country="SV"
El Salvador
veris:asset:country="SX"
veris:asset:country="SY"
veris:asset:country="SZ"
Swaziland
veris:asset:country="TC"
veris:asset:country="TD"
Chad
veris:asset:country="TF"
veris:asset:country="TG"
Togo
veris:asset:country="TH"
Thailand
veris:asset:country="TJ"
Tajikistan
veris:asset:country="TK"
Tokelau
veris:asset:country="TL"
Timor-Leste
veris:asset:country="TM"
Turkmenistan
veris:asset:country="TN"
Tunisia
veris:asset:country="TO"
Tonga
veris:asset:country="TR"
Turkey
veris:asset:country="TT"
veris:asset:country="TV"
Tuvalu
veris:asset:country="TW"
veris:asset:country="TZ"
veris:asset:country="UA"
Ukraine
veris:asset:country="UG"
Uganda
veris:asset:country="UM"
veris:asset:country="US"
veris:asset:country="UY"
Uruguay
veris:asset:country="UZ"
Uzbekistan
veris:asset:country="Unknown"
Unknown
veris:asset:country="VA"
Holy See
veris:asset:country="VC"
veris:asset:country="VE"
veris:asset:country="VG"
veris:asset:country="VI"
veris:asset:country="VN"
Viet Nam
veris:asset:country="VU"
Vanuatu
veris:asset:country="WF"
veris:asset:country="WS"
Samoa
veris:asset:country="YE"
Yemen
veris:asset:country="YT"
Mayotte
veris:asset:country="ZA"
South Africa
veris:asset:country="ZM"
Zambia
veris:asset:country="ZW"
Zimbabwe
asset:governance
veris:asset:governance="3rd party hosted"
veris:asset:governance="Internally isolated"
veris:asset:governance="Other"
veris:asset:governance="Personally owned"
veris:asset:governance="Unknown"
Unknown
veris:asset:governance="Victim governed"
asset:hosting
veris:asset:hosting="External"
veris:asset:hosting="External dedicated"
veris:asset:hosting="External shared"
veris:asset:hosting="Internal"
Internally hosted
veris:asset:hosting="NA"
Not applicable
veris:asset:hosting="Other"
veris:asset:hosting="Unknown"
Unknown
asset:management
veris:asset:management="External"
Externally managed
veris:asset:management="Internal"
Internally managed
veris:asset:management="NA"
Not applicable
veris:asset:management="Other"
veris:asset:management="Unknown"
Unknown
asset:ownership
veris:asset:ownership="Customer"
Customer owned
veris:asset:ownership="Employee"
Employee owned
veris:asset:ownership="NA"
Not applicable
veris:asset:ownership="Other"
veris:asset:ownership="Partner"
Partner owned
veris:asset:ownership="Unknown"
Unknown
veris:asset:ownership="Victim"
Victim owned
impact:iso_currency_code
veris:impact:iso_currency_code="AED"
veris:impact:iso_currency_code="AFN"
AFN - Afghani
veris:impact:iso_currency_code="ALL"
ALL - Lek
veris:impact:iso_currency_code="AMD"
veris:impact:iso_currency_code="ANG"
veris:impact:iso_currency_code="AOA"
AOA - Kwanza
veris:impact:iso_currency_code="ARS"
veris:impact:iso_currency_code="AUD"
veris:impact:iso_currency_code="AWG"
veris:impact:iso_currency_code="AZN"
veris:impact:iso_currency_code="BAM"
veris:impact:iso_currency_code="BBD"
veris:impact:iso_currency_code="BDT"
BDT - Taka
veris:impact:iso_currency_code="BGN"
veris:impact:iso_currency_code="BHD"
veris:impact:iso_currency_code="BIF"
veris:impact:iso_currency_code="BMD"
veris:impact:iso_currency_code="BND"
veris:impact:iso_currency_code="BOB"
BOB - Boliviano
veris:impact:iso_currency_code="BRL"
veris:impact:iso_currency_code="BSD"
veris:impact:iso_currency_code="BTN"
BTN - Ngultrum
veris:impact:iso_currency_code="BWP"
BWP - Pula
veris:impact:iso_currency_code="BYR"
veris:impact:iso_currency_code="BZD"
veris:impact:iso_currency_code="CAD"
veris:impact:iso_currency_code="CDF"
veris:impact:iso_currency_code="CHF"
veris:impact:iso_currency_code="CLP"
veris:impact:iso_currency_code="CNY"
veris:impact:iso_currency_code="COP"
veris:impact:iso_currency_code="CRC"
veris:impact:iso_currency_code="CUC"
veris:impact:iso_currency_code="CUP"
veris:impact:iso_currency_code="CVE"
veris:impact:iso_currency_code="CZK"
veris:impact:iso_currency_code="DJF"
veris:impact:iso_currency_code="DKK"
veris:impact:iso_currency_code="DOP"
veris:impact:iso_currency_code="DZD"
veris:impact:iso_currency_code="EGP"
veris:impact:iso_currency_code="ERN"
ERN - Nakfa
veris:impact:iso_currency_code="ETB"
veris:impact:iso_currency_code="EUR"
EUR - Euro
veris:impact:iso_currency_code="FJD"
veris:impact:iso_currency_code="FKP"
veris:impact:iso_currency_code="GBP"
veris:impact:iso_currency_code="GEL"
GEL - Lari
veris:impact:iso_currency_code="GGP"
veris:impact:iso_currency_code="GHS"
veris:impact:iso_currency_code="GIP"
veris:impact:iso_currency_code="GMD"
GMD - Dalasi
veris:impact:iso_currency_code="GNF"
veris:impact:iso_currency_code="GTQ"
GTQ - Quetzal
veris:impact:iso_currency_code="GYD"
veris:impact:iso_currency_code="HKD"
veris:impact:iso_currency_code="HNL"
HNL - Lempira
veris:impact:iso_currency_code="HRK"
veris:impact:iso_currency_code="HTG"
HTG - Gourde
veris:impact:iso_currency_code="HUF"
HUF - Forint
veris:impact:iso_currency_code="IDR"
IDR - Rupiah
veris:impact:iso_currency_code="ILS"
veris:impact:iso_currency_code="IMP"
veris:impact:iso_currency_code="INR"
veris:impact:iso_currency_code="IQD"
veris:impact:iso_currency_code="IRR"
veris:impact:iso_currency_code="ISK"
veris:impact:iso_currency_code="JEP"
veris:impact:iso_currency_code="JMD"
veris:impact:iso_currency_code="JOD"
veris:impact:iso_currency_code="JPY"
JPY - Yen
veris:impact:iso_currency_code="KES"
veris:impact:iso_currency_code="KGS"
KGS - Som
veris:impact:iso_currency_code="KHR"
KHR - Riel
veris:impact:iso_currency_code="KMF"
veris:impact:iso_currency_code="KPW"
veris:impact:iso_currency_code="KRW"
veris:impact:iso_currency_code="KWD"
veris:impact:iso_currency_code="KYD"
veris:impact:iso_currency_code="KZT"
KZT - Tenge
veris:impact:iso_currency_code="LAK"
LAK - Kip
veris:impact:iso_currency_code="LBP"
veris:impact:iso_currency_code="LKR"
veris:impact:iso_currency_code="LRD"
veris:impact:iso_currency_code="LSL"
LSL - Loti
veris:impact:iso_currency_code="LTL"
veris:impact:iso_currency_code="LVL"
veris:impact:iso_currency_code="LYD"
veris:impact:iso_currency_code="MAD"
veris:impact:iso_currency_code="MDL"
veris:impact:iso_currency_code="MGA"
veris:impact:iso_currency_code="MKD"
MKD - Denar
veris:impact:iso_currency_code="MMK"
MMK - Kyat
veris:impact:iso_currency_code="MNT"
MNT - Tugrik
veris:impact:iso_currency_code="MOP"
MOP - Pataca
veris:impact:iso_currency_code="MRO"
MRO - Ouguiya
veris:impact:iso_currency_code="MUR"
veris:impact:iso_currency_code="MVR"
MVR - Rufiyaa
veris:impact:iso_currency_code="MWK"
MWK - Kwacha
veris:impact:iso_currency_code="MXN"
veris:impact:iso_currency_code="MYR"
veris:impact:iso_currency_code="MZN"
veris:impact:iso_currency_code="NAD"
veris:impact:iso_currency_code="NGN"
NGN - Naira
veris:impact:iso_currency_code="NIO"
veris:impact:iso_currency_code="NOK"
veris:impact:iso_currency_code="NPR"
veris:impact:iso_currency_code="NZD"
veris:impact:iso_currency_code="OMR"
veris:impact:iso_currency_code="PAB"
PAB - Balboa
veris:impact:iso_currency_code="PEN"
veris:impact:iso_currency_code="PGK"
PGK - Kina
veris:impact:iso_currency_code="PHP"
veris:impact:iso_currency_code="PKR"
veris:impact:iso_currency_code="PLN"
PLN - Zloty
veris:impact:iso_currency_code="PYG"
PYG - Guarani
veris:impact:iso_currency_code="QAR"
veris:impact:iso_currency_code="RON"
veris:impact:iso_currency_code="RSD"
veris:impact:iso_currency_code="RUB"
veris:impact:iso_currency_code="RWF"
veris:impact:iso_currency_code="SAR"
veris:impact:iso_currency_code="SBD"
veris:impact:iso_currency_code="SCR"
veris:impact:iso_currency_code="SDG"
veris:impact:iso_currency_code="SEK"
veris:impact:iso_currency_code="SGD"
veris:impact:iso_currency_code="SHP"
veris:impact:iso_currency_code="SLL"
SLL - Leone
veris:impact:iso_currency_code="SOS"
veris:impact:iso_currency_code="SPL"
veris:impact:iso_currency_code="SRD"
veris:impact:iso_currency_code="STD"
STD - Dobra
veris:impact:iso_currency_code="SVC"
veris:impact:iso_currency_code="SYP"
veris:impact:iso_currency_code="SZL"
SZL - Lilangeni
veris:impact:iso_currency_code="THB"
THB - Baht
veris:impact:iso_currency_code="TJS"
TJS - Somoni
veris:impact:iso_currency_code="TMT"
veris:impact:iso_currency_code="TND"
veris:impact:iso_currency_code="TOP"
TOP - Pa’anga
veris:impact:iso_currency_code="TRY"
veris:impact:iso_currency_code="TTD"
veris:impact:iso_currency_code="TVD"
veris:impact:iso_currency_code="TWD"
veris:impact:iso_currency_code="TZS"
veris:impact:iso_currency_code="UAH"
UAH - Hryvnia
veris:impact:iso_currency_code="UGX"
veris:impact:iso_currency_code="USD"
USD - US Dollar
veris:impact:iso_currency_code="UYU"
veris:impact:iso_currency_code="UZS"
veris:impact:iso_currency_code="VEF"
VEF - Bolivar
veris:impact:iso_currency_code="VND"
VND - Dong
veris:impact:iso_currency_code="VUV"
VUV - Vatu
veris:impact:iso_currency_code="WST"
WST - Tala
veris:impact:iso_currency_code="XAF"
veris:impact:iso_currency_code="XCD"
veris:impact:iso_currency_code="XDR"
veris:impact:iso_currency_code="XOF"
veris:impact:iso_currency_code="XPF"
veris:impact:iso_currency_code="YER"
veris:impact:iso_currency_code="ZAR"
veris:impact:iso_currency_code="ZMK"
veris:impact:iso_currency_code="ZWD"
impact:overall_rating
veris:impact:overall_rating="Catastrophic"
Catastrophic: A business-ending event (don’t choose this if the victim will continue operations)
veris:impact:overall_rating="Damaging"
Damaging: Real and serious effect on the "bottom line" and/or long-term ability to generate revenue
veris:impact:overall_rating="Distracting"
Distracting: Limited "hard costs", but impact felt through having to deal with the incident rather than conducting normal duties
veris:impact:overall_rating="Insignificant"
veris:impact:overall_rating="Painful"
Painful: Moderate "hard costs"; the impact of having to deal with the incident rather than conducting normal duties has quantifiable indirect costs
veris:impact:overall_rating="Unknown"
Unknown
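Every entry in this listing is a MISP machine tag of the form namespace:predicate="value", and for the veris namespace the predicate is itself the colon-separated path of the VERIS JSON schema (action:hacking:variety maps to action.hacking.variety in an incident record). The Python below is an added example, not code from MISP or from the veris taxonomy: it parses a tag into namespace, predicate and value, validates all three against an allow-list built from a constructed subset of the entries on this page (VERIS_SUBSET is a name chosen here, not a MISP identifier), and folds accepted tags into the nested layout of a VERIS record. The sample tags are constructed, the requirement that every veris predicate carry a value is an assumption of the example, and storing every leaf as a list is a simplification (VERIS uses lists for multi-valued enumerations such as variety and vector).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# A MISP machine tag is namespace:predicate or namespace:predicate="value".
# VERIS predicates are colon-separated paths (action:hacking:variety), so the
# predicate is matched lazily and a quoted value, when present, must run to the
# end of the string. Values may contain spaces and apostrophes ("1 to 10",
# "Cote d'Ivoire") but not a double quote.
_TAG_RE = re.compile(
    r'^(?P<ns>[A-Za-z0-9_.-]+):(?P<pred>[A-Za-z0-9_.:-]+?)(?:="(?P<val>[^"]*)")?$'
)


@dataclass(frozen=True)
class MachineTag:
    namespace: str
    predicate: str
    value: Optional[str]


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a machine tag into its three parts; raise on malformed input."""
    m = _TAG_RE.match(tag.strip())
    if m is None:
        raise ValueError(f"not a machine tag: {tag!r}")
    return MachineTag(m.group("ns"), m.group("pred"), m.group("val"))


# Constructed subset of the veris entries listed on this page, enough to
# exercise the checks. The full taxonomy is the one MISP ships.
VERIS_SUBSET: Dict[str, Set[str]] = {
    "impact:overall_rating": {
        "Catastrophic", "Damaging", "Distracting", "Insignificant", "Painful", "Unknown",
    },
    "victim:employee_count": {
        "1 to 10", "11 to 100", "101 to 1000", "1001 to 10000", "Small", "Large", "Unknown",
    },
    "action:hacking:result": {"Elevate", "Exfiltrate", "Infiltrate"},
    "action:hacking:variety": {"SQLi", "XSS", "Brute force", "Pass-the-hash", "Other", "Unknown"},
    "action:hacking:vector": {"Web application", "VPN", "Command shell", "Other", "Unknown"},
}


def validate_tag(tag: str, taxonomy: Dict[str, Set[str]] = VERIS_SUBSET,
                 namespace: str = "veris") -> Tuple[bool, str]:
    """Accept a tag only if namespace, predicate and value are all in the taxonomy.
    Matching is exact and case-sensitive: "sqli" is not the taxonomy's "SQLi"."""
    try:
        mt = parse_machine_tag(tag)
    except ValueError as exc:
        return False, str(exc)
    if mt.namespace != namespace:
        return False, f"namespace {mt.namespace!r} is not {namespace!r}"
    if mt.predicate not in taxonomy:
        return False, f"unknown predicate {mt.predicate!r}"
    if mt.value is None:
        # Assumption of this example: every veris predicate carries a value.
        return False, f"{mt.predicate!r} requires a value"
    if mt.value not in taxonomy[mt.predicate]:
        return False, f"{mt.value!r} is not a value of {mt.predicate!r}"
    return True, "ok"


def tags_to_veris(tags: Iterable[str]) -> dict:
    """Fold validated tags into the nested layout of a VERIS incident record, so
    action:hacking:variety="SQLi" lands at incident["action"]["hacking"]["variety"].
    Every leaf is kept as a list (a simplification: VERIS uses lists for
    multi-valued enumerations such as variety and vector)."""
    incident: dict = {}
    for tag in tags:
        ok, reason = validate_tag(tag)
        if not ok:
            raise ValueError(f"{tag}: {reason}")
        mt = parse_machine_tag(tag)
        *path, leaf = mt.predicate.split(":")
        node = incident
        for key in path:
            node = node.setdefault(key, {})
        node.setdefault(leaf, []).append(mt.value)
    return incident


if __name__ == "__main__":
    # Constructed sample tags for one incident.
    sample = [
        'veris:action:hacking:variety="SQLi"',
        'veris:action:hacking:vector="Web application"',
        'veris:action:hacking:result="Exfiltrate"',
        'veris:impact:overall_rating="Damaging"',
    ]
    print(tags_to_veris(sample))
    for bad in ['veris:impact:overall_rating="catastrophic"', "tlp:amber",
                'veris:action:hacking:variety="SQLi" OR 1=1']:
        print(bad, "->", validate_tag(bad))
```

Because the regex anchors the closing quote to the end of the string and disallows "=" inside the predicate, anything appended after the quoted value is rejected as a whole rather than silently truncated, which is the behaviour you want before a tag string is handed to a sighting or search API.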
victim:country
veris:victim:country="AD"
Andorra
veris:victim:country="AE"
veris:victim:country="AF"
Afghanistan
veris:victim:country="AG"
veris:victim:country="AI"
Anguilla
veris:victim:country="AL"
Albania
veris:victim:country="AM"
Armenia
veris:victim:country="AO"
Angola
veris:victim:country="AQ"
Antarctica
veris:victim:country="AR"
Argentina
veris:victim:country="AS"
American Samoa
veris:victim:country="AT"
Austria
veris:victim:country="AU"
Australia
veris:victim:country="AW"
Aruba
veris:victim:country="AX"
Aland Islands
veris:victim:country="AZ"
Azerbaijan
veris:victim:country="BA"
veris:victim:country="BB"
Barbados
veris:victim:country="BD"
Bangladesh
veris:victim:country="BE"
Belgium
veris:victim:country="BF"
Burkina Faso
veris:victim:country="BG"
Bulgaria
veris:victim:country="BH"
Bahrain
veris:victim:country="BI"
Burundi
veris:victim:country="BJ"
Benin
veris:victim:country="BL"
Saint-Barthelemy
veris:victim:country="BM"
Bermuda
veris:victim:country="BN"
Brunei Darussalam
veris:victim:country="BO"
Bolivia
veris:victim:country="BQ"
veris:victim:country="BR"
Brazil
veris:victim:country="BS"
Bahamas
veris:victim:country="BT"
Bhutan
veris:victim:country="BV"
Bouvet Island
veris:victim:country="BW"
Botswana
veris:victim:country="BY"
Belarus
veris:victim:country="BZ"
Belize
veris:victim:country="CA"
Canada
veris:victim:country="CC"
veris:victim:country="CD"
veris:victim:country="CF"
veris:victim:country="CG"
Congo
veris:victim:country="CH"
Switzerland
veris:victim:country="CI"
Cote d’Ivoire
veris:victim:country="CK"
Cook Islands
veris:victim:country="CL"
Chile
veris:victim:country="CM"
Cameroon
veris:victim:country="CN"
China
veris:victim:country="CO"
Colombia
veris:victim:country="CR"
Costa Rica
veris:victim:country="CU"
Cuba
veris:victim:country="CV"
Cape Verde
veris:victim:country="CW"
Curacao
veris:victim:country="CX"
Christmas Island
veris:victim:country="CY"
Cyprus
veris:victim:country="CZ"
Czech Republic
veris:victim:country="DE"
Germany
veris:victim:country="DJ"
Djibouti
veris:victim:country="DK"
Denmark
veris:victim:country="DM"
Dominica
veris:victim:country="DO"
Dominican Republic
veris:victim:country="DZ"
Algeria
veris:victim:country="EC"
Ecuador
veris:victim:country="EE"
Estonia
veris:victim:country="EG"
Egypt
veris:victim:country="EH"
Western Sahara
veris:victim:country="ER"
Eritrea
veris:victim:country="ES"
Spain
veris:victim:country="ET"
Ethiopia
veris:victim:country="FI"
Finland
veris:victim:country="FJ"
Fiji
veris:victim:country="FK"
Faeroe Islands
veris:victim:country="FM"
veris:victim:country="FO"
veris:victim:country="FR"
France
veris:victim:country="GA"
Gabon
veris:victim:country="GB"
United Kingdom
veris:victim:country="GD"
Grenada
veris:victim:country="GE"
Georgia
veris:victim:country="GF"
French Guiana
veris:victim:country="GG"
Guernsey
veris:victim:country="GH"
Ghana
veris:victim:country="GI"
Gibraltar
veris:victim:country="GL"
Greenland
veris:victim:country="GM"
Gambia
veris:victim:country="GN"
Guinea
veris:victim:country="GP"
Guadeloupe
veris:victim:country="GQ"
Equatorial Guinea
veris:victim:country="GR"
Greece
veris:victim:country="GS"
veris:victim:country="GT"
Guatemala
veris:victim:country="GU"
Guam
veris:victim:country="GW"
Guinea-Bissau
veris:victim:country="GY"
Guyana
veris:victim:country="HK"
Hong Kong
veris:victim:country="HM"
veris:victim:country="HN"
Honduras
veris:victim:country="HR"
Croatia
veris:victim:country="HT"
Haiti
veris:victim:country="HU"
Hungary
veris:victim:country="ID"
Indonesia
veris:victim:country="IE"
Ireland
veris:victim:country="IL"
Israel
veris:victim:country="IM"
Isle of Man
veris:victim:country="IN"
India
veris:victim:country="IO"
veris:victim:country="IQ"
Iraq
veris:victim:country="IR"
veris:victim:country="IS"
Iceland
veris:victim:country="IT"
Italy
veris:victim:country="JE"
Jersey
veris:victim:country="JM"
Jamaica
veris:victim:country="JO"
Jordan
veris:victim:country="JP"
Japan
veris:victim:country="KE"
Kenya
veris:victim:country="KG"
Kyrgyzstan
veris:victim:country="KH"
Cambodia
veris:victim:country="KI"
Kiribati
veris:victim:country="KM"
Comoros
veris:victim:country="KN"
veris:victim:country="KP"
veris:victim:country="KR"
Korea, Republic of
veris:victim:country="KW"
Kuwait
veris:victim:country="KY"
Cayman Islands
veris:victim:country="KZ"
Kazakhstan
veris:victim:country="LA"
veris:victim:country="LB"
Lebanon
veris:victim:country="LC"
Saint Lucia
veris:victim:country="LI"
Liechtenstein
veris:victim:country="LK"
Sri Lanka
veris:victim:country="LR"
Liberia
veris:victim:country="LS"
Lesotho
veris:victim:country="LT"
Lithuania
veris:victim:country="LU"
Luxembourg
veris:victim:country="LV"
Latvia
veris:victim:country="LY"
Libya
veris:victim:country="MA"
Morocco
veris:victim:country="MC"
Monaco
veris:victim:country="MD"
Moldova, Republic of
veris:victim:country="ME"
Montenegro
veris:victim:country="MF"
veris:victim:country="MG"
Madagascar
veris:victim:country="MH"
Marshall Islands
veris:victim:country="MK"
veris:victim:country="ML"
Mali
veris:victim:country="MM"
Myanmar
veris:victim:country="MN"
Mongolia
veris:victim:country="MO"
Macao
veris:victim:country="MP"
veris:victim:country="MQ"
Martinique
veris:victim:country="MR"
Mauritania
veris:victim:country="MS"
Montserrat
veris:victim:country="MT"
Malta
veris:victim:country="MU"
Mauritius
veris:victim:country="MV"
Maldives
veris:victim:country="MW"
Malawi
veris:victim:country="MX"
Mexico
veris:victim:country="MY"
Malaysia
veris:victim:country="MZ"
Mozambique
veris:victim:country="NA"
Namibia
veris:victim:country="NC"
New Caledonia
veris:victim:country="NE"
Niger
veris:victim:country="NF"
Norfolk Island
veris:victim:country="NG"
Nigeria
veris:victim:country="NI"
Nicaragua
veris:victim:country="NL"
Netherlands
veris:victim:country="NO"
Norway
veris:victim:country="NP"
Nepal
veris:victim:country="NR"
Nauru
veris:victim:country="NU"
Niue
veris:victim:country="NZ"
New Zealand
veris:victim:country="OM"
Oman
veris:victim:country="Other"
Other
veris:victim:country="PA"
Panama
veris:victim:country="PE"
Peru
veris:victim:country="PF"
French Polynesia
veris:victim:country="PG"
veris:victim:country="PH"
Philippines
veris:victim:country="PK"
Pakistan
veris:victim:country="PL"
Poland
veris:victim:country="PM"
veris:victim:country="PN"
Pitcairn
veris:victim:country="PR"
Puerto Rico
veris:victim:country="PS"
veris:victim:country="PT"
Portugal
veris:victim:country="PW"
Palau
veris:victim:country="PY"
Paraguay
veris:victim:country="QA"
Qatar
veris:victim:country="RE"
Reunion
veris:victim:country="RO"
Romania
veris:victim:country="RS"
Serbia
veris:victim:country="RU"
Russian Federation
veris:victim:country="RW"
Rwanda
veris:victim:country="SA"
Saudi Arabia
veris:victim:country="SB"
Solomon Islands
veris:victim:country="SC"
Seychelles
veris:victim:country="SD"
Sudan
veris:victim:country="SE"
Sweden
veris:victim:country="SG"
Singapore
veris:victim:country="SH"
Saint Helena
veris:victim:country="SI"
Slovenia
veris:victim:country="SJ"
veris:victim:country="SK"
Slovakia
veris:victim:country="SL"
Sierra Leone
veris:victim:country="SM"
San Marino
veris:victim:country="SN"
Senegal
veris:victim:country="SO"
Somalia
veris:victim:country="SR"
Suriname
veris:victim:country="SS"
South Sudan
veris:victim:country="ST"
veris:victim:country="SV"
El Salvador
veris:victim:country="SX"
veris:victim:country="SY"
veris:victim:country="SZ"
Swaziland
veris:victim:country="TC"
veris:victim:country="TD"
Chad
veris:victim:country="TF"
veris:victim:country="TG"
Togo
veris:victim:country="TH"
Thailand
veris:victim:country="TJ"
Tajikistan
veris:victim:country="TK"
Tokelau
veris:victim:country="TL"
Timor-Leste
veris:victim:country="TM"
Turkmenistan
veris:victim:country="TN"
Tunisia
veris:victim:country="TO"
Tonga
veris:victim:country="TR"
Turkey
veris:victim:country="TT"
veris:victim:country="TV"
Tuvalu
veris:victim:country="TW"
veris:victim:country="TZ"
veris:victim:country="UA"
Ukraine
veris:victim:country="UG"
Uganda
veris:victim:country="UM"
veris:victim:country="US"
veris:victim:country="UY"
Uruguay
veris:victim:country="UZ"
Uzbekistan
veris:victim:country="Unknown"
Unknown
veris:victim:country="VA"
Holy See
veris:victim:country="VC"
veris:victim:country="VE"
veris:victim:country="VG"
veris:victim:country="VI"
veris:victim:country="VN"
Viet Nam
veris:victim:country="VU"
Vanuatu
veris:victim:country="WF"
veris:victim:country="WS"
Samoa
veris:victim:country="YE"
Yemen
veris:victim:country="YT"
Mayotte
veris:victim:country="ZA"
South Africa
veris:victim:country="ZM"
Zambia
veris:victim:country="ZW"
Zimbabwe
victim:employee_count
veris:victim:employee_count="1 to 10"
1 to 10 employees
veris:victim:employee_count="10001 to 25000"
veris:victim:employee_count="1001 to 10000"
veris:victim:employee_count="101 to 1000"
veris:victim:employee_count="11 to 100"
11 to 100 employees
veris:victim:employee_count="25001 to 50000"
veris:victim:employee_count="50001 to 100000"
veris:victim:employee_count="Large"
veris:victim:employee_count="Over 100000"
veris:victim:employee_count="Small"
veris:victim:employee_count="Unknown"
action:environmental:variety
veris:action:environmental:variety="Deterioration"
veris:action:environmental:variety="EMI"
veris:action:environmental:variety="ESD"
veris:action:environmental:variety="Earthquake"
Earthquake
veris:action:environmental:variety="Fire"
Fire
veris:action:environmental:variety="Flood"
Flood
veris:action:environmental:variety="Hazmat"
Hazardous material
veris:action:environmental:variety="Humidity"
Humidity
veris:action:environmental:variety="Hurricane"
Hurricane
veris:action:environmental:variety="Ice"
veris:action:environmental:variety="Landslide"
Landslide
veris:action:environmental:variety="Leak"
Water leak
veris:action:environmental:variety="Lightning"
Lightning
veris:action:environmental:variety="Meteorite"
Meteorite
veris:action:environmental:variety="Other"
Other
veris:action:environmental:variety="Particulates"
veris:action:environmental:variety="Pathogen"
Pathogen
veris:action:environmental:variety="Power failure"
veris:action:environmental:variety="Temperature"
Extreme temperature
veris:action:environmental:variety="Tornado"
Tornado
veris:action:environmental:variety="Tsunami"
Tsunami
veris:action:environmental:variety="Unknown"
Unknown
veris:action:environmental:variety="Vermin"
Vermin
veris:action:environmental:variety="Volcano"
Volcanic eruption
veris:action:environmental:variety="Wind"
Wind
action:error:variety
veris:action:error:variety="Capacity shortage"
veris:action:error:variety="Classification error"
veris:action:error:variety="Disposal error"
Disposal error
veris:action:error:variety="Gaffe"
veris:action:error:variety="Loss"
Loss or misplacement
veris:action:error:variety="Maintenance error"
Maintenance error
veris:action:error:variety="Malfunction"
veris:action:error:variety="Misconfiguration"
Misconfiguration
veris:action:error:variety="Misdelivery"
veris:action:error:variety="Misinformation"
veris:action:error:variety="Omission"
veris:action:error:variety="Other"
Other
veris:action:error:variety="Physical accidents"
veris:action:error:variety="Programming error"
veris:action:error:variety="Publishing error"
veris:action:error:variety="Unknown"
Unknown
action:error:vector
veris:action:error:vector="Carelessness"
Carelessness
veris:action:error:vector="Inadequate personnel"
veris:action:error:vector="Inadequate processes"
veris:action:error:vector="Inadequate technology"
veris:action:error:vector="Other"
Other
veris:action:error:vector="Random error"
veris:action:error:vector="Unknown"
Unknown
action:hacking:result
veris:action:hacking:result="Elevate"
veris:action:hacking:result="Exfiltrate"
veris:action:hacking:result="Infiltrate"
action:hacking:variety
veris:action:hacking:variety="Abuse of functionality"
Abuse of functionality
veris:action:hacking:variety="Brute force"
veris:action:hacking:variety="Buffer overflow"
Buffer overflow
veris:action:hacking:variety="CSRF"
veris:action:hacking:variety="Cache poisoning"
Cache poisoning
veris:action:hacking:variety="Cryptanalysis"
Cryptanalysis
veris:action:hacking:variety="DoS"
Denial of service
veris:action:hacking:variety="Footprinting"
veris:action:hacking:variety="Forced browsing"
veris:action:hacking:variety="Fuzz testing"
Fuzz testing
veris:action:hacking:variety="Integer overflows"
Integer overflows
veris:action:hacking:variety="LDAP injection"
LDAP injection
veris:action:hacking:variety="MitM"
Man-in-the-middle attack
veris:action:hacking:variety="OS commanding"
OS commanding
veris:action:hacking:variety="Offline cracking"
veris:action:hacking:variety="Other"
Other
veris:action:hacking:variety="Pass-the-hash"
Pass-the-hash
veris:action:hacking:variety="Path traversal"
Path traversal
veris:action:hacking:variety="RFI"
veris:action:hacking:variety="Reverse engineering"
Reverse engineering
veris:action:hacking:variety="Routing detour"
Routing detour
veris:action:hacking:variety="SQLi"
SQL injection
veris:action:hacking:variety="SSI injection"
SSI injection
veris:action:hacking:variety="Session fixation"
Session fixation
veris:action:hacking:variety="Session prediction"
veris:action:hacking:variety="Session replay"
Session replay
veris:action:hacking:variety="Unknown"
Unknown
veris:action:hacking:variety="Virtual machine escape"
veris:action:hacking:variety="XML injection"
XML injection
veris:action:hacking:variety="XPath injection"
XPath injection
veris:action:hacking:variety="XQuery injection"
XQuery injection
veris:action:hacking:variety="XSS"
Cross-site scripting
action:hacking:vector
veris:action:hacking:vector="3rd party desktop"
veris:action:hacking:vector="Backdoor or C2"
veris:action:hacking:vector="Command shell"
Remote shell
veris:action:hacking:vector="Desktop sharing"
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
veris:action:hacking:vector="Other"
Other
veris:action:hacking:vector="Partner"
veris:action:hacking:vector="Physical access"
veris:action:hacking:vector="Unknown"
Unknown
veris:action:hacking:vector="VPN"
VPN
veris:action:hacking:vector="Web application"
Web application
action:malware:result
veris:action:malware:result="Elevate"
veris:action:malware:result="Exfiltrate"
veris:action:malware:result="Infiltrate"
action:malware:variety
veris:action:malware:variety="Adminware"
veris:action:malware:variety="Adware"
Adware
veris:action:malware:variety="Backdoor"
veris:action:malware:variety="Brute force"
veris:action:malware:variety="C2"
veris:action:malware:variety="Click fraud"
veris:action:malware:variety="Client-side attack"
veris:action:malware:variety="Destroy data"
veris:action:malware:variety="Disable controls"
veris:action:malware:variety="DoS"
DoS attack
veris:action:malware:variety="Downloader"
veris:action:malware:variety="Exploit vuln"
veris:action:malware:variety="Export data"
veris:action:malware:variety="Modify data"
Malware which compromises a legitimate file rather than creating new files
veris:action:malware:variety="Other"
Other
veris:action:malware:variety="Packet sniffer"
veris:action:malware:variety="Password dumper"
veris:action:malware:variety="Ram scraper"
veris:action:malware:variety="Ransomware"
veris:action:malware:variety="Rootkit"
veris:action:malware:variety="SQL injection"
veris:action:malware:variety="Scan network"
veris:action:malware:variety="Spam"
Send spam
veris:action:malware:variety="Spyware/Keylogger"
veris:action:malware:variety="Unknown"
Unknown
veris:action:malware:variety="Worm"
action:malware:vector
veris:action:malware:vector="Direct install"
veris:action:malware:vector="Download by malware"
veris:action:malware:vector="Email attachment"
veris:action:malware:vector="Email autoexecute"
veris:action:malware:vector="Email link"
veris:action:malware:vector="Email unknown"
veris:action:malware:vector="Instant messaging"
Instant Messaging
veris:action:malware:vector="Network propagation"
Network propagation
veris:action:malware:vector="Other"
Other
veris:action:malware:vector="Remote injection"
veris:action:malware:vector="Removable media"
veris:action:malware:vector="Software update"
veris:action:malware:vector="Unknown"
Unknown
veris:action:malware:vector="Web download"
veris:action:malware:vector="Web drive-by"
action:misuse:result
veris:action:misuse:result="Elevate"
veris:action:misuse:result="Exfiltrate"
veris:action:misuse:result="Infiltrate"
action:misuse:variety
veris:action:misuse:variety="Data mishandling"
veris:action:misuse:variety="Email misuse"
veris:action:misuse:variety="Illicit content"
veris:action:misuse:variety="Knowledge abuse"
veris:action:misuse:variety="Net misuse"
veris:action:misuse:variety="Other"
Other
veris:action:misuse:variety="Possession abuse"
veris:action:misuse:variety="Privilege abuse"
veris:action:misuse:variety="Unapproved hardware"
veris:action:misuse:variety="Unapproved software"
veris:action:misuse:variety="Unapproved workaround"
veris:action:misuse:variety="Unknown"
Unknown
action:misuse:vector
veris:action:misuse:vector="LAN access"
veris:action:misuse:vector="Non-corporate"
veris:action:misuse:vector="Other"
Other
veris:action:misuse:vector="Physical access"
veris:action:misuse:vector="Remote access"
veris:action:misuse:vector="Unknown"
Unknown
action:physical:result
veris:action:physical:result="Elevate"
veris:action:physical:result="Exfiltrate"
veris:action:physical:result="Infiltrate"
action:physical:variety
veris:action:physical:variety="Assault"
veris:action:physical:variety="Bypassed controls"
veris:action:physical:variety="Connection"
Connection
veris:action:physical:variety="Destruction"
veris:action:physical:variety="Disabled controls"
veris:action:physical:variety="Other"
Other
veris:action:physical:variety="Skimmer"
veris:action:physical:variety="Snooping"
veris:action:physical:variety="Surveillance"
veris:action:physical:variety="Tampering"
veris:action:physical:variety="Theft"
veris:action:physical:variety="Unknown"
Unknown
veris:action:physical:variety="Wiretapping"
action:physical:vector
veris:action:physical:vector="Other"
Other
veris:action:physical:vector="Partner facility"
veris:action:physical:vector="Partner vehicle"
veris:action:physical:vector="Personal residence"
Personal residence
veris:action:physical:vector="Personal vehicle"
Personal vehicle
veris:action:physical:vector="Privileged access"
veris:action:physical:vector="Public facility"
veris:action:physical:vector="Public vehicle"
veris:action:physical:vector="Uncontrolled location"
veris:action:physical:vector="Unknown"
Unknown
veris:action:physical:vector="Victim grounds"
veris:action:physical:vector="Visitor privileges"
action:social:result
veris:action:social:result="Elevate"
veris:action:social:result="Exfiltrate"
veris:action:social:result="Infiltrate"
action:social:target
veris:action:social:target="Auditor"
Auditor
veris:action:social:target="Call center"
veris:action:social:target="Cashier"
veris:action:social:target="Customer"
Customer (B2C)
veris:action:social:target="Developer"
Software developer
veris:action:social:target="End-user"
veris:action:social:target="Executive"
veris:action:social:target="Finance"
veris:action:social:target="Former employee"
Former employee
veris:action:social:target="Guard"
Security guard
veris:action:social:target="Helpdesk"
Helpdesk staff
veris:action:social:target="Human resources"
veris:action:social:target="Maintenance"
veris:action:social:target="Manager"
Manager or supervisor
veris:action:social:target="Other"
Other
veris:action:social:target="Partner"
Partner (B2B)
veris:action:social:target="System admin"
veris:action:social:target="Unknown"
Unknown
action:social:variety
veris:action:social:variety="Baiting"
veris:action:social:variety="Bribery"
Bribery or solicitation
veris:action:social:variety="Elicitation"
veris:action:social:variety="Extortion"
Extortion or blackmail
veris:action:social:variety="Forgery"
veris:action:social:variety="Influence"
veris:action:social:variety="Other"
Other
veris:action:social:variety="Phishing"
veris:action:social:variety="Pretexting"
veris:action:social:variety="Propaganda"
Propaganda or disinformation
veris:action:social:variety="Scam"
veris:action:social:variety="Spam"
veris:action:social:variety="Unknown"
Unknown
action:social:vector
veris:action:social:vector="Documents"
Documents
veris:action:social:vector="Email"
veris:action:social:vector="IM"
Instant messaging
veris:action:social:vector="In-person"
In-person
veris:action:social:vector="Other"
Other
veris:action:social:vector="Phone"
Phone
veris:action:social:vector="Removable media"
veris:action:social:vector="SMS"
SMS or texting
veris:action:social:vector="Social media"
veris:action:social:vector="Software"
Software
veris:action:social:vector="Unknown"
Unknown
veris:action:social:vector="Website"
Website
action:unknown:result
veris:action:unknown:result="Elevate"
veris:action:unknown:result="Exfiltrate"
veris:action:unknown:result="Infiltrate"
actor:external:country
veris:actor:external:country="AD"
Andorra
veris:actor:external:country="AE"
veris:actor:external:country="AF"
Afghanistan
veris:actor:external:country="AG"
veris:actor:external:country="AI"
Anguilla
veris:actor:external:country="AL"
Albania
veris:actor:external:country="AM"
Armenia
veris:actor:external:country="AO"
Angola
veris:actor:external:country="AQ"
Antarctica
veris:actor:external:country="AR"
Argentina
veris:actor:external:country="AS"
American Samoa
veris:actor:external:country="AT"
Austria
veris:actor:external:country="AU"
Australia
veris:actor:external:country="AW"
Aruba
veris:actor:external:country="AX"
Aland Islands
veris:actor:external:country="AZ"
Azerbaijan
veris:actor:external:country="BA"
veris:actor:external:country="BB"
Barbados
veris:actor:external:country="BD"
Bangladesh
veris:actor:external:country="BE"
Belgium
veris:actor:external:country="BF"
Burkina Faso
veris:actor:external:country="BG"
Bulgaria
veris:actor:external:country="BH"
Bahrain
veris:actor:external:country="BI"
Burundi
veris:actor:external:country="BJ"
Benin
veris:actor:external:country="BL"
Saint-Barthelemy
veris:actor:external:country="BM"
Bermuda
veris:actor:external:country="BN"
Brunei Darussalam
veris:actor:external:country="BO"
Bolivia
veris:actor:external:country="BQ"
veris:actor:external:country="BR"
Brazil
veris:actor:external:country="BS"
Bahamas
veris:actor:external:country="BT"
Bhutan
veris:actor:external:country="BV"
Bouvet Island
veris:actor:external:country="BW"
Botswana
veris:actor:external:country="BY"
Belarus
veris:actor:external:country="BZ"
Belize
veris:actor:external:country="CA"
Canada
veris:actor:external:country="CC"
veris:actor:external:country="CD"
veris:actor:external:country="CF"
veris:actor:external:country="CG"
Congo
veris:actor:external:country="CH"
Switzerland
veris:actor:external:country="CI"
Cote d’Ivoire
veris:actor:external:country="CK"
Cook Islands
veris:actor:external:country="CL"
Chile
veris:actor:external:country="CM"
Cameroon
veris:actor:external:country="CN"
China
veris:actor:external:country="CO"
Colombia
veris:actor:external:country="CR"
Costa Rica
veris:actor:external:country="CU"
Cuba
veris:actor:external:country="CV"
Cape Verde
veris:actor:external:country="CW"
Curacao
veris:actor:external:country="CX"
Christmas Island
veris:actor:external:country="CY"
Cyprus
veris:actor:external:country="CZ"
Czech Republic
veris:actor:external:country="DE"
Germany
veris:actor:external:country="DJ"
Djibouti
veris:actor:external:country="DK"
Denmark
veris:actor:external:country="DM"
Dominica
veris:actor:external:country="DO"
Dominican Republic
veris:actor:external:country="DZ"
Algeria
veris:actor:external:country="EC"
Ecuador
veris:actor:external:country="EE"
Estonia
veris:actor:external:country="EG"
Egypt
veris:actor:external:country="EH"
Western Sahara
veris:actor:external:country="ER"
Eritrea
veris:actor:external:country="ES"
Spain
veris:actor:external:country="ET"
Ethiopia
veris:actor:external:country="FI"
Finland
veris:actor:external:country="FJ"
Fiji
veris:actor:external:country="FK"
Faeroe Islands
veris:actor:external:country="FM"
veris:actor:external:country="FO"
veris:actor:external:country="FR"
France
veris:actor:external:country="GA"
Gabon
veris:actor:external:country="GB"
United Kingdom
veris:actor:external:country="GD"
Grenada
veris:actor:external:country="GE"
Georgia
veris:actor:external:country="GF"
French Guiana
veris:actor:external:country="GG"
Guernsey
veris:actor:external:country="GH"
Ghana
veris:actor:external:country="GI"
Gibraltar
veris:actor:external:country="GL"
Greenland
veris:actor:external:country="GM"
Gambia
veris:actor:external:country="GN"
Guinea
veris:actor:external:country="GP"
Guadeloupe
veris:actor:external:country="GQ"
Equatorial Guinea
veris:actor:external:country="GR"
Greece
veris:actor:external:country="GS"
veris:actor:external:country="GT"
Guatemala
veris:actor:external:country="GU"
Guam
veris:actor:external:country="GW"
Guinea-Bissau
veris:actor:external:country="GY"
Guyana
veris:actor:external:country="HK"
Hong Kong
veris:actor:external:country="HM"
veris:actor:external:country="HN"
Honduras
veris:actor:external:country="HR"
Croatia
veris:actor:external:country="HT"
Haiti
veris:actor:external:country="HU"
Hungary
veris:actor:external:country="ID"
Indonesia
veris:actor:external:country="IE"
Ireland
veris:actor:external:country="IL"
Israel
veris:actor:external:country="IM"
Isle of Man
veris:actor:external:country="IN"
India
veris:actor:external:country="IO"
veris:actor:external:country="IQ"
Iraq
veris:actor:external:country="IR"
veris:actor:external:country="IS"
Iceland
veris:actor:external:country="IT"
Italy
veris:actor:external:country="JE"
Jersey
veris:actor:external:country="JM"
Jamaica
veris:actor:external:country="JO"
Jordan
veris:actor:external:country="JP"
Japan
veris:actor:external:country="KE"
Kenya
veris:actor:external:country="KG"
Kyrgyzstan
veris:actor:external:country="KH"
Cambodia
veris:actor:external:country="KI"
Kiribati
veris:actor:external:country="KM"
Comoros
veris:actor:external:country="KN"
veris:actor:external:country="KP"
veris:actor:external:country="KR"
Korea, Republic of
veris:actor:external:country="KW"
Kuwait
veris:actor:external:country="KY"
Cayman Islands
veris:actor:external:country="KZ"
Kazakhstan
veris:actor:external:country="LA"
veris:actor:external:country="LB"
Lebanon
veris:actor:external:country="LC"
Saint Lucia
veris:actor:external:country="LI"
Liechtenstein
veris:actor:external:country="LK"
Sri Lanka
veris:actor:external:country="LR"
Liberia
veris:actor:external:country="LS"
Lesotho
veris:actor:external:country="LT"
Lithuania
veris:actor:external:country="LU"
Luxembourg
veris:actor:external:country="LV"
Latvia
veris:actor:external:country="LY"
Libya
veris:actor:external:country="MA"
Morocco
veris:actor:external:country="MC"
Monaco
veris:actor:external:country="MD"
Moldova, Republic of
veris:actor:external:country="ME"
Montenegro
veris:actor:external:country="MF"
veris:actor:external:country="MG"
Madagascar
veris:actor:external:country="MH"
Marshall Islands
veris:actor:external:country="MK"
veris:actor:external:country="ML"
Mali
veris:actor:external:country="MM"
Myanmar
veris:actor:external:country="MN"
Mongolia
veris:actor:external:country="MO"
Macao
veris:actor:external:country="MP"
veris:actor:external:country="MQ"
Martinique
veris:actor:external:country="MR"
Mauritania
veris:actor:external:country="MS"
Montserrat
veris:actor:external:country="MT"
Malta
veris:actor:external:country="MU"
Mauritius
veris:actor:external:country="MV"
Maldives
veris:actor:external:country="MW"
Malawi
veris:actor:external:country="MX"
Mexico
veris:actor:external:country="MY"
Malaysia
veris:actor:external:country="MZ"
Mozambique
veris:actor:external:country="NA"
Namibia
veris:actor:external:country="NC"
New Caledonia
veris:actor:external:country="NE"
Niger
veris:actor:external:country="NF"
Norfolk Island
veris:actor:external:country="NG"
Nigeria
veris:actor:external:country="NI"
Nicaragua
veris:actor:external:country="NL"
Netherlands
veris:actor:external:country="NO"
Norway
veris:actor:external:country="NP"
Nepal
veris:actor:external:country="NR"
Nauru
veris:actor:external:country="NU"
Niue
veris:actor:external:country="NZ"
New Zealand
veris:actor:external:country="OM"
Oman
veris:actor:external:country="Other"
Other
veris:actor:external:country="PA"
Panama
veris:actor:external:country="PE"
Peru
veris:actor:external:country="PF"
French Polynesia
veris:actor:external:country="PG"
veris:actor:external:country="PH"
Philippines
veris:actor:external:country="PK"
Pakistan
veris:actor:external:country="PL"
Poland
veris:actor:external:country="PM"
veris:actor:external:country="PN"
Pitcairn
veris:actor:external:country="PR"
Puerto Rico
veris:actor:external:country="PS"
veris:actor:external:country="PT"
Portugal
veris:actor:external:country="PW"
Palau
veris:actor:external:country="PY"
Paraguay
veris:actor:external:country="QA"
Qatar
veris:actor:external:country="RE"
Reunion
veris:actor:external:country="RO"
Romania
veris:actor:external:country="RS"
Serbia
veris:actor:external:country="RU"
Russian Federation
veris:actor:external:country="RW"
Rwanda
veris:actor:external:country="SA"
Saudi Arabia
veris:actor:external:country="SB"
Solomon Islands
veris:actor:external:country="SC"
Seychelles
veris:actor:external:country="SD"
Sudan
veris:actor:external:country="SE"
Sweden
veris:actor:external:country="SG"
Singapore
veris:actor:external:country="SH"
Saint Helena
veris:actor:external:country="SI"
Slovenia
veris:actor:external:country="SJ"
veris:actor:external:country="SK"
Slovakia
veris:actor:external:country="SL"
Sierra Leone
veris:actor:external:country="SM"
San Marino
veris:actor:external:country="SN"
Senegal
veris:actor:external:country="SO"
Somalia
veris:actor:external:country="SR"
Suriname
veris:actor:external:country="SS"
South Sudan
veris:actor:external:country="ST"
veris:actor:external:country="SV"
El Salvador
veris:actor:external:country="SX"
veris:actor:external:country="SY"
veris:actor:external:country="SZ"
Swaziland
veris:actor:external:country="TC"
veris:actor:external:country="TD"
Chad
veris:actor:external:country="TF"
veris:actor:external:country="TG"
Togo
veris:actor:external:country="TH"
Thailand
veris:actor:external:country="TJ"
Tajikistan
veris:actor:external:country="TK"
Tokelau
veris:actor:external:country="TL"
Timor-Leste
veris:actor:external:country="TM"
Turkmenistan
veris:actor:external:country="TN"
Tunisia
veris:actor:external:country="TO"
Tonga
veris:actor:external:country="TR"
Turkey
veris:actor:external:country="TT"
veris:actor:external:country="TV"
Tuvalu
veris:actor:external:country="TW"
veris:actor:external:country="TZ"
veris:actor:external:country="UA"
Ukraine
veris:actor:external:country="UG"
Uganda
veris:actor:external:country="UM"
veris:actor:external:country="US"
veris:actor:external:country="UY"
Uruguay
veris:actor:external:country="UZ"
Uzbekistan
veris:actor:external:country="Unknown"
Unknown
veris:actor:external:country="VA"
Holy See
veris:actor:external:country="VC"
veris:actor:external:country="VE"
veris:actor:external:country="VG"
veris:actor:external:country="VI"
veris:actor:external:country="VN"
Viet Nam
veris:actor:external:country="VU"
Vanuatu
veris:actor:external:country="WF"
veris:actor:external:country="WS"
Samoa
veris:actor:external:country="YE"
Yemen
veris:actor:external:country="YT"
Mayotte
veris:actor:external:country="ZA"
South Africa
veris:actor:external:country="ZM"
Zambia
veris:actor:external:country="ZW"
Zimbabwe
actor:external:motive
veris:actor:external:motive="Convenience"
Convenience of expediency
veris:actor:external:motive="Espionage"
veris:actor:external:motive="Fear"
Fear or duress
veris:actor:external:motive="Financial"
veris:actor:external:motive="Fun"
veris:actor:external:motive="Grudge"
veris:actor:external:motive="Ideology"
Ideology or protest
veris:actor:external:motive="NA"
veris:actor:external:motive="Other"
Other
veris:actor:external:motive="Secondary"
veris:actor:external:motive="Unknown"
Unknown
actor:external:variety
veris:actor:external:variety="Acquaintance"
veris:actor:external:variety="Activist"
Activist group
veris:actor:external:variety="Auditor"
Auditor
veris:actor:external:variety="Competitor"
Competitor
veris:actor:external:variety="Customer"
Customer (B2C)
veris:actor:external:variety="Force majeure"
veris:actor:external:variety="Former employee"
veris:actor:external:variety="Nation-state"
Nation-state
veris:actor:external:variety="Organized crime"
veris:actor:external:variety="Other"
Other
veris:actor:external:variety="State-affiliated"
veris:actor:external:variety="Terrorist"
Terrorist group
veris:actor:external:variety="Unaffiliated"
Unaffiliated person(s)
veris:actor:external:variety="Unknown"
Unknown
actor:internal:job_change
veris:actor:internal:job_change="Demoted"
veris:actor:internal:job_change="Hired"
Recently hired
veris:actor:internal:job_change="Job eval"
veris:actor:internal:job_change="Lateral move"
Lateral move
veris:actor:internal:job_change="Let go"
veris:actor:internal:job_change="Other"
Other
veris:actor:internal:job_change="Passed over"
veris:actor:internal:job_change="Personal issues"
Personal issues
veris:actor:internal:job_change="Promoted"
Recently promoted
veris:actor:internal:job_change="Reprimanded"
Recently reprimanded
veris:actor:internal:job_change="Resigned"
veris:actor:internal:job_change="Unknown"
Unknown
actor:internal:motive
veris:actor:internal:motive="Convenience"
Convenience of expediency
veris:actor:internal:motive="Espionage"
veris:actor:internal:motive="Fear"
Fear or duress
veris:actor:internal:motive="Financial"
veris:actor:internal:motive="Fun"
veris:actor:internal:motive="Grudge"
veris:actor:internal:motive="Ideology"
Ideology or protest
veris:actor:internal:motive="NA"
veris:actor:internal:motive="Other"
Other
veris:actor:internal:motive="Secondary"
veris:actor:internal:motive="Unknown"
Unknown
actor:internal:variety
veris:actor:internal:variety="Auditor"
Auditor
veris:actor:internal:variety="Call center"
veris:actor:internal:variety="Cashier"
veris:actor:internal:variety="Developer"
Software developer
veris:actor:internal:variety="Doctor or nurse"
A doctor or a nurse
veris:actor:internal:variety="End-user"
veris:actor:internal:variety="Executive"
veris:actor:internal:variety="Finance"
veris:actor:internal:variety="Guard"
Security guard
veris:actor:internal:variety="Helpdesk"
Helpdesk staff
veris:actor:internal:variety="Human resources"
veris:actor:internal:variety="Maintenance"
veris:actor:internal:variety="Manager"
Manager or supervisor
veris:actor:internal:variety="Other"
Other
veris:actor:internal:variety="System admin"
veris:actor:internal:variety="Unknown"
Unknown
actor:partner:country
veris:actor:partner:country="AD"
Andorra
veris:actor:partner:country="AE"
veris:actor:partner:country="AF"
Afghanistan
veris:actor:partner:country="AG"
veris:actor:partner:country="AI"
Anguilla
veris:actor:partner:country="AL"
Albania
veris:actor:partner:country="AM"
Armenia
veris:actor:partner:country="AO"
Angola
veris:actor:partner:country="AQ"
Antarctica
veris:actor:partner:country="AR"
Argentina
veris:actor:partner:country="AS"
American Samoa
veris:actor:partner:country="AT"
Austria
veris:actor:partner:country="AU"
Australia
veris:actor:partner:country="AW"
Aruba
veris:actor:partner:country="AX"
Aland Islands
veris:actor:partner:country="AZ"
Azerbaijan
veris:actor:partner:country="BA"
veris:actor:partner:country="BB"
Barbados
veris:actor:partner:country="BD"
Bangladesh
veris:actor:partner:country="BE"
Belgium
veris:actor:partner:country="BF"
Burkina Faso
veris:actor:partner:country="BG"
Bulgaria
veris:actor:partner:country="BH"
Bahrain
veris:actor:partner:country="BI"
Burundi
veris:actor:partner:country="BJ"
Benin
veris:actor:partner:country="BL"
Saint-Barthelemy
veris:actor:partner:country="BM"
Bermuda
veris:actor:partner:country="BN"
Brunei Darussalam
veris:actor:partner:country="BO"
Bolivia
veris:actor:partner:country="BQ"
veris:actor:partner:country="BR"
Brazil
veris:actor:partner:country="BS"
Bahamas
veris:actor:partner:country="BT"
Bhutan
veris:actor:partner:country="BV"
Bouvet Island
veris:actor:partner:country="BW"
Botswana
veris:actor:partner:country="BY"
Belarus
veris:actor:partner:country="BZ"
Belize
veris:actor:partner:country="CA"
Canada
veris:actor:partner:country="CC"
veris:actor:partner:country="CD"
veris:actor:partner:country="CF"
veris:actor:partner:country="CG"
Congo
veris:actor:partner:country="CH"
Switzerland
veris:actor:partner:country="CI"
Cote d’Ivoire
veris:actor:partner:country="CK"
Cook Islands
veris:actor:partner:country="CL"
Chile
veris:actor:partner:country="CM"
Cameroon
veris:actor:partner:country="CN"
China
veris:actor:partner:country="CO"
Colombia
veris:actor:partner:country="CR"
Costa Rica
veris:actor:partner:country="CU"
Cuba
veris:actor:partner:country="CV"
Cape Verde
veris:actor:partner:country="CW"
Curacao
veris:actor:partner:country="CX"
Christmas Island
veris:actor:partner:country="CY"
Cyprus
veris:actor:partner:country="CZ"
Czech Republic
veris:actor:partner:country="DE"
Germany
veris:actor:partner:country="DJ"
Djibouti
veris:actor:partner:country="DK"
Denmark
veris:actor:partner:country="DM"
Dominica
veris:actor:partner:country="DO"
Dominican Republic
veris:actor:partner:country="DZ"
Algeria
veris:actor:partner:country="EC"
Ecuador
veris:actor:partner:country="EE"
Estonia
veris:actor:partner:country="EG"
Egypt
veris:actor:partner:country="EH"
Western Sahara
veris:actor:partner:country="ER"
Eritrea
veris:actor:partner:country="ES"
Spain
veris:actor:partner:country="ET"
Ethiopia
veris:actor:partner:country="FI"
Finland
veris:actor:partner:country="FJ"
Fiji
veris:actor:partner:country="FK"
Faeroe Islands
veris:actor:partner:country="FM"
veris:actor:partner:country="FO"
veris:actor:partner:country="FR"
France
veris:actor:partner:country="GA"
Gabon
veris:actor:partner:country="GB"
United Kingdom
veris:actor:partner:country="GD"
Grenada
veris:actor:partner:country="GE"
Georgia
veris:actor:partner:country="GF"
French Guiana
veris:actor:partner:country="GG"
Guernsey
veris:actor:partner:country="GH"
Ghana
veris:actor:partner:country="GI"
Gibraltar
veris:actor:partner:country="GL"
Greenland
veris:actor:partner:country="GM"
Gambia
veris:actor:partner:country="GN"
Guinea
veris:actor:partner:country="GP"
Guadeloupe
veris:actor:partner:country="GQ"
Equatorial Guinea
veris:actor:partner:country="GR"
Greece
veris:actor:partner:country="GS"
veris:actor:partner:country="GT"
Guatemala
veris:actor:partner:country="GU"
Guam
veris:actor:partner:country="GW"
Guinea-Bissau
veris:actor:partner:country="GY"
Guyana
veris:actor:partner:country="HK"
Hong Kong
veris:actor:partner:country="HM"
veris:actor:partner:country="HN"
Honduras
veris:actor:partner:country="HR"
Croatia
veris:actor:partner:country="HT"
Haiti
veris:actor:partner:country="HU"
Hungary
veris:actor:partner:country="ID"
Indonesia
veris:actor:partner:country="IE"
Ireland
veris:actor:partner:country="IL"
Israel
veris:actor:partner:country="IM"
Isle of Man
veris:actor:partner:country="IN"
India
veris:actor:partner:country="IO"
veris:actor:partner:country="IQ"
Iraq
veris:actor:partner:country="IR"
veris:actor:partner:country="IS"
Iceland
veris:actor:partner:country="IT"
Italy
veris:actor:partner:country="JE"
Jersey
veris:actor:partner:country="JM"
Jamaica
veris:actor:partner:country="JO"
Jordan
veris:actor:partner:country="JP"
Japan
veris:actor:partner:country="KE"
Kenya
veris:actor:partner:country="KG"
Kyrgyzstan
veris:actor:partner:country="KH"
Cambodia
veris:actor:partner:country="KI"
Kiribati
veris:actor:partner:country="KM"
Comoros
veris:actor:partner:country="KN"
veris:actor:partner:country="KP"
veris:actor:partner:country="KR"
Korea, Republic of
veris:actor:partner:country="KW"
Kuwait
veris:actor:partner:country="KY"
Cayman Islands
veris:actor:partner:country="KZ"
Kazakhstan
veris:actor:partner:country="LA"
veris:actor:partner:country="LB"
Lebanon
veris:actor:partner:country="LC"
Saint Lucia
veris:actor:partner:country="LI"
Liechtenstein
veris:actor:partner:country="LK"
Sri Lanka
veris:actor:partner:country="LR"
Liberia
veris:actor:partner:country="LS"
Lesotho
veris:actor:partner:country="LT"
Lithuania
veris:actor:partner:country="LU"
Luxembourg
veris:actor:partner:country="LV"
Latvia
veris:actor:partner:country="LY"
Libya
veris:actor:partner:country="MA"
Morocco
veris:actor:partner:country="MC"
Monaco
veris:actor:partner:country="MD"
Moldova, Republic of
veris:actor:partner:country="ME"
Montenegro
veris:actor:partner:country="MF"
veris:actor:partner:country="MG"
Madagascar
veris:actor:partner:country="MH"
Marshall Islands
veris:actor:partner:country="MK"
veris:actor:partner:country="ML"
Mali
veris:actor:partner:country="MM"
Myanmar
veris:actor:partner:country="MN"
Mongolia
veris:actor:partner:country="MO"
Macao
veris:actor:partner:country="MP"
veris:actor:partner:country="MQ"
Martinique
veris:actor:partner:country="MR"
Mauritania
veris:actor:partner:country="MS"
Montserrat
veris:actor:partner:country="MT"
Malta
veris:actor:partner:country="MU"
Mauritius
veris:actor:partner:country="MV"
Maldives
veris:actor:partner:country="MW"
Malawi
veris:actor:partner:country="MX"
Mexico
veris:actor:partner:country="MY"
Malaysia
veris:actor:partner:country="MZ"
Mozambique
veris:actor:partner:country="NA"
Namibia
veris:actor:partner:country="NC"
New Caledonia
veris:actor:partner:country="NE"
Niger
veris:actor:partner:country="NF"
Norfolk Island
veris:actor:partner:country="NG"
Nigeria
veris:actor:partner:country="NI"
Nicaragua
veris:actor:partner:country="NL"
Netherlands
veris:actor:partner:country="NO"
Norway
veris:actor:partner:country="NP"
Nepal
veris:actor:partner:country="NR"
Nauru
veris:actor:partner:country="NU"
Niue
veris:actor:partner:country="NZ"
New Zealand
veris:actor:partner:country="OM"
Oman
veris:actor:partner:country="Other"
Other
veris:actor:partner:country="PA"
Panama
veris:actor:partner:country="PE"
Peru
veris:actor:partner:country="PF"
French Polynesia
veris:actor:partner:country="PG"
veris:actor:partner:country="PH"
Philippines
veris:actor:partner:country="PK"
Pakistan
veris:actor:partner:country="PL"
Poland
veris:actor:partner:country="PM"
veris:actor:partner:country="PN"
Pitcairn
veris:actor:partner:country="PR"
Puerto Rico
veris:actor:partner:country="PS"
veris:actor:partner:country="PT"
Portugal
veris:actor:partner:country="PW"
Palau
veris:actor:partner:country="PY"
Paraguay
veris:actor:partner:country="QA"
Qatar
veris:actor:partner:country="RE"
Reunion
veris:actor:partner:country="RO"
Romania
veris:actor:partner:country="RS"
Serbia
veris:actor:partner:country="RU"
Russian Federation
veris:actor:partner:country="RW"
Rwanda
veris:actor:partner:country="SA"
Saudi Arabia
veris:actor:partner:country="SB"
Solomon Islands
veris:actor:partner:country="SC"
Seychelles
veris:actor:partner:country="SD"
Sudan
veris:actor:partner:country="SE"
Sweden
veris:actor:partner:country="SG"
Singapore
veris:actor:partner:country="SH"
Saint Helena
veris:actor:partner:country="SI"
Slovenia
veris:actor:partner:country="SJ"
veris:actor:partner:country="SK"
Slovakia
veris:actor:partner:country="SL"
Sierra Leone
veris:actor:partner:country="SM"
San Marino
veris:actor:partner:country="SN"
Senegal
veris:actor:partner:country="SO"
Somalia
veris:actor:partner:country="SR"
Suriname
veris:actor:partner:country="SS"
South Sudan
veris:actor:partner:country="ST"
veris:actor:partner:country="SV"
El Salvador
veris:actor:partner:country="SX"
veris:actor:partner:country="SY"
veris:actor:partner:country="SZ"
Swaziland
veris:actor:partner:country="TC"
veris:actor:partner:country="TD"
Chad
veris:actor:partner:country="TF"
veris:actor:partner:country="TG"
Togo
veris:actor:partner:country="TH"
Thailand
veris:actor:partner:country="TJ"
Tajikistan
veris:actor:partner:country="TK"
Tokelau
veris:actor:partner:country="TL"
Timor-Leste
veris:actor:partner:country="TM"
Turkmenistan
veris:actor:partner:country="TN"
Tunisia
veris:actor:partner:country="TO"
Tonga
veris:actor:partner:country="TR"
Turkey
veris:actor:partner:country="TT"
veris:actor:partner:country="TV"
Tuvalu
veris:actor:partner:country="TW"
veris:actor:partner:country="TZ"
veris:actor:partner:country="UA"
Ukraine
veris:actor:partner:country="UG"
Uganda
veris:actor:partner:country="UM"
veris:actor:partner:country="US"
veris:actor:partner:country="UY"
Uruguay
veris:actor:partner:country="UZ"
Uzbekistan
veris:actor:partner:country="Unknown"
Unknown
veris:actor:partner:country="VA"
Holy See
veris:actor:partner:country="VC"
veris:actor:partner:country="VE"
veris:actor:partner:country="VG"
veris:actor:partner:country="VI"
veris:actor:partner:country="VN"
Viet Nam
veris:actor:partner:country="VU"
Vanuatu
veris:actor:partner:country="WF"
veris:actor:partner:country="WS"
Samoa
veris:actor:partner:country="YE"
Yemen
veris:actor:partner:country="YT"
Mayotte
veris:actor:partner:country="ZA"
South Africa
veris:actor:partner:country="ZM"
Zambia
veris:actor:partner:country="ZW"
Zimbabwe
actor:partner:motive
veris:actor:partner:motive="Convenience"
Convenience of expediency
veris:actor:partner:motive="Espionage"
veris:actor:partner:motive="Fear"
Fear or duress
veris:actor:partner:motive="Financial"
veris:actor:partner:motive="Fun"
veris:actor:partner:motive="Grudge"
veris:actor:partner:motive="Ideology"
Ideology or protest
veris:actor:partner:motive="NA"
veris:actor:partner:motive="Other"
Other
veris:actor:partner:motive="Secondary"
veris:actor:partner:motive="Unknown"
Unknown
asset:assets:variety
veris:asset:assets:variety="E - Other"
veris:asset:assets:variety="E - Telematics"
veris:asset:assets:variety="E - Telemetry"
Embedded - A dedicated device that collects data about the physical world
veris:asset:assets:variety="E - Unknown"
veris:asset:assets:variety="M - Disk drive"
veris:asset:assets:variety="M - Documents"
Media - Documents
veris:asset:assets:variety="M - Fax"
veris:asset:assets:variety="M - Other"
veris:asset:assets:variety="M - Tapes"
veris:asset:assets:variety="M - Unknown"
veris:asset:assets:variety="N - Broadband"
veris:asset:assets:variety="N - Camera"
veris:asset:assets:variety="N - Firewall"
Network - Firewall
veris:asset:assets:variety="N - HSM"
veris:asset:assets:variety="N - IDS"
veris:asset:assets:variety="N - LAN"
veris:asset:assets:variety="N - NAS"
veris:asset:assets:variety="N - Other"
veris:asset:assets:variety="N - PBX"
veris:asset:assets:variety="N - PLC"
veris:asset:assets:variety="N - RTU"
veris:asset:assets:variety="N - Router or switch"
veris:asset:assets:variety="N - SAN"
veris:asset:assets:variety="N - Telephone"
Network - Telephone
veris:asset:assets:variety="N - Unknown"
veris:asset:assets:variety="N - WLAN"
veris:asset:assets:variety="Other"
Asset type known but not User Device, Server, Public Terminal, People, Network, or Media
veris:asset:assets:variety="P - Auditor"
People - Auditor
veris:asset:assets:variety="P - Cashier"
People - Cashier
veris:asset:assets:variety="P - Customer"
People - Customer
veris:asset:assets:variety="P - Developer"
People - Developer
veris:asset:assets:variety="P - End-user"
People - End-user
veris:asset:assets:variety="P - Executive"
People - Executive
veris:asset:assets:variety="P - Finance"
People - Finance
veris:asset:assets:variety="P - Guard"
People - Guard
veris:asset:assets:variety="P - Helpdesk"
People - Helpdesk
veris:asset:assets:variety="P - Maintenance"
People - Maintenance
veris:asset:assets:variety="P - Manager"
People - Manager
veris:asset:assets:variety="P - Other"
veris:asset:assets:variety="P - Partner"
People - Partner
People - Administrator
veris:asset:assets:variety="P - Unknown"
veris:asset:assets:variety="S - Authentication"
Server - Authentication
veris:asset:assets:variety="S - Backup"
Server - Backup
veris:asset:assets:variety="S - DCS"
veris:asset:assets:variety="S - DHCP"
Server - DHCP
veris:asset:assets:variety="S - DNS"
Server - DNS
veris:asset:assets:variety="S - Database"
Server - Database
veris:asset:assets:variety="S - Directory"
veris:asset:assets:variety="S - File"
Server - File
veris:asset:assets:variety="S - ICS"
Server - Industrial Control System (ICS). Includes Supervisory Control And Data Acquisition (SCADA) systems.
veris:asset:assets:variety="S - Log"
veris:asset:assets:variety="S - Mail"
Server - Mail
veris:asset:assets:variety="S - Mainframe"
Server - Mainframe
veris:asset:assets:variety="S - Other"
veris:asset:assets:variety="S - Print"
Server - Print
veris:asset:assets:variety="S - Proxy"
Server - Proxy
veris:asset:assets:variety="S - Unknown"
veris:asset:assets:variety="S - VM host"
veris:asset:assets:variety="T - ATM"
veris:asset:assets:variety="T - Kiosk"
veris:asset:assets:variety="T - Other"
veris:asset:assets:variety="T - Unknown"
veris:asset:assets:variety="U - Desktop"
veris:asset:assets:variety="U - Laptop"
veris:asset:assets:variety="U - Media"
veris:asset:assets:variety="U - Other"
veris:asset:assets:variety="U - POS terminal"
veris:asset:assets:variety="U - Peripheral"
veris:asset:assets:variety="U - Tablet"
veris:asset:assets:variety="U - Telephone"
veris:asset:assets:variety="U - Unknown"
veris:asset:assets:variety="Unknown"
attribute:availability:variety
veris:attribute:availability:variety="Acceleration"
Acceleration
veris:attribute:availability:variety="Degradation"
Performance degradation
veris:attribute:availability:variety="Destruction"
Destruction
veris:attribute:availability:variety="Interruption"
Interruption
veris:attribute:availability:variety="Loss"
Loss
veris:attribute:availability:variety="Obscuration"
Conversion or obscuration
veris:attribute:availability:variety="Other"
Other
veris:attribute:availability:variety="Unknown"
Unknown
attribute:confidentiality:data_disclosure
veris:attribute:confidentiality:data_disclosure="No"
No
veris:attribute:confidentiality:data_disclosure="Potentially"
veris:attribute:confidentiality:data_disclosure="Unknown"
Unknown
veris:attribute:confidentiality:data_disclosure="Yes"
Yes (confirmed)
attribute:confidentiality:data_victim
veris:attribute:confidentiality:data_victim="Customer"
Customer
veris:attribute:confidentiality:data_victim="Employee"
Employee
veris:attribute:confidentiality:data_victim="Other"
Other
veris:attribute:confidentiality:data_victim="Partner"
Partner
veris:attribute:confidentiality:data_victim="Patient"
Patient
veris:attribute:confidentiality:data_victim="Student"
Student
veris:attribute:confidentiality:data_victim="Unknown"
Unknown
attribute:confidentiality:state
veris:attribute:confidentiality:state="Other"
veris:attribute:confidentiality:state="Printed"
veris:attribute:confidentiality:state="Processed"
Processed
veris:attribute:confidentiality:state="Stored"
Stored
veris:attribute:confidentiality:state="Stored encrypted"
Stored encrypted
veris:attribute:confidentiality:state="Stored unencrypted"
Stored unencrypted
veris:attribute:confidentiality:state="Transmitted"
Transmitted
veris:attribute:confidentiality:state="Transmitted encrypted"
Transmitted encrypted
veris:attribute:confidentiality:state="Transmitted unencrypted"
Transmitted unencrypted
veris:attribute:confidentiality:state="Unknown"
attribute:integrity:variety
veris:attribute:integrity:variety="Alter behavior"
veris:attribute:integrity:variety="Created account"
veris:attribute:integrity:variety="Defacement"
Deface content
veris:attribute:integrity:variety="Fraudulent transaction"
veris:attribute:integrity:variety="Hardware tampering"
veris:attribute:integrity:variety="Log tampering"
veris:attribute:integrity:variety="Misrepresentation"
Misrepresentation
veris:attribute:integrity:variety="Modify configuration"
veris:attribute:integrity:variety="Modify data"
veris:attribute:integrity:variety="Modify privileges"
veris:attribute:integrity:variety="Other"
Other
veris:attribute:integrity:variety="Repurpose"
veris:attribute:integrity:variety="Software installation"
veris:attribute:integrity:variety="Unknown"
Unknown
impact:loss:rating
veris:impact:loss:rating="Major"
Major
veris:impact:loss:rating="Minor"
Minor
veris:impact:loss:rating="Moderate"
Moderate
veris:impact:loss:rating="None"
None
veris:impact:loss:rating="Unknown"
Unknown
impact:loss:variety
veris:impact:loss:variety="Asset and fraud"
veris:impact:loss:variety="Brand damage"
veris:impact:loss:variety="Business disruption"
Business disruption
veris:impact:loss:variety="Competitive advantage"
veris:impact:loss:variety="Operating costs"
veris:impact:loss:variety="Other"
timeline:compromise:unit
veris:timeline:compromise:unit="Days"
Days
veris:timeline:compromise:unit="Hours"
Hours
veris:timeline:compromise:unit="Minutes"
Minutes
veris:timeline:compromise:unit="Months"
Months
veris:timeline:compromise:unit="NA"
veris:timeline:compromise:unit="Never"
Never
veris:timeline:compromise:unit="Seconds"
Seconds
veris:timeline:compromise:unit="Unknown"
Unknown
veris:timeline:compromise:unit="Weeks"
Weeks
veris:timeline:compromise:unit="Years"
Years
timeline:containment:unit
veris:timeline:containment:unit="Days"
Days
veris:timeline:containment:unit="Hours"
Hours
veris:timeline:containment:unit="Minutes"
Minutes
veris:timeline:containment:unit="Months"
Months
veris:timeline:containment:unit="NA"
veris:timeline:containment:unit="Never"
Never
veris:timeline:containment:unit="Seconds"
Seconds
veris:timeline:containment:unit="Unknown"
Unknown
veris:timeline:containment:unit="Weeks"
Weeks
veris:timeline:containment:unit="Years"
Years
timeline:discovery:unit
veris:timeline:discovery:unit="Days"
Days
veris:timeline:discovery:unit="Hours"
Hours
veris:timeline:discovery:unit="Minutes"
Minutes
veris:timeline:discovery:unit="Months"
Months
veris:timeline:discovery:unit="NA"
veris:timeline:discovery:unit="Never"
Never
veris:timeline:discovery:unit="Seconds"
Seconds
veris:timeline:discovery:unit="Unknown"
Unknown
veris:timeline:discovery:unit="Weeks"
Weeks
veris:timeline:discovery:unit="Years"
Years
timeline:exfiltration:unit
veris:timeline:exfiltration:unit="Days"
Days
veris:timeline:exfiltration:unit="Hours"
Hours
veris:timeline:exfiltration:unit="Minutes"
Minutes
veris:timeline:exfiltration:unit="Months"
Months
veris:timeline:exfiltration:unit="NA"
veris:timeline:exfiltration:unit="Never"
Never
veris:timeline:exfiltration:unit="Seconds"
Seconds
veris:timeline:exfiltration:unit="Unknown"
Unknown
veris:timeline:exfiltration:unit="Weeks"
Weeks
veris:timeline:exfiltration:unit="Years"
Years
victim:revenue:iso_currency_code
veris:victim:revenue:iso_currency_code="AED"
veris:victim:revenue:iso_currency_code="AFN"
AFN - Afghani
veris:victim:revenue:iso_currency_code="ALL"
ALL - Lek
veris:victim:revenue:iso_currency_code="AMD"
veris:victim:revenue:iso_currency_code="ANG"
veris:victim:revenue:iso_currency_code="AOA"
AOA - Kwanza
veris:victim:revenue:iso_currency_code="ARS"
veris:victim:revenue:iso_currency_code="AUD"
veris:victim:revenue:iso_currency_code="AWG"
veris:victim:revenue:iso_currency_code="AZN"
veris:victim:revenue:iso_currency_code="BAM"
veris:victim:revenue:iso_currency_code="BBD"
veris:victim:revenue:iso_currency_code="BDT"
BDT - Taka
veris:victim:revenue:iso_currency_code="BGN"
veris:victim:revenue:iso_currency_code="BHD"
veris:victim:revenue:iso_currency_code="BIF"
veris:victim:revenue:iso_currency_code="BMD"
veris:victim:revenue:iso_currency_code="BND"
veris:victim:revenue:iso_currency_code="BOB"
BOB - Boliviano
veris:victim:revenue:iso_currency_code="BRL"
veris:victim:revenue:iso_currency_code="BSD"
veris:victim:revenue:iso_currency_code="BTN"
BTN - Ngultrum
veris:victim:revenue:iso_currency_code="BWP"
BWP - Pula
veris:victim:revenue:iso_currency_code="BYR"
veris:victim:revenue:iso_currency_code="BZD"
veris:victim:revenue:iso_currency_code="CAD"
veris:victim:revenue:iso_currency_code="CDF"
veris:victim:revenue:iso_currency_code="CHF"
veris:victim:revenue:iso_currency_code="CLP"
veris:victim:revenue:iso_currency_code="CNY"
veris:victim:revenue:iso_currency_code="COP"
veris:victim:revenue:iso_currency_code="CRC"
veris:victim:revenue:iso_currency_code="CUC"
veris:victim:revenue:iso_currency_code="CUP"
veris:victim:revenue:iso_currency_code="CVE"
veris:victim:revenue:iso_currency_code="CZK"
veris:victim:revenue:iso_currency_code="DJF"
veris:victim:revenue:iso_currency_code="DKK"
veris:victim:revenue:iso_currency_code="DOP"
veris:victim:revenue:iso_currency_code="DZD"
veris:victim:revenue:iso_currency_code="EGP"
veris:victim:revenue:iso_currency_code="ERN"
ERN - Nakfa
veris:victim:revenue:iso_currency_code="ETB"
veris:victim:revenue:iso_currency_code="EUR"
EUR - Euro
veris:victim:revenue:iso_currency_code="FJD"
veris:victim:revenue:iso_currency_code="FKP"
veris:victim:revenue:iso_currency_code="GBP"
veris:victim:revenue:iso_currency_code="GEL"
GEL - Lari
veris:victim:revenue:iso_currency_code="GGP"
veris:victim:revenue:iso_currency_code="GHS"
veris:victim:revenue:iso_currency_code="GIP"
veris:victim:revenue:iso_currency_code="GMD"
GMD - Dalasi
veris:victim:revenue:iso_currency_code="GNF"
veris:victim:revenue:iso_currency_code="GTQ"
GTQ - Quetzal
veris:victim:revenue:iso_currency_code="GYD"
veris:victim:revenue:iso_currency_code="HKD"
veris:victim:revenue:iso_currency_code="HNL"
HNL - Lempira
veris:victim:revenue:iso_currency_code="HRK"
veris:victim:revenue:iso_currency_code="HTG"
HTG - Gourde
veris:victim:revenue:iso_currency_code="HUF"
HUF - Forint
veris:victim:revenue:iso_currency_code="IDR"
IDR - Rupiah
veris:victim:revenue:iso_currency_code="ILS"
veris:victim:revenue:iso_currency_code="IMP"
veris:victim:revenue:iso_currency_code="INR"
veris:victim:revenue:iso_currency_code="IQD"
veris:victim:revenue:iso_currency_code="IRR"
veris:victim:revenue:iso_currency_code="ISK"
veris:victim:revenue:iso_currency_code="JEP"
veris:victim:revenue:iso_currency_code="JMD"
veris:victim:revenue:iso_currency_code="JOD"
veris:victim:revenue:iso_currency_code="JPY"
JPY - Yen
veris:victim:revenue:iso_currency_code="KES"
veris:victim:revenue:iso_currency_code="KGS"
KGS - Som
veris:victim:revenue:iso_currency_code="KHR"
KHR - Riel
veris:victim:revenue:iso_currency_code="KMF"
veris:victim:revenue:iso_currency_code="KPW"
veris:victim:revenue:iso_currency_code="KRW"
veris:victim:revenue:iso_currency_code="KWD"
veris:victim:revenue:iso_currency_code="KYD"
veris:victim:revenue:iso_currency_code="KZT"
KZT - Tenge
veris:victim:revenue:iso_currency_code="LAK"
LAK - Kip
veris:victim:revenue:iso_currency_code="LBP"
veris:victim:revenue:iso_currency_code="LKR"
veris:victim:revenue:iso_currency_code="LRD"
veris:victim:revenue:iso_currency_code="LSL"
LSL - Loti
veris:victim:revenue:iso_currency_code="LTL"
veris:victim:revenue:iso_currency_code="LVL"
veris:victim:revenue:iso_currency_code="LYD"
veris:victim:revenue:iso_currency_code="MAD"
veris:victim:revenue:iso_currency_code="MDL"
veris:victim:revenue:iso_currency_code="MGA"
veris:victim:revenue:iso_currency_code="MKD"
MKD - Denar
veris:victim:revenue:iso_currency_code="MMK"
MMK - Kyat
veris:victim:revenue:iso_currency_code="MNT"
MNT - Tugrik
veris:victim:revenue:iso_currency_code="MOP"
MOP - Pataca
veris:victim:revenue:iso_currency_code="MRO"
MRO - Ouguiya
veris:victim:revenue:iso_currency_code="MUR"
veris:victim:revenue:iso_currency_code="MVR"
MVR - Rufiyaa
veris:victim:revenue:iso_currency_code="MWK"
MWK - Kwacha
veris:victim:revenue:iso_currency_code="MXN"
veris:victim:revenue:iso_currency_code="MYR"
veris:victim:revenue:iso_currency_code="MZN"
veris:victim:revenue:iso_currency_code="NAD"
veris:victim:revenue:iso_currency_code="NGN"
NGN - Naira
veris:victim:revenue:iso_currency_code="NIO"
veris:victim:revenue:iso_currency_code="NOK"
veris:victim:revenue:iso_currency_code="NPR"
veris:victim:revenue:iso_currency_code="NZD"
veris:victim:revenue:iso_currency_code="OMR"
veris:victim:revenue:iso_currency_code="PAB"
PAB - Balboa
veris:victim:revenue:iso_currency_code="PEN"
veris:victim:revenue:iso_currency_code="PGK"
PGK - Kina
veris:victim:revenue:iso_currency_code="PHP"
veris:victim:revenue:iso_currency_code="PKR"
veris:victim:revenue:iso_currency_code="PLN"
PLN - Zloty
veris:victim:revenue:iso_currency_code="PYG"
PYG - Guarani
veris:victim:revenue:iso_currency_code="QAR"
veris:victim:revenue:iso_currency_code="RON"
veris:victim:revenue:iso_currency_code="RSD"
veris:victim:revenue:iso_currency_code="RUB"
veris:victim:revenue:iso_currency_code="RWF"
veris:victim:revenue:iso_currency_code="SAR"
veris:victim:revenue:iso_currency_code="SBD"
veris:victim:revenue:iso_currency_code="SCR"
veris:victim:revenue:iso_currency_code="SDG"
veris:victim:revenue:iso_currency_code="SEK"
veris:victim:revenue:iso_currency_code="SGD"
veris:victim:revenue:iso_currency_code="SHP"
veris:victim:revenue:iso_currency_code="SLL"
SLL - Leone
veris:victim:revenue:iso_currency_code="SOS"
veris:victim:revenue:iso_currency_code="SPL"
veris:victim:revenue:iso_currency_code="SRD"
veris:victim:revenue:iso_currency_code="STD"
STD - Dobra
veris:victim:revenue:iso_currency_code="SVC"
veris:victim:revenue:iso_currency_code="SYP"
veris:victim:revenue:iso_currency_code="SZL"
SZL - Lilangeni
veris:victim:revenue:iso_currency_code="THB"
THB - Baht
veris:victim:revenue:iso_currency_code="TJS"
TJS - Somoni
veris:victim:revenue:iso_currency_code="TMT"
veris:victim:revenue:iso_currency_code="TND"
veris:victim:revenue:iso_currency_code="TOP"
TOP - Pa’anga
veris:victim:revenue:iso_currency_code="TRY"
veris:victim:revenue:iso_currency_code="TTD"
veris:victim:revenue:iso_currency_code="TVD"
veris:victim:revenue:iso_currency_code="TWD"
veris:victim:revenue:iso_currency_code="TZS"
veris:victim:revenue:iso_currency_code="UAH"
UAH - Hryvnia
veris:victim:revenue:iso_currency_code="UGX"
veris:victim:revenue:iso_currency_code="USD"
USD - US Dollar
veris:victim:revenue:iso_currency_code="UYU"
veris:victim:revenue:iso_currency_code="UZS"
veris:victim:revenue:iso_currency_code="VEF"
VEF - Bolivar
veris:victim:revenue:iso_currency_code="VND"
VND - Dong
veris:victim:revenue:iso_currency_code="VUV"
VUV - Vatu
veris:victim:revenue:iso_currency_code="WST"
WST - Tala
veris:victim:revenue:iso_currency_code="XAF"
veris:victim:revenue:iso_currency_code="XCD"
veris:victim:revenue:iso_currency_code="XDR"
veris:victim:revenue:iso_currency_code="XOF"
veris:victim:revenue:iso_currency_code="XPF"
veris:victim:revenue:iso_currency_code="YER"
veris:victim:revenue:iso_currency_code="ZAR"
veris:victim:revenue:iso_currency_code="ZMK"
veris:victim:revenue:iso_currency_code="ZWD"
attribute:availability:duration:unit
veris:attribute:availability:duration:unit="Days"
Days
veris:attribute:availability:duration:unit="Hours"
Hours
veris:attribute:availability:duration:unit="Minutes"
Minutes
veris:attribute:availability:duration:unit="Months"
Months
veris:attribute:availability:duration:unit="NA"
NA
veris:attribute:availability:duration:unit="Never"
Never
veris:attribute:availability:duration:unit="Seconds"
Seconds
veris:attribute:availability:duration:unit="Unknown"
Unknown
veris:attribute:availability:duration:unit="Weeks"
Weeks
veris:attribute:availability:duration:unit="Years"
Years
attribute:confidentiality:data:variety
veris:attribute:confidentiality:data:variety="Bank"
veris:attribute:confidentiality:data:variety="Classified"
Classified information
veris:attribute:confidentiality:data:variety="Copyrighted"
Copyrighted material
veris:attribute:confidentiality:data:variety="Credentials"
veris:attribute:confidentiality:data:variety="Digital certificate"
Digital certificate
veris:attribute:confidentiality:data:variety="Internal"
veris:attribute:confidentiality:data:variety="Medical"
Medical records
veris:attribute:confidentiality:data:variety="Other"
Other
veris:attribute:confidentiality:data:variety="Payment"
veris:attribute:confidentiality:data:variety="Personal"
veris:attribute:confidentiality:data:variety="Secrets"
Trade secrets
veris:attribute:confidentiality:data:variety="Source code"
Source code
veris:attribute:confidentiality:data:variety="System"
veris:attribute:confidentiality:data:variety="Unknown"
Unknown
veris:attribute:confidentiality:data:variety="Virtual currency"
Virtual currency
vocabulaire-des-probabilites-estimatives
vocabulaire-des-probabilites-estimatives namespace available in JSON format at
this location. The JSON format can be freely reused in your application or
automatically enabled in MISP taxonomy.
degré-de-probabilité
The following table assigns percentage values to certain statements of probability. The
percentages are taken from Sherman Kent's work entitled "Words of Estimative Probability",
published by the CIA's Centre for the Study of Intelligence in 1964. 0% expresses an impossibility
and 100% expresses a certainty.
vocabulaire-des-probabilites-estimatives:degré-de-probabilité="presque-aucune-chance"
Almost no chance - Virtually impossible, Almost impossible, Slim chance, Highly doubtful, Very
unlikely, Highly improbable, Improbable, Little chance - 7% (margin of error of about 5%)
vocabulaire-des-probabilites-estimatives:degré-de-probabilité="probablement-pas"
vocabulaire-des-probabilites-estimatives:degré-de-probabilité="chances-à-peu-près-egales"
Roughly even chance - one chance in two - 50% (margin of error of about 10%)
vocabulaire-des-probabilites-estimatives:degré-de-probabilité="probable"
vocabulaire-des-probabilites-estimatives:degré-de-probabilité="quasi-certaine"
Almost certain - Certain, Nearly certain, Highly probable - 93% (margin of error of about 6%)
workflow
workflow namespace available in JSON format at this location. The JSON format
can be freely reused in your application or automatically enabled in MISP
taxonomy.
The workflow support language is a common language that supports intelligence analysts in
performing their analysis on data and information.
todo
Todo items are the actions to be performed by one or more analysts to apply cognitive methods,
carry out evaluations, weight information, validate hypotheses, or complete additional tasks that
improve the overall information or data being tagged with a todo.
workflow:todo="expansion"
workflow:todo="review"
Additional review is required to reach a certain level of validation of the information tagged.
workflow:todo="review-for-privacy"
workflow:todo="review-before-publication"
workflow:todo="release-requested"
Release of the information tagged is requested (often after the review process).
workflow:todo="review-for-false-positive"
Review the information tagged to limit the number of false positives, and potentially remove any
IDS/automation flag so that the false positives are not propagated to automation.
workflow:todo="review-the-source-credibility"
Review the source credibility and add the corresponding marking, such as admiralty-scale, on the origin.
workflow:todo="add-missing-misp-galaxy-cluster-values"
Add any MISP galaxy cluster values that are missing for the information tagged.
workflow:todo="create-missing-misp-galaxy-cluster"
workflow:todo="create-missing-misp-galaxy-cluster-relationship"
Create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters).
workflow:todo="create-missing-misp-galaxy"
Create a missing MISP galaxy at large for the information tagged (e.g. a new category of malware
or activity).
workflow:todo="create-missing-relationship"
Create missing relationships for the information tagged (e.g. create a new relationship between
MISP objects).
workflow:todo="add-context"
workflow:todo="add-tagging"
workflow:todo="check-passive-dns-for-shared-hosting"
Check Passive DNS (or similar techniques) to review whether the information tagged is used within
shared hosting.
workflow:todo="review-classification"
Review the classification of the information tagged to ensure adequate marking of the information
before publication.
workflow:todo="review-the-grammar"
Review the grammar of the information tagged to improve the overall quality.
workflow:todo="do-not-delete"
workflow:todo="add-mitre-attack-cluster"
workflow:todo="additional-task"
Used to point to an additional task that cannot be described by the rest of the taxonomy and needs
to be done.
workflow:todo="create-event"
workflow:todo="preserve-evidence"
state
State describes the different states of the information or data being tagged.
workflow:state="incomplete"
Incomplete means that the information tagged is incomplete and could be completed by other
analysts, technical processes, or the analysts currently performing the analysis.
workflow:state="complete"
Complete means that the information tagged has reached a state of completeness given the current
capabilities of the analyst.
workflow:state="draft"
Draft means the information tagged can be released as a preliminary version or outline.
workflow:state="ongoing"
The analyst is currently working on this analysis. Remove the tag when there is no more work to be
done by the analyst.
Mapping of taxonomies
Analysts relying on taxonomies don't always know the appropriate namespace to use, but they do
know which value to use for classification. The MISP mapping taxonomy allows a single
classification to be mapped to a series of machine-tag synonyms.
Adware
veris:action:malware:variety="Adware"
malware_classification:malware-category="Adware"
ms-caro-malware:malware-type="Adware"
Brute Force
ecsirt:intrusion-attempts="brute-force"
veris:action:malware:variety="Brute force"
europol-event:brute-force-attempt
enisa:nefarious-activity-abuse="brute-force"
DDoS
rsit:availability="dos"
rsit:availability="ddos"
rsit:vulnerable="ddos-amplifier"
ecsirt:availability="ddos"
europol-incident:availability="dos-ddos"
ms-caro-malware:malware-type="DDoS"
circl:incident-classification="denial-of-service"
enisa:nefarious-activity-abuse="denial-of-service"
Downloader
veris:action:malware:variety="Downloader"
malware_classification:malware-category="Downloader"
SQLi
circl:incident-classification="sql-injection"
veris:action:malware:variety="SQL injection"
veris:action:hacking:variety="SQLi"
enisa:nefarious-activity-abuse="web-application-attacks-injection-attacks-code-injection-SQL-XSS"
europol-event:sql-injection
Spyware
veris:action:malware:variety="Spyware/Keylogger"
malware_classification:malware-category="Spyware"
ms-caro-malware:malware-type="Spyware"
enisa:nefarious-activity-abuse="spyware-or-deceptive-adware"
Trojan
malware_classification:malware-category="Trojan"
ms-caro-malware:malware-type="Trojan"
ecsirt:malicious-code="trojan"
Virus
malware_classification:malware-category="Virus"
ms-caro-malware:malware-type="Virus"
ecsirt:malicious-code="virus"
Worm
veris:action:malware:variety="Worm"
malware_classification:malware-category="Worm"
ms-caro-malware:malware-type="Worm"
ecsirt:malicious-code="worm"
backdoor
ecsirt:intrusions="backdoor"
veris:action:malware:variety="Backdoor"
ms-caro-malware:malware-type="Backdoor"
brute force
rsit:intrusion-attempts="brute-force"
ecsirt:intrusion-attempts="brute-force"
veris:action:malware:variety="Brute force"
europol-event:brute-force-attempt
enisa:nefarious-activity-abuse="brute-force"
c&c
rsit:malicious-code="c2-server"
ecsirt:malicious-code="c&c"
europol-incident:malware="c&c"
europol-event:c&c-server-hosting
veris:action:malware:variety="C2"
content
rsit:abusive-content="harmful-speech"
rsit:abusive-content="violence"
rsit:fraud="copyright"
rsit:fraud="masquerade"
exploit
rsit:intrusion-attempts="exploit"
veris:action:malware:variety="Exploit vuln"
ecsirt:intrusion-attempts="exploit"
europol-event:exploit
europol-incident:intrusion="exploitation-vulnerability"
ms-caro-malware:malware-type="Exploit"
Table 16. Mapping table - malware
malware
rsit:malicious-code="malware-distribution"
rsit:malicious-code="malware-configuration"
ecsirt:malicious-code="malware"
circl:incident-classification="malware"
other
rsit:other="other"
phishing
rsit:fraud="phishing"
circl:incident-classification="phishing"
ecsirt:fraud="phishing"
veris:action:social:variety="Phishing"
europol-incident:information-gathering="phishing"
enisa:nefarious-activity-abuse="phishing-attacks"
ransomware
ecsirt:malicious-code="ransomware"
enisa:nefarious-activity-abuse="ransomware"
malware_classification:malware-category="Ransomware"
ms-caro-malware:malware-type="Ransom"
veris:action:malware:variety="Ransomware"
rootkit
veris:action:malware:variety="Rootkit"
enisa:nefarious-activity-abuse="rootkits"
malware_classification:malware-category="Rootkit"
scan
rsit:information-gathering="scanner"
circl:incident-classification="scan"
ecsirt:information-gathering="scanner"
europol-incident:information-gathering="scanning"
scan network
veris:action:malware:variety="Scan network"
europol-event:network-scanning
spam
rsit:abusive-content="spam"
circl:incident-classification="spam"
ecsirt:abusive-content="spam"
enisa:nefarious-activity-abuse="spam"
europol-event:spam
europol-incident:abusive-content="spam"
veris:action:malware:variety="Spam"
veris:action:social:variety="Spam"
test
rsit:test="test"
tlp-amber
tlp:amber
iep:traffic-light-protocol="AMBER"
tlp-green
tlp:green
iep:traffic-light-protocol="GREEN"
tlp-red
tlp:red
iep:traffic-light-protocol="RED"
tlp-white
tlp:white
iep:traffic-light-protocol="WHITE"
xss
circl:incident-classification="XSS"
europol-event:xss
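As an added example that is not part of the MISP taxonomies document nor of the MISP project's own code: a small Python parser for the machine-tag syntax used throughout the mapping table above (namespace:predicate="value", where the namespace ends at the first colon and the value is double-quoted so it may contain colons, spaces or "&"), together with an index built from a constructed subset of that table which resolves any synonym tag back to its classification and expands a classification into all of its synonyms. It goes slightly beyond the table as printed by merging the page's "Brute Force" and "brute force" groups case-insensitively. The MachineTag, SynonymIndex, MAPPING and INDEX names are this example's own, and only part of the table is reproduced in MAPPING.

```python
"""Parse MISP machine tags and expand a classification into its synonyms.

Added example, not part of the MISP taxonomies document. MAPPING is a
constructed subset of the mapping table on the page; all names are this
example's own.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class MachineTag(NamedTuple):
    namespace: str
    predicate: str        # may itself contain ':' (e.g. veris 'action:malware:variety')
    value: Optional[str]  # None for two-part tags such as 'tlp:amber'

    def __str__(self) -> str:
        head = f"{self.namespace}:{self.predicate}"
        return head if self.value is None else f'{head}="{self.value}"'


# namespace : predicate [="value"]; the namespace ends at the first ':' and the
# value is double-quoted, so it may contain ':', '&' or spaces.
_TAG_RE = re.compile(
    r'^(?P<ns>[^:="\s]+):(?P<pred>[^="]+?)(?:="(?P<value>[^"]*)")?$'
)


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a machine tag into namespace, predicate and optional value."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return MachineTag(m.group("ns"), m.group("pred"), m.group("value"))


# Constructed subset of the page's mapping table. The page lists 'Brute Force'
# and 'brute force' as separate groups; SynonymIndex merges them.
MAPPING: Dict[str, List[str]] = {
    "Brute Force": [
        'ecsirt:intrusion-attempts="brute-force"',
        'veris:action:malware:variety="Brute force"',
        "europol-event:brute-force-attempt",
        'enisa:nefarious-activity-abuse="brute-force"',
    ],
    "DDoS": [
        'rsit:availability="dos"',
        'rsit:availability="ddos"',
        'rsit:vulnerable="ddos-amplifier"',
        'ecsirt:availability="ddos"',
        'europol-incident:availability="dos-ddos"',
        'ms-caro-malware:malware-type="DDoS"',
        'circl:incident-classification="denial-of-service"',
        'enisa:nefarious-activity-abuse="denial-of-service"',
    ],
    "brute force": [
        'rsit:intrusion-attempts="brute-force"',
        'ecsirt:intrusion-attempts="brute-force"',
        'veris:action:malware:variety="Brute force"',
        "europol-event:brute-force-attempt",
        'enisa:nefarious-activity-abuse="brute-force"',
    ],
    "c&c": [
        'rsit:malicious-code="c2-server"',
        'ecsirt:malicious-code="c&c"',
        'europol-incident:malware="c&c"',
        "europol-event:c&c-server-hosting",
        'veris:action:malware:variety="C2"',
    ],
    "tlp-amber": ["tlp:amber", 'iep:traffic-light-protocol="AMBER"'],
    "xss": ['circl:incident-classification="XSS"', "europol-event:xss"],
}


class SynonymIndex:
    """Two-way index: tag -> classification and classification -> tags."""

    def __init__(self, mapping: Dict[str, List[str]]) -> None:
        self._canonical: Dict[str, str] = {}            # lowercased name -> first-seen spelling
        self._groups: Dict[str, List[MachineTag]] = {}  # spelling -> parsed tags
        self._by_tag: Dict[MachineTag, str] = {}        # parsed tag -> spelling
        for name, tags in mapping.items():
            canon = self._canonical.setdefault(name.lower(), name)
            group = self._groups.setdefault(canon, [])
            for raw in tags:
                mt = parse_machine_tag(raw)
                if mt not in group:           # de-duplicate merged groups
                    group.append(mt)
                self._by_tag.setdefault(mt, canon)

    def classify(self, tag: str) -> Optional[str]:
        """Return the classification a tag belongs to, or None if unknown/unparseable."""
        try:
            return self._by_tag.get(parse_machine_tag(tag))
        except ValueError:
            return None

    def synonyms(self, classification: str) -> List[str]:
        """All machine tags of a classification (case-insensitive lookup)."""
        canon = self._canonical.get(classification.lower())
        return [str(t) for t in self._groups.get(canon, [])] if canon else []

    def expand(self, tag: str) -> List[str]:
        """All synonym tags of the group that contains the given tag."""
        canon = self.classify(tag)
        return self.synonyms(canon) if canon else []


INDEX = SynonymIndex(MAPPING)

if __name__ == "__main__":
    for tag in ('ecsirt:availability="ddos"', "tlp:amber", 'rsit:intrusion-attempts="brute-force"'):
        print(tag, "->", INDEX.classify(tag), INDEX.expand(tag))
```

Because the index keys on the parsed tuple rather than the raw string, tags that differ only in surrounding whitespace resolve identically, while a tag with an unquoted value (such as a:b=c) is rejected by the parser instead of being silently matched.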