653 lines
27 KiB
JSON
653 lines
27 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--56580480-2738-4888-98be-b742950d210b",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:16:15.000Z",
|
||
|
"modified": "2015-11-27T08:16:15.000Z",
|
||
|
"name": "CthulhuSPRL.be",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--56580480-2738-4888-98be-b742950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:16:15.000Z",
|
||
|
"modified": "2015-11-27T08:16:15.000Z",
|
||
|
"name": "OSINT Expansion on APT-28 - Evolving Threats: dissection of a Cyber-Espionage attack",
|
||
|
"published": "2016-07-11T14:11:38Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--565804a4-6bc8-4dbb-88c4-4b02950d210b",
|
||
|
"x-misp-attribute--565804a4-5b60-4e42-a2db-4a6c950d210b",
|
||
|
"x-misp-attribute--565804a5-7c14-4b8f-8ad5-40cc950d210b",
|
||
|
"indicator--565804d5-38bc-4e6e-9cc0-b791950d210b",
|
||
|
"indicator--565804d6-aa04-48b1-99ee-b791950d210b",
|
||
|
"indicator--565804d6-f130-4582-8c10-b791950d210b",
|
||
|
"indicator--565804d7-4408-4786-b006-b791950d210b",
|
||
|
"indicator--565804d7-d8f4-4eba-a35a-b791950d210b",
|
||
|
"indicator--565804d8-a4fc-4721-8b3a-b791950d210b",
|
||
|
"indicator--565804d8-e720-4012-b480-b791950d210b",
|
||
|
"indicator--565804d9-6174-41e1-a430-b791950d210b",
|
||
|
"indicator--565804d9-df2c-490e-95fb-b791950d210b",
|
||
|
"indicator--565804da-08a8-40f5-9bd1-b791950d210b",
|
||
|
"indicator--565804da-f894-4f3d-8fed-b791950d210b",
|
||
|
"observed-data--5658050b-9fe8-45be-bf50-b742950d210b",
|
||
|
"url--5658050b-9fe8-45be-bf50-b742950d210b",
|
||
|
"observed-data--5658050c-3aec-4100-b938-b742950d210b",
|
||
|
"url--5658050c-3aec-4100-b938-b742950d210b",
|
||
|
"indicator--565805ba-f6fc-43db-90bb-b376950d210b",
|
||
|
"indicator--565805bc-f64c-4cc5-b5a3-b376950d210b",
|
||
|
"indicator--565805bc-10fc-4f47-a3a9-b376950d210b",
|
||
|
"indicator--565805bd-6630-4743-ba10-b376950d210b",
|
||
|
"indicator--565805bd-4320-414c-9afd-b376950d210b",
|
||
|
"x-misp-attribute--56581095-fba8-4c69-bd27-b376950d210b",
|
||
|
"x-misp-attribute--565810e0-b624-4b74-9335-401f950d210b",
|
||
|
"indicator--5658114d-bc94-4a40-8080-485d950d210b",
|
||
|
"indicator--5658114e-9a4c-4fac-92a3-4868950d210b",
|
||
|
"indicator--5658114e-1b48-4304-87ec-4fc9950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--565804a4-6bc8-4dbb-88c4-4b02950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:22:12.000Z",
|
||
|
"modified": "2015-11-27T07:22:12.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "APT28"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--565804a4-5b60-4e42-a2db-4a6c950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:22:12.000Z",
|
||
|
"modified": "2015-11-27T07:22:12.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Sednit"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--565804a5-7c14-4b8f-8ad5-40cc950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:22:13.000Z",
|
||
|
"modified": "2015-11-27T07:22:13.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Sofacy"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d5-38bc-4e6e-9cc0-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:01.000Z",
|
||
|
"modified": "2015-11-27T07:23:01.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[domain-name:value = 'microsofthelpcenter.info']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d6-aa04-48b1-99ee-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:02.000Z",
|
||
|
"modified": "2015-11-27T07:23:02.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[domain-name:value = '1oo7.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d6-f130-4582-8c10-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:02.000Z",
|
||
|
"modified": "2015-11-27T07:23:02.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[domain-name:value = 'microsoftdriver.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d7-4408-4786-b006-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:03.000Z",
|
||
|
"modified": "2015-11-27T07:23:03.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.125.74']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d7-d8f4-4eba-a35a-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:03.000Z",
|
||
|
"modified": "2015-11-27T07:23:03.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.172.12.133']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d8-a4fc-4721-8b3a-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:04.000Z",
|
||
|
"modified": "2015-11-27T07:23:04.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.64.105.23']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d8-e720-4012-b480-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:04.000Z",
|
||
|
"modified": "2015-11-27T07:23:04.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.112.10']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d9-6174-41e1-a430-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:05.000Z",
|
||
|
"modified": "2015-11-27T07:23:05.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.96.178']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804d9-df2c-490e-95fb-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:05.000Z",
|
||
|
"modified": "2015-11-27T07:23:05.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.236.215.13']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804da-08a8-40f5-9bd1-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:06.000Z",
|
||
|
"modified": "2015-11-27T07:23:06.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.19.138.66']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565804da-f894-4f3d-8fed-b791950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:06.000Z",
|
||
|
"modified": "2015-11-27T07:23:06.000Z",
|
||
|
"description": "CnC list paragraph",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.199.171.58']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:23:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5658050b-9fe8-45be-bf50-b742950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:55.000Z",
|
||
|
"modified": "2015-11-27T07:23:55.000Z",
|
||
|
"first_observed": "2015-11-27T07:23:55Z",
|
||
|
"last_observed": "2015-11-27T07:23:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5658050b-9fe8-45be-bf50-b742950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5658050b-9fe8-45be-bf50-b742950d210b",
|
||
|
"value": "http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5658050c-3aec-4100-b938-b742950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:23:56.000Z",
|
||
|
"modified": "2015-11-27T07:23:56.000Z",
|
||
|
"first_observed": "2015-11-27T07:23:56Z",
|
||
|
"last_observed": "2015-11-27T07:23:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5658050c-3aec-4100-b938-b742950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5658050c-3aec-4100-b938-b742950d210b",
|
||
|
"value": "https://github.com/gasgas4/APTnotes/blob/master/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565805ba-f6fc-43db-90bb-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:26:50.000Z",
|
||
|
"modified": "2015-11-27T07:26:50.000Z",
|
||
|
"description": "Combing through screenshots",
|
||
|
"pattern": "[domain-name:value = 'militaryexponews.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:26:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565805bc-f64c-4cc5-b5a3-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:26:52.000Z",
|
||
|
"modified": "2015-11-27T07:26:52.000Z",
|
||
|
"description": "Combing through screenshots",
|
||
|
"pattern": "[domain-name:value = 'irwing.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:26:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565805bc-10fc-4f47-a3a9-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:26:52.000Z",
|
||
|
"modified": "2015-11-27T07:26:52.000Z",
|
||
|
"description": "Combing through screenshots",
|
||
|
"pattern": "[domain-name:value = 'eservicesystems.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:26:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565805bd-6630-4743-ba10-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:26:53.000Z",
|
||
|
"modified": "2015-11-27T07:26:53.000Z",
|
||
|
"description": "Combing through screenshots",
|
||
|
"pattern": "[domain-name:value = 'windowsappstore.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:26:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--565805bd-4320-414c-9afd-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T07:26:53.000Z",
|
||
|
"modified": "2015-11-27T07:26:53.000Z",
|
||
|
"description": "Combing through screenshots",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '131.72.136.10']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T07:26:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--56581095-fba8-4c69-bd27-b376950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:13:09.000Z",
|
||
|
"modified": "2015-11-27T08:13:09.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Additional IOCs found combing through screenshots & using threatCrowd.org"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--565810e0-b624-4b74-9335-401f950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:14:24.000Z",
|
||
|
"modified": "2015-11-27T08:14:24.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
],
|
||
|
"x_misp_category": "Network activity",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "GET to URLs containing the follwoing tokens: /find/?itwm= &from= &utm= &oprnd= &from=\r\nPOST to URLs containing the follwoing tokens: /open/?ags= &ags= &oprnd= &channel= &itwm="
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5658114d-bc94-4a40-8080-485d950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:16:13.000Z",
|
||
|
"modified": "2015-11-27T08:16:13.000Z",
|
||
|
"description": "Resolution of domain irwing.org",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '204.12.244.58']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T08:16:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5658114e-9a4c-4fac-92a3-4868950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:16:14.000Z",
|
||
|
"modified": "2015-11-27T08:16:14.000Z",
|
||
|
"description": "Resolution of domain irwing.org",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.200.17.202']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T08:16:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5658114e-1b48-4304-87ec-4fc9950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-27T08:16:14.000Z",
|
||
|
"modified": "2015-11-27T08:16:14.000Z",
|
||
|
"description": "Resolution of domain irwing.org",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.200.17.53']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-11-27T08:16:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:GREEN",
|
||
|
"definition": {
|
||
|
"tlp": "green"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|