{ "Event": { "analysis": "0", "date": "2022-09-12", "extends_uuid": "", "info": "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free", "publish_timestamp": "1666603355", "published": true, "threat_level_id": "4", "timestamp": "1666603345", "uuid": "761270e6-3a97-4c18-9a44-a844cb5b562b", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#064d00", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"", "relationship_type": "" }, { "colour": "#064d00", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Chisel (ELF)\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Chisel (Windows)\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Lorenz\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Lorenz Ransomware\"", "relationship_type": "" }, { "colour": "#000000", "local": false, "name": "dnc:malware-type=\"Ransomware\"", "relationship_type": "" }, { "colour": "#39b300", "local": false, "name": "enisa:nefarious-activity-abuse=\"ransomware\"", "relationship_type": "" }, { "colour": "#006c6c", "local": false, "name": "ecsirt:malicious-code=\"ransomware\"", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#00acd1", "local": false, "name": "veris:action:malware:variety=\"Ransomware\"", "relationship_type": "" }, { "colour": "#000000", "local": false, "name": "Ransomware", "relationship_type": "" }, { "colour": "#420053", "local": false, "name": "ms-caro-malware:malware-type=\"Ransom\"", "relationship_type": "" }, { "colour": "#001739", "local": false, "name": "ms-caro-malware-full:malware-type=\"Ransom\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1663230900", "to_ids": false, "type": "vulnerability", "uuid": "efce45a5-d17b-4da7-8e4a-02cc68b78064", "value": "CVE-2022-29499" }, { "category": "Network activity", "comment": "Data exfiltration via FileZilla", "deleted": false, "disable_correlation": false, "timestamp": "1663241378", "to_ids": true, "type": "ip-dst", "uuid": "00352f55-b2a8-4eb0-b764-9ce328ce4e81", "value": "138.197.218.11", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration via FileZilla", "deleted": false, "disable_correlation": false, "timestamp": "1663241419", "to_ids": true, "type": "ip-dst", "uuid": "6fba8d44-4605-4a77-aec4-ead4519463bf", "value": "138.68.19.94", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Used to download Chisel", "deleted": false, "disable_correlation": false, "timestamp": "1663230900", "to_ids": true, "type": "ip-dst", "uuid": "9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6", "value": "138.68.59.16" }, { "category": "Network activity", "comment": "Data exfiltration via FileZilla", "deleted": false, "disable_correlation": false, "timestamp": "1663241443", "to_ids": true, "type": "ip-dst", "uuid": "a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164", "value": "159.65.248.159", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress", "deleted": false, "disable_correlation": false, "timestamp": "1663241629", "to_ids": true, "type": "ip-dst", "uuid": "892a5cd0-0395-4491-b996-8d45fb4ac7cf", "value": "206.188.197.125", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"netherlands\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration via FileZilla", "deleted": false, "disable_correlation": false, "timestamp": "1663241419", "to_ids": true, "type": "ip-dst", "uuid": "6549b64d-0f09-4813-b9eb-31ccdb09f9de", "value": "64.190.113.100", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1663227795", "uuid": "62263df7-4b98-46f0-8925-c02d90716c82", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1663227795", "to_ids": false, "type": "link", "uuid": "086cf17a-272e-405e-b4bb-24abe206d118", "value": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1663227795", "to_ids": false, "type": "text", "uuid": "8184f511-f31a-4fa5-9a74-d3df2998a0d5", "value": "Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1663227795", "to_ids": false, "type": "text", "uuid": "260b4c23-6508-4b5d-bf02-b06183013575", "value": "Blog" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1663231414", "uuid": "eb00b3cf-fe12-4a16-b44b-21c2c89c72f6", "Attribute": [ { "category": "Payload delivery", "comment": "Chisel", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1663231414", "to_ids": true, "type": "sha256", "uuid": "707c73ef-8bab-4d55-9287-830e67c92bee", "value": "97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1663231414", "to_ids": true, "type": "filename", "uuid": "24c92a5d-8d6e-452a-94fe-14a0f4ab53cf", "value": "mem" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1663231502", "uuid": "47511f00-1ba7-4843-a276-a7174b6448b2", "Attribute": [ { "category": "Network activity", "comment": "Used to exploit the Mitel device (CVE-2022-29499)", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1663231502", "to_ids": true, "type": "ip-dst", "uuid": "cf262512-e7a6-4c58-ab98-501b6bbdbaed", "value": "137.184.181.252" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1663231502", "to_ids": false, "type": "port", "uuid": "65078267-d28d-4ca9-b743-ff34b1d5f3dd", "value": "8443" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1663234275", "uuid": "0ad373ea-22f7-4fd3-967a-52541d545ea1", "Attribute": [ { "category": "Payload delivery", "comment": "Webshell", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1663234275", "to_ids": true, "type": "sha256", "uuid": "4d9b1740-117c-484c-a65c-2d96de2dd6f4", "value": "07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1663234275", "to_ids": true, "type": "filename", "uuid": "d0ebe166-0da3-4700-8eb7-13d41b8d2d92", "value": "pdf_import_export.php" } ] }, { "comment": "", "deleted": false, "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "meta-category": "network", "name": "asn", "template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", "template_version": "3", "timestamp": "1663242137", "uuid": "b310d8a7-6e3d-4080-91b6-91d13b06d33a", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "asn", "timestamp": "1663242137", "to_ids": false, "type": "AS", "uuid": "9fc054f0-cffa-4a00-94d5-5ee5723ec47e", "value": "14061" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1663242137", "to_ids": false, "type": "text", "uuid": "bed2aa5b-01fc-4f7a-93e9-4de853023f38", "value": "DIGITALOCEAN-ASN" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "country", "timestamp": "1663242137", "to_ids": false, "type": "text", "uuid": "4e594b04-59ac-408f-bc05-4b8cddf92947", "value": "US" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "subnet-announced", "timestamp": "1663242137", "to_ids": true, "type": "ip-src", "uuid": "aaead232-226d-4496-a022-b11398e33206", "value": "138.197.218.11" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "subnet-announced", "timestamp": "1663242137", "to_ids": true, "type": "ip-src", "uuid": "d2a1ca46-fbfe-43fb-ae75-4b4871f5bbdc", "value": "138.68.19.94" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "subnet-announced", "timestamp": "1663242137", "to_ids": true, "type": "ip-src", "uuid": "f2cbea0b-3a1a-422e-8666-ecbf932fe3dd", "value": "159.65.248.159" } ] }, { "comment": "", "deleted": false, "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "meta-category": "network", "name": "asn", "template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", "template_version": "3", "timestamp": "1663242199", "uuid": "e7caa4ad-275f-4622-803d-5a5bc059bef5", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "asn", "timestamp": "1663242199", "to_ids": false, "type": "AS", "uuid": "67858e0e-3a3d-4f3d-8dd7-fefa847deedd", "value": "399629" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1663242199", "to_ids": false, "type": "text", "uuid": "59d27e3b-b2b3-4b6b-ada2-3b2e55e05074", "value": "BL Networks" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "country", "timestamp": "1663242199", "to_ids": false, "type": "text", "uuid": "2e9f97bf-35cc-4c10-afac-278120060fa8", "value": "NL" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "subnet-announced", "timestamp": "1663242199", "to_ids": true, "type": "ip-src", "uuid": "0ea13694-5cc0-42b2-9cf9-f45676493691", "value": "206.188.197.125" } ] }, { "comment": "", "deleted": false, "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "meta-category": "network", "name": "asn", "template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", "template_version": "3", "timestamp": "1663242230", "uuid": "93d05fa9-55f4-4607-b7c6-16e2ec591700", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "asn", "timestamp": "1663242230", "to_ids": false, "type": "AS", "uuid": "ba396f22-2d05-4d3d-afe6-eebd3f31dd7e", "value": "399629" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1663242230", "to_ids": false, "type": "text", "uuid": "ff9921c9-1959-49c2-8839-e28e2f8e24e0", "value": "BL Networks" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "country", "timestamp": "1663242230", "to_ids": false, "type": "text", "uuid": "2bb9b0a4-2ca0-49bb-841d-5b53d92d781f", "value": "US" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "subnet-announced", "timestamp": "1663242231", "to_ids": true, "type": "ip-src", "uuid": "78d613c1-7197-468e-8f28-72d9acfdaf1a", "value": "64.190.113.100" } ] }, { "comment": "", "deleted": false, "description": "An object describing one or more Suricata rule(s) along with version and contextual information.", "meta-category": "network", "name": "suricata", "template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", "template_version": "2", "timestamp": "1663242412", "uuid": "7efd1d01-3ad0-450c-95e5-c02a1dd99b88", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "suricata", "timestamp": "1663242412", "to_ids": true, "type": "snort", "uuid": "e2c67c4c-4cdf-4157-a13d-f48e7c58568b", "value": "alert tls any any -> $HOME_NET any (msg:\"[Arctic Wolf Labs] Possible Ncat shell via SSL/TLS\"; flow:established,to_client; content:\"|41 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 4e 63 61 74|\";tls_cert_issuer; content:\"CN=localhost\";depth:12;sid:10000;rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "suricata", "timestamp": "1663242412", "to_ids": true, "type": "snort", "uuid": "3d6283e0-6b14-46c3-93c2-460861d4c90d", "value": "alert http any any -> any any (msg:\"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php\"; http_uri;content:\"/vhelp/pdf/\"; http_uri; content:\"curl\"; http_user_agent;pcre:\"/(?:[A-Za-z\\d+\\/]{4})*(?:[A-Za-z\\d+\\/]{3}=|[A-Za-z\\d+\\/]{2}==)?$/\"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ref", "timestamp": "1663242412", "to_ids": false, "type": "link", "uuid": "c20ca78f-fabd-40f8-9ef6-154ee53f0bd0", "value": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in" } ] }, { "comment": "", "deleted": false, "description": "An object describing one or more Suricata rule(s) along with version and contextual information.", "meta-category": "network", "name": "suricata", "template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", "template_version": "2", "timestamp": "1663243934", "uuid": "3dd56064-19ea-46f0-b3ce-3ac65d5ae66b", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "suricata", "timestamp": "1663243934", "to_ids": true, "type": "snort", "uuid": "dcd14519-1c31-46c1-8d47-3e12939d6dc3", "value": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\"; flow:established,to_server; content:\"GET\"; http_method; content:\"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/\"; http_uri; http_header_names; content:!\"Referer\"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ref", "timestamp": "1663243934", "to_ids": false, "type": "link", "uuid": "745896e2-7759-4d04-b42b-425f9d91ec6c", "value": "https://threatintel.proofpoint.com/sid/2037121#references1" } ] }, { "comment": "", "deleted": false, "description": "An object describing one or more Suricata rule(s) along with version and contextual information.", "meta-category": "network", "name": "suricata", "template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", "template_version": "2", "timestamp": "1663243974", "uuid": "046432a6-3ff8-47de-b73c-2239f71798c5", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "suricata", "timestamp": "1663243974", "to_ids": true, "type": "snort", "uuid": "79c6eb51-9f8d-466d-b810-4d83121ab150", "value": "#alert tcp any any -> any !$SSH_PORTS (msg:\"ET POLICY SSH Client Banner Detected on Unusual Port\"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:\"SSH-\"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ref", "timestamp": "1663243975", "to_ids": false, "type": "link", "uuid": "3cc6c417-23b0-4207-a16c-aae84241f501", "value": "https://threatintel.proofpoint.com/sid/2001980" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1663244802", "uuid": "66c1a496-fc3d-4160-86e2-11a8b120da5e", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663244802", "to_ids": false, "type": "link", "uuid": "54a4c0aa-bd23-4c3a-899a-8335a683a4c8", "value": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1663244802", "to_ids": true, "type": "yara", "uuid": "9f709927-e9e6-4328-a3a6-1cafb6f21d94", "value": "rule webshell_php_3b64command: Webshells PHP B64 {\r\n meta:\r\n Description= \"Detects Possible PHP Webshell expecting triple base64 command\"\r\n Category = \"Malware\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Hash = \"07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $decode = \"base64_decode(base64_decode(base64_decode(\" ascii\r\n $encode = \"base64_encode(base64_encode(base64_encode(\" ascii\r\n $s1 = \"popen(\" ascii\r\n $s2 = \"pclose\" ascii\r\n $s3 = \"fread(\" ascii\r\n $s4 = \"$_POST\" ascii\r\n condition:\r\n $decode and $encode\r\n and 3 of ($s*)\r\n and filesize < 2KB\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1663244802", "to_ids": false, "type": "text", "uuid": "cf174050-e6f9-48fa-8610-2a39ac235a94", "value": "webshell_php_3b64command: Webshells PHP B64" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1663244827", "uuid": "54e0dd10-1259-40f6-abbe-030482b53812", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663244827", "to_ids": false, "type": "link", "uuid": "9755b10d-6d25-4d21-a459-f6f1ac23c281", "value": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1663244827", "to_ids": true, "type": "yara", "uuid": "66724ad2-81e5-4912-b0ad-0763dfcb123f", "value": "rule hktl_chisel_artifacts: Chisel Hacktool Artifacts {\r\n meta:\r\n Description = \"looks for hacktool chisel artifacts potentially left in memory or unallocated space\"\r\n Category = \"Tool\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $chisel = \"chisel_1.\" ascii\r\n $s1 = \"client\" ascii\r\n $s2 = \"--tls-skip-verify\" ascii\r\n $s3 = \"--fingerprint\" ascii\r\n $s4 = \"R:socks\" ascii\r\n condition:\r\n $chisel or 3 of ($s*)\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1663244827", "to_ids": false, "type": "text", "uuid": "ef19bc84-ecaa-4aee-94b6-55744c61a49a", "value": "hktl_chisel_artifacts: Chisel Hacktool Artifacts" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663244892", "uuid": "47a5ff44-cb7d-46c6-a522-8db93e1f379a", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663244892", "to_ids": false, "type": "link", "uuid": "ba95c882-13a3-4152-93d3-78980d936608", "value": "https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663244892", "to_ids": true, "type": "sigma", "uuid": "a7287c83-f7ea-4616-adf0-5c2c46ca3144", "value": "title: Process Dump via Comsvcs DLL\r\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\r\nstatus: test\r\ndescription: Detects process memory dump via comsvcs.dll and rundll32\r\nauthor: Modexp (idea)\r\nreferences:\r\n - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\r\n - https://twitter.com/SBousseaden/status/1167417096374050817\r\ndate: 2019/09/02\r\nmodified: 2021/11/27\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n rundll_image:\r\n Image|endswith: '\\rundll32.exe'\r\n rundll_ofn:\r\n OriginalFileName: 'RUNDLL32.EXE'\r\n selection:\r\n CommandLine|contains|all:\r\n - 'comsvcs'\r\n - 'MiniDump' #Matches MiniDump and MinidumpW\r\n - 'full'\r\n condition: (rundll_image or rundll_ofn) and selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - unknown\r\nlevel: medium\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1218.011\r\n - attack.credential_access\r\n - attack.t1003.001\r\n - attack.t1003 # an old one" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663244892", "to_ids": false, "type": "text", "uuid": "c8e5f130-66dd-41c5-89d9-6acdeb07ab80", "value": "Process Dump via Comsvcs DLL" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663244997", "uuid": "996361d8-5e7e-4e6f-8004-d40c38408096", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663244997", "to_ids": false, "type": "link", "uuid": "31a24608-6691-457b-9f86-0256c2cb1f42", "value": "https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663244997", "to_ids": true, "type": "sigma", "uuid": "c59fd0a8-5b13-4a94-b026-8a71a86e6497", "value": "title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nid: 74403157-20f5-415d-89a7-c505779585cf\r\nstatus: test\r\ndescription: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines\r\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\r\ndate: 2020/10/11\r\nmodified: 2022/07/14\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n CommandLine|contains: 'ConvertTo-SecureString'\r\n condition: selection\r\nfalsepositives:\r\n - Unlikely\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1027\r\n - attack.execution\r\n - attack.t1059.001" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663244997", "to_ids": false, "type": "text", "uuid": "a97f98d5-dec3-4780-bd9e-c3ac9886133a", "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663245194", "uuid": "1a6c2f52-af2e-4cbb-a487-0b249f970dc9", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663245194", "to_ids": false, "type": "link", "uuid": "d44e0513-93eb-400f-82df-33da4b06927e", "value": "https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663245194", "to_ids": true, "type": "sigma", "uuid": "2f547dd0-7ed0-462b-9a32-5e1bbb68bb7b", "value": "title: CrackMapExec Process Patterns\r\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\r\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\r\nstatus: experimental\r\nauthor: Florian Roth\r\nreferences:\r\n - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\r\ndate: 2022/03/12\r\nmodified: 2022/05/27\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection_lsass_dump1:\r\n CommandLine|contains|all:\r\n - 'cmd.exe /c '\r\n - 'tasklist /fi '\r\n - 'Imagename eq lsass.exe'\r\n User|contains: # covers many language settings\r\n - 'AUTHORI'\r\n - 'AUTORI'\r\n selection_lsass_dump2:\r\n CommandLine|contains|all:\r\n - 'do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump'\r\n - '\\Windows\\Temp\\'\r\n - ' full'\r\n - '%%B'\r\n selection_procdump:\r\n CommandLine|contains|all:\r\n - 'tasklist /v /fo csv'\r\n - 'findstr /i \"lsass\"'\r\n condition: 1 of selection*\r\nfalsepositives:\r\n - Unknown\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663245194", "to_ids": false, "type": "text", "uuid": "5ee19a29-639e-4f9b-bab3-c64c901447a9", "value": "CrackMapExec Process Patterns" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663246536", "uuid": "33bb1b75-b184-406b-b981-12bc9e86352c", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663246536", "to_ids": false, "type": "link", "uuid": "00ecfc3b-94d9-41d2-800c-1bc50e05290e", "value": "https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663246536", "to_ids": true, "type": "sigma", "uuid": "a6bc8003-825c-4065-a9ea-baeddc728697", "value": "title: PowerShell as a Service in Registry\r\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\r\ndescription: Detects that a powershell code is written to the registry as a service.\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2021/05/21\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.execution\r\n - attack.t1569.002\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|contains: '\\Services\\'\r\n TargetObject|endswith: '\\ImagePath'\r\n Details|contains:\r\n - 'powershell'\r\n - 'pwsh'\r\n condition: selection\r\nfalsepositives: \r\n - Unknown\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663246536", "to_ids": false, "type": "text", "uuid": "a570bae1-a24e-4f04-a1c3-aa294d3471ab", "value": "PowerShell as a Service in Registry" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663246594", "uuid": "69b405d5-2c50-46c2-9866-83e6c1dc8799", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663246594", "to_ids": false, "type": "link", "uuid": "e1d515c5-2840-4cee-96d4-b075d220d8b8", "value": "https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663246594", "to_ids": true, "type": "sigma", "uuid": "4b53d570-8ff4-4413-a779-9531efa88b2b", "value": "title: Remote Task Creation via ATSVC Named Pipe\r\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\r\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\r\nauthor: Samir Bousseaden\r\ndate: 2019/04/03\r\nreferences:\r\n - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\r\ntags:\r\n - attack.lateral_movement\r\n - attack.persistence\r\n - attack.t1053\r\n - car.2013-05-004\r\n - car.2015-04-001\r\nlogsource:\r\n product: windows\r\n service: security\r\n description: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\r\ndetection:\r\n selection:\r\n EventID: 5145\r\n ShareName: \\\\*\\IPC$\r\n RelativeTargetName: atsvc\r\n Accesses: '*WriteData*'\r\n condition: selection\r\nfalsepositives:\r\n - pentesting\r\nlevel: medium" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663246594", "to_ids": false, "type": "text", "uuid": "8f093294-6ebc-4806-9a2c-006dd723c874", "value": "Remote Task Creation via ATSVC Named Pipe" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1663246741", "uuid": "1cefa739-fd00-462e-a8ed-bd4964a10476", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1663246741", "to_ids": false, "type": "link", "uuid": "ee252939-235b-46f0-a2ef-7ed34bc6c030", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1663246741", "to_ids": true, "type": "sigma", "uuid": "d14f0fef-e003-480f-8001-8303f34b498e", "value": "title: Accessing WinAPI in PowerShell for Credentials Dumping\r\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\r\ndescription: Detects Accessing to lsass.exe by Powershell\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2022/07/14\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID:\r\n - 8\r\n - 10\r\n SourceImage|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n TargetImage|endswith: '\\lsass.exe'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1663246741", "to_ids": false, "type": "text", "uuid": "131b2111-451c-41f5-b0b9-9f534b3927c1", "value": "Accessing WinAPI in PowerShell for Credentials Dumping" } ] } ] } }