misp-circl-feed/feeds/circl/stix-2.1/eb4ee171-8930-4c15-8917-9af8775417fb.json

{
"type": "bundle",
"id": "bundle--eb4ee171-8930-4c15-8917-9af8775417fb",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:20:04.000Z",
"modified": "2021-02-16T08:20:04.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--eb4ee171-8930-4c15-8917-9af8775417fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:20:04.000Z",
"modified": "2021-02-16T08:20:04.000Z",
"name": "CERT-FR report extended - sandworm intrusion set campaign targeting Centreon systems",
"published": "2021-02-16T08:20:12Z",
"object_refs": [
"x-misp-attribute--f978cd25-0c3e-439d-bf76-89816f091bd7",
"indicator--b5ef5f9d-f210-4eb8-bdf9-b1afb94652a8",
"indicator--407b6ae2-b350-49b4-84a3-c60706c3de45",
"indicator--9a2728e5-a907-4904-8067-9c373924678b",
"indicator--817b4025-2723-4ec0-9a81-5be8713c9504",
"indicator--daa160ad-5a32-45be-b252-8d23058982ab",
"indicator--78938c6b-8c68-4363-aa87-739e5869f753",
"indicator--3ece03fc-263e-4d22-b34f-fd2035ba23c2",
"indicator--aeb6cc44-bf59-4d86-a682-1f1515766bf6",
"x-misp-attribute--f769a073-b68f-4bc5-a69d-46b06d6e9e5d",
"indicator--740dbb6b-8b31-4195-9b51-09215b9bddfc",
"indicator--9bd1fa69-0f16-47e5-a523-3438b05453ce",
"indicator--c0b6e59d-fa31-4244-8c97-1409523e0099",
"indicator--17bc4c04-3561-421e-ada9-b4660c447caf",
"indicator--ab537f1f-febd-4758-938d-ca5cc46f9690",
"indicator--a93fa919-ce20-41f1-a187-98be6725ffa6",
"indicator--fd1f5f5b-df65-4bcf-b7f8-42d1a2170bb1",
"indicator--1ca2b37b-cd9c-43d3-a5de-4186a58324eb",
"indicator--19207a94-6676-4c81-8cd1-df9f23fc4afd",
"x-misp-object--ddbd7a0a-4e58-4a8d-bc5c-838f588a9dce"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:target-information=\"France\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"estimative-language:confidence-in-analytic-judgment=\"high\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"misp-galaxy:mitre-ics-groups=\"Sandworm\"",
"misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\"",
"misp-galaxy:threat-actor=\"ELECTRUM\"",
"misp-galaxy:threat-actor=\"Sandworm\"",
"misp-galaxy:threat-actor=\"TeleBots\"",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
"misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
"misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
"misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
"misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--f978cd25-0c3e-439d-bf76-89816f091bd7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:00:12.000Z",
"modified": "2021-02-16T08:00:12.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\"",
"misp:to_ids=\"True\"",
"DescriptionTechnique"
],
"x_misp_category": "Other",
"x_misp_comment": "Merged from event 82379",
"x_misp_type": "comment",
"x_misp_value": "Backdoors related to Sandworm"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b5ef5f9d-f210-4eb8-bdf9-b1afb94652a8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:01:12.000Z",
"modified": "2021-02-16T08:01:12.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210015; msg:\"P.A.S. webshell - passwd BruteForce form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"br=&brp%5B%5D=\"; http_client_body; fast_pattern; \\\r\n pcre:\"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/\"; http_client_body;)]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:01:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--407b6ae2-b350-49b4-84a3-c60706c3de45",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:02:03.000Z",
"modified": "2021-02-16T08:02:03.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210001; msg:\"P.A.S. webshell - Explorer - download file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fdw=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210002; msg:\"P.A.S. webshell - Explorer - copy file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fcf=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210003; msg:\"P.A.S. webshell - Explorer - move file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fm=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210004; msg:\"P.A.S. webshell - Explorer - del file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fd=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210005; msg:\"P.A.S. webshell - Explorer - multi file download\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fdwa=Download\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210006; msg:\"P.A.S. webshell - Explorer - multi file copy\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fca=Copy\"; http_client_body;)\r\n\r\nalert tcp any any -> any any ( sid:2000210007; msg:\"P.A.S. webshell - Explorer - multi file move\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fma=Move\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210008; msg:\"P.A.S. 
webshell - Explorer - multi file delete\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fda=Delete\"; http_client_body; ) \r\n\r\nalert tcp any any -> any any ( sid:2000210009; msg:\"P.A.S. webshell - Explorer - paste\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fbp=Paste\"; http_client_body; offset:0; )]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:02:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9a2728e5-a907-4904-8067-9c373924678b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:02:37.000Z",
"modified": "2021-02-16T08:02:37.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210000; msg:\"P.A.S. webshell - Response Footer\"; \\\r\n flow:to_client,established; content:\"200\"; http_stat_code; \\\r\n file_data; content:\"<fieldset class=\\\"footer\\\"><table width=\\\"100%\\\" border=\\\"0\\\"><tr><td>P.A.S. v\";)]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:02:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--817b4025-2723-4ec0-9a81-5be8713c9504",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:03:00.000Z",
"modified": "2021-02-16T08:03:00.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210012; msg:\"P.A.S. webshell - Network Tools - Bind Port\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"pb=\"; offset:0; http_client_body; \\\r\n pcre:\"/pb=[0-9]{1,5}&nt=bp/\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210013; msg:\"P.A.S. webshell - Network Tools - Back-connect\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"hbc=\"; offset:0; http_client_body; \\\r\n pcre:\"/hbc=[a-z0-9.-]{4,63}&pbc=[0-9]{1,5}&nt=bc/\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210014; msg:\"P.A.S. webshell - Network Tools - Port scanner\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"hs=\"; offset:0; http_client_body; \\\r\n pcre:\"/hs=[a-z0-9.-]{4,63}&pf=[0-9]{1,5}&pl=[0-9]{1,5}&sc=[0-9]{1,5}&nt=ps/\"; )]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:03:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--daa160ad-5a32-45be-b252-8d23058982ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:03:22.000Z",
"modified": "2021-02-16T08:03:22.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000211001; msg:\"P.A.S. webshell - Password cookie\"; \\\r\n flow:established; content:\"g__g_=\"; http_cookie; offset:0; )\r\n \r\nalert tcp any any -> any any ( sid:2000211002; msg:\"P.A.S. webshell - Password form var\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"g__g_=\"; http_cookie; http_client_body; offset:0; )]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:03:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--78938c6b-8c68-4363-aa87-739e5869f753",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:03:43.000Z",
"modified": "2021-02-16T08:03:43.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210016; msg:\"P.A.S. webshell - Bind shell session\"; \\\r\n content:\"Hello from P.A.S. Bind Port\"; )\r\n\r\nalert tcp any any -> any any ( sid:2000210017; msg:\"P.A.S. webshell - Reverse shell session\"; \\\r\n content:\"Hello from P.A.S. BackConnect\"; )]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:03:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3ece03fc-263e-4d22-b34f-fd2035ba23c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:04:03.000Z",
"modified": "2021-02-16T08:04:03.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210010; msg:\"P.A.S. webshell - Searcher form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fsr=\"; offset:0; fast_pattern; \\\r\n pcre:\"/fe=&fsr=[0-2]&fst=[0-2]&fsn=(\\*|[A-Za-z0-9 *._%-]+)&fsp=[A-Za-z0-9 *._%-]+&fs=%3E&fss=.*/\";)]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:04:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--aeb6cc44-bf59-4d86-a682-1f1515766bf6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:04:27.000Z",
"modified": "2021-02-16T08:04:27.000Z",
"pattern": "[alert tcp any any -> any any ( sid:2000210011; msg:\"P.A.S. webshell - SQL-client connect parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"sc%5Btp%5D=\"; offset:0; http_client_body; fast_pattern; \\\r\n pcre:\"/sc%5Btp%5D=(mysql|mssql|pg)&sc%5Bha%5D=/\"; http_client_body;)]",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:04:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--f769a073-b68f-4bc5-a69d-46b06d6e9e5d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:18:36.000Z",
"modified": "2021-02-16T08:18:36.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Centreon"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--740dbb6b-8b31-4195-9b51-09215b9bddfc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:00:12.000Z",
"modified": "2021-02-16T08:00:12.000Z",
"description": "Linux/Exaramel backdoor",
"pattern": "[file:hashes.MD5 = '92ef0aaf5f622b1253e5763f11a08857' AND file:hashes.SHA1 = 'a739f44390037b3d0a3942cd43d161a7c45fd7e7' AND file:hashes.SHA256 = 'e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146' AND file:name = 'centreon_module_linux_app64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:00:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cossi:fiabilite=\"Bonne\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9bd1fa69-0f16-47e5-a523-3438b05453ce",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:00:12.000Z",
"modified": "2021-02-16T08:00:12.000Z",
"description": "P.A.S. webshell with LF lines",
"pattern": "[file:hashes.MD5 = '84837778682450cdca43d1397afd2310' AND file:hashes.SHA1 = 'c69db1b120d21bd603f13006d87e817fed016667' AND file:hashes.SHA256 = '893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc' AND file:name = 'search.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:00:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cossi:fiabilite=\"Bonne\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c0b6e59d-fa31-4244-8c97-1409523e0099",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:00:12.000Z",
"modified": "2021-02-16T08:00:12.000Z",
"description": "P.A.S. webshell with CRLF lines",
"pattern": "[file:hashes.MD5 = 'a89251cd4c15909a8e15256ead40584e' AND file:hashes.SHA1 = 'b7afb8c91f8f9df4f18764c25251576a0f8bef6f' AND file:hashes.SHA256 = '928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa' AND file:name = 'DB-Drop.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:00:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cossi:fiabilite=\"Bonne\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--17bc4c04-3561-421e-ada9-b4660c447caf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:00:12.000Z",
"modified": "2021-02-16T08:00:12.000Z",
"description": "SetUID Binary",
"pattern": "[file:hashes.MD5 = '9885fcdda12167b2f598b2d22de07d5b' AND file:hashes.SHA1 = '5a58e46e5b8f468445f848f8eca741eddebcef3e' AND file:hashes.SHA256 = 'ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a' AND file:name = '/bin/backup']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:00:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cossi:fiabilite=\"Bonne\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ab537f1f-febd-4758-938d-ca5cc46f9690",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:05:55.000Z",
"modified": "2021-02-16T08:05:55.000Z",
"pattern": "/* configuration file */\r\n\r\nrule exaramel_configuration_key {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Encryption key for the configuration file in sample e1ff72[...]\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = \\\\\"odhyrfjcnfkdtslt\\\\\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_name_encrypted {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Name of the configuration file in sample e1ff72[...]\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = \\\\\"configtx.json\\\\\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_file_plaintext {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Content of the configuration file (plaintext)\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = /{\\\\\"Hosts\\\\\":\\\\[\\\\\".{10,512}\\\\\"\\\\],\\\\\"Proxy\\\\\":\\\\\".{0,512}\\\\\",\\\\\"Version\\\\\":\\\\\".{1,32}\\\\\",\\\\\"Guid\\\\\":\\\\\"/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_configuration_file_ciphertext {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Content of the configuration file (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = {6F B6 08 E9 A3 0C 8D 5E DD BE D4} // encrypted with key odhyrfjcnfkdtslt\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\n/* persistence */\r\n\r\nprivate rule exaramel_persistence_file_systemd {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Beginning of the file /etc/systemd/system/syslogd.service created for persistence with systemd\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = /\\\\[Unit\\\\]\\\\nDescription=Syslog 
daemon\\\\n\\\\n\\\\[Service\\\\]\\\\nWorkingDirectory=.{1,512}\\\\nExecStartPre=\\\\/bin\\\\/rm \\\\-f \\\\/tmp\\\\/\\\\.applocktx\\\\n/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nprivate rule exaramel_persistence_file_upstart {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Part of the file /etc/init/syslogd.conf created for persistence with upstart\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = /start on runlevel \\\\[2345\\\\]\\\\nstop on runlevel \\\\[06\\\\]\\\\n\\\\nrespawn\\\\n\\\\nscript\\\\nrm \\\\-f \\\\/tmp\\\\/\\\\.applocktx\\\\nchdir/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nprivate rule exaramel_persistence_file_systemv {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Part of the file /etc/init.d/syslogd created for persistence with upstart\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = \\\\\"# Short-Description: Syslog service for monitoring \\\\n### END INIT INFO\\\\n\\\\nrm -f /tmp/.applocktx && cd \\\\\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_persistence_file {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"File created for persistence. 
Depends on the environment\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tcondition:\r\n\t\texaramel_persistence_file_systemd or exaramel_persistence_file_upstart or exaramel_persistence_file_systemv\r\n}\r\n\r\n/* misc */\r\n\r\nrule exaramel_socket_path {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Path of the unix socket created to prevent concurrent executions\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = \\\\\"/tmp/.applocktx\\\\\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule exaramel_task_names {\r\n\r\n\tmeta:\r\n\t\tauthor = \\\\\"FR/ANSSI/SDO\\\\\"\r\n\t\tdescription = \\\\\"Name of the tasks received by the CC\\\\\"\r\n\t\tTLP = \\\\\"White\\\\\"\r\n\r\n\tstrings:\r\n\t\t$ = \\\\\"App.Delete\\\\\"\r\n\t\t$ = \\\\\"App.SetServer\\\\\"\r\n\t\t$ = \\\\\"App.SetProxy\\\\\"\r\n\t\t$ = \\\\\"App.SetTimeout\\\\\"\r\n\t\t$ = \\\
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:05:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a93fa919-ce20-41f1-a187-98be6725ffa6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:06:43.000Z",
"modified": "2021-02-16T08:06:43.000Z",
"pattern": "rule PAS_webshell {\r\n\r\n meta:\r\n author = \\\\\"FR/ANSSI/SDO\\\\\"\r\n description = \\\\\"Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-2029 (Grizzly Steppe)\\\\\"\r\n TLP = \\\\\"White\\\\\"\r\n\r\n strings:\r\n\r\n $php = \\\\\"<?php\\\\\"\r\n $base64decode = /=\\'base\\'\\\\.\\\\(\\\\d+(\\\\*|\\\\/)\\\\d+\\\\)\\\\.\\'_de\\'\\\\.\\'code\\'/\r\n $strreplace = \\\\\"(str_replace(\\\\\"\r\n $md5 = \\\\\".substr(md5(strrev($\\\\\" nocase\r\n $gzinflate = \\\\\"gzinflate\\\\\"\r\n $cookie = \\\\\"_COOKIE\\\\\"\r\n $isset = \\\\\"isset\\\\\"\r\n\r\n condition:\r\n\r\n (filesize > 20KB and filesize < 200KB) and\r\n #cookie == 2 and\r\n #isset == 3 and\r\n all of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:06:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fd1f5f5b-df65-4bcf-b7f8-42d1a2170bb1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:07:36.000Z",
"modified": "2021-02-16T08:07:36.000Z",
"pattern": "rule PAS_webshell_PerlNetworkScript {\r\n\r\n meta:\r\n author = \\\\\"FR/ANSSI/SDO\\\\\"\r\n description = \\\\\"Detects PERL scripts created by P.A.S. webshell to supports network functionnalities\\\\\"\r\n TLP = \\\\\"White\\\\\"\r\n\r\n strings:\r\n $pl_start = \\\\\"#!/usr/bin/perl\\\\n$SIG{\\'CHLD\\'}=\\'IGNORE\\'; use IO::Socket; use FileHandle;\\\\\"\r\n $pl_status = \\\\\"$o=\\\\\\\\\" [OK]\\\\\\\\\";$e=\\\\\\\\\" Error: \\\\\\\\\"\\\\\"\r\n $pl_socket = \\\\\"socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print \\\\\\\\\"$l$e$!$l\\\\\"\r\n\r\n $msg1 = \\\\\"print \\\\\\\\\"$l OK! I\\\\\\\\\\'m successful connected.$l\\\\\\\\\"\\\\\"\r\n $msg2 = \\\\\"print \\\\\\\\\"$l OK! I\\\\\\\\\\'m accept connection.$l\\\\\\\\\"\\\\\"\r\n\r\n condition:\r\n filesize < 6000 and\r\n ($pl_start at 0 and all of ($pl*)) or\r\n any of ($msg*)\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:07:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1ca2b37b-cd9c-43d3-a5de-4186a58324eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:08:07.000Z",
"modified": "2021-02-16T08:08:07.000Z",
"pattern": "rule PAS_webshell_SQLDumpFile {\r\n\r\n meta:\r\n author = \\\\\"FR/ANSSI/SDO\\\\\"\r\n description = \\\\\"Detects SQL dump file created by P.A.S. webshell\\\\\"\r\n TLP = \\\\\"White\\\\\"\r\n\r\n strings:\r\n $ = \\\\\"-- [ SQL Dump created by P.A.S. ] --\\\\\"\r\n\r\n condition:\r\n all of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:08:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--19207a94-6676-4c81-8cd1-df9f23fc4afd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:08:49.000Z",
"modified": "2021-02-16T08:08:49.000Z",
"pattern": "rule PAS_webshell_ZIPArchiveFile {\r\n\r\n meta:\r\n author = \\\\\"FR/ANSSI/SDO\\\\\"\r\n description = \\\\\"Detects an archive file created by P.A.S. for download operation\\\\\"\r\n TLP = \\\\\"White\\\\\"\r\n\r\n strings:\r\n $ = /Archive created by P\\\\.A\\\\.S\\\\. v.{1,30}\\\\nHost: : .{1,200}\\\\nDate : [0-9]{1,2}-[0-9]{1,2}-[0-9]{4}/\r\n\r\n condition:\r\n all of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-02-16T08:08:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ddbd7a0a-4e58-4a8d-bc5c-838f588a9dce",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-16T08:13:30.000Z",
"modified": "2021-02-16T08:13:30.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-002/",
"category": "External analysis",
"uuid": "ae39afb5-bc43-43bb-8334-38a67dc00205"
},
{
"type": "link",
"object_relation": "link",
"value": "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-004/",
"category": "External analysis",
"uuid": "07000b9e-35ef-438d-aa91-b3510ade46e9"
},
{
"type": "text",
"object_relation": "summary",
"value": "The following indicators, SNORT rules and YARA rules are from ANSSI\u2019s analysis of an intrusion campaign targeting the monitoring software Centreon, attributed to the intrusion set Sandworm, which resulted in the breach of several French entities. This intrusion campaign is described in the following report CERTFR-2021-CTI-005. These technical elements are provided to help detect malicious activities in logs, on systems and inside live network traffic. A detection with these elements cannot be considered proof of intrusion and should be investigated to confirm. Some elements detect tools shared between several attackers, so their detection is not sufficient to link an intrusion to this campaign. ANSSI is interested in every incident discovered and linked to this campaign.",
"category": "Other",
"uuid": "4efc79c7-3d3b-4875-b1d4-e142d1f853e9"
},
{
"type": "attachment",
"value": "CERTFR-2021-CTI-004.pdf",
"object_relation": "report-file",
"category": "External analysis",
"uuid": "c5cf2d0e-8598-4e73-bf04-8057fa985c91",
"data": "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
},
{
"type": "text",
"object_relation": "case-number",
"value": "CERTFR-2021-CTI-004",
"category": "Other",
"uuid": "08ac3f99-4fb5-4a67-b03b-7238bc17a1c8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}