{
"Event": {
"analysis": "0",
"date": "2022-09-18",
"extends_uuid": "",
"info": "OSINT - Uber Breach & Attack Analysis",
"publish_timestamp": "1666603139",
"published": true,
"threat_level_id": "4",
"timestamp": "1666020853",
"uuid": "83e15192-96d8-476c-aa39-0317de8dba80",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials - T1589.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Multi-Factor Authentication Request Generation - T1621\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1194\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1566.003\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\"",
"relationship_type": ""
},
{
"colour": "#064d00",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
"relationship_type": ""
},
{
"colour": "#064f00",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"relationship_type": ""
},
{
"colour": "#203f00",
"local": "0",
"name": "circl:incident-classification=\"system-compromise\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Object": [
{
"comment": "Acquisition of credentials, possibly in dark forums.",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371835",
"uuid": "232b4f89-e21f-4ba5-8687-925ebaec6e55",
"ObjectReference": [
{
"comment": "",
"object_uuid": "232b4f89-e21f-4ba5-8687-925ebaec6e55",
"referenced_uuid": "a62672ed-3102-40e4-a4b0-cf19df8f9f31",
"relationship_type": "followed-by",
"timestamp": "1664368901",
"uuid": "ce106779-e229-4bb5-9fc5-b51fa2efc6fb"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664371835",
"to_ids": false,
"type": "text",
"uuid": "3f9b14cb-dffd-4240-a793-78f03924d601",
"value": "Acquisition of credentials, possibly in dark forums.",
"Tag": [
{
"colour": "#075300",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Accounts - T1586\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials - T1589.001\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664371430",
"to_ids": false,
"type": "boolean",
"uuid": "98131125-296f-4140-ac20-0e73e2ed537f",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664371430",
"to_ids": false,
"type": "boolean",
"uuid": "15a01732-765f-4273-b7da-f4fb24196a72",
"value": "1"
}
]
},
{
"comment": "2FA/MFA Spamming",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664372459",
"uuid": "a62672ed-3102-40e4-a4b0-cf19df8f9f31",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a62672ed-3102-40e4-a4b0-cf19df8f9f31",
"referenced_uuid": "cadef9eb-7d4c-4a02-acde-c8b6d64650a9",
"relationship_type": "followed-by",
"timestamp": "1664368448",
"uuid": "a8ffd39b-86e5-4bbd-a028-ecfdf2d8bb2c"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664372459",
"to_ids": false,
"type": "text",
"uuid": "5fa14e85-4323-44a3-a709-1da4071cc1ff",
"value": "2FA/MFA Spamming",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1194\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1566.003\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Multi-Factor Authentication Request Generation - T1621\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664372431",
"to_ids": false,
"type": "boolean",
"uuid": "012442d3-ae33-4ca5-8d6f-36229a3d52a4",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664372431",
"to_ids": false,
"type": "boolean",
"uuid": "3cf255cf-e173-4b37-ac86-74e424012a86",
"value": "1"
}
]
},
{
"comment": "VPN Access",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664372476",
"uuid": "cadef9eb-7d4c-4a02-acde-c8b6d64650a9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cadef9eb-7d4c-4a02-acde-c8b6d64650a9",
"referenced_uuid": "49d141f4-81bc-4ad9-ac04-56a2b9ceb87e",
"relationship_type": "followed-by",
"timestamp": "1664368736",
"uuid": "fec71e90-ab4c-4c28-b01c-8acaf41dc698"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664372476",
"to_ids": false,
"type": "text",
"uuid": "ee25fe1a-f768-4159-9929-77f6abd116f3",
"value": "VPN Access",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664371596",
"to_ids": false,
"type": "boolean",
"uuid": "2768d169-eb78-4168-a4eb-fee043dd7729",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664371596",
"to_ids": false,
"type": "boolean",
"uuid": "00389dcd-cb29-4043-ad8e-7817029a69f4",
"value": "1"
}
]
},
{
"comment": "Scanning Uber Infrastructure",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371348",
"uuid": "49d141f4-81bc-4ad9-ac04-56a2b9ceb87e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "49d141f4-81bc-4ad9-ac04-56a2b9ceb87e",
"referenced_uuid": "1229857e-9b1a-4ea6-bcb3-ad1b9e001b06",
"relationship_type": "followed-by",
"timestamp": "1664368834",
"uuid": "fcf398d1-216e-44f4-b04f-690606029463"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664371348",
"to_ids": false,
"type": "text",
"uuid": "4b38bded-0f2f-4c9f-a9d8-f65f6fc7acaa",
"value": "Adversary scans Uber infrastructure",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664368703",
"to_ids": false,
"type": "boolean",
"uuid": "b0eb7844-4902-4081-adf6-c490bffa2544",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664368703",
"to_ids": false,
"type": "boolean",
"uuid": "d211a22e-acba-4917-8651-c01906b3d197",
"value": "1"
}
]
},
{
"comment": "PowerShell scripts in Network share (credential leak)",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664372490",
"uuid": "1229857e-9b1a-4ea6-bcb3-ad1b9e001b06",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1229857e-9b1a-4ea6-bcb3-ad1b9e001b06",
"referenced_uuid": "22b4546b-2acd-4acc-973c-bca7108df7a7",
"relationship_type": "followed-by",
"timestamp": "1664369115",
"uuid": "dec52aa5-0d5b-4fb3-b10a-8fcfc26cbd5b"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664372490",
"to_ids": false,
"type": "text",
"uuid": "d86bb6c9-8f68-4c87-8834-9afb045911ae",
"value": "PowerShell scripts in Network share (credential leak)",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664368812",
"to_ids": false,
"type": "boolean",
"uuid": "15a25aba-d603-4599-9dfb-0796c95dcdf0",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664368812",
"to_ids": false,
"type": "boolean",
"uuid": "d450ae87-a711-42d5-b640-45af2680c42b",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1666020853",
"uuid": "3c0befee-55b2-457f-925e-74d1052ea063",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3c0befee-55b2-457f-925e-74d1052ea063",
"referenced_uuid": "7e67259a-48ee-47b1-8b54-2807993972d7",
"relationship_type": "references",
"timestamp": "1666020853",
"uuid": "2a2349a7-e31d-4368-ae89-9f746bdffbe0"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1664368021",
"to_ids": false,
"type": "link",
"uuid": "415a1219-4e22-4713-bcc8-3a83de329727",
"value": "https://whimsical.com/uber-breach-and-attack-analysis-7JNtVoq4Tu73kBXzoisuiQ"
},
{
"category": "External analysis",
"comment": "Original source",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1664368021",
"to_ids": false,
"type": "link",
"uuid": "cb58bdfb-5582-4412-8183-77f7a7256cc4",
"value": "https://twitter.com/MichalKoczwara/status/1571432800787759104"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1664368021",
"to_ids": false,
"type": "text",
"uuid": "e427e70a-9b5c-416d-b4a7-97026de598aa",
"value": "tweet"
},
{
"category": "External analysis",
"comment": "",
"data": "iVBORw0KGgoAAAANSUhEUgAAB38AAANKCAYAAACK2YQTAAAABHNCSVQICAgIfAhkiAAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AACAASURBVHic7N11eNXl/8fx5znrDRgjN0ZtNIxukJIQUEZ3Ix3SgkhIS6eAhJSUpHRKCogoSJd0syDXO+f3x7bDDtvYQPz6E1+P69q187k/7zs+Mfxe3/e579tw94Gf2Wg0gsGAiIiIiIiIiIiIiIiIiIj8i5jNmEwmTGYTtkYbG4xGI4bo5K9BSWARERERERERERERERERkf/XzGbzy98GA0SCrdFotCR/lfgVEREREREREREREREREfl3MJvNliQwZjO2MUlfo9H4z45MRERERERERERERERERESSzGAwYDKZoib5GgzYxhTG/i0iIiIiIiIiIiIiIiIiIv+/mc1mqxyvpvuKiIiIiIiIiIiIiIiIiLwHjJrtKyIiIiIiIiIiIiIiIiLy7xWT89XMXxERERERERERERERERGR94CSvyIiIiIiIiIiIiIiIiIi7wElf0VERERERERERERERERE3gNK/oqIiIiIiIiIiIiIiIiIvAeU/BUREREREREREREREREReQ8o+SsiIiIiIiIiIiIiIiIi8h5Q8ldERERERERERERERERE5D2g5K+IiIiIiIiIiIiIiIiIyHvA9p8egMj/B2Wr1cFkMjHsiz5Ur1zR6tzUWfNZtW4jhQv6MGvSGE6ePkeX3gMxGAwc3L6eXgOHcvzEqQTb/vqrL3B1daVL74FW5SlSJCdf7px0ad+KHN5eAPToPzjBtqaNG06JooUT7Gf2giUsWbEGRwcHNv2wmGQuzpaxJiSHtxd9enRKNGbJ3GkAHDn2G7PmLebOvfvkzB5VN2c27zh1duzZz/I1G7h58zYuLi6UKVmUzp+2JFXKlMDL+/3NpNEUKZgfgDnfLWXx8tWkSJGcxXOm4Z4ujVWbC79fxdxFy8iUMQMrv5uF0fjyuyv+AQHUb9mR0NAwqzb/bt8uXMqiZaupVaMqg/r2+J/0KSIiIiIiIiIiIiIikhDN/BUBTCYTAKvWbrQqDwoKZvP23VExkZFWsWazOfrY/PrGzS/rANjZ2WFnZ8fTp884cuw3uvYZxCM/fwAio+OMRiP29nZWP0ajzWu72bn3AAAhoaEcPHIsqutY/cY7NLM5STEADx494ovhY7l55w6FCuTj1NkLDBw62nI+xsatO/lq7CQuXf6TkNBQ/AMC2LRtF517DSQkNBR4eT8iI6N+7zt4mMXLV2NrY8PYYQPjJH5j35tbt+9y9Nffrc79uGUnoaFhVm3+L7i6upIlc0bSpHL7n/UpIiIiIiIiIiIiIiKSEM38FYnlwqUrnDl/EZ88uYCoGawvgoJeW2fa+BGYohOOLTr04Nadu/Ts3I56vh8DYGdny4lTZy3xP23+AVsbGy79eZVufQbx/PkLtuz4iTbNG1piWjWtT6e2LZM87rMXLnL//kPL8d79h6hRpSKFC/qwf+taAHbvO8jI8VNJkSI5G1csxGAwYDAasLO1TTQG4NKVa4SGhlG2VHEmjhpC8/Y9uHr9BgGPH5PaLSr5GRlpYu7CZQBU+KA0vbp24MbNWwwa8TUhIaFcv3GL3DmzW439xs3bjJwQNbO4f88uSZq1u3rDZsqULGbp88ctO5J8r96lJvV8aVLP9x/pW0RERERERERERERE5FVK/oq8Yu2GLZbk77qNWxONt7WxAZuoWblGm6jJ9LZ2UbN142MgKpmaM5s3+fPl4cix37h99+5fGvPufYcAKFOiGIePHefo8RM8fxFEMhdnyzhifhsMBhwc7K3qJyUmRzZvjEYjv504xZzvlnL1+g08M7hbEr8A12/ewj8wEIBuHVrjni4N7unSsGDGJDw93bGztf4nJygoiIHDvyUoKJjG9X3xrVktSdd79NffuXX7LpkyZuDg4aM8jJ4
5HdtvJ0+x8PsfuHr9JsHBwaRPn5b6vjVpWOcT4OWSzWVLFScsLJzzFy+RM3s2urRvhU+eXISHh1OhZgPMZjNtmjdkx+59mExmPqzwAT06tcVgMMRZ9jnmuEzJYoSHR3D2wkUyZ/Tkiz7dyZk9anns3/84w7xF33Pl6nXy5cnFo0f+XL1xky/6dE/y9YuIiIiIiIiIiIiIiMRHyz6LxOLk6Mie/YcIePyYk6fPceXadZydHN9pHyZz1CzhcxcucerMeQDc06e1ilm0bDWlq/hafr5duDTB9sxmM3v3/wxA4/q1yOaVhfDwcA4dPfZOx+2eLg2N6/kSEhrK4uWrcXRwiLPPbUDgY8vn9GlfXlPWLBnjJH4Bps35jus3bgPgnSVzksbh5Bj1PNZGJ+Zjfr/6nB76BXD63Hk83NOROXNGbty8zeSZcy2zsGOWh/756K9cuHyF8IgIfv/jNENGTyAoKBiz+eWS14uWrSYsLIIHj/xYsWaDpc+YNiJfWcb68C/H8fcPwICBC5eu8NWYSQA8e/acoaMncvL0OUwmE3+cPsfVGzet6oqIiIiIiIiIiIiIiLwtJX9FYqlZ9UPCIyL4cctOy6zfGlUrv9M+ylevR+kqvnzavR8vgoJImyY1H39U1SrGxsaIs5Oj5cfWJv5ZxACnzl7gwSM/nJ2dKFzAh3JlSgBYEsLvSnBICJf/vGo5rlSuNEUK5ickNPRlEjR6X2R4OQv6de7df2D5vPD7lYSHhyda58MKZXFwsGfLjt1cuHSF4ydOkTNHNryyZLGKq165AptWLmLBzIksnj2F8mVLAXDp8hWruIyeHmxauYiVC+dgb2/H/fsP+ePMOauYQX26s3n1YupHL+W9fde+144xh7cXyxbMZPKYYQBcu3mLp0+f8dvJU/gHBODs5MjqpXNZ8/1cSzJbRERERERERERERETkr1LyVySWur41MBgMrFm/mX0HD+Phnp4yJYu+0z5cnF8uxZw8eTLmz5yAxyszf1s2qc+eTT9Yfj5t1STB9vbsOwhAqWJFsLOz44PSUcnfI7/+nuh+xW9i6qz5HD9xitIlipLazY1tu/exe99BPh8yms+HjiI8IgKbWAlfUxJmshoMBgb374mtjQ33H/qxcduuROu4pkhO1Urlef4iiIHDxgDQqM4nGAxmq7jrN28zZPREqtZuQukqvhz4+SgAYeERVnF5c+XAwcEe93RpyOSZAbCewQxQqIAPAMUK548+H/DaMebI7gVAdu+slrIXwcH4B0QtiZ05U0ZSpUxJajc3MmXyTPSaRUREREREREREREREkkLJX5FYPNzT80Gp4gQ8fkx4RAT1fWtiNL7bP5Pt65cxc8JoIGoZ4IcP/eLExOwLnBiTycRPBw4D8NOBnyldxZf23fsDRC39fOTXdzLmiMhIdu87SIoUyfn6q0EM/7IvRqORIaMm8OvvJ7G1tcXWxgY3t5SWOg8fvbyuW7fvEhFrVnCM5o3q8vFHlalR7UMAFi9fTWhoWKLjaVg7agbug0d+pEiRnCoVy8WJ+XL41xz77QSFC/jwWed2FPDJE29bZnN8ZeY3Oo7DYLD+bSmOepdiL/Fsioh7X0RERERERERERERERN6Gkr8ir2hQJyqx6OBgT63qVd55+wYM5M+Xm0L58wLw3fer4sSYSSS5GO3k6bP4BwRgMBhIlszF8hMzs/in/YfeyZgfP35CUFAwkRGRhIWHU8AnL3lzZQfAztaWgb26YjAY8MqcmVQpoxLAsxYswc8/gN9OnqJt1z40bNmBS5f/tGq3RNHCQNRMZ6PRyCM/f9Zv2Z7oeHLmyEb+fLkB8K1RFQcHe6vzz18Ece3mLQwGA18N6kfTBnVI6eoab1tnzl8kNDSMh35+3L57D4BUqVJaxfx28jQAv/9xJvp8qkTHGJ/06dIAcP3GTc5duMSZ8xe5fvPWW7UlIiIiIiIiIiIiIiLyKtt/egAi/98UL1KI7h3bkj5dGlKkSP639dO8UT1
Onj7HkWO/ce7CJfLmzmk5t3TlWn5Yt8kqfvzIwRQtVMCqbHf0ks9lShZj4qghlvJfjp+g18BhHD0etfSzi7
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1664368021",
"to_ids": false,
"type": "attachment",
"uuid": "dcac4fca-f0b9-46c6-b257-0756af43522c",
"value": "uber-breach.png"
}
]
},
{
"comment": "PowerShell script contained creds in clear-text ",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371397",
"uuid": "22b4546b-2acd-4acc-973c-bca7108df7a7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "22b4546b-2acd-4acc-973c-bca7108df7a7",
"referenced_uuid": "7e67259a-48ee-47b1-8b54-2807993972d7",
"relationship_type": "followed-by",
"timestamp": "1664369413",
"uuid": "42c6a6d7-edb1-4f40-9e91-d0ab32416960"
},
{
"comment": "",
"object_uuid": "22b4546b-2acd-4acc-973c-bca7108df7a7",
"referenced_uuid": "8e394054-7c6b-452a-9fc3-039220bae131",
"relationship_type": "followed-by",
"timestamp": "1664369899",
"uuid": "dd6e5815-3e01-4638-af87-d881dafcc4b1"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664371397",
"to_ids": false,
"type": "text",
"uuid": "aea70086-8e6c-45d9-bd79-2fc2062c81cb",
"value": "PowerShell script contained creds in clear-text",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664369086",
"to_ids": false,
"type": "boolean",
"uuid": "331207a9-34f0-429d-8128-53e6a7f8af49",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664369086",
"to_ids": false,
"type": "boolean",
"uuid": "e98fbf75-d2a7-4328-afac-2d7f9b44ea02",
"value": "1"
}
]
},
{
"comment": "Software abused by finding admin credentials",
"deleted": false,
"description": "The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14",
"meta-category": "misc",
"name": "software",
"template_uuid": "b1b5dc0e-73fe-443c-8d9d-0e208de3951e",
"template_version": "1",
"timestamp": "1664371456",
"uuid": "7e67259a-48ee-47b1-8b54-2807993972d7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1664371456",
"to_ids": false,
"type": "text",
"uuid": "94e4d469-a363-46c9-8e29-86eba6c9e2b6",
"value": "Thycotic PAM"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "cpe",
"timestamp": "1664371456",
"to_ids": false,
"type": "cpe",
"uuid": "2f8c1065-6c03-4471-9a20-8e7318907b56",
"value": "cpe:2.3:a:thycotic:"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "vendor",
"timestamp": "1664371456",
"to_ids": false,
"type": "text",
"uuid": "93aa7bd3-64ec-4b58-be9e-63efe8bbda7f",
"value": "Thycotic"
}
]
},
{
"comment": "Access to Thycotic PAM",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371238",
"uuid": "8e394054-7c6b-452a-9fc3-039220bae131",
"ObjectReference": [
{
"comment": "",
"object_uuid": "8e394054-7c6b-452a-9fc3-039220bae131",
"referenced_uuid": "7e67259a-48ee-47b1-8b54-2807993972d7",
"relationship_type": "related-to",
"timestamp": "1664369920",
"uuid": "c85cdb00-00fb-4506-8eae-3cad37a60937"
},
{
"comment": "",
"object_uuid": "8e394054-7c6b-452a-9fc3-039220bae131",
"referenced_uuid": "75c311e2-6f7a-4812-a743-3feaa8b17864",
"relationship_type": "followed-by",
"timestamp": "1664371238",
"uuid": "63d2ae78-e635-4918-824c-4f50e1ff3294"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664369345",
"to_ids": false,
"type": "text",
"uuid": "782af45c-030c-49b7-b37b-9f32417654f8",
"value": "Access to Thycotic PAM"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664369345",
"to_ids": false,
"type": "boolean",
"uuid": "5853dc00-f10b-4a2f-aa5e-05235dc27bc0",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664369345",
"to_ids": false,
"type": "boolean",
"uuid": "84280ecd-97e9-47a9-9d2c-cc5833f8c2a9",
"value": "1"
}
]
},
{
"comment": "Access to number of apps/infra",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371308",
"uuid": "75c311e2-6f7a-4812-a743-3feaa8b17864",
"ObjectReference": [
{
"comment": "",
"object_uuid": "75c311e2-6f7a-4812-a743-3feaa8b17864",
"referenced_uuid": "d5aa02f2-31c1-440a-bcd0-dca726039dee",
"relationship_type": "followed-by",
"timestamp": "1664371308",
"uuid": "8b3fe9ec-fe3b-4925-9fc8-59c89ad14494"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664371216",
"to_ids": false,
"type": "text",
"uuid": "b3ef913e-252d-4d50-a7ff-d8121e18956b",
"value": "Access to number of apps/infra"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664371216",
"to_ids": false,
"type": "boolean",
"uuid": "fc57c0ee-e5f9-4177-8ac2-7b26216e8fa6",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664371216",
"to_ids": false,
"type": "boolean",
"uuid": "38999c55-b852-450b-b24a-d4aecb47df7f",
"value": "1"
}
]
},
{
"comment": "Data Exfiltration",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1664371478",
"uuid": "d5aa02f2-31c1-440a-bcd0-dca726039dee",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1664371478",
"to_ids": false,
"type": "text",
"uuid": "f508e853-4495-498a-b7ef-382e5ad42cb1",
"value": "Data Exfiltration",
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1664371281",
"to_ids": false,
"type": "boolean",
"uuid": "09268db6-fe71-4202-ac2d-e56482b32976",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1664371281",
"to_ids": false,
"type": "boolean",
"uuid": "6835a600-c21a-4e82-b823-ad553d9d23ac",
"value": "1"
}
]
}
],
"EventReport": [
{
"name": "Event report (1664371865)",
"content": "## OSINT - Uber Breach & Attack Analysis\n - *Date*: 2022-09-18\n - *Last update*: 2022-09-28 13:30:35\n - *Threat level*: Undefined\n - *Attribute count*: 32\n#### Tags\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\")\n - @[tag](circl:incident-classification=\"system-compromise\")\n - @[tag](type:OSINT)\n - @[tag](osint:lifetime=\"perpetual\")\n - @[tag](osint:certainty=\"50\")\n - @[tag](tlp:white)\n#### Galaxies\n - *Name*: Attack Pattern\n - *Description*: ATT&CK Tactic\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Credentials - T1589.001\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Multi-Factor Authentication Request Generation - T1621\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1194\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1566.003\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\")\n### Objects\n - @[object](232b4f89-e21f-4ba5-8687-925ebaec6e55)\n - @[object](a62672ed-3102-40e4-a4b0-cf19df8f9f31)\n - @[object](cadef9eb-7d4c-4a02-acde-c8b6d64650a9)\n - @[object](49d141f4-81bc-4ad9-ac04-56a2b9ceb87e)\n - @[object](1229857e-9b1a-4ea6-bcb3-ad1b9e001b06)\n - @[object](3c0befee-55b2-457f-925e-74d1052ea063)\n - @[object](22b4546b-2acd-4acc-973c-bca7108df7a7)\n - @[object](7e67259a-48ee-47b1-8b54-2807993972d7)\n - @[object](8e394054-7c6b-452a-9fc3-039220bae131)\n - @[object](75c311e2-6f7a-4812-a743-3feaa8b17864)\n - @[object](d5aa02f2-31c1-440a-bcd0-dca726039dee)\n### Attributes\n### ATT&CK Matrix\n@[galaxymatrix](c4e851fa-775f-11e7-8163-b774922098cd)",
"id": "135",
"event_id": "106311",
"timestamp": "1664371865",
"uuid": "b210c607-b7c0-44bb-bde3-60332204a074",
"deleted": false
}
]
}
}