misp-circl-feed/feeds/circl/stix-2.1/5926c399-62fc-4fa6-9d16-432802de0b81.json


{
"type": "bundle",
"id": "bundle--5926c399-62fc-4fa6-9d16-432802de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:47:11.000Z",
"modified": "2017-05-25T11:47:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5926c399-62fc-4fa6-9d16-432802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:47:11.000Z",
"modified": "2017-05-25T11:47:11.000Z",
"name": "OSINT - Tainted Leaks: Disinformation and Phishing With a Russian Nexus",
"published": "2017-05-25T11:47:26Z",
"object_refs": [
"x-misp-attribute--5926c3ad-dbdc-49ee-9045-4fc402de0b81",
"observed-data--5926c3bb-8cc8-4335-8b40-4bda02de0b81",
"url--5926c3bb-8cc8-4335-8b40-4bda02de0b81",
"indicator--5926c3fc-2cd0-4801-89b2-dd9502de0b81",
"indicator--5926c3fd-8468-4986-abae-dd9502de0b81",
"indicator--5926c3fd-ad64-4624-a45e-dd9502de0b81",
"indicator--5926c3fe-25cc-4129-bdbb-dd9502de0b81",
"indicator--5926c3fe-e788-4528-b1da-dd9502de0b81",
"indicator--5926c3ff-a718-47e3-9031-dd9502de0b81",
"indicator--5926c3ff-3590-45a0-be99-dd9502de0b81",
"indicator--5926c400-7b78-4846-b0e0-dd9502de0b81",
"indicator--5926c401-dd88-4d8e-9ed3-dd9502de0b81",
"indicator--5926c424-6844-4771-8278-4f0e02de0b81",
"indicator--5926c424-1f74-4e74-8d88-4e1802de0b81",
"indicator--5926c425-ab60-4b01-93bc-4af802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5926c3ad-dbdc-49ee-9045-4fc402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:45:11.000Z",
"modified": "2017-05-25T11:45:11.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Documents stolen from a prominent journalist and critic of the Russian government were manipulated and then released as a \u201cleak\u201d to discredit domestic and foreign critics of the government. We call this technique \u201ctainted leaks.\u201d\r\nThe operation against the journalist led us to the discovery of a larger phishing operation, with over 200 unique targets spanning 39 countries (including members of 28 governments). The list includes a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies, and members of civil society.\r\nAfter government targets, the second largest set (21%) are members of civil society including academics, activists, journalists, and representatives of non-governmental organizations.\r\nWe have no conclusive evidence that links these operations to a particular Russian government agency; however, there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5926c3bb-8cc8-4335-8b40-4bda02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:45:11.000Z",
"modified": "2017-05-25T11:45:11.000Z",
"first_observed": "2017-05-25T11:45:11Z",
"last_observed": "2017-05-25T11:45:11Z",
"number_observed": 1,
"object_refs": [
"url--5926c3bb-8cc8-4335-8b40-4bda02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5926c3bb-8cc8-4335-8b40-4bda02de0b81",
"value": "https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3fc-2cd0-4801-89b2-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:04.000Z",
"modified": "2017-05-25T11:46:04.000Z",
"pattern": "[domain-name:value = 'id833.ga']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3fd-8468-4986-abae-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:05.000Z",
"modified": "2017-05-25T11:46:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.40.181.119']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3fd-ad64-4624-a45e-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:05.000Z",
"modified": "2017-05-25T11:46:05.000Z",
"pattern": "[domain-name:value = 'id834.ga']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3fe-25cc-4129-bdbb-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:06.000Z",
"modified": "2017-05-25T11:46:06.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.32.40.238']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3fe-e788-4528-b1da-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:06.000Z",
"modified": "2017-05-25T11:46:06.000Z",
"pattern": "[domain-name:value = 'id9954.gq']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3ff-a718-47e3-9031-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:07.000Z",
"modified": "2017-05-25T11:46:07.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.255.12.237']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c3ff-3590-45a0-be99-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:07.000Z",
"modified": "2017-05-25T11:46:07.000Z",
"pattern": "[domain-name:value = 'id4242.ga']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c400-7b78-4846-b0e0-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:08.000Z",
"modified": "2017-05-25T11:46:08.000Z",
"pattern": "[domain-name:value = 'mail-google-login.blogspot.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c401-dd88-4d8e-9ed3-dd9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:09.000Z",
"modified": "2017-05-25T11:46:09.000Z",
"pattern": "[domain-name:value = 'com-securitysettingpage.tk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c424-6844-4771-8278-4f0e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:44.000Z",
"modified": "2017-05-25T11:46:44.000Z",
"pattern": "[email-message:from_ref.value = 'g.mail2017@yandex.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c424-1f74-4e74-8d88-4e1802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:44.000Z",
"modified": "2017-05-25T11:46:44.000Z",
"pattern": "[email-message:from_ref.value = 'annaablony@mail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5926c425-ab60-4b01-93bc-4af802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-25T11:46:45.000Z",
"modified": "2017-05-25T11:46:45.000Z",
"pattern": "[email-message:from_ref.value = 'myprimaryreger@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-25T11:46:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}