{
"Event" : {
"analysis" : "0" ,
"date" : "2022-09-12" ,
"extends_uuid" : "" ,
"info" : "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free" ,
"publish_timestamp" : "1666603355" ,
"published" : true ,
"threat_level_id" : "4" ,
"timestamp" : "1666603345" ,
"uuid" : "761270e6-3a97-4c18-9a44-a844cb5b562b" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064d00" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064d00" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"Chisel (ELF)\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"Chisel (Windows)\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"Lorenz\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:ransomware=\"Lorenz Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#000000" ,
"local" : "0" ,
"name" : "dnc:malware-type=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#39b300" ,
"local" : "0" ,
"name" : "enisa:nefarious-activity-abuse=\"ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#006c6c" ,
"local" : "0" ,
"name" : "ecsirt:malicious-code=\"ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00acd1" ,
"local" : "0" ,
"name" : "veris:action:malware:variety=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#000000" ,
"local" : "0" ,
"name" : "Ransomware" ,
"relationship_type" : ""
} ,
{
"colour" : "#420053" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"Ransom\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001739" ,
"local" : "0" ,
"name" : "ms-caro-malware-full:malware-type=\"Ransom\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663230900" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "efce45a5-d17b-4da7-8e4a-02cc68b78064" ,
"value" : "CVE-2022-29499"
} ,
{
"category" : "Network activity" ,
"comment" : "Data exfiltration via FileZilla" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663241378" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "00352f55-b2a8-4eb0-b764-9ce328ce4e81" ,
"value" : "138.197.218.11" ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:country=\"united states\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Data exfiltration via FileZilla" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663241419" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "6fba8d44-4605-4a77-aec4-ead4519463bf" ,
"value" : "138.68.19.94" ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:country=\"united states\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Used to download Chisel" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663230900" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6" ,
"value" : "138.68.59.16"
} ,
{
"category" : "Network activity" ,
"comment" : "Data exfiltration via FileZilla" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663241443" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164" ,
"value" : "159.65.248.159" ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:country=\"united states\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663241629" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "892a5cd0-0395-4491-b996-8d45fb4ac7cf" ,
"value" : "206.188.197.125" ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:country=\"netherlands\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Data exfiltration via FileZilla" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663241419" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "6549b64d-0f09-4813-b9eb-31ccdb09f9de" ,
"value" : "64.190.113.100" ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:country=\"united states\"" ,
"relationship_type" : ""
}
]
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1663227795" ,
"uuid" : "62263df7-4b98-46f0-8925-c02d90716c82" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1663227795" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "086cf17a-272e-405e-b4bb-24abe206d118" ,
"value" : "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1663227795" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8184f511-f31a-4fa5-9a74-d3df2998a0d5" ,
"value" : "Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1663227795" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "260b4c23-6508-4b5d-bf02-b06183013575" ,
"value" : "Blog"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1663231414" ,
"uuid" : "eb00b3cf-fe12-4a16-b44b-21c2c89c72f6" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Chisel" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1663231414" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "707c73ef-8bab-4d55-9287-830e67c92bee" ,
"value" : "97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1663231414" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "24c92a5d-8d6e-452a-94fe-14a0f4ab53cf" ,
"value" : "mem"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame." ,
"meta-category" : "network" ,
"name" : "ip-port" ,
"template_uuid" : "9f8cea74-16fe-4968-a2b4-026676949ac6" ,
"template_version" : "9" ,
"timestamp" : "1663231502" ,
"uuid" : "47511f00-1ba7-4843-a276-a7174b6448b2" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "Used to exploit the Mitel device (CVE-2022-29499)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1663231502" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "cf262512-e7a6-4c58-ab98-501b6bbdbaed" ,
"value" : "137.184.181.252"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "dst-port" ,
"timestamp" : "1663231502" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "65078267-d28d-4ca9-b743-ff34b1d5f3dd" ,
"value" : "8443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1663234275" ,
"uuid" : "0ad373ea-22f7-4fd3-967a-52541d545ea1" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Webshell" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1663234275" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "4d9b1740-117c-484c-a65c-2d96de2dd6f4" ,
"value" : "07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1663234275" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d0ebe166-0da3-4700-8eb7-13d41b8d2d92" ,
"value" : "pdf_import_export.php"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or the like." ,
"meta-category" : "network" ,
"name" : "asn" ,
"template_uuid" : "4ec55cc6-9e49-4c64-b794-03c25c1a6587" ,
"template_version" : "3" ,
"timestamp" : "1663242137" ,
"uuid" : "b310d8a7-6e3d-4080-91b6-91d13b06d33a" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "asn" ,
"timestamp" : "1663242137" ,
"to_ids" : false ,
"type" : "AS" ,
"uuid" : "9fc054f0-cffa-4a00-94d5-5ee5723ec47e" ,
"value" : "14061"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1663242137" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "bed2aa5b-01fc-4f7a-93e9-4de853023f38" ,
"value" : "DIGITALOCEAN-ASN"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "country" ,
"timestamp" : "1663242137" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4e594b04-59ac-408f-bc05-4b8cddf92947" ,
"value" : "US"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subnet-announced" ,
"timestamp" : "1663242137" ,
"to_ids" : true ,
"type" : "ip-src" ,
"uuid" : "aaead232-226d-4496-a022-b11398e33206" ,
"value" : "138.197.218.11"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subnet-announced" ,
"timestamp" : "1663242137" ,
"to_ids" : true ,
"type" : "ip-src" ,
"uuid" : "d2a1ca46-fbfe-43fb-ae75-4b4871f5bbdc" ,
"value" : "138.68.19.94"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subnet-announced" ,
"timestamp" : "1663242137" ,
"to_ids" : true ,
"type" : "ip-src" ,
"uuid" : "f2cbea0b-3a1a-422e-8666-ecbf932fe3dd" ,
"value" : "159.65.248.159"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or the like." ,
"meta-category" : "network" ,
"name" : "asn" ,
"template_uuid" : "4ec55cc6-9e49-4c64-b794-03c25c1a6587" ,
"template_version" : "3" ,
"timestamp" : "1663242199" ,
"uuid" : "e7caa4ad-275f-4622-803d-5a5bc059bef5" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "asn" ,
"timestamp" : "1663242199" ,
"to_ids" : false ,
"type" : "AS" ,
"uuid" : "67858e0e-3a3d-4f3d-8dd7-fefa847deedd" ,
"value" : "399629"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1663242199" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "59d27e3b-b2b3-4b6b-ada2-3b2e55e05074" ,
"value" : "BL Networks"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "country" ,
"timestamp" : "1663242199" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2e9f97bf-35cc-4c10-afac-278120060fa8" ,
"value" : "NL"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subnet-announced" ,
"timestamp" : "1663242199" ,
"to_ids" : true ,
"type" : "ip-src" ,
"uuid" : "0ea13694-5cc0-42b2-9cf9-f45676493691" ,
"value" : "206.188.197.125"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or the like." ,
"meta-category" : "network" ,
"name" : "asn" ,
"template_uuid" : "4ec55cc6-9e49-4c64-b794-03c25c1a6587" ,
"template_version" : "3" ,
"timestamp" : "1663242230" ,
"uuid" : "93d05fa9-55f4-4607-b7c6-16e2ec591700" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "asn" ,
"timestamp" : "1663242230" ,
"to_ids" : false ,
"type" : "AS" ,
"uuid" : "ba396f22-2d05-4d3d-afe6-eebd3f31dd7e" ,
"value" : "399629"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1663242230" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ff9921c9-1959-49c2-8839-e28e2f8e24e0" ,
"value" : "BL Networks"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "country" ,
"timestamp" : "1663242230" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2bb9b0a4-2ca0-49bb-841d-5b53d92d781f" ,
"value" : "US"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subnet-announced" ,
"timestamp" : "1663242231" ,
"to_ids" : true ,
"type" : "ip-src" ,
"uuid" : "78d613c1-7197-468e-8f28-72d9acfdaf1a" ,
"value" : "64.190.113.100"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing one or more Suricata rule(s) along with version and contextual information." ,
"meta-category" : "network" ,
"name" : "suricata" ,
"template_uuid" : "3c177337-fb80-405a-a6c1-1b2ddea8684a" ,
"template_version" : "2" ,
"timestamp" : "1663242412" ,
"uuid" : "7efd1d01-3ad0-450c-95e5-c02a1dd99b88" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "suricata" ,
"timestamp" : "1663242412" ,
"to_ids" : true ,
"type" : "snort" ,
"uuid" : "e2c67c4c-4cdf-4157-a13d-f48e7c58568b" ,
"value" : "alert tls any any -> $HOME_NET any (msg:\"[Arctic Wolf Labs] Possible Ncat shell via SSL/TLS\"; flow:established,to_client; content:\"|41 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 4e 63 61 74|\";tls_cert_issuer; content:\"CN=localhost\";depth:12;sid:10000;rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "suricata" ,
"timestamp" : "1663242412" ,
"to_ids" : true ,
"type" : "snort" ,
"uuid" : "3d6283e0-6b14-46c3-93c2-460861d4c90d" ,
"value" : "alert http any any -> any any (msg:\"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php\"; http_uri;content:\"/vhelp/pdf/\"; http_uri; content:\"curl\"; http_user_agent;pcre:\"/(?:[A-Za-z\\d+\\/]{4})*(?:[A-Za-z\\d+\\/]{3}=|[A-Za-z\\d+\\/]{2}==)?$/\"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ref" ,
"timestamp" : "1663242412" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "c20ca78f-fabd-40f8-9ef6-154ee53f0bd0" ,
"value" : "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing one or more Suricata rule(s) along with version and contextual information." ,
"meta-category" : "network" ,
"name" : "suricata" ,
"template_uuid" : "3c177337-fb80-405a-a6c1-1b2ddea8684a" ,
"template_version" : "2" ,
"timestamp" : "1663243934" ,
"uuid" : "3dd56064-19ea-46f0-b3ce-3ac65d5ae66b" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "suricata" ,
"timestamp" : "1663243934" ,
"to_ids" : true ,
"type" : "snort" ,
"uuid" : "dcd14519-1c31-46c1-8d47-3e12939d6dc3" ,
"value" : "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\"; flow:established,to_server; content:\"GET\"; http_method; content:\"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/\"; http_uri; http_header_names; content:!\"Referer\"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ref" ,
"timestamp" : "1663243934" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "745896e2-7759-4d04-b42b-425f9d91ec6c" ,
"value" : "https://threatintel.proofpoint.com/sid/2037121#references1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing one or more Suricata rule(s) along with version and contextual information." ,
"meta-category" : "network" ,
"name" : "suricata" ,
"template_uuid" : "3c177337-fb80-405a-a6c1-1b2ddea8684a" ,
"template_version" : "2" ,
"timestamp" : "1663243974" ,
"uuid" : "046432a6-3ff8-47de-b73c-2239f71798c5" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "suricata" ,
"timestamp" : "1663243974" ,
"to_ids" : true ,
"type" : "snort" ,
"uuid" : "79c6eb51-9f8d-466d-b810-4d83121ab150" ,
"value" : "#alert tcp any any -> any !$SSH_PORTS (msg:\"ET POLICY SSH Client Banner Detected on Unusual Port\"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:\"SSH-\"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ref" ,
"timestamp" : "1663243975" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "3cc6c417-23b0-4207-a16c-aae84241f501" ,
"value" : "https://threatintel.proofpoint.com/sid/2001980"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663244802" ,
"uuid" : "66c1a496-fc3d-4160-86e2-11a8b120da5e" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663244802" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54a4c0aa-bd23-4c3a-899a-8335a683a4c8" ,
"value" : "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663244802" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "9f709927-e9e6-4328-a3a6-1cafb6f21d94" ,
"value" : "rule webshell_php_3b64command: Webshells PHP B64 {\r\n meta:\r\n Description= \"Detects Possible PHP Webshell expecting triple base64 command\"\r\n Category = \"Malware\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Hash = \"07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $decode = \"base64_decode(base64_decode(base64_decode(\" ascii\r\n $encode = \"base64_encode(base64_encode(base64_encode(\" ascii\r\n $s1 = \"popen(\" ascii\r\n $s2 = \"pclose\" ascii\r\n $s3 = \"fread(\" ascii\r\n $s4 = \"$_POST\" ascii\r\n condition:\r\n $decode and $encode\r\n and 3 of ($s*)\r\n and filesize < 2KB\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663244802" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "cf174050-e6f9-48fa-8610-2a39ac235a94" ,
"value" : "webshell_php_3b64command: Webshells PHP B64"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663244827" ,
"uuid" : "54e0dd10-1259-40f6-abbe-030482b53812" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663244827" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "9755b10d-6d25-4d21-a459-f6f1ac23c281" ,
"value" : "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663244827" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "66724ad2-81e5-4912-b0ad-0763dfcb123f" ,
"value" : "rule hktl_chisel_artifacts: Chisel Hacktool Artifacts {\r\n meta:\r\n Description = \"looks for hacktool chisel artifacts potentially left in memory or unallocated space\"\r\n Category = \"Tool\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $chisel = \"chisel_1.\" ascii\r\n $s1 = \"client\" ascii\r\n $s2 = \"--tls-skip-verify\" ascii\r\n $s3 = \"--fingerprint\" ascii\r\n $s4 = \"R:socks\" ascii\r\n condition:\r\n $chisel or 3 of ($s*)\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663244827" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ef19bc84-ecaa-4aee-94b6-55744c61a49a" ,
"value" : "hktl_chisel_artifacts: Chisel Hacktool Artifacts"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663244892" ,
"uuid" : "47a5ff44-cb7d-46c6-a522-8db93e1f379a" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663244892" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ba95c882-13a3-4152-93d3-78980d936608" ,
"value" : "https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663244892" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "a7287c83-f7ea-4616-adf0-5c2c46ca3144" ,
"value" : "title: Process Dump via Comsvcs DLL\r\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\r\nstatus: test\r\ndescription: Detects process memory dump via comsvcs.dll and rundll32\r\nauthor: Modexp (idea)\r\nreferences:\r\n - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\r\n - https://twitter.com/SBousseaden/status/1167417096374050817\r\ndate: 2019/09/02\r\nmodified: 2021/11/27\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n rundll_image:\r\n Image|endswith: '\\rundll32.exe'\r\n rundll_ofn:\r\n OriginalFileName: 'RUNDLL32.EXE'\r\n selection:\r\n CommandLine|contains|all:\r\n - 'comsvcs'\r\n - 'MiniDump' #Matches MiniDump and MinidumpW\r\n - 'full'\r\n condition: (rundll_image or rundll_ofn) and selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - unknown\r\nlevel: medium\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1218.011\r\n - attack.credential_access\r\n - attack.t1003.001\r\n - attack.t1003 # an old one"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663244892" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c8e5f130-66dd-41c5-89d9-6acdeb07ab80" ,
"value" : "Process Dump via Comsvcs DLL"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663244997" ,
"uuid" : "996361d8-5e7e-4e6f-8004-d40c38408096" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663244997" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "31a24608-6691-457b-9f86-0256c2cb1f42" ,
"value" : "https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663244997" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "c59fd0a8-5b13-4a94-b026-8a71a86e6497" ,
"value" : "title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nid: 74403157-20f5-415d-89a7-c505779585cf\r\nstatus: test\r\ndescription: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines\r\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\r\ndate: 2020/10/11\r\nmodified: 2022/07/14\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n CommandLine|contains: 'ConvertTo-SecureString'\r\n condition: selection\r\nfalsepositives:\r\n - Unlikely\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1027\r\n - attack.execution\r\n - attack.t1059.001"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663244997" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a97f98d5-dec3-4780-bd9e-c3ac9886133a" ,
"value" : "Encoded PowerShell Command Line Usage of ConvertTo-SecureString"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663245194" ,
"uuid" : "1a6c2f52-af2e-4cbb-a487-0b249f970dc9" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663245194" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "d44e0513-93eb-400f-82df-33da4b06927e" ,
"value" : "https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663245194" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "2f547dd0-7ed0-462b-9a32-5e1bbb68bb7b" ,
"value" : "title: CrackMapExec Process Patterns\r\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\r\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\r\nstatus: experimental\r\nauthor: Florian Roth\r\nreferences:\r\n - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\r\ndate: 2022/03/12\r\nmodified: 2022/05/27\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection_lsass_dump1:\r\n CommandLine|contains|all:\r\n - 'cmd.exe /c '\r\n - 'tasklist /fi '\r\n - 'Imagename eq lsass.exe'\r\n User|contains: # covers many language settings\r\n - 'AUTHORI'\r\n - 'AUTORI'\r\n selection_lsass_dump2:\r\n CommandLine|contains|all:\r\n - 'do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump'\r\n - '\\Windows\\Temp\\'\r\n - ' full'\r\n - '%%B'\r\n selection_procdump:\r\n CommandLine|contains|all:\r\n - 'tasklist /v /fo csv'\r\n - 'findstr /i \"lsass\"'\r\n condition: 1 of selection*\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663245194" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5ee19a29-639e-4f9b-bab3-c64c901447a9" ,
"value" : "CrackMapExec Process Patterns"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663246536" ,
"uuid" : "33bb1b75-b184-406b-b981-12bc9e86352c" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663246536" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "00ecfc3b-94d9-41d2-800c-1bc50e05290e" ,
"value" : "https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663246536" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "a6bc8003-825c-4065-a9ea-baeddc728697" ,
"value" : "title: PowerShell as a Service in Registry\r\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\r\ndescription: Detects that a powershell code is written to the registry as a service.\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2021/05/21\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.execution\r\n - attack.t1569.002\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|contains: '\\Services\\'\r\n TargetObject|endswith: '\\ImagePath'\r\n Details|contains:\r\n - 'powershell'\r\n - 'pwsh'\r\n condition: selection\r\nfalsepositives: \r\n - Unknown\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663246536" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a570bae1-a24e-4f04-a1c3-aa294d3471ab" ,
"value" : "PowerShell as a Service in Registry"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663246594" ,
"uuid" : "69b405d5-2c50-46c2-9866-83e6c1dc8799" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663246594" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e1d515c5-2840-4cee-96d4-b075d220d8b8" ,
"value" : "https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663246594" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "4b53d570-8ff4-4413-a779-9531efa88b2b" ,
"value" : "title: Remote Task Creation via ATSVC Named Pipe\r\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\r\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\r\nauthor: Samir Bousseaden\r\ndate: 2019/04/03\r\nreferences:\r\n - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\r\ntags:\r\n - attack.lateral_movement\r\n - attack.persistence\r\n - attack.t1053\r\n - car.2013-05-004\r\n - car.2015-04-001\r\nlogsource:\r\n product: windows\r\n service: security\r\n description: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\r\ndetection:\r\n selection:\r\n EventID: 5145\r\n ShareName: \\\\*\\IPC$\r\n RelativeTargetName: atsvc\r\n Accesses: '*WriteData*'\r\n condition: selection\r\nfalsepositives:\r\n - pentesting\r\nlevel: medium"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663246594" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8f093294-6ebc-4806-9a2c-006dd723c874" ,
"value" : "Remote Task Creation via ATSVC Named Pipe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1663246741" ,
"uuid" : "1cefa739-fd00-462e-a8ed-bd4964a10476" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663246741" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ee252939-235b-46f0-a2ef-7ed34bc6c030" ,
"value" : "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1663246741" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "d14f0fef-e003-480f-8001-8303f34b498e" ,
"value" : "title: Accessing WinAPI in PowerShell for Credentials Dumping\r\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\r\ndescription: Detects Accessing to lsass.exe by Powershell\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2022/07/14\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID:\r\n - 8\r\n - 10\r\n SourceImage|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n TargetImage|endswith: '\\lsass.exe'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1663246741" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "131b2111-451c-41f5-b0b9-9f534b3927c1" ,
"value" : "Accessing WinAPI in PowerShell for Credentials Dumping"
}
]
}
]
}
}