{
"Event": {
"analysis": "2",
"date": "2021-03-09",
"extends_uuid": "",
"info": "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server",
"publish_timestamp": "1615361510",
"published": true,
"threat_level_id": "1",
"timestamp": "1615361330",
"uuid": "fd875781-262e-4159-a0cd-ac0241784cc7",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "413f1ac4-a532-4064-bade-e235aa47742b",
"value": "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "fa5173da-5d57-4f33-9fc0-951c52af2604",
"value": "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "22995f5b-dc6a-4d28-a2ac-6ab03e2bb37e",
"value": "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "def94d8e-d667-4919-9716-3bb647f170bc",
"value": "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615296581",
"to_ids": true,
"type": "sha256",
"uuid": "4efc6517-a3f4-4bf0-8e80-c7932fd9fe91",
"value": "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "1e3175ea-2d41-4464-b782-acbea8acd3df",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorPages.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "e8dc44c3-ce63-4ead-adef-619093ef56a6",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\fatal-erro.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "1bfa394a-6c79-49a7-b323-d7219230016e",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\log.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "f18e4d36-14f3-4b8c-b52a-cec77044bdbc",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logg.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "303d4ede-e32c-4770-86c5-5c03a1a29f99",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logout.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "05022526-5ee3-45cd-a5ee-1d5dfd24eaf8",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\one.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "7ed74f81-dde6-49a1-918c-0d92925f1314",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\one1.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "18c5376a-1aef-4fe3-a66c-a4de1f901ad2",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\shel.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "83b7c9a1-9546-4465-b872-56cb3a3b5fa6",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\shel2.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "6ad50f9b-e3f2-48ca-81c9-d15808e6d738",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\shel90.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "51ce23e7-d6e1-4419-84e5-b7817fce917d",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\a.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "02e4616d-8cf1-4260-81d4-a36327463f6a",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\default.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "72337e5a-25cc-4433-95a8-425ad5e136a7",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "9ae579fb-d41e-41cd-a561-ba21f57f2c80",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\Server.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "5b77ffac-119a-44b9-9f8b-7490e1eb3ee0",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\aspnet_client.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "8ea73e39-6d7e-404b-8703-87c1642d1fc0",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\aspnet_iisstart.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "207eca01-fc05-4bcd-a202-8eddf6c7558d",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\aspnet_pages.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "8637d739-8966-4329-b50a-b9f0f4a1bcfa",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\aspnet_www.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "09e2769a-b35b-4cd0-b38d-52567ec988f3",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\default1.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "e84decaa-7940-4d67-9aaa-26208a0a8948",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\errorcheck.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "f7289972-ada1-4ded-ac14-0d4444e864b3",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\iispage.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "1815970d-ce0c-4353-b8d2-79b32c1b2df8",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\s.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "7b386da1-88b0-46d8-af3a-9702f117a49f",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\session.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "f644a2c3-c293-44b0-97ed-9abe8b6055aa",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\log.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "4ca0d6fb-8243-4a88-9007-26cda3eed84e",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\xclkmcfldfi948398430fdjkfdkj.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "404c05d7-91d0-4f62-b219-ea0a60ab2146",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\xx.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "279bb3c4-588e-43bc-bec5-7ea0f30abae2",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "3122f7b8-bf59-4b85-b304-0284f128dbd6",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\HttpProxy.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "d791b287-606e-4db3-9e18-fc6736a43d89",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\OutlookEN.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "64cf16e6-e1ce-4c3d-bc0d-b330ce04aebc",
"value": "C:\\inetpub\\wwwroot\\aspnet_client\\supp0rt.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615361330",
"to_ids": true,
"type": "filename",
"uuid": "45665e5c-0234-4418-a741-9393cac6e8ad",
"value": "%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\OAB\\log.aspx"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "3",
"timestamp": "1615296611",
"uuid": "d58ee1a4-a9f4-4399-b0ee-ef6a56041d61",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1615296611",
"to_ids": false,
"type": "link",
"uuid": "5e7f8c42-778d-474a-98f3-582638ff3227",
"value": "https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1615296611",
"to_ids": false,
"type": "text",
"uuid": "e9d11c2c-3c7b-438b-ae41-ea254bcb5eab",
"value": "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server\r\nTo help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don\u2019t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update."
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1615296695",
"uuid": "67c07ce5-44b3-4bc5-99b3-4aab41cb6a60",
"ObjectReference": [
{
"comment": "",
"object_uuid": "67c07ce5-44b3-4bc5-99b3-4aab41cb6a60",
"referenced_uuid": "dabe273c-c3c3-484d-86b8-b7faefc6794d",
"relationship_type": "analysed-with",
"timestamp": "1615296695",
"uuid": "be828823-85bd-4fe1-9e65-bcba39cda915"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1615296580",
"to_ids": true,
"type": "md5",
"uuid": "2d048a35-0c16-4308-8a1e-2a5c3dd573a3",
"value": "4b3039cf227c611c45d2242d1228a121"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1615296580",
"to_ids": true,
"type": "sha1",
"uuid": "4f5c5cc8-9808-4598-af7f-2f113064d4cf",
"value": "0ba9a76f55aaa495670d74d21850d0155ff5d6a5"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "a0461834-38d2-43e6-ad68-8bd4222a70ed",
"value": "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1615296695",
"uuid": "dabe273c-c3c3-484d-86b8-b7faefc6794d",
"Attribute": [
{
"category": "Other",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1615296580",
"to_ids": false,
"type": "datetime",
"uuid": "c39f9cff-2004-4ddb-bf0b-73aa06ea2faa",
"value": "2021-03-09T12:43:18+00:00"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1615296580",
"to_ids": false,
"type": "link",
"uuid": "3dacaf12-a071-45a8-a0a5-cca758123a83",
"value": "https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection/f-b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0-1615293798"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1615296580",
"to_ids": false,
"type": "text",
"uuid": "85789282-98cf-4c8d-b1aa-39e11d8f0707",
"value": "32/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1615296695",
"uuid": "7bc065a5-1635-4bcd-9150-d929f8f74d96",
"ObjectReference": [
{
"comment": "",
"object_uuid": "7bc065a5-1635-4bcd-9150-d929f8f74d96",
"referenced_uuid": "89dd3fc2-b2d9-407a-8001-d3567375f28f",
"relationship_type": "analysed-with",
"timestamp": "1615296695",
"uuid": "45ae5ace-089e-48b2-849e-00c7410ac7f8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1615296580",
"to_ids": true,
"type": "md5",
"uuid": "eb2503a9-ca3d-4683-98d1-92edf97f61df",
"value": "5544ba9ad1b56101b5d52b5270421d4a"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1615296580",
"to_ids": true,
"type": "sha1",
"uuid": "0444154a-7c68-4eb7-a85b-7b1dc184351a",
"value": "fc6f5ce56166d9b4516ba207f3a653b722e1a8df"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1615296580",
"to_ids": true,
"type": "sha256",
"uuid": "d805ef16-acb5-45b0-80fb-9387fd52a89d",
"value": "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1615296695",
"uuid": "89dd3fc2-b2d9-407a-8001-d3567375f28f",
"Attribute": [
{
"category": "Other",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1615296580",
"to_ids": false,
"type": "datetime",
"uuid": "88c26491-1653-45de-b5ab-d8e0d486a105",
"value": "2021-03-09T10:02:47+00:00"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1615296580",
"to_ids": false,
"type": "link",
"uuid": "ad5797bd-9107-4415-8867-1a38e32406d5",
"value": "https://www.virustotal.com/gui/file/511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1/detection/f-511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1-1615284167"
},
{
"category": "Payload delivery",
"comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1615296580",
"to_ids": false,
"type": "text",
"uuid": "cb6fe889-9985-488c-8213-0d0b65bfca71",
"value": "18/58"
}
]
}
]
}
}