2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-12-14 14:30:15 +00:00
|
|
|
"Event": {
|
|
|
|
"analysis": "2",
|
|
|
|
"date": "2017-10-22",
|
|
|
|
"extends_uuid": "",
|
|
|
|
"info": "OSINT - US CERT TA17-293A report - renamed PsExec execution (sigma/SIEM ruleset)",
|
|
|
|
"publish_timestamp": "1508679034",
|
|
|
|
"published": true,
|
|
|
|
"threat_level_id": "2",
|
|
|
|
"timestamp": "1508677312",
|
|
|
|
"uuid": "59ec91ee-ae0c-4d5a-b149-4c0d02de0b81",
|
|
|
|
"Orgc": {
|
|
|
|
"name": "CIRCL",
|
|
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
|
|
},
|
|
|
|
"Tag": [
|
|
|
|
{
|
|
|
|
"colour": "#ffffff",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "tlp:white",
|
|
|
|
"relationship_type": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"colour": "#0088cc",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "misp-galaxy:mitre-intrusion-set=\"Dragonfly\"",
|
|
|
|
"relationship_type": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"colour": "#12e200",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "misp-galaxy:threat-actor=\"Energetic Bear\"",
|
|
|
|
"relationship_type": ""
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Artifacts dropped",
|
|
|
|
"comment": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1508676127",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sigma",
|
|
|
|
"uuid": "59ec921f-60d4-4693-8c63-43ad02de0b81",
|
|
|
|
"value": "title: Ps.exe Renamed SysInternals Tool\r\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report\r\nreference: https://www.us-cert.gov/ncas/alerts/TA17-293A\r\nauthor: Florian Roth\r\ndate: 2017/10/22\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID: 1\r\n CommandLine: 'ps.exe -accepteula'\r\n condition: selection\r\nfalsepositives:\r\n - Renamed SysInternals tool\r\nlevel: high"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1508676162",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "59ec9242-cfcc-4634-8fca-416c02de0b81",
|
|
|
|
"value": "https://github.com/Neo23x0/sigma/blob/801d739a3ba81b9b080efe33aea52c6893790853/rules/apt/apt_ta17_293a_ps.yml"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1508676231",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "59ec9287-bc74-4c24-8c98-495c02de0b81",
|
|
|
|
"value": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
2023-12-14 14:30:15 +00:00
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
}
|