2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--761270e6-3a97-4c18-9a44-a844cb5b562b" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-10-24T09:22:25.000Z" ,
"modified" : "2022-10-24T09:22:25.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--761270e6-3a97-4c18-9a44-a844cb5b562b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-10-24T09:22:25.000Z" ,
"modified" : "2022-10-24T09:22:25.000Z" ,
"name" : "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free" ,
"published" : "2022-10-24T09:22:35Z" ,
"object_refs" : [
"vulnerability--efce45a5-d17b-4da7-8e4a-02cc68b78064" ,
"indicator--00352f55-b2a8-4eb0-b764-9ce328ce4e81" ,
"indicator--6fba8d44-4605-4a77-aec4-ead4519463bf" ,
"indicator--9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6" ,
"indicator--a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164" ,
"indicator--892a5cd0-0395-4491-b996-8d45fb4ac7cf" ,
"indicator--6549b64d-0f09-4813-b9eb-31ccdb09f9de" ,
"x-misp-object--62263df7-4b98-46f0-8925-c02d90716c82" ,
"indicator--eb00b3cf-fe12-4a16-b44b-21c2c89c72f6" ,
"indicator--47511f00-1ba7-4843-a276-a7174b6448b2" ,
"indicator--0ad373ea-22f7-4fd3-967a-52541d545ea1" ,
"indicator--b310d8a7-6e3d-4080-91b6-91d13b06d33a" ,
"indicator--e7caa4ad-275f-4622-803d-5a5bc059bef5" ,
"indicator--93d05fa9-55f4-4607-b7c6-16e2ec591700" ,
"indicator--7efd1d01-3ad0-450c-95e5-c02a1dd99b88" ,
"indicator--3dd56064-19ea-46f0-b3ce-3ac65d5ae66b" ,
"indicator--046432a6-3ff8-47de-b73c-2239f71798c5" ,
"indicator--66c1a496-fc3d-4160-86e2-11a8b120da5e" ,
"indicator--54e0dd10-1259-40f6-abbe-030482b53812" ,
"indicator--47a5ff44-cb7d-46c6-a522-8db93e1f379a" ,
"indicator--996361d8-5e7e-4e6f-8004-d40c38408096" ,
"indicator--1a6c2f52-af2e-4cbb-a487-0b249f970dc9" ,
"indicator--33bb1b75-b184-406b-b981-12bc9e86352c" ,
"indicator--69b405d5-2c50-46c2-9866-83e6c1dc8799" ,
"indicator--1cefa739-fd00-462e-a8ed-bd4964a10476"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" ,
"misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ,
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" ,
"misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"" ,
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"" ,
"misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"" ,
"misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" ,
"misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"" ,
"misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"misp-galaxy:malpedia=\"Chisel (ELF)\"" ,
"misp-galaxy:malpedia=\"Chisel (Windows)\"" ,
"misp-galaxy:malpedia=\"Lorenz\"" ,
"misp-galaxy:ransomware=\"Lorenz Ransomware\"" ,
"dnc:malware-type=\"Ransomware\"" ,
"enisa:nefarious-activity-abuse=\"ransomware\"" ,
"ecsirt:malicious-code=\"ransomware\"" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"veris:action:malware:variety=\"Ransomware\"" ,
"Ransomware" ,
"ms-caro-malware:malware-type=\"Ransom\"" ,
"ms-caro-malware-full:malware-type=\"Ransom\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--efce45a5-d17b-4da7-8e4a-02cc68b78064" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T08:35:00.000Z" ,
"modified" : "2022-09-15T08:35:00.000Z" ,
"name" : "CVE-2022-29499" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"External analysis\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2022-29499"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--00352f55-b2a8-4eb0-b764-9ce328ce4e81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:29:38.000Z" ,
"modified" : "2022-09-15T11:29:38.000Z" ,
"description" : "Data exfiltration via FileZilla" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.197.218.11']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:29:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:country=\"united states\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6fba8d44-4605-4a77-aec4-ead4519463bf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:30:19.000Z" ,
"modified" : "2022-09-15T11:30:19.000Z" ,
"description" : "Data exfiltration via FileZilla" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.68.19.94']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:30:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:country=\"united states\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T08:35:00.000Z" ,
"modified" : "2022-09-15T08:35:00.000Z" ,
"description" : "Used to download Chisel" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.68.59.16']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T08:35:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:30:43.000Z" ,
"modified" : "2022-09-15T11:30:43.000Z" ,
"description" : "Data exfiltration via FileZilla" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.65.248.159']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:30:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:country=\"united states\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--892a5cd0-0395-4491-b996-8d45fb4ac7cf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:33:49.000Z" ,
"modified" : "2022-09-15T11:33:49.000Z" ,
"description" : "Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.188.197.125']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:country=\"netherlands\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6549b64d-0f09-4813-b9eb-31ccdb09f9de" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:30:19.000Z" ,
"modified" : "2022-09-15T11:30:19.000Z" ,
"description" : "Data exfiltration via FileZilla" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.190.113.100']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:30:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:country=\"united states\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--62263df7-4b98-46f0-8925-c02d90716c82" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T07:43:15.000Z" ,
"modified" : "2022-09-15T07:43:15.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/" ,
"category" : "External analysis" ,
"uuid" : "086cf17a-272e-405e-b4bb-24abe206d118"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access" ,
"category" : "Other" ,
"uuid" : "8184f511-f31a-4fa5-9a74-d3df2998a0d5"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Blog" ,
"category" : "Other" ,
"uuid" : "260b4c23-6508-4b5d-bf02-b06183013575"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--eb00b3cf-fe12-4a16-b44b-21c2c89c72f6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T08:43:34.000Z" ,
"modified" : "2022-09-15T08:43:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = '97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d' AND file:name = 'mem']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T08:43:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--47511f00-1ba7-4843-a276-a7174b6448b2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T08:45:02.000Z" ,
"modified" : "2022-09-15T08:45:02.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.184.181.252') AND network-traffic:dst_port = '8443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T08:45:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0ad373ea-22f7-4fd3-967a-52541d545ea1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T09:31:15.000Z" ,
"modified" : "2022-09-15T09:31:15.000Z" ,
"pattern" : "[file:hashes.SHA256 = '07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94' AND file:name = 'pdf_import_export.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T09:31:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b310d8a7-6e3d-4080-91b6-91d13b06d33a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:42:17.000Z" ,
"modified" : "2022-09-15T11:42:17.000Z" ,
"pattern" : "[autonomous-system:number = '14061' AND autonomous-system:name = 'DIGITALOCEAN-ASN' AND autonomous-system:x_misp_country = 'US' AND autonomous-system:x_misp_subnet_announced = '138.197.218.11' AND autonomous-system:x_misp_subnet_announced = '138.68.19.94' AND autonomous-system:x_misp_subnet_announced = '159.65.248.159']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:42:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"asn\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e7caa4ad-275f-4622-803d-5a5bc059bef5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:43:19.000Z" ,
"modified" : "2022-09-15T11:43:19.000Z" ,
"pattern" : "[autonomous-system:number = '399629' AND autonomous-system:name = 'BL Networks' AND autonomous-system:x_misp_country = 'NL' AND autonomous-system:x_misp_subnet_announced = '206.188.197.125']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:43:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"asn\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--93d05fa9-55f4-4607-b7c6-16e2ec591700" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:43:50.000Z" ,
"modified" : "2022-09-15T11:43:50.000Z" ,
"pattern" : "[autonomous-system:number = '399629' AND autonomous-system:name = 'BL Networks' AND autonomous-system:x_misp_country = 'US' AND autonomous-system:x_misp_subnet_announced = '64.190.113.100']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-15T11:43:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"asn\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7efd1d01-3ad0-450c-95e5-c02a1dd99b88" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T11:46:52.000Z" ,
"modified" : "2022-09-15T11:46:52.000Z" ,
"pattern" : "alert http any any -> any any (msg:\\\\\"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File\\\\\"; flow:established,to_server; content:\\\\\"POST\\\\\"; http_method; content:\\\\\".php\\\\\"; http_uri;content:\\\\\"/vhelp/pdf/\\\\\"; http_uri; content:\\\\\"curl\\\\\"; http_user_agent;pcre:\\\\\"/(?:[A-Za-z\\\\d+\\\\/]{4})*(?:[A-Za-z\\\\d+\\\\/]{3}=|[A-Za-z\\\\d+\\\\/]{2}==)?$/\\\\\"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)" ,
"pattern_type" : "snort" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T11:46:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"suricata\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3dd56064-19ea-46f0-b3ce-3ac65d5ae66b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:12:14.000Z" ,
"modified" : "2022-09-15T12:12:14.000Z" ,
"pattern" : "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\\\\\"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\\\\\"; flow:established,to_server; content:\\\\\"GET\\\\\"; http_method; content:\\\\\"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/\\\\\"; http_uri; http_header_names; content:!\\\\\"Referer\\\\\"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)" ,
"pattern_type" : "snort" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:12:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"suricata\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://threatintel.proofpoint.com/sid/2037121#references1"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--046432a6-3ff8-47de-b73c-2239f71798c5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:12:54.000Z" ,
"modified" : "2022-09-15T12:12:54.000Z" ,
"pattern" : "#alert tcp any any -> any !$SSH_PORTS (msg:\\\\\"ET POLICY SSH Client Banner Detected on Unusual Port\\\\\"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:\\\\\"SSH-\\\\\"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" ,
"pattern_type" : "snort" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:12:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"suricata\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://threatintel.proofpoint.com/sid/2001980"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--66c1a496-fc3d-4160-86e2-11a8b120da5e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:26:42.000Z" ,
"modified" : "2022-09-15T12:26:42.000Z" ,
"name" : "webshell_php_3b64command: Webshells PHP B64" ,
"pattern" : "rule webshell_php_3b64command: Webshells PHP B64 {\r\n meta:\r\n Description= \\\\\"Detects Possible PHP Webshell expecting triple base64 command\\\\\"\r\n Category = \\\\\"Malware\\\\\"\r\n Author = \\\\\"Arctic Wolf Labs\\\\\"\r\n Date = \\\\\"2022-09-12\\\\\"\r\n Hash = \\\\\"07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\\\\\"\r\n Reference = \\\\\"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\\\\\"\r\n strings:\r\n $decode = \\\\\"base64_decode(base64_decode(base64_decode(\\\\\" ascii\r\n $encode = \\\\\"base64_encode(base64_encode(base64_encode(\\\\\" ascii\r\n $s1 = \\\\\"popen(\\\\\" ascii\r\n $s2 = \\\\\"pclose\\\\\" ascii\r\n $s3 = \\\\\"fread(\\\\\" ascii\r\n $s4 = \\\\\"$_POST\\\\\" ascii\r\n condition:\r\n $decode and $encode\r\n and 3 of ($s*)\r\n and filesize < 2KB\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:26:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--54e0dd10-1259-40f6-abbe-030482b53812" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:27:07.000Z" ,
"modified" : "2022-09-15T12:27:07.000Z" ,
"name" : "hktl_chisel_artifacts: Chisel Hacktool Artifacts" ,
"pattern" : "rule hktl_chisel_artifacts: Chisel Hacktool Artifacts {\r\n meta:\r\n Description = \\\\\"looks for hacktool chisel artifacts potentially left in memory or unallocated space\\\\\"\r\n Category = \\\\\"Tool\\\\\"\r\n Author = \\\\\"Arctic Wolf Labs\\\\\"\r\n Date = \\\\\"2022-09-12\\\\\"\r\n Reference = \\\\\"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\\\\\"\r\n strings:\r\n $chisel = \\\\\"chisel_1.\\\\\" ascii\r\n $s1 = \\\\\"client\\\\\" ascii\r\n $s2 = \\\\\"--tls-skip-verify\\\\\" ascii\r\n $s3 = \\\\\"--fingerprint\\\\\" ascii\r\n $s4 = \\\\\"R:socks\\\\\" ascii\r\n condition:\r\n $chisel or 3 of ($s*)\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:27:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--47a5ff44-cb7d-46c6-a522-8db93e1f379a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:28:12.000Z" ,
"modified" : "2022-09-15T12:28:12.000Z" ,
"name" : "Process Dump via Comsvcs DLL" ,
"pattern" : "title: Process Dump via Comsvcs DLL\r\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\r\nstatus: test\r\ndescription: Detects process memory dump via comsvcs.dll and rundll32\r\nauthor: Modexp (idea)\r\nreferences:\r\n - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\r\n - https://twitter.com/SBousseaden/status/1167417096374050817\r\ndate: 2019/09/02\r\nmodified: 2021/11/27\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n rundll_image:\r\n Image|endswith: \\'\\\\rundll32.exe\\'\r\n rundll_ofn:\r\n OriginalFileName: \\'RUNDLL32.EXE\\'\r\n selection:\r\n CommandLine|contains|all:\r\n - \\'comsvcs\\'\r\n - \\'MiniDump\\' #Matches MiniDump and MinidumpW\r\n - \\'full\\'\r\n condition: (rundll_image or rundll_ofn) and selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - unknown\r\nlevel: medium\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1218.011\r\n - attack.credential_access\r\n - attack.t1003.001\r\n - attack.t1003 # an old one" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:28:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--996361d8-5e7e-4e6f-8004-d40c38408096" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:29:57.000Z" ,
"modified" : "2022-09-15T12:29:57.000Z" ,
"name" : "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" ,
"pattern" : "title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nid: 74403157-20f5-415d-89a7-c505779585cf\r\nstatus: test\r\ndescription: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines\r\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\r\ndate: 2020/10/11\r\nmodified: 2022/07/14\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - \\'\\\\powershell.exe\\'\r\n - \\'\\\\pwsh.exe\\'\r\n CommandLine|contains: \\'ConvertTo-SecureString\\'\r\n condition: selection\r\nfalsepositives:\r\n - Unlikely\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1027\r\n - attack.execution\r\n - attack.t1059.001" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:29:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1a6c2f52-af2e-4cbb-a487-0b249f970dc9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:33:14.000Z" ,
"modified" : "2022-09-15T12:33:14.000Z" ,
"name" : "CrackMapExec Process Patterns" ,
"pattern" : "title: CrackMapExec Process Patterns\r\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\r\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\r\nstatus: experimental\r\nauthor: Florian Roth\r\nreferences:\r\n - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\r\ndate: 2022/03/12\r\nmodified: 2022/05/27\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection_lsass_dump1:\r\n CommandLine|contains|all:\r\n - \\'cmd.exe /c \\'\r\n - \\'tasklist /fi \\'\r\n - \\'Imagename eq lsass.exe\\'\r\n User|contains: # covers many language settings\r\n - \\'AUTHORI\\'\r\n - \\'AUTORI\\'\r\n selection_lsass_dump2:\r\n CommandLine|contains|all:\r\n - \\'do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump\\'\r\n - \\'\\\\Windows\\\\Temp\\\\\\'\r\n - \\' full\\'\r\n - \\'\\\\%\\\\%B\\'\r\n selection_procdump:\r\n CommandLine|contains|all:\r\n - \\'tasklist /v /fo csv\\'\r\n - \\'findstr /i \\\\\"lsass\\\\\"\\'\r\n condition: 1 of selection*\r\nfalsepositives:\r\n - Unknown\r\nlevel: high" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:33:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--33bb1b75-b184-406b-b981-12bc9e86352c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:55:36.000Z" ,
"modified" : "2022-09-15T12:55:36.000Z" ,
"name" : "PowerShell as a Service in Registry" ,
"pattern" : "title: PowerShell as a Service in Registry\r\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\r\ndescription: Detects that a powershell code is written to the registry as a service.\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2021/05/21\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.execution\r\n - attack.t1569.002\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|contains: \\'\\\\Services\\\\\\'\r\n TargetObject|endswith: \\'\\\\ImagePath\\'\r\n Details|contains:\r\n - \\'powershell\\'\r\n - \\'pwsh\\'\r\n condition: selection\r\nfalsepositives: \r\n - Unknown\r\nlevel: high" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:55:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--69b405d5-2c50-46c2-9866-83e6c1dc8799" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:56:34.000Z" ,
"modified" : "2022-09-15T12:56:34.000Z" ,
"name" : "Remote Task Creation via ATSVC Named Pipe" ,
"pattern" : "title: Remote Task Creation via ATSVC Named Pipe\r\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\r\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\r\nauthor: Samir Bousseaden\r\ndate: 2019/04/03\r\nreferences:\r\n - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\r\ntags:\r\n - attack.lateral_movement\r\n - attack.persistence\r\n - attack.t1053\r\n - car.2013-05-004\r\n - car.2015-04-001\r\nlogsource:\r\n product: windows\r\n service: security\r\n description: \\'The advanced audit policy setting \\\\\"Object Access > Audit Detailed File Share\\\\\" must be configured for Success/Failure\\'\r\ndetection:\r\n selection:\r\n EventID: 5145\r\n ShareName: \\\\\\\\*\\\\IPC$\r\n RelativeTargetName: atsvc\r\n Accesses: \\'*WriteData*\\'\r\n condition: selection\r\nfalsepositives:\r\n - pentesting\r\nlevel: medium" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:56:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1cefa739-fd00-462e-a8ed-bd4964a10476" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T12:59:01.000Z" ,
"modified" : "2022-09-15T12:59:01.000Z" ,
"name" : "Accessing WinAPI in PowerShell for Credentials Dumping" ,
"pattern" : "title: Accessing WinAPI in PowerShell for Credentials Dumping\r\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\r\ndescription: Detects Accessing to lsass.exe by Powershell\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2022/07/14\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID:\r\n - 8\r\n - 10\r\n SourceImage|endswith:\r\n - \\'\\\\powershell.exe\\'\r\n - \\'\\\\pwsh.exe\\'\r\n TargetImage|endswith: \\'\\\\lsass.exe\\'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high" ,
"pattern_type" : "sigma" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-15T12:59:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"sigma\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"external_references" : [
{
"source_name" : "url" ,
"url" : "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml"
}
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}