{"Event":{"info":"OSINT - Connecting the dots: Exposing the arsenal and methods of the Winnti Group","Tag":[{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-enterprise-attack-malware=\"Winnti\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\""},{"colour":"#10c300","exportable":true,"name":"misp-galaxy:threat-actor=\"Axiom\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1038\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Hooking - T1179\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Code Signing - T1116\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1158\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Custom Cryptographic Protocol - T1024\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Multi-Stage Channels - T1104\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1492\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""},{"colour":"#004646","exportable":true,"name":"type:OSINT"},{"colour":"#0071c3","exportable":true,"name":"osint:lifetime=\"perpetual\""},{"colour":"#0087e8","exportable":true,"name":"osint:certainty=\"50\""},{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:malpedia=\"ShadowPad\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:tool=\"ShadowPad\""},{"colour":"#3b0020","exportable":true,"name":"workflow:todo=\"expansion\""}],"publish_timestamp":"0","timestamp":"1572951336","Object":[{"comment":"","template_uuid":"8ec8c911-ddbe-4f5b-895b-fbff70c42a60","uuid":"5da81b53-15a4-4423-8709-4387950d210f","sharing_group_id":"0","timestamp":"1571298131","description":"Microblog post like a Twitter tweet or a post on a Facebook wall.","template_version":"8","Attribute":[{"comment":"","category":"Other","uuid":"5da81b53-e9c0-46d1-a9de-490f950d210f","timestamp":"1571298131","to_ids":false,"value":".@welivesecurity\r\nand@eset\r\nused@censysio\r\ntomeasurecontinuedwinntiattacks.Checkouttheirwhitepapertolearnaboutindicatorso
