misp-circl-feed/feeds/circl/misp/b7f8805b-fec8-4491-b866-83a457212437.json

1908 lines
137 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2021-04-21",
"extends_uuid": "",
"info": "FireEye Mandiant PulseSecure Exploitation Countermeasures",
"publish_timestamp": "1618997908",
"published": true,
"threat_level_id": "1",
"timestamp": "1618997892",
"uuid": "b7f8805b-fec8-4491-b866-83a457212437",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0029ff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "estimative-language:confidence-in-analytic-judgment=\"high\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#001fc2",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "estimative-language:likelihood-probability=\"almost-certain\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618992456",
"to_ids": false,
"type": "link",
"uuid": "5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618992728",
"to_ids": false,
"type": "link",
"uuid": "5cb95524-3fef-4334-9fef-e6d3f00982a4",
"value": "https://www.circl.lu/pub/tr-63"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "d584973b-e85b-431b-a2f2-c3cd33562245",
"value": "alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; )"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "55301c17-7b0e-450d-89be-54eb3f096592",
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "e8e292e5-5fab-4e5b-afa0-89df4eb361d6",
"value": "alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[<form action=]\"; flow:to_client; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; pcre:\"/<\\/form>\\s{0,512}<pre>/R\"; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; )"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "4ad4982e-87bf-4edc-915b-4ad84f3b13eb",
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[<form action=]\"; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "2b0bd4a3-3f4a-4e9a-b330-52a196385fc0",
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[Results of]\"; content:\"|0d 0a|Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; fast_pattern; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1618995681",
"to_ids": true,
"type": "snort",
"uuid": "baccb07a-3ac5-4a08-89d0-5c02114ad60b",
"value": "alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE. .[Results of]\"; flow:to_client; content:\"Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; fast_pattern; )"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "3",
"timestamp": "1618992530",
"uuid": "57ffce5f-60a8-40ae-b11e-624ca218704d",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1618992530",
"to_ids": false,
"type": "link",
"uuid": "4fa4a70a-3aff-4432-ac42-9409399e196d",
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1618992530",
"to_ids": false,
"type": "text",
"uuid": "eebfc2b8-6467-4cdd-8a31-041708d20a55",
"value": "Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process."
}
]
},
{
"comment": "SLOWPULSE V1 - libdsplibs.so ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618992906",
"uuid": "6854614c-df9f-4bb5-8de0-857c943be550",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618992906",
"to_ids": true,
"type": "md5",
"uuid": "b450f0cd-dbd3-4cb4-90f2-b04355d33d09",
"value": "23ff4df644aa408d6a074eb8fa9f0da3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618992906",
"to_ids": true,
"type": "sha256",
"uuid": "2e9d8332-758e-49a1-8678-57f73f34f5a3",
"value": "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
}
]
},
{
"comment": "SLOWPULSE V2 \r\nlibdsplibs.so ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993022",
"uuid": "874ca0e5-827e-43f8-99f5-a2a5aa60e672",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1618993022",
"to_ids": true,
"type": "filename",
"uuid": "7eb05728-7cfe-4be1-968b-6f1e8905f681",
"value": "libdsplibs.so"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993022",
"to_ids": true,
"type": "md5",
"uuid": "7c1cbe4a-6979-4922-9932-6f620bbbf7ec",
"value": "8bf3ebe60f393f4c2fe0bbeb4976fc46"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993022",
"to_ids": true,
"type": "sha256",
"uuid": "a15c7419-24c7-4d64-a9b3-4df029bcd606",
"value": "1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd"
}
]
},
{
"comment": "SLOWPULSE V3 \r\nlibdsplibs.so ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993069",
"uuid": "cd13cfd7-f4dc-4864-9009-30baa29551a6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993069",
"to_ids": true,
"type": "md5",
"uuid": "06e0c098-fb13-4d75-a95c-a3d504d990c0",
"value": "8f5d87592f68d8350656f722f6f21e10"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993069",
"to_ids": true,
"type": "sha256",
"uuid": "28469570-b6fc-4997-8f81-6ae68aecae0a",
"value": "b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9"
}
]
},
{
"comment": "SLOWPULSE V2 Patcher \r\nunknown ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993162",
"uuid": "1d87313f-7519-4748-bfb1-fc8b60906cf6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993162",
"to_ids": true,
"type": "md5",
"uuid": "85b43f16-5dda-419c-8b4a-66e679e7b0fa",
"value": "32a9bc24c6670a3cf880a8c0c9e9dfaf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993162",
"to_ids": true,
"type": "sha256",
"uuid": "1ba2ad5b-ed88-44cd-9e0e-30a85d5b136a",
"value": "c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c"
}
]
},
{
"comment": "SLOWPULSE V3 Patcher \r\nunknown ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993200",
"uuid": "0b65ad47-db4b-4f58-a33c-e671746afa05",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993200",
"to_ids": true,
"type": "md5",
"uuid": "5deb6034-011d-4cd8-9159-212665dce222",
"value": "6272aa2f8f47e2a63f138d81e69fdba7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993200",
"to_ids": true,
"type": "sha256",
"uuid": "1fffbd0a-6d4a-41f0-89d0-c879b8f72662",
"value": "06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7"
}
]
},
{
"comment": "SLOWPULSE V4 Patcher \r\nunknown ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993245",
"uuid": "5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993245",
"to_ids": true,
"type": "md5",
"uuid": "e7d65381-674f-4d5e-94bd-838be28f25b1",
"value": "beff02edb0f6a7c2b341aa780e88a48c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993245",
"to_ids": true,
"type": "sha256",
"uuid": "24648106-ebea-4788-b3d3-db4885b7852e",
"value": "e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415"
}
]
},
{
"comment": "SLOWPULSE V4 UnPatcher \r\nunknown ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993284",
"uuid": "efd7b1ec-0fff-498a-ad64-d1d259ebbf82",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993284",
"to_ids": true,
"type": "md5",
"uuid": "64585030-e6dd-461e-990f-bfa1ccb20bda",
"value": "ece3e2a6b6e3531b50cc74c7f87cdc8d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993284",
"to_ids": true,
"type": "sha256",
"uuid": "71d8e0e3-76bc-4dcc-b146-ef73c24bfb94",
"value": "b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a"
}
]
},
{
"comment": "PULSECHECK \r\nsecid_canceltoken.cgi",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993322",
"uuid": "35ae369e-4ab2-447c-819c-c366f547ca9c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993322",
"to_ids": true,
"type": "md5",
"uuid": "d2da6559-edf7-44a9-b6ce-b11922fbfdac",
"value": "33c4947efe66ce8c175464b4e262fe16"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993322",
"to_ids": true,
"type": "sha256",
"uuid": "089726bf-6119-4870-8c16-70488206a96d",
"value": "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1"
}
]
},
{
"comment": "PULSECHECK \r\nCompcheckjs.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993368",
"uuid": "5f99e163-f31e-4994-8a56-4b249d894012",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993368",
"to_ids": true,
"type": "md5",
"uuid": "ed249d94-f701-49ed-ad91-6d0273dcff30",
"value": "9aa378cbec161ccd168be212c8856749"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993368",
"to_ids": true,
"type": "sha256",
"uuid": "f4130d08-349e-40b8-902c-7f95c852e1fb",
"value": "6f4dec58548f5193b5e511ecc3c63154ae3c93f9345661a774cb69a1ce16c577"
}
]
},
{
"comment": "RADIALPULSE \r\napac_login.cgiunknown \r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993417",
"uuid": "0690ab34-3ffe-4d37-b6a7-4ce477d4de60",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993417",
"to_ids": true,
"type": "md5",
"uuid": "f32d321a-0ac5-45b7-8b21-6c3a86c4a481",
"value": "1cd91b74f8d2d2fe952a97e9040073d8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993417",
"to_ids": true,
"type": "sha256",
"uuid": "a52a0a5f-c6f3-449b-bf33-d023135ab2ce",
"value": "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
}
]
},
{
"comment": "RADIALPULSE \r\nbasicauth_userpass.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993458",
"uuid": "30408119-108d-495f-89ca-cbe1dcf0b68b",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993458",
"to_ids": true,
"type": "md5",
"uuid": "0dfbe8a0-a1f3-47b7-8288-709a0a4032c8",
"value": "4a2a7cbc1c8855199a27a7a7b51d0117"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993458",
"to_ids": true,
"type": "sha256",
"uuid": "d2db7c8e-a087-489f-9c49-a6cad1a26eb6",
"value": "293cc71af317593e0e5d9f8c6fd7a732977c63174becc8dedadf8f8f4cc9c922"
}
]
},
{
"comment": "RADIALPULSE \r\ndswebserver.sh ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993506",
"uuid": "c0b88e1a-d76c-4226-bffa-45ca59bc2fa9",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993506",
"to_ids": true,
"type": "md5",
"uuid": "57bb0a19-2d7f-4a92-83cc-a4eadc687f76",
"value": "4d416e551821ccce8bc9c4457d10573b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993506",
"to_ids": true,
"type": "sha256",
"uuid": "a14d01f5-cde1-4bc0-96de-e8f8a2ecf00d",
"value": "b72fdae94e78fe51205966179573693c01eae98ece228af13041855cc4e255b1"
}
]
},
{
"comment": "RADIALPULSE \r\nunknown \r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993548",
"uuid": "dbab04b4-1df0-4055-be1a-2ad6d47b15de",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993548",
"to_ids": true,
"type": "md5",
"uuid": "72d9831b-3edf-4501-89ba-b3510e37b804",
"value": "558090216cf8199802f11da4f70db897"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993548",
"to_ids": true,
"type": "sha256",
"uuid": "12593459-5515-45a7-b06f-f839da015a8e",
"value": "dea123cd0a48f01ef9176946f11e4b2b23218018ebcea7ff08d552f88906c52d"
}
]
},
{
"comment": "RADIALPULSE \r\nlogin.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993586",
"uuid": "5279454c-137c-4df2-ab40-d4f67be95f40",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993586",
"to_ids": true,
"type": "md5",
"uuid": "b9f1655a-aeb0-445d-bd69-d7abe5dc88aa",
"value": "56e2a1566c7989612320f4ef1669e7d5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993586",
"to_ids": true,
"type": "sha256",
"uuid": "b660374a-9db5-41cd-9fdd-2418de99cc53",
"value": "e9df4e13131c95c75ca41a95e08599b3d480e5e7a7922ff0a3fa00bef3bd6561"
}
]
},
{
"comment": "RADIALPULSE \r\nlogin.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993639",
"uuid": "61f23a4d-8a5f-4a4c-b846-4f87797fbb1a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993639",
"to_ids": true,
"type": "md5",
"uuid": "02f508a1-8a0d-486c-9b9d-fdc7af003e80",
"value": "6c63b5c747e8e351426777b7de94da7c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993639",
"to_ids": true,
"type": "sha256",
"uuid": "ccd8ed79-2e55-4cab-8068-52ac047a3806",
"value": "61f9f6ae26bd3f4d6632bcc722022079aab1ef1d3ddeb71f0f7db2f14aed4ce4"
}
]
},
{
"comment": "RADIALPULSE \r\nrd.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993750",
"uuid": "44e27409-7862-42be-bf2b-4d18fa27243f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993750",
"to_ids": true,
"type": "md5",
"uuid": "e82b5fe1-cbd7-4c1e-93f0-af14abe50601",
"value": "957ca40755de8f1f68602476a62799f9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993750",
"to_ids": true,
"type": "sha256",
"uuid": "a46290eb-a4a9-4268-a40b-32cab5bac2f3",
"value": "b482dc4d07e0c11d047c25af3bd239b9c57eaa8648cebf639369ec143297b96a"
}
]
},
{
"comment": "RADIALPULSE \r\nuserpass.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993794",
"uuid": "3347af09-6558-4e07-ac68-c7abe87079b9",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993794",
"to_ids": true,
"type": "md5",
"uuid": "ea74b5d6-1ecc-4be1-9f32-907b83ca9c61",
"value": "d21705be48b4b38a66e731f6d4125708"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993794",
"to_ids": true,
"type": "sha256",
"uuid": "fba9669b-ac5e-40d6-bae5-f6fe7b880567",
"value": "d61d98a3a68a5a35d49c5c7a43d11d3e22bdb7d26bffb6f5aded83c07c90633a"
}
]
},
{
"comment": "PACEMAKER \r\nmemread \r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618993941",
"uuid": "ec665abd-0414-4647-b4cd-9fa22e979ab8",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618993941",
"to_ids": true,
"type": "md5",
"uuid": "19c6a8f2-03aa-4619-9e43-42e3a48a9114",
"value": "d7881c4de4d57828f7e1cab15687274b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618993941",
"to_ids": true,
"type": "sha256",
"uuid": "f2b8195b-4b59-4b71-99d3-565d4f4e5a30",
"value": "68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2"
}
]
},
{
"comment": "PACEMAKER Launcher Utility \r\nunknown\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994067",
"uuid": "3e50f8b8-0dbc-4bec-80de-30e325671f95",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994067",
"to_ids": true,
"type": "md5",
"uuid": "4a86fcff-01d0-4385-9704-6c2f6e62146b",
"value": "4cb9bb1cdc1931c738843f7dfe63f5c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994067",
"to_ids": true,
"type": "sha256",
"uuid": "1f59081e-0052-4ff6-be35-a347b4d91664",
"value": "4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec"
}
]
},
{
"comment": "THINBLOOD \r\ndsclslog ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994112",
"uuid": "2620c50d-6305-45cb-8aff-e37d50425358",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994112",
"to_ids": true,
"type": "md5",
"uuid": "19e96828-d0d0-4fa7-85de-92fdfbd7a5f8",
"value": "f38fe97c2a7419e62ce72439bdbb85b5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994112",
"to_ids": true,
"type": "sha256",
"uuid": "d055a2d4-e4db-4f71-8097-dffbe58d03d0",
"value": "88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079"
}
]
},
{
"comment": "THINBLOOD Variant \r\nclear_log.sh ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994171",
"uuid": "cfaa4938-1778-45cd-b95a-61be8ba0837e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994171",
"to_ids": true,
"type": "md5",
"uuid": "54995171-1d7b-4a2e-8f6c-9626727673bd",
"value": "ecbd062c45d5fd38bb7f58289a8f5c86"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994171",
"to_ids": true,
"type": "sha256",
"uuid": "7aef64d6-8313-45da-be36-15f8d5f10454",
"value": "1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9"
}
]
},
{
"comment": "SLIGHTPULSE \r\nmeeting_testjs.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994208",
"uuid": "0da707a9-b329-4d30-b907-01fe6c1de17c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994208",
"to_ids": true,
"type": "md5",
"uuid": "d4f286dc-da0a-4584-b635-02f376f71a93",
"value": "57df2d9468b66d7585f79b12d4249f22"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994208",
"to_ids": true,
"type": "sha256",
"uuid": "af6a9523-2844-499b-973a-1b961940fad2",
"value": "133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a"
}
]
},
{
"comment": "ATRIUM \r\ncompcheckresult.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994253",
"uuid": "df51083d-32e2-4812-89bb-f7036472920e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994253",
"to_ids": true,
"type": "md5",
"uuid": "be2767ee-a29f-47c0-bde2-7bf622f21ebf",
"value": "ca0175d86049fa7c796ea06b413857a3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994253",
"to_ids": true,
"type": "sha256",
"uuid": "d9ad16cf-ca3b-41af-ad4f-5eecdc8a9392",
"value": "f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90"
}
]
},
{
"comment": "ATRIUM \r\ndo-install ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994293",
"uuid": "5151611d-c11d-47cf-9a9c-5ef132b1a303",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994293",
"to_ids": true,
"type": "md5",
"uuid": "dc5c127c-80b3-4740-8070-d1eca7427041",
"value": "a631b7a8a11e6df3fccb21f4d34dbd8a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994293",
"to_ids": true,
"type": "sha256",
"uuid": "1b53120d-eb41-40b6-9dff-df162eb8f1ad",
"value": "2202234643bcd4807f21fbe4eb9ef3be9a6857ef92fd5979abb2b97b3c113966"
}
]
},
{
"comment": "Persistence Patcher (ATRIUM)\r\nDSUpgrade.pm ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994365",
"uuid": "298449a1-8e86-409c-96fb-0c225d9f98a9",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994365",
"to_ids": true,
"type": "md5",
"uuid": "48574406-a20c-4d23-9aad-975e8eaaaa15",
"value": "d2ef3894c6e46453b7d9416ff0d4d6cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994365",
"to_ids": true,
"type": "sha256",
"uuid": "f2fe78d6-8d62-424f-a779-e4c964b06343",
"value": "224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450"
}
]
},
{
"comment": "Persistence Patcher (ATRIUM)\r\nDSUpgrade.pm ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994431",
"uuid": "cf564f32-56e9-4fe0-87ac-5e5df91b0c9f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994431",
"to_ids": true,
"type": "md5",
"uuid": "155a1c4f-4ba4-446a-9772-6e6f7b64ff64",
"value": "d855ebd2adeaf2b3c87b28e77e9ce4d4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994431",
"to_ids": true,
"type": "sha256",
"uuid": "9754f09c-928a-4432-8c64-b488be0859b0",
"value": "a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85"
}
]
},
{
"comment": "Persistence Patcher (STEADYPULSE)\r\nDSUpgrade.pm",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994483",
"uuid": "bbcc14ea-c7fc-4b15-a020-b619641add7e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994483",
"to_ids": true,
"type": "md5",
"uuid": "a10b9032-e060-4c51-b80a-ecbf5ce34759",
"value": "5009b307214abc4ba5e24fa99133b934"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994483",
"to_ids": true,
"type": "sha256",
"uuid": "990e49fa-44bc-4aea-94b9-bdc09d2e8ea7",
"value": "64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7"
}
]
},
{
"comment": "Persistence Patcher (PULSECHECK)\r\nDSUpgrade.pm",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994521",
"uuid": "60b5f9a7-ffa3-4d56-a1a7-6642638be3e6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994521",
"to_ids": true,
"type": "md5",
"uuid": "b44e849e-c240-4df8-a573-64871321bd1e",
"value": "de9184422b477ca3b6aae536979e8626"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994521",
"to_ids": true,
"type": "sha256",
"uuid": "1e09c762-78f4-4950-a703-5059f2a137a5",
"value": "705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f"
}
]
},
{
"comment": "Persistence Patcher (UNKNOWN)\r\nDSUpgrade.pm",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994576",
"uuid": "04323a10-ee75-43ae-9150-001fe9a27ab7",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994576",
"to_ids": true,
"type": "md5",
"uuid": "cc71c34c-00c8-46ae-80d1-0032cf043d33",
"value": "22cc57df424cac79f5bf78109a443523"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994576",
"to_ids": true,
"type": "sha256",
"uuid": "32ce598f-64c0-49b1-86cb-f56107624fc4",
"value": "78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282"
}
]
},
{
"comment": "LOCKPICK \r\nlibcrypto.so ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994614",
"uuid": "bbdbb662-a8b1-4c13-85f2-898abde6d3f9",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994614",
"to_ids": true,
"type": "md5",
"uuid": "cd87c270-dbd0-43a8-8b25-290e878d5f65",
"value": "e8bfd3f5a2806104316902bbe1195ee8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994614",
"to_ids": true,
"type": "sha256",
"uuid": "2267dfe7-a5c3-4caa-a410-c31fe6e44942",
"value": "2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8"
}
]
},
{
"comment": "LOCKPICK Patcher\r\nunknown",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994653",
"uuid": "b4a44973-985c-4058-b968-9cd867f1bef6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994653",
"to_ids": true,
"type": "md5",
"uuid": "12b43149-1987-4c61-9b41-30ff71195627",
"value": "0ac5571f69a1cb17110d7c5af772a5eb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994653",
"to_ids": true,
"type": "sha256",
"uuid": "aa7423da-ec78-4313-bd35-90b120b4acd9",
"value": "b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4"
}
]
},
{
"comment": "HARDPULSE \r\ncompcheckjava.cgi",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994698",
"uuid": "ca389b0d-fbe4-42bc-96e3-56b5f4886c9b",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994698",
"to_ids": true,
"type": "md5",
"uuid": "a4b2d624-8566-4708-a1e3-cdf4ea7a548a",
"value": "980cba9e82faf194edb6f3cc20dc73ff"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994698",
"to_ids": true,
"type": "sha256",
"uuid": "b4e8ec9f-d74c-4a4e-80a0-ef921f5a178e",
"value": "1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc"
}
]
},
{
"comment": "PULSEJUMP \r\nunknown ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994748",
"uuid": "34384af6-0071-435b-84c1-bf8c3420cd08",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994748",
"to_ids": true,
"type": "md5",
"uuid": "45037dc7-2ff9-428a-aea3-9d2ed2a16da8",
"value": "91ee23ee24e100ba4a943bb4c15adb4c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994748",
"to_ids": true,
"type": "sha256",
"uuid": "1cf777a9-7112-480d-ba7e-b9010b8a2ad7",
"value": "7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a"
}
]
},
{
"comment": "QUIETPULSE \r\ndsserver ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994789",
"uuid": "1fc8066f-98aa-4e70-b4ee-0710931cdac7",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994789",
"to_ids": true,
"type": "md5",
"uuid": "d7ee7d83-4dc5-41fe-a4b5-69e8352e20bc",
"value": "00575bec8d74e221ff6248228c509a16"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994789",
"to_ids": true,
"type": "sha256",
"uuid": "e299b096-b36f-4ba1-bfa4-5821152997d3",
"value": "9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd"
}
]
},
{
"comment": "QUIETPULSE \r\ndshelper ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994864",
"uuid": "447d890e-3529-486e-b4f8-704b813d745f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994864",
"to_ids": true,
"type": "md5",
"uuid": "d6e6b881-b8e2-41f3-88c8-5ac7b8fac08e",
"value": "82e77d7ad4d39ed71981a3ddca4ff225"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994864",
"to_ids": true,
"type": "sha256",
"uuid": "cb469440-e27f-4041-82d3-f8cfd1459284",
"value": "c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4"
}
]
},
{
"comment": "STEADYPULSE \r\nlicenseserverproto.cgi ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1618994905",
"uuid": "7bd70c6d-d345-45f3-a8ac-00e4a2149cea",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1618994905",
"to_ids": true,
"type": "md5",
"uuid": "0d02a2a1-b7ad-472e-a5d5-bb7ec8d88e59",
"value": "fb21828f490561810c205241b367095e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1618994905",
"to_ids": true,
"type": "sha256",
"uuid": "24018992-9619-459d-832d-b8c72571bcd6",
"value": "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618994994",
"uuid": "8f5eaca0-34a1-4e85-b6b3-8082bce62175",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618994994",
"to_ids": true,
"type": "yara",
"uuid": "7c8863dc-7683-485a-bb49-f1e1d856bed3",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Webshell_PL_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"ca0175d86049fa7c796ea06b413857a3\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"system(\"\r\n $s3 = /if[\\x09\\x20]{0,32}\\(CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\)\\s{0,128}\\{[\\x09\\x20]{0,32}print [\\x22\\x27]Cache-Control: no-cache\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}print [\\x22\\x27]Content-type: text\\/html\\\\n\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}my \\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)[\\x09\\x20]{0,32};\\s{0,128}system\\([\\x22\\x27]\\$/\r\n condition:\r\n all of them\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995030",
"uuid": "4f5204e2-efbe-4200-8f2c-bc6ebbb952da",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995030",
"to_ids": true,
"type": "yara",
"uuid": "5e918e09-7634-46a9-b33d-0cbb72ac48f9",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Trojan_SH_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"a631b7a8a11e6df3fccb21f4d34dbd8a\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"Cache-Control: no-cache\"\r\n $s3 = \"system(\"\r\n $s4 = /sed -i [^\\r\\n]{1,128}CGI::param\\([^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Cache-Control: no-cache[^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Content-type: text\\/html[^\\r\\n]{1,128}my [^\\r\\n]{1,128}=[\\x09\\x20]{0,32}CGI::param\\([^\\r\\n]{1,128}system\\(/\r\n condition:\r\n all of them\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995063",
"uuid": "c73a7441-1444-42a9-974d-3f3e64168bcc",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995063",
"to_ids": true,
"type": "yara",
"uuid": "da941f60-25f1-452e-a5b3-3d0e39eee059",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_HARDPULSE \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"980cba9e82faf194edb6f3cc20dc73ff\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}unless[\\x09\\x20]{0,32}\\(open\\(\\$\\w{1,64},[\\x09\\x20]{0,32}\\$\\w{1,64}\\)\\)\\s{0,128}\\{\\s{1,128}goto[\\x09\\x20]{1,32}\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}return[\\x09\\x20]{1,32}0[\\x09\\x20]{0,32}\\x3b\\s{0,128}\\}/ \r\n $r2 = /open[\\x09\\x20]{0,32}\\(\\*\\w{1,64}[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>/ \r\n $r3 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}print[\\x09\\x20]{0,32}[\\x22\\x27]Content-type/ \r\n $s1 = \"CGI::request_method()\" \r\n $s2 = \"CGI::param(\" \r\n $s3 = \"syswrite(\" \r\n $s4 = \"print $_\" \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995096",
"uuid": "642cf927-5c24-4846-b8a7-5b895c87594f",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995096",
"to_ids": true,
"type": "yara",
"uuid": "c4174751-2ba7-4633-bfc4-f2e3c698002a",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_LOCKPICK_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"e8bfd3f5a2806104316902bbe1195ee8\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }\r\n $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }\r\n condition:\r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995129",
"uuid": "c7b0b3ec-3c74-4329-abc4-0d4414228f90",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995129",
"to_ids": true,
"type": "yara",
"uuid": "f3991509-ef0a-4f91-8480-99f512140ad5",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00/proc/%d/mem\\x00\" \r\n $s2 = \"\\x00/proc/%s/maps\\x00\" \r\n $s3 = \"\\x00/proc/%s/cmdline\\x00\" \r\n $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } \r\n $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995157",
"uuid": "76f29c1c-c880-4baa-be5a-cecf57c18d38",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995157",
"to_ids": true,
"type": "yara",
"uuid": "5cf39ce1-27b2-485f-9ad2-e49970b71053",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00Name:%s || Pwd:%s || AuthNum:%s\\x0a\\x00\" \r\n $s2 = \"\\x00/proc/%d/mem\\x00\" \r\n $s3 = \"\\x00/proc/%s/maps\\x00\" \r\n $s4 = \"\\x00/proc/%s/cmdline\\x00\" \r\n condition: \r\n (uint32(0) == 0x464c457f) and all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995186",
"uuid": "12ee2578-f80b-4db9-b7c5-75c5f05215f2",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995186",
"to_ids": true,
"type": "yara",
"uuid": "19c91b92-4fd1-46ad-801a-f3823c11f5ad",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_PULSECHECK_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /while[\\x09\\x20]{0,32}\\(<\\w{1,64}>\\)[\\x09\\x20]{0,32}\\{\\s{1,256}\\$\\w{1,64}[\\x09\\x20]{0,32}\\.=[\\x09\\x20]{0,32}\\$_;\\s{0,256}\\}/ \r\n $s1 = \"use Crypt::RC4;\" \r\n $s2 = \"use MIME::Base64\" \r\n $s3 = \"MIME::Base64::decode(\" \r\n $s4 = \"popen(\" \r\n $s5 = \" .= $_;\" \r\n $s6 = \"print MIME::Base64::encode(RC4(\" \r\n $s7 = \"HTTP_X_\" \r\n condition: \r\n $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995229",
"uuid": "ef28ce31-93a2-48a8-8ed8-b56b8caf60a7",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995229",
"to_ids": true,
"type": "yara",
"uuid": "f2392100-d4c8-4554-b7d9-20da95826507",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_PULSEJUMP_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"91ee23ee24e100ba4a943bb4c15adb4c\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"open(\"\r\n $s2 = \">>/tmp/\"\r\n $s3 = \"syswrite(\"\r\n $s4 = /\\}[\\x09\\x20]{0,32}elsif[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27](Radius|Samba|AD)[\\x22\\x27][\\x09\\x20]{0,32}\\)\\s{0,128}\\{\\s{0,128}@\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}&/\r\n condition:\r\n all of them\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995259",
"uuid": "d11dc00d-249a-4b44-a70d-8d1912c6b012",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995259",
"to_ids": true,
"type": "yara",
"uuid": "be80b924-9f86-4c8c-a5e5-28d7aef3a0b9",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_QUIETPULSE \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"00575bec8d74e221ff6248228c509a16\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = /open[\\x09\\x20]{0,32}\\(\\*STDOUT[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s2 = /open[\\x09\\x20]{0,32}\\(\\*STDERR[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s3 = /socket[\\x09\\x20]{0,32}\\(SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}PF_UNIX[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOCK_STREAM[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{0,128}unlink/ \r\n $s4 = /bind[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}sockaddr_un\\(/ \r\n $s5 = /listen[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOMAXCONN[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};/ \r\n $s6 = /my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}fork\\([\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{1,128}if[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{0,32}==[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32}\\{\\s{1,128}exec\\(/ \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995292",
"uuid": "b78852fc-95f7-4ec5-a7ed-e001320e19b4",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995292",
"to_ids": true,
"type": "yara",
"uuid": "0796b36d-d4d7-4379-b475-1ce462e5766a",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_1 \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $s1 = \"->getRealmInfo()->{name}\" \r\n $s2 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>/ \r\n $s3 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]realm=\\$/ \r\n $s4 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]username=\\$/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]password=\\$/ \r\n condition: \r\n (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995320",
"uuid": "9df4fc8c-7277-4488-9f3b-ff2a0f51aa66",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995320",
"to_ids": true,
"type": "yara",
"uuid": "05fe3a12-d1eb-48de-af91-f21fab1a3200",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_2 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/[\\w.]{1,128}[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$\\w{1,128} ?[\\x22\\x27],[\\x09\\x20]{0,32}5000\\)/ \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995355",
"uuid": "b79a5423-1769-4be7-a580-909c99a08598",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995355",
"to_ids": true,
"type": "yara",
"uuid": "25930cf6-c47d-48c4-a3f1-5e3f66258200",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_3 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/dsstartssh\\.statementcounters[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$username ?[\\x22\\x27],[\\x09\\x20]{0,32}\\d{4}\\)/ \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995387",
"uuid": "17e7dce5-405d-4cf1-8d2f-9f3de6653c75",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995387",
"to_ids": true,
"type": "yara",
"uuid": "2e8d68ef-a463-4af8-9b32-3f5fa6f6d52b",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Backdoor_Linux32_SLOWPULSE_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\"\r\n sha256 = \"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} \r\n $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} \r\n $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} \r\n $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} \r\n $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995417",
"uuid": "95be007c-e7a2-45a6-a1ff-d0f334e662da",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995417",
"to_ids": true,
"type": "yara",
"uuid": "1040bf8f-d212-4d84-b89c-d8db89190042",
"value": "rule FE_APT_Backdoor_Linux32_SLOWPULSE_2\r\n{ \r\n meta: \r\n author = \"Strozfriedberg\" \r\n date_created = \"2021-04-16\"\r\n sha256 = \"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $sig = /[\\x20-\\x7F]{16}([\\x20-\\x7F\\x00]+)\\x00.{1,32}\\xE9.{3}\\xFF\\x00+[\\x20-\\x7F][\\x20-\\x7F\\x00]{16}/ \r\n\r\n // TOI_MAGIC_STRING \r\n $exc1 = /\\xED\\xC3\\x02\\xE9\\x98\\x56\\xE5\\x0C/ \r\n condition:\r\n uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995447",
"uuid": "40e78b71-1425-4450-aa39-08ecaa30f0df",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995447",
"to_ids": true,
"type": "yara",
"uuid": "ea766dc1-2087-4a38-9046-1d5788dd7259",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_STEADYPULSE_1\r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $s1 = \"parse_parameters\" \r\n $s2 = \"s/\\\\+/ /g\" \r\n $s3 = \"s/%(..)/pack(\" \r\n $s4 = \"MIME::Base64::encode($\" \r\n $s5 = \"$|=1;\" \r\n $s6 = \"RC4(\" \r\n $s7 = \"$FORM{'cmd'}\" \r\n condition: \r\n all of them \r\n}"
}
]
}
2023-05-19 09:05:37 +00:00
],
"EventReport": [
{
"name": "Report from - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html (1618992558)",
"content": "# Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day\r\n\r\n April 20, 2021 | by Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels vulnerabilities \r\n Malware \r\n TTPs \r\n persistence \r\n bypass \r\n \r\n #### Executive Summary\r\n\r\n \r\n * Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n * This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n * The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n * Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n * Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n * There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process.\r\n \r\n #### Introduction\r\n\r\n Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.\r\n\r\n The focus of this report is on the activities of UNC2630 against U.S. Defense Industrial base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.\r\n\r\n Mandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.\r\n\r\n As part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the Pulse Connect Secure Integrity Tool to assist with determining if systems have been impacted.\r\n\r\n #### Details\r\n\r\n Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.\r\n\r\n In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.\r\n\r\n We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the followin
"id": "58",
"event_id": "85015",
"timestamp": "1618992603",
"uuid": "82e160db-f47a-433c-865a-fb667f3cff29",
"deleted": false
}
2023-04-21 13:25:09 +00:00
]
}
}