{ "type": "bundle", "id": "bundle--59ec91ee-ae0c-4d5a-b149-4c0d02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-22T13:01:52.000Z", "modified": "2017-10-22T13:01:52.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59ec91ee-ae0c-4d5a-b149-4c0d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-22T13:01:52.000Z", "modified": "2017-10-22T13:01:52.000Z", "name": "OSINT - US CERT TA17-293A report - renamed PsExec execution (sigma/SIEM ruleset)", "published": "2017-10-22T13:30:34Z", "object_refs": [ "indicator--59ec921f-60d4-4693-8c63-43ad02de0b81", "observed-data--59ec9242-cfcc-4634-8fca-416c02de0b81", "url--59ec9242-cfcc-4634-8fca-416c02de0b81", "observed-data--59ec9287-bc74-4c24-8c98-495c02de0b81", "url--59ec9287-bc74-4c24-8c98-495c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-intrusion-set=\"Dragonfly\"", "misp-galaxy:threat-actor=\"Energetic Bear\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59ec921f-60d4-4693-8c63-43ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-22T12:42:07.000Z", "modified": "2017-10-22T12:42:07.000Z", "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "pattern": "[title: Ps.exe Renamed SysInternals Tool\r\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report\r\nreference: https://www.us-cert.gov/ncas/alerts/TA17-293A\r\nauthor: Florian Roth\r\ndate: 2017/10/22\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID: 1\r\n CommandLine: 'ps.exe -accepteula'\r\n condition: selection\r\nfalsepositives:\r\n - Renamed SysInternals tool\r\nlevel: high]", "pattern_type": "sigma", "pattern_version": "2.1", "valid_from": "2017-10-22T12:42:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sigma\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59ec9242-cfcc-4634-8fca-416c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-22T12:42:42.000Z", "modified": "2017-10-22T12:42:42.000Z", "first_observed": "2017-10-22T12:42:42Z", "last_observed": "2017-10-22T12:42:42Z", "number_observed": 1, "object_refs": [ "url--59ec9242-cfcc-4634-8fca-416c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59ec9242-cfcc-4634-8fca-416c02de0b81", "value": "https://github.com/Neo23x0/sigma/blob/801d739a3ba81b9b080efe33aea52c6893790853/rules/apt/apt_ta17_293a_ps.yml" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59ec9287-bc74-4c24-8c98-495c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-22T12:43:51.000Z", "modified": "2017-10-22T12:43:51.000Z", "first_observed": "2017-10-22T12:43:51Z", "last_observed": "2017-10-22T12:43:51Z", "number_observed": 1, "object_refs": [ "url--59ec9287-bc74-4c24-8c98-495c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59ec9287-bc74-4c24-8c98-495c02de0b81", "value": "https://www.us-cert.gov/ncas/alerts/TA17-293A" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": 
"2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }