{
"type": "bundle",
"id": "bundle--5deea6f2-568c-4fe3-a457-0d230a0a019b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2020-05-01T13:14:19.000Z",
"modified": "2020-05-01T13:14:19.000Z",
"name": "Hestat",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5deea6f2-568c-4fe3-a457-0d230a0a019b",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2020-05-01T13:14:19.000Z",
"modified": "2020-05-01T13:14:19.000Z",
"name": "Tracking Powershell Empire C2 via Urlscan",
"published": "2020-05-11T07:18:19Z",
"object_refs": [
"indicator--5df81eb7-28ec-432c-89fb-e25974656a8a",
"indicator--5df81eb7-01ac-44d8-bad9-e25974656a8a",
"indicator--5df81eb7-34e8-48d9-9a36-e25974656a8a",
"indicator--5df81eb7-12e8-4045-9f5d-e25974656a8a",
"indicator--5df81eb7-ddc4-4a4b-919e-e25974656a8a",
"indicator--5df81eb7-c760-439a-ad7c-e25974656a8a",
"indicator--5df81eb7-ad54-4525-97ec-e25974656a8a",
"indicator--5df81eb7-963c-4d8e-8ba5-e25974656a8a",
"indicator--5df81eb7-2a60-40e8-b7bc-e25974656a8a",
"indicator--5df81eb7-c554-4293-a9ca-e25974656a8a",
"indicator--5df81eb7-fa94-4df0-ac46-e25974656a8a",
"indicator--5df81eb7-6620-47d5-9114-e25974656a8a",
"indicator--5df81eb7-21a4-4b94-aa08-e25974656a8a",
"indicator--5df81eb7-52fc-4a89-b42d-e25974656a8a",
"indicator--5df81eb7-68bc-41b0-8b00-e25974656a8a",
"indicator--5df81eb7-2ae4-4385-86eb-e25974656a8a",
"indicator--5df81eb7-2dc0-40c8-9e77-e25974656a8a",
"indicator--5df81eb7-a170-4bfa-b839-e25974656a8a",
"indicator--5df81eb7-7440-447a-8c99-e25974656a8a",
"indicator--5df81eb7-069c-4a87-8da4-e25974656a8a",
"indicator--5df81eb7-c4b8-4e11-bc0b-e25974656a8a",
"indicator--5df81eb7-7c94-4580-810f-e25974656a8a",
"indicator--5df81eb7-0e28-4f99-b6a6-e25974656a8a",
"indicator--5df81eb7-a854-49d7-a119-e25974656a8a",
"indicator--5df81eb7-9870-4ff9-90bf-e25974656a8a",
"indicator--5df81eb7-63d4-47cd-bdf8-e25974656a8a",
"indicator--5df81eb7-d6d4-4532-bbe1-e25974656a8a",
"indicator--5df81eb7-3240-4cce-838e-e25974656a8a",
"indicator--5df81eb7-9a2c-4ca6-b204-e25974656a8a",
"indicator--5df81eb7-f744-4b24-815e-e25974656a8a",
"indicator--5df81eb7-cbe4-44bb-81d1-e25974656a8a",
"indicator--5df81eb7-4e60-4cdf-8b40-e25974656a8a",
"indicator--5df81eb7-479c-4874-963d-e25974656a8a",
"indicator--5df81eb7-0cc0-436c-8379-e25974656a8a",
"indicator--5df81eb7-5110-4e84-a9a7-e25974656a8a",
"indicator--5df81eb7-0c0c-470d-9ce6-e25974656a8a",
"indicator--5df81eb7-d964-498c-a1d3-e25974656a8a",
"indicator--5df81eb7-877c-42a1-a72b-e25974656a8a",
"indicator--5df81eb7-78e8-41b3-b153-e25974656a8a",
"indicator--5df81eb7-85ec-4921-803e-e25974656a8a",
"indicator--5df81eb7-b238-4e68-bc0c-e25974656a8a",
"indicator--5df81eb7-1f9c-4b16-ba3e-e25974656a8a",
"indicator--5df81eb7-5dfc-4930-a726-e25974656a8a",
"indicator--5df81eb7-bad4-4c62-ba90-e25974656a8a",
"indicator--5df81eb7-7954-42f7-bd57-e25974656a8a",
"indicator--5df81eb8-3bfc-4e9c-a1b6-e25974656a8a",
"indicator--5df81eb8-fb8c-495e-844a-e25974656a8a",
"indicator--5df81eb8-782c-492a-a4ef-e25974656a8a",
"indicator--5df81eb8-cfb0-4eae-af95-e25974656a8a",
"indicator--5df81eb8-cf8c-4305-b802-e25974656a8a",
"indicator--5df81eb8-4fa8-45bf-bcf8-e25974656a8a",
"indicator--5df81eb8-1c84-4079-b4a3-e25974656a8a",
"indicator--5df81eb8-79e4-41af-985d-e25974656a8a",
"indicator--5df81eb8-95e4-49a9-9253-e25974656a8a",
"indicator--5df81eb8-c548-4186-abb7-e25974656a8a",
"indicator--5df81eb8-4160-4a11-9c0d-e25974656a8a",
"indicator--5df81eb8-0f80-4f67-a82d-e25974656a8a",
"indicator--5df81eb8-c630-4f92-9eb6-e25974656a8a",
"indicator--5df81eb8-3a9c-4bd1-a80f-e25974656a8a",
"indicator--5df81eb8-76e4-434d-8baa-e25974656a8a",
"indicator--5df81eb8-8e34-486f-b581-e25974656a8a",
"indicator--5df81eb8-5c14-4952-93e4-e25974656a8a",
"indicator--5df81eb8-ddec-4516-a8e7-e25974656a8a",
"indicator--5df81eb8-57d0-4be6-a206-e25974656a8a",
"indicator--5df81eb8-964c-49c1-a9d2-e25974656a8a",
"indicator--5df81eb8-f144-4510-bbb7-e25974656a8a",
"indicator--5df81eb8-34b8-436d-8a0a-e25974656a8a",
"indicator--5df81eb8-b58c-46ed-b06c-e25974656a8a",
"indicator--5df81eb8-c824-462f-b356-e25974656a8a",
"indicator--5df81eb8-87ec-499f-af6d-e25974656a8a",
"indicator--5df81eb8-a450-4a31-af69-e25974656a8a",
"indicator--5df81eb8-a454-4c89-90d4-e25974656a8a",
"indicator--5df81eb8-d28c-48c4-adba-e25974656a8a",
"indicator--5df81eb8-5378-44f6-ab08-e25974656a8a",
"indicator--5df81eb8-23b0-4477-904f-e25974656a8a",
"indicator--5df81eb8-7168-4dad-ad2c-e25974656a8a",
"indicator--5df81eb8-7788-4c53-a223-e25974656a8a",
"indicator--5df81eb8-7060-465c-86b1-e25974656a8a",
"indicator--5df81eb8-d184-468d-b623-e25974656a8a",
"indicator--5df81eb8-be1c-449c-a9b2-e25974656a8a",
"indicator--5df81eb8-9ef4-42c5-92b0-e25974656a8a",
"indicator--5df81eb8-5aec-46ee-ad66-e25974656a8a",
"indicator--5df81eb8-0368-40f7-860b-e25974656a8a",
"indicator--5df81eb8-b208-4d61-a7ec-e25974656a8a",
"indicator--5df81eb8-8ec0-483c-b908-e25974656a8a",
"indicator--5df81eb8-dd00-4d74-8a69-e25974656a8a",
"indicator--5df81eb8-de0c-47bb-99a3-e25974656a8a",
"indicator--5df81eb8-6944-4ef7-ad17-e25974656a8a",
"indicator--5df81eb8-7540-4f27-ab4f-e25974656a8a",
"indicator--5df81eb8-f824-4292-86bc-e25974656a8a",
"indicator--5df81eb8-a95c-4f5c-955c-e25974656a8a",
"indicator--5df81eb8-1ee4-4951-95a6-e25974656a8a",
"indicator--5df81eb8-7060-4d25-bbd9-e25974656a8a",
"indicator--5df81eb8-9ca4-4824-b05d-e25974656a8a",
"indicator--5df81eb8-4abc-4db9-8948-e25974656a8a",
"indicator--5df81eb8-caa0-44ed-ad86-e25974656a8a",
"indicator--5df81eb8-dd54-4118-af3b-e25974656a8a",
"indicator--5df81eb8-9fb4-4c26-8770-e25974656a8a",
"indicator--5df81eb8-e788-494d-98f3-e25974656a8a",
"indicator--5df81eb8-bb7c-4c05-89f2-e25974656a8a",
"indicator--5df81eb8-2360-4e79-9484-e25974656a8a",
"indicator--5df81eb8-030c-4185-b522-e25974656a8a",
"indicator--5df81eb8-3de0-4705-a2c2-e25974656a8a",
"indicator--5df81eb8-ce80-4423-a918-e25974656a8a",
"indicator--5df81eb8-0020-4e85-8f87-e25974656a8a",
"indicator--5df81eb8-99e8-4901-b250-e25974656a8a",
"indicator--5df81eb8-1ab4-4422-98ba-e25974656a8a",
"indicator--5df81eb8-53bc-442b-9ac3-e25974656a8a",
"indicator--5df81eb8-64bc-45c9-9a68-e25974656a8a",
"indicator--5df81eb8-7e70-4b2b-9a5c-e25974656a8a",
"indicator--5df81eb8-3f88-4de0-bf7e-e25974656a8a",
"indicator--5df81eb8-8b2c-497a-8cc9-e25974656a8a",
"indicator--5df81eb8-9070-44b3-9a41-e25974656a8a",
"indicator--5df81eb8-b27c-434a-a036-e25974656a8a",
"indicator--5df81eb8-4278-4738-b119-e25974656a8a",
"indicator--5df81eb8-f564-4a4b-b9ae-e25974656a8a",
"indicator--5df81eb8-50ec-458b-8741-e25974656a8a",
"indicator--5df81eb8-5de8-479e-bc8b-e25974656a8a",
"indicator--5df81eb8-a4c4-4335-8e5c-e25974656a8a",
"indicator--5df81eb8-ae28-4207-9043-e25974656a8a",
"indicator--5df81eb8-8964-49e5-8c8b-e25974656a8a",
"indicator--5df81eb8-39f8-4181-a5b6-e25974656a8a",
"indicator--5df81eb8-5b68-4822-9bf8-e25974656a8a",
"indicator--5df81eb8-f848-4842-8814-e25974656a8a",
"indicator--5df81eb8-5424-49ca-8b38-e25974656a8a",
"indicator--5df81eb8-49b8-4653-b855-e25974656a8a",
"indicator--5df81eb8-0a2c-42a4-96d8-e25974656a8a",
"indicator--5df81eb8-f18c-45ad-af6d-e25974656a8a",
"indicator--5df81eb8-896c-4675-b339-e25974656a8a",
"indicator--5df81eb8-096c-4847-8b3a-e25974656a8a",
"indicator--5df81eb8-aaa0-417f-86f1-e25974656a8a",
"indicator--5df81eb8-cf28-4963-ae56-e25974656a8a",
"indicator--5df81eb8-ad50-416a-8e69-e25974656a8a",
"indicator--5df81eb8-81a0-454e-98d4-e25974656a8a",
"indicator--5df81eb8-9650-4783-88f8-e25974656a8a",
"indicator--5df81eb8-55d8-467f-a767-e25974656a8a",
"indicator--5df81eb8-7fe8-4a20-b9d4-e25974656a8a",
"indicator--5df81eb8-bec8-4266-9038-e25974656a8a",
"indicator--5df81eb8-2670-463a-9ece-e25974656a8a",
"indicator--5df81eb8-e68c-4553-916b-e25974656a8a",
"indicator--5df81eb8-9378-4b37-aff9-e25974656a8a",
"indicator--5df81eb9-6540-417f-a732-e25974656a8a",
"indicator--5df81eb9-8b50-4a32-a064-e25974656a8a",
"indicator--5df81eb9-a5bc-40d1-bc07-e25974656a8a",
"indicator--5df81eb9-808c-4913-a68d-e25974656a8a",
"indicator--5df81eb9-3674-47d1-8eeb-e25974656a8a",
"indicator--5df81eb9-ced4-4574-9f4b-e25974656a8a",
"indicator--5df81eb9-4408-49ea-af02-e25974656a8a",
"indicator--5df81eb9-b640-4bdf-b242-e25974656a8a",
"indicator--5df81eb9-3b90-407e-a6a3-e25974656a8a",
"indicator--5df81eb9-a7f8-4ef6-b0fb-e25974656a8a",
"indicator--5df81eb9-8a20-4bb1-b9b3-e25974656a8a",
"indicator--5df81eb9-e648-455f-856f-e25974656a8a",
"indicator--5df81eb9-1e38-4b2f-b993-e25974656a8a",
"indicator--5df81eb9-8d24-4faa-ade0-e25974656a8a",
"indicator--5df81eb9-a620-412b-9754-e25974656a8a",
"indicator--5df81eb9-3a70-4cb7-bb18-e25974656a8a",
"indicator--5df81eb9-d090-4b91-b395-e25974656a8a",
"indicator--5df81eb9-7034-4d81-b4f1-e25974656a8a",
"indicator--5df81eb9-8cfc-4f04-ba72-e25974656a8a",
"indicator--5df81eb9-246c-4e51-99d9-e25974656a8a",
"indicator--5df81eb9-22e0-4f1e-8d1e-e25974656a8a",
"indicator--5df81eb9-8a08-4e30-abe3-e25974656a8a",
"indicator--5df81eb9-bf1c-445a-82e5-e25974656a8a",
"indicator--5df81eb9-9a58-4060-b490-e25974656a8a",
"indicator--5df81eb9-5ac4-4df4-ac44-e25974656a8a",
"indicator--5df81eb9-db70-4a10-987f-e25974656a8a",
"indicator--5df81eb9-32f4-41b6-a331-e25974656a8a",
"indicator--5df81eb9-ea64-4cc9-9eed-e25974656a8a",
"indicator--5df81eb9-66bc-45bf-a42e-e25974656a8a",
"indicator--5df81eb9-26a0-42aa-8730-e25974656a8a",
"indicator--5df81eb9-43a0-4e41-8790-e25974656a8a",
"indicator--5df81eb9-2970-45b1-85a6-e25974656a8a",
"indicator--5df81eb9-432c-4322-b3f9-e25974656a8a",
"indicator--5df81eb9-118c-4bd6-a81c-e25974656a8a",
"indicator--5df81eb9-03dc-4c24-9c81-e25974656a8a",
"indicator--5df81eb9-bd48-4ffe-bd19-e25974656a8a",
"indicator--5df81eb9-1be8-402d-87ed-e25974656a8a",
"indicator--5df81eb9-ada0-427c-81f2-e25974656a8a",
"indicator--5df81eb9-17a4-4d42-9ed9-e25974656a8a",
"indicator--5df81eb9-0398-4cc3-b1bd-e25974656a8a",
"indicator--5df81eb9-3514-49bc-aeb9-e25974656a8a",
"indicator--5df81eb9-d30c-4a9b-a90c-e25974656a8a",
"indicator--5df81eb9-b5d8-4d73-959e-e25974656a8a",
"indicator--5df81eb9-7d94-4944-973a-e25974656a8a",
"indicator--5df81eb9-b314-4d1a-ac14-e25974656a8a",
"indicator--5df81eb9-0e4c-490a-8a91-e25974656a8a",
"indicator--5df81eb9-d0b4-4afe-a585-e25974656a8a",
"indicator--5df81eb9-4178-4093-8ea0-e25974656a8a",
"indicator--5df81eb9-9d00-4b83-919b-e25974656a8a",
"indicator--5df81eb9-62c0-4285-9903-e25974656a8a",
"indicator--5df81eb9-7310-4255-8750-e25974656a8a",
"indicator--5df81eb9-ff2c-480a-92e0-e25974656a8a",
"indicator--5df81eb9-5dd4-44ea-a8f1-e25974656a8a",
"indicator--5df81eb9-4938-407e-b19c-e25974656a8a",
"indicator--5df81eb9-61d0-49c9-93ea-e25974656a8a",
"indicator--5df81eb9-315c-40f8-afd6-e25974656a8a",
"indicator--5df81eb9-166c-4d73-bfc9-e25974656a8a",
"indicator--5df81eb9-f300-49a8-8039-e25974656a8a",
"indicator--5df81eb9-b054-4219-bbb2-e25974656a8a",
"indicator--5df81eb9-6bd8-4cae-b421-e25974656a8a",
"indicator--5df81eb9-6ef4-4a52-881e-e25974656a8a",
"indicator--5df81eb9-efbc-4493-85af-e25974656a8a",
"indicator--5df81eb9-8a4c-412b-b6a5-e25974656a8a",
"indicator--5df81eb9-7554-4c5d-9290-e25974656a8a",
"indicator--5df81eb9-bee4-4803-a7fe-e25974656a8a",
"indicator--5df81eb9-c258-4c51-ab59-e25974656a8a",
"indicator--5df81eb9-abac-4350-9195-e25974656a8a",
"observed-data--5df81f9c-e444-4b18-b8d4-986e0a0a019b",
"file--5df81f9c-e444-4b18-b8d4-986e0a0a019b",
"observed-data--5df81f9c-db88-4915-bd59-986e0a0a019b",
"file--5df81f9c-db88-4915-bd59-986e0a0a019b",
"observed-data--5df81fca-fb1c-449f-ad16-986e0a0a019b",
"url--5df81fca-fb1c-449f-ad16-986e0a0a019b",
"observed-data--5df82023-b000-4d18-bd6a-deda0a0a019b",
"url--5df82023-b000-4d18-bd6a-deda0a0a019b",
"observed-data--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"file--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"artifact--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"observed-data--5df8d8cf-a4a0-4391-9f86-4a11950d210f",
"url--5df8d8cf-a4a0-4391-9f86-4a11950d210f",
"indicator--5e2f32e8-68cc-423d-b58e-4a90950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-tool=\"Empire - S0363\"",
"Threat Source:OSINT",
"Source:Urlscan.io",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-28ec-432c-89fb-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.99.22.145']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-01ac-44d8-bad9-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://194.99.22.145']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-34e8-48d9-9a36-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://194.99.22.145/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-12e8-4045-9f5d-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.150.206.83']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-ddc4-4a4b-919e-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'http://81.150.206.83:443/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-c760-439a-ad7c-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.172.197.56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-ad54-4525-97ec-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'http://167.172.197.56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-963c-4d8e-8ba5-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.150.137.138']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-2a60-40e8-b7bc-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://msofficeadvices.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-c554-4293-a9ca-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.166.19.143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-fa94-4df0-ac46-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://188.166.19.143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-6620-47d5-9114-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.67.231.104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-21a4-4b94-aa08-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'http://45.67.231.104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-52fc-4a89-b42d-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '34.65.152.49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-68bc-41b0-8b00-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://updates.esiotrot.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-2ae4-4385-86eb-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.209.145']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-2dc0-40c8-9e77-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://healthcare-registration.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-a170-4bfa-b839-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://139.180.209.145/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-7440-447a-8c99-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '18.222.125.41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-069c-4a87-8da4-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:44.000Z",
"modified": "2019-12-17T00:19:44.000Z",
"pattern": "[url:value = 'https://test.safedatasystems.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb7-c4b8-4e11-bc0b-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:17:59.000Z",
"modified": "2019-12-17T00:17:59.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '13.58.172.43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-7c94-4580-810f-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://drivesecure.safedatasystems.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-0e28-4f99-b6a6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.36.190.54']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-a854-49d7-a119-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://194.36.190.54:443']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-9870-4ff9-90bf-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.33.104.234']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-63d4-47cd-bdf8-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://iot-config-engine.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-d6d4-4532-bbe1-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.46.227.15']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-3240-4cce-838e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://red.csirt.fun/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-9a2c-4ca6-b204-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.227.68.86']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-f744-4b24-815e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://socialpolicies.org/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-cbe4-44bb-81d1-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '123.116.96.233']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-4e60-4cdf-8b40-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://noteyi.com:8886/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-479c-4874-963d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.71.191.55']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-0cc0-436c-8379-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://lifeinsurancecoveragequotes.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-5110-4e84-a9a7-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://socialpolicies.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-0c0c-470d-9ce6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.210.27.123']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-d964-498c-a1d3-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://62.210.27.123']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-877c-42a1-a72b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.150.52']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-78e8-41b3-b153-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://nbk-trainings.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-85ec-4921-803e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '77.81.110.76']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-b238-4e68-bc0c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://venusidea.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-1f9c-4b16-ba3e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '52.37.173.22']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-5dfc-4930-a726-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://airwatch.aeratechnolgy.com/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-bad4-4c62-ba90-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:17:59.000Z",
|
|
|
|
"modified": "2019-12-17T00:17:59.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.216.35.182']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:17:59Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb7-7954-42f7-bd57-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'https://functiondiscovery.net']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-3bfc-4e9c-a1b6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.148.85.242']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-fb8c-495e-844a-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://207.148.85.242']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-782c-492a-a4ef-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '142.93.137.2']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-cfb0-4eae-af95-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://142.93.137.2']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-cf8c-4305-b802-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.235.34.235']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-4fa8-45bf-bcf8-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://google-settingsapi.fbapp.link']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-1c84-4079-b4a3-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.167.109.246']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-79e4-41af-985d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://104.167.109.246']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-95e4-49a9-9253-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '83.212.74.22']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-c548-4186-abb7-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://83.212.74.22']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-4160-4a11-9c0d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '52.15.49.41']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-0f80-4f67-a82d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://ur.owned.fyi']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-c630-4f92-9eb6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '34.195.166.4']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-3a9c-4bd1-a80f-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://emp.fourhorsemen.tech:8080']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-76e4-434d-8baa-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.16.242.231']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-8e34-486f-b581-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://endpointreserve.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5c14-4952-93e4-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '157.230.26.0']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-ddec-4516-a8e7-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://157.230.26.0']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-57d0-4be6-a206-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.201.23.134']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-964c-49c1-a9d2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://check.wittmann-it-security.org/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-f144-4510-bbb7-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '2606:4700:30::6812:3594']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-34b8-436d-8a0a-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://msdn.cloud']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-b58c-46ed-b06c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.99.60.195']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-c824-462f-b356-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://167.99.60.195:80']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-87ec-499f-af6d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '157.230.231.108']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-a450-4a31-af69-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://perksatwork.tk']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-a454-4c89-90d4-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '18.225.11.235']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-d28c-48c4-adba-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://fcbankfs01.departments.it.fisrv.help']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5378-44f6-ab08-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.231.208.45']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-23b0-4477-904f-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://64.231.208.45']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7168-4dad-ad2c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.117.75.116']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7788-4c53-a223-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://185.117.75.116']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7060-465c-86b1-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.245.84.106']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-d184-468d-b623-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://officestorage.org/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-be1c-449c-a9b2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.226.139.30']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-9ef4-42c5-92b0-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'https://5.226.139.30']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5aec-46ee-ad66-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.104.189.160']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-0368-40f7-860b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://172.104.189.160']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-b208-4d61-a7ec-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.149.72']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-8ec0-483c-b908-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://185.244.149.72']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-dd00-4d74-8a69-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.81.45']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-de0c-47bb-99a3-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://45.76.81.45']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-6944-4ef7-ad17-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '51.144.106.161']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7540-4f27-ab4f-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://pladderballe.westeurope.cloudapp.azure.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-f824-4292-86bc-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://localarea-search.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-a95c-4f5c-955c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '142.4.212.73']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-1ee4-4951-95a6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://142.4.212.73']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7060-4d25-bbd9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.128.104.195']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-9ca4-4824-b05d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:44.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:44.000Z",
|
|
|
|
"pattern": "[url:value = 'http://zfsociety.duckdns.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-4abc-4db9-8948-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.215.18.19']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-caa0-44ed-ad86-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://timbaud.fr']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-dd54-4118-af3b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://stade-rennais.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-9fb4-4c26-8770-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.247.14.183']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-e788-494d-98f3-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://safeserverltd.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-bb7c-4c05-89f2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://offrespartenaires.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-2360-4e79-9484-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.30.125.135']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-030c-4185-b522-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://upload.secure-portal.de']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-3de0-4705-a2c2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.250.97.147']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-ce80-4423-a918-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://update.missoulahealthcare.xyz']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-0020-4e85-8f87-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '2606:4700:30::6818:6720']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-99e8-4901-b250-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://ticketsmasters.win']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-1ab4-4422-98ba-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://testb.nsd.li']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-53bc-442b-9ac3-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:43.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:43.000Z",
|
|
|
|
"pattern": "[url:value = 'http://survey.fiduciaqad.de']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-64bc-45c9-9a68-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.105.219.17']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-7e70-4b2b-9a5c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://sssvr.club']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-3f88-4de0-bf7e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://ptir.g-statics.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-8b2c-497a-8cc9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://privedsales.ignorelist.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-9070-44b3-9a41-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.100.147.70']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-b27c-434a-a036-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://ns503220.ip-198-100-147.net']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-4278-4738-b119-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://ns2.pentest.fr']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-f564-4a4b-b9ae-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.185.253.140']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-50ec-458b-8741-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://mediareleasedtoday.net']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5de8-479e-bc8b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://mail.geschenk-mit-herz.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-a4c4-4335-8e5c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.100.18.249']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-ae28-4207-9043-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://magicum.eastus.cloudapp.azure.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-8964-49e5-8c8b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://m.stade-rennais.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-39f8-4181-a5b6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://kasperskylab.ignorelist.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5b68-4822-9bf8-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.254.164.197']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-f848-4842-8814-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://hwsrv-298769.hostwindsdns.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-5424-49ca-8b38-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.244.13.123']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-49b8-4653-b855-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://hk.0-9.club']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-0a2c-42a4-96d8-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.213.173.189']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-f18c-45ad-af6d-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://gipsy.sarlaith.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-896c-4675-b339-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://geschenk-mit-herz.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-096c-4847-8b3a-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.244.72.144']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-aaa0-417f-86f1-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://frezer.mooo.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-cf28-4963-ae56-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://files.missoulahealthcare.xyz']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-ad50-416a-8e69-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://fiduciaqad.de']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-81a0-454e-98d4-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://fax.fiduciaqad.de']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb8-9650-4783-88f8-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:00.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:00.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '13.89.241.234']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-55d8-467f-a767-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:18.000Z",
"modified": "2019-12-17T00:19:18.000Z",
"pattern": "[url:value = 'http://executivejewishdating.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-7fe8-4a20-b9d4-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:00.000Z",
"modified": "2019-12-17T00:18:00.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.182.38.136']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-bec8-4266-9038-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:18.000Z",
"modified": "2019-12-17T00:19:18.000Z",
"pattern": "[url:value = 'http://cylog.club']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-2670-463a-9ece-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:18.000Z",
"modified": "2019-12-17T00:19:18.000Z",
"pattern": "[url:value = 'http://calcon.secure-portal.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-e68c-4553-916b-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:18.000Z",
"modified": "2019-12-17T00:19:18.000Z",
"pattern": "[url:value = 'http://bw-spieibanken.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb8-9378-4b37-aff9-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:00.000Z",
"modified": "2019-12-17T00:18:00.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.213.175.189']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-6540-417f-a732-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://backlash.sarlaith.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-8b50-4a32-a064-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://amazon.secure-portal.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-a5bc-40d1-bc07-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '2606:4700:30::6818:6620']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-808c-4913-a68d-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.140.116.216']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-3674-47d1-8eeb-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://94.140.116.216:443/admin']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-ced4-4574-9f4b-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.82.185.140']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-4408-49ea-af02-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://23.82.185.140:443/news.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-b640-4bdf-b242-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.147.228.91']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-3b90-407e-a6a3-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.147.228.91:443/login/process.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-a7f8-4ef6-b0fb-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.21.239']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-8a20-4bb1-b9b3-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.76.21.239:443/login/process.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-e648-455f-856f-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.76.21.239:443/admin/get.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-1e38-4b2f-b993-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.76.21.239:443/news.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-8d24-4faa-ade0-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.121.14.143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-a620-412b-9754-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://176.121.14.143:9050/admin/get.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-3a70-4cb7-bb18-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.114.52.151']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-d090-4b91-b395-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:16.000Z",
"modified": "2019-12-17T00:19:16.000Z",
"pattern": "[url:value = 'http://212.114.52.151:443/news.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-7034-4d81-b4f1-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.147.228.89']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-8cfc-4f04-ba72-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.147.228.89:443/admin/get.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-246c-4e51-99d9-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.22.45.235']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-22e0-4f1e-8d1e-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://81.22.45.235:80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-8a08-4e30-abe3-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://81.22.45.235:8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-bf1c-445a-82e5-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.147.228.95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-9a58-4060-b490-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.147.228.95:443/login/process.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-5ac4-4df4-ac44-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.27.238']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-db70-4a10-987f-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:16.000Z",
"modified": "2019-12-17T00:19:16.000Z",
"pattern": "[url:value = 'http://45.76.27.238:443/admin/get.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-32f4-41b6-a331-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.42.70.193']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-ea64-4cc9-9eed-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:16.000Z",
"modified": "2019-12-17T00:19:16.000Z",
"pattern": "[url:value = 'http://66.42.70.193:443/login/process.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-66bc-45bf-a42e-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.121.14.159']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-26a0-42aa-8730-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://176.121.14.159:443/admin/get.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Powershell Empire",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-43a0-4e41-8790-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:18:01.000Z",
"modified": "2019-12-17T00:18:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.77.64.186']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:18:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5df81eb9-2970-45b1-85a6-e25974656a8a",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:19:17.000Z",
"modified": "2019-12-17T00:19:17.000Z",
"pattern": "[url:value = 'http://45.77.64.186:443/login/process.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-12-17T00:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-432c-4322-b3f9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.235.129.170']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-118c-4bd6-a81c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://91.235.129.170/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-03dc-4c24-9c81-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.123.212.217']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-bd48-4ffe-bd19-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://195.123.212.217/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-1be8-402d-87ed-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://195.123.212.217/login/process.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-ada0-427c-81f2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.94.110.136']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-17a4-4d42-9ed9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://109.94.110.136:443/admin/get.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-0398-4cc3-b1bd-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.243.103.89']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-3514-49bc-aeb9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'https://192.243.103.89:443/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-d30c-4a9b-a90c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.36.189.9']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-b5d8-4d73-959e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://194.36.189.9/login/process.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-7d94-4944-973a-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.16.41.219']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-b314-4d1a-ac14-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://185.16.41.219:80/admin/get.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-0e4c-490a-8a91-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://185.16.41.219/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-d0b4-4afe-a585-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.189.154.85']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-4178-4093-8ea0-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://216.189.154.85:443/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-9d00-4b83-919b-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.25.51.48']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-62c0-4285-9903-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:18.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:18.000Z",
|
|
|
|
"pattern": "[url:value = 'http://185.25.51.48']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-7310-4255-8750-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://185.25.51.48/4ehkbatOFTTUYZV']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-ff2c-480a-92e0-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.188.231.109']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-5dd4-44ea-a8f1-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://5.188.231.109:443/login/process.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-4938-407e-b19c-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.244.32.42']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-61d0-49c9-93ea-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'https://162.244.32.42/news.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-315c-40f8-afd6-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.247.155.105']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-166c-4d73-bfc9-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://162.247.155.105:443/login/process.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-f300-49a8-8039-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '65.111.247.100']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-b054-4219-bbb2-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://65.111.247.100:4444/file.ps1']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-6bd8-4cae-b421-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '35.158.75.78']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-6ef4-4a52-881e-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://35.158.75.78/index.html']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-efbc-4493-85af-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '77.244.219.111']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-8a4c-412b-b6a5-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://77.244.219.111:8080/admin/get.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-7554-4c5d-9290-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.166.185.117']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-bee4-4803-a7fe-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:17.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:17.000Z",
|
|
|
|
"pattern": "[url:value = 'http://46.166.185.117:8080/admin/get.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-c258-4c51-ab59-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:18:01.000Z",
|
|
|
|
"modified": "2019-12-17T00:18:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '40.126.251.3']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:18:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5df81eb9-abac-4350-9195-e25974656a8a",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:19:16.000Z",
|
|
|
|
"modified": "2019-12-17T00:19:16.000Z",
|
|
|
|
"pattern": "[url:value = 'https://40.126.251.3/login/process.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-12-17T00:19:16Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"Powershell Empire",
|
|
|
|
"kill-chain:Command and Control"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5df81f9c-e444-4b18-b8d4-986e0a0a019b",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:21:48.000Z",
|
|
|
|
"modified": "2019-12-17T00:21:48.000Z",
|
|
|
|
"first_observed": "2019-12-17T00:21:48Z",
|
|
|
|
"last_observed": "2019-12-17T00:21:48Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--5df81f9c-e444-4b18-b8d4-986e0a0a019b"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--5df81f9c-e444-4b18-b8d4-986e0a0a019b",
|
|
|
|
"hashes": {
|
|
|
|
"SHA-256": "b8c892fbb49921529be6f6ce17685c31724f76959111b28f39e39dc299b8acaf"
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5df81f9c-db88-4915-bd59-986e0a0a019b",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:21:48.000Z",
|
|
|
|
"modified": "2019-12-17T00:21:48.000Z",
|
|
|
|
"first_observed": "2019-12-17T00:21:48Z",
|
|
|
|
"last_observed": "2019-12-17T00:21:48Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--5df81f9c-db88-4915-bd59-986e0a0a019b"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--5df81f9c-db88-4915-bd59-986e0a0a019b",
|
|
|
|
"hashes": {
|
|
|
|
"SHA-256": "a58fb107072d9523114a1b1f17fbf5e7a8b96da7783f24d84f83df34abc48576"
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5df81fca-fb1c-449f-ad16-986e0a0a019b",
|
|
|
|
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
|
|
|
|
"created": "2019-12-17T00:22:34.000Z",
|
|
|
|
"modified": "2019-12-17T00:22:34.000Z",
"first_observed": "2019-12-17T00:22:34Z",
"last_observed": "2019-12-17T00:22:34Z",
"number_observed": 1,
"object_refs": [
"url--5df81fca-fb1c-449f-ad16-986e0a0a019b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Support Tool\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5df81fca-fb1c-449f-ad16-986e0a0a019b",
"value": "https://urlscan.io/search/#hash%3Aa58fb107072d9523114a1b1f17fbf5e7a8b96da7783f24d84f83df34abc48576"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5df82023-b000-4d18-bd6a-deda0a0a019b",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:24:03.000Z",
"modified": "2019-12-17T00:24:03.000Z",
"first_observed": "2019-12-17T00:24:03Z",
"last_observed": "2019-12-17T00:24:03Z",
"number_observed": 1,
"object_refs": [
"url--5df82023-b000-4d18-bd6a-deda0a0a019b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Support Tool\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5df82023-b000-4d18-bd6a-deda0a0a019b",
"value": "https://urlscan.io/search/#hash%3Ab8c892fbb49921529be6f6ce17685c31724f76959111b28f39e39dc299b8acaf%20"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T00:24:49.000Z",
"modified": "2019-12-17T00:24:49.000Z",
"first_observed": "2019-12-17T00:24:49Z",
"last_observed": "2019-12-17T00:24:49Z",
"number_observed": 1,
"object_refs": [
"file--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"artifact--5df82051-a630-4a54-bcc5-de9c0a0a019b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"name": "empire.csv",
"content_ref": "artifact--5df82051-a630-4a54-bcc5-de9c0a0a019b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5df82051-a630-4a54-bcc5-de9c0a0a019b",
"payload_bin": "RGF0ZSxVUkwsQ291bnRyeSxEb21haW4sQVNOLFBUUixJUCxTSEEyNTYNCjIwMTktMTItMTJUMTU6MzI6NDEuMDEzWiwgaHR0cHM6Ly8xOTQuOTkuMjIuMTQ1LERFLCAxOTQuOTkuMjIuMTQ1LCBBUzIwMjQ0OCwgbm8tcmV2ZXJzZS15ZXQubG9jYWwsIDE5NC45OS4yMi4xNDUsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0xMi0xMlQxNToyMzo0Ny40OTlaLCBodHRwczovLzE5NC45OS4yMi4xNDUvLERFLCAxOTQuOTkuMjIuMTQ1LCBBUzIwMjQ0OCwgbm8tcmV2ZXJzZS15ZXQubG9jYWwsIDE5NC45OS4yMi4xNDUsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0xMi0wM1QxNDozNToyNC43NThaLCBodHRwOi8vODEuMTUwLjIwNi44Mzo0NDMvLEdCLCA4MS4xNTAuMjA2LjgzLCBBUzI4NTYsIG1haWwxLnlhY2MuY28udWssIDgxLjE1MC4yMDYuODMsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0xMS0yN1QyMDowMjozNy44MjlaLCBodHRwOi8vMTY3LjE3Mi4xOTcuNTYsVVMsIDE2Ny4xNzIuMTk3LjU2LCBBUzE0MDYxLCAsIDE2Ny4xNzIuMTk3LjU2LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMTEtMjFUMTM6NTg6MDMuNTI3WiwgaHR0cHM6Ly9tc29mZmljZWFkdmljZXMuY29tLEdCLCBtc29mZmljZWFkdmljZXMuY29tLCBBUzIwODYwLCAsIDg4LjE1MC4xMzcuMTM4LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMTEtMTFUMTg6NDE6MjUuOTcxWiwgaHR0cHM6Ly8xODguMTY2LjE5LjE0MyxOTCwgMTg4LjE2Ni4xOS4xNDMsIEFTMTQwNjEsICwgMTg4LjE2Ni4xOS4xNDMsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0xMC0yMlQwMDoxODoxOC40MDRaLCBodHRwOi8vNDUuNjcuMjMxLjEwNCxOTCwgNDUuNjcuMjMxLjEwNCwgQVM2MjA4OCwgZGFya3JheS5jb20sIDQ1LjY3LjIzMS4xMDQsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0xMC0yMVQwMDoxMzo1MC40NDZaLCBodHRwczovL3VwZGF0ZXMuZXNpb3Ryb3QueHl6LFVTLCB1cGRhdGVzLmVzaW90cm90Lnh5eiwgQVMxNTE2OSwgNDkuMTUyLjY1LjM0LmJjLmdvb2dsZXVzZXJjb250ZW50LmNvbSwgMzQuNjUuMTUyLjQ5LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMTAtMTdUMTY6NTc6MTYuODY0WiwgaHR0cHM6Ly9oZWFsdGhj
YXJlLXJlZ2lzdHJhdGlvbi54eXosU0csIGhlYWx0aGNhcmUtcmVnaXN0cmF0aW9uLnh5eiwgQVMyMDQ3MywgMTM5LjE4MC4yMDkuMTQ1LnZ1bHRyLmNvbSwgMTM5LjE4MC4yMDkuMTQ1LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMTAtMTdUMTY6NTY6NTIuOTI2WiwgaHR0cHM6Ly8xMzkuMTgwLjIwOS4xNDUvLFNHLCAxMzkuMTgwLjIwOS4xNDUsIEFTMjA0NzMsIDEzOS4xODAuMjA5LjE0NS52dWx0ci5jb20sIDEzOS4xODAuMjA5LjE0NSxiOGM4OTJmYmI0OTkyMTUyOWJlNmY2Y2UxNzY4NWMzMTcyNGY3Njk1OTExMWIyOGYzOWUzOWRjMjk5YjhhY2FmDQoyMDE5LTEwLTA0VDIwOjIxOjM5LjYzM1osIGh0dHBzOi8vdGVzdC5zYWZlZGF0YXN5c3RlbXMuY29tLFVTLCB0ZXN0LnNhZmVkYXRhc3lzdGVtcy5jb20sIEFTMTY1MDksIGVjMi0xOC0yMjItMTI1LTQxLnVzLWVhc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb20sIDE4LjIyMi4xMjUuNDEsYjhjODkyZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjAxOS0wOS0yNlQxMzo0OTo0OS41MzFaLCBodHRwczovL2RyaXZlc2VjdXJlLnNhZmVkYXRhc3lzdGVtcy5jb20sVVMsIGRyaXZlc2VjdXJlLnNhZmVkYXRhc3lzdGVtcy5jb20sIEFTMTY1MDksIGVjMi0xMy01OC0xNzItNDMudXMtZWFzdC0yLmNvbXB1dGUuYW1hem9uYXdzLmNvbSwgMTMuNTguMTcyLjQzLGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMDktMTlUMTM6MDc6MTIuOTY2WiwgaHR0cHM6Ly8xOTQuMzYuMTkwLjU0OjQ0MyxOTCwgMTk0LjM2LjE5MC41NCwgQVM2MDExNywgLCAxOTQuMzYuMTkwLjU0LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMDktMDlUMjA6MzA6MzMuMzA1WiwgaHR0cDovL2lvdC1jb25maWctZW5naW5lLmNvbSxVUywgaW90LWNvbmZpZy1lbmdpbmUuY29tLCBBUzYzOTQ5LCBsaTE0MzEtMjM0Lm1lbWJlcnMubGlub2RlLmNvbSwgNDUuMzMuMTA0LjIzNCxiOGM4OTJmYmI0OTkyMTUyOWJlNmY2Y2UxNzY4NWMzMTcyNGY3Njk1OTExMWIyOGYzOWUzOWRjMjk5YjhhY2FmDQoyMDE5LTA4LTI4VDExOjAxOjAyLjA5OVosIGh0dHBzOi8vcmVkLmNzaXJ0LmZ1bi8sVVMsIHJlZC5jc2lydC5mdW4sIEFTMzYzNTIsIDE5OC0yNDUtNjktMTctaG9zdC5jb2xvY3Jvc3NpbmcuY29tLCAxOTguNDYuMjI3LjE1LGI4Yzg5MmZiYjQ5OTIxNTI5YmU2ZjZjZTE3Njg1YzMxNzI0Zjc2OTU5MTExYjI4ZjM5ZTM5ZGMyOTliOGFjYWYNCjIwMTktMDgtMjdUMDk6MDQ6MTEuMDc1WiwgaHR0cHM6Ly9zb2NpYWxwb2xpY2llcy5vcmcvLEZJLCBzb2NpYWxwb2xpY2llcy5vcmcsIEFTMjA2ODA0LCAsIDE4NS4yMjcuNjguODYsYjhjODky
ZmJiNDk5MjE1MjliZTZmNmNlMTc2ODVjMzE3MjRmNzY5NTkxMTFiMjhmMzllMzlkYzI5OWI4YWNhZg0KMjA
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5df8d8cf-a4a0-4391-9f86-4a11950d210f",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2019-12-17T13:31:59.000Z",
"modified": "2019-12-17T13:31:59.000Z",
"first_observed": "2019-12-17T13:31:59Z",
"last_observed": "2019-12-17T13:31:59Z",
"number_observed": 1,
"object_refs": [
"url--5df8d8cf-a4a0-4391-9f86-4a11950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5df8d8cf-a4a0-4391-9f86-4a11950d210f",
"value": "https://github.com/Hestat/intel-sharing/blob/master/powershell-empire-12-16-19/misp.event.7941.json"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2f32e8-68cc-423d-b58e-4a90950d210f",
"created_by_ref": "identity--5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9",
"created": "2020-05-01T13:14:19.000Z",
"modified": "2020-05-01T13:14:19.000Z",
"pattern": "[url:value = 'https://officestorage.org:443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-05-01T13:14:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}