Missing malware SDO #74
Hey all,

So I might be missing something here, but it seems there is an SRO that refers to a malware SDO that isn't in the repo. Appreciate that it could refer to an object in another repo, but it doesn't seem intentional, so just thought I would let you know it was missing.

Details:

relationship--53364899-1ea5-47fa-afde-c210aed64120: intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12 uses malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878

The intrusion set is Dark Caracal and the relationship has a reference to the Lookout report:

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

There are a few references to different malware in that report so I'd need to do a fair bit of reverse engineering through the rest of the data set to figure out what is missing...hoping that someone at your end might be able to fill in the gaps rather than spending time on that?

Thanks,
Chris

Comments

Hi @cobsec, Thank you for pointing out the issue. It stems from the odd behavior of cross-domain objects. The malware in question (malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878, AKA Pallas or S0399) is in the mobile domain, while Dark Caracal is in both mobile and enterprise. For some reason there's a relationship targeting Pallas from the enterprise domain even though the object doesn't exist in that domain. This is probably a bug from our internal systems: we assign domains for groups, software and mitigations based on their relationships with techniques (which inherently have domains, unlike groups, software and mitigations). I'll look into how this came about in our internal systems. In the meantime, you can find the data for Pallas in the mobile domain here.

@isaisabel thanks for getting back to me. Ah, that makes sense! Confirmed I'm only working with the enterprise data set at the moment. Certainly not a blocker for me as I plan to expand out to all data sets in future anyway, so having cross-domain references is totally fine. I'd go so far as to say it is perfectly good behaviour for STIX datasets, but if it's something that shouldn't happen for your dissemination approach, then glad I could help. For what it's worth, I'm pretty sure that the way I'm checking this is holistic, so this should be the only instance of an external reference in the enterprise dataset...at least, assuming I didn't do something weird. xD

Just checking in to note that this bug is still present in the v7.0 release. We still need to track down the cause.

Hi @cobsec, This has been fixed in ATT&CK v7.1. There were a few other occurrences of this bug which are noted in the update log.
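A dangling-reference check of the kind the reporter describes, as an added example that is not part of this issue or of the ATT&CK project's own tooling. It works on plain STIX 2 bundle JSON with no third-party dependencies. The two bundles are constructed sample data: only the three object IDs quoted in the issue are real, every other object, name and bundle ID is made up. The check walks every relationship, resolves both source_ref and target_ref against the bundle index, and reports any endpoint that is not present; merging the mobile bundle (where Pallas actually lives) into the same index then makes the reference resolve, which is the cross-domain behaviour discussed above.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample bundles (not ATT&CK data). The intrusion-set, malware and
# relationship IDs are the ones quoted in the issue; everything else is made up.
ENTERPRISE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set",
         "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
         "name": "Dark Caracal"},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000aa",
         "name": "Example technique (made up)"},
        # The relationship from the issue: its target is not in this bundle.
        {"type": "relationship",
         "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
         "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878"},
        # A well-formed relationship whose endpoints are both present.
        {"type": "relationship",
         "id": "relationship--00000000-0000-4000-8000-0000000000bb",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000aa"},
    ],
})

MOBILE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000002",
    "objects": [
        {"type": "malware",
         "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
         "name": "Pallas"},
    ],
})


def load_objects(*bundles: str) -> Dict[str, dict]:
    """Index every object from one or more STIX bundle JSON strings by id.

    Passing several bundles merges the domains into one index, which is how
    a cross-domain reference is resolved.
    """
    index: Dict[str, dict] = {}
    for raw in bundles:
        bundle = json.loads(raw)
        if bundle.get("type") != "bundle":
            raise ValueError("not a STIX bundle")
        for obj in bundle.get("objects", []):
            index[obj["id"]] = obj
    return index


def dangling_refs(index: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (relationship id, field, unresolved id) for every SRO endpoint
    that does not resolve to an object in the index.

    Both source_ref and target_ref are checked. Resolution is purely by id,
    so an object supplied from another domain's bundle satisfies the check.
    """
    missing: List[Tuple[str, str, str]] = []
    for obj in index.values():
        if obj.get("type") != "relationship":
            continue
        for field in ("source_ref", "target_ref"):
            ref = obj.get(field, "")
            if ref not in index:
                missing.append((obj["id"], field, ref))
    return missing


if __name__ == "__main__":
    for rel_id, field, ref in dangling_refs(load_objects(ENTERPRISE_BUNDLE)):
        print(f"{rel_id}: {field} -> {ref} is not in the enterprise bundle")
    merged = dangling_refs(load_objects(ENTERPRISE_BUNDLE, MOBILE_BUNDLE))
    print(f"after merging the mobile bundle: {len(merged)} dangling reference(s)")
```

Run against the real enterprise-attack.json the same function lists every relationship whose endpoint lives in another domain (or nowhere), which is the "holistic" check the reporter mentions; running it over the enterprise and mobile bundles loaded together separates genuine cross-domain references from objects that are missing everywhere.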