misp-circl-feed/feeds/circl/misp/59ec91ee-ae0c-4d5a-b149-4c0d02de0b81.json

72 lines
2.7 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2017-10-22",
"extends_uuid": "",
"info": "OSINT - US CERT TA17-293A report - renamed PsExec execution (sigma/SIEM ruleset)",
"publish_timestamp": "1508679034",
"published": true,
"threat_level_id": "2",
"timestamp": "1508677312",
"uuid": "59ec91ee-ae0c-4d5a-b149-4c0d02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-intrusion-set=\"Dragonfly\"",
"relationship_type": ""
},
{
"colour": "#12e200",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:threat-actor=\"Energetic Bear\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508676127",
"to_ids": true,
"type": "sigma",
"uuid": "59ec921f-60d4-4693-8c63-43ad02de0b81",
"value": "title: Ps.exe Renamed SysInternals Tool\r\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report\r\nreference: https://www.us-cert.gov/ncas/alerts/TA17-293A\r\nauthor: Florian Roth\r\ndate: 2017/10/22\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID: 1\r\n CommandLine: 'ps.exe -accepteula'\r\n condition: selection\r\nfalsepositives:\r\n - Renamed SysInternals tool\r\nlevel: high"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508676162",
"to_ids": false,
"type": "link",
"uuid": "59ec9242-cfcc-4634-8fca-416c02de0b81",
"value": "https://github.com/Neo23x0/sigma/blob/801d739a3ba81b9b080efe33aea52c6893790853/rules/apt/apt_ta17_293a_ps.yml"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508676231",
"to_ids": false,
"type": "link",
"uuid": "59ec9287-bc74-4c24-8c98-495c02de0b81",
"value": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}