123 lines
5.4 KiB
JSON
123 lines
5.4 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59ec91ee-ae0c-4d5a-b149-4c0d02de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-22T13:01:52.000Z",
|
||
|
"modified": "2017-10-22T13:01:52.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59ec91ee-ae0c-4d5a-b149-4c0d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-22T13:01:52.000Z",
|
||
|
"modified": "2017-10-22T13:01:52.000Z",
|
||
|
"name": "OSINT - US CERT TA17-293A report - renamed PsExec execution (sigma/SIEM ruleset)",
|
||
|
"published": "2017-10-22T13:30:34Z",
|
||
|
"object_refs": [
|
||
|
"indicator--59ec921f-60d4-4693-8c63-43ad02de0b81",
|
||
|
"observed-data--59ec9242-cfcc-4634-8fca-416c02de0b81",
|
||
|
"url--59ec9242-cfcc-4634-8fca-416c02de0b81",
|
||
|
"observed-data--59ec9287-bc74-4c24-8c98-495c02de0b81",
|
||
|
"url--59ec9287-bc74-4c24-8c98-495c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"Dragonfly\"",
|
||
|
"misp-galaxy:threat-actor=\"Energetic Bear\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ec921f-60d4-4693-8c63-43ad02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-22T12:42:07.000Z",
|
||
|
"modified": "2017-10-22T12:42:07.000Z",
|
||
|
"description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report",
|
||
|
"pattern": "[title: Ps.exe Renamed SysInternals Tool\r\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report\r\nreference: https://www.us-cert.gov/ncas/alerts/TA17-293A\r\nauthor: Florian Roth\r\ndate: 2017/10/22\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID: 1\r\n CommandLine: 'ps.exe -accepteula'\r\n condition: selection\r\nfalsepositives:\r\n - Renamed SysInternals tool\r\nlevel: high]",
|
||
|
"pattern_type": "sigma",
|
||
|
"valid_from": "2017-10-22T12:42:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sigma\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59ec9242-cfcc-4634-8fca-416c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-22T12:42:42.000Z",
|
||
|
"modified": "2017-10-22T12:42:42.000Z",
|
||
|
"first_observed": "2017-10-22T12:42:42Z",
|
||
|
"last_observed": "2017-10-22T12:42:42Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59ec9242-cfcc-4634-8fca-416c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59ec9242-cfcc-4634-8fca-416c02de0b81",
|
||
|
"value": "https://github.com/Neo23x0/sigma/blob/801d739a3ba81b9b080efe33aea52c6893790853/rules/apt/apt_ta17_293a_ps.yml"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59ec9287-bc74-4c24-8c98-495c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-22T12:43:51.000Z",
|
||
|
"modified": "2017-10-22T12:43:51.000Z",
|
||
|
"first_observed": "2017-10-22T12:43:51Z",
|
||
|
"last_observed": "2017-10-22T12:43:51Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59ec9287-bc74-4c24-8c98-495c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59ec9287-bc74-4c24-8c98-495c02de0b81",
|
||
|
"value": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|