{ "type": "bundle", "id": "bundle--eb4ee171-8930-4c15-8917-9af8775417fb", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:20:04.000Z", "modified": "2021-02-16T08:20:04.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--eb4ee171-8930-4c15-8917-9af8775417fb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:20:04.000Z", "modified": "2021-02-16T08:20:04.000Z", "name": "CERT-FR report extended - sandworm intrusion set campaign targeting Centreon systems", "published": "2021-02-16T08:20:12Z", "object_refs": [ "x-misp-attribute--f978cd25-0c3e-439d-bf76-89816f091bd7", "indicator--b5ef5f9d-f210-4eb8-bdf9-b1afb94652a8", "indicator--407b6ae2-b350-49b4-84a3-c60706c3de45", "indicator--9a2728e5-a907-4904-8067-9c373924678b", "indicator--817b4025-2723-4ec0-9a81-5be8713c9504", "indicator--daa160ad-5a32-45be-b252-8d23058982ab", "indicator--78938c6b-8c68-4363-aa87-739e5869f753", "indicator--3ece03fc-263e-4d22-b34f-fd2035ba23c2", "indicator--aeb6cc44-bf59-4d86-a682-1f1515766bf6", "x-misp-attribute--f769a073-b68f-4bc5-a69d-46b06d6e9e5d", "indicator--740dbb6b-8b31-4195-9b51-09215b9bddfc", "indicator--9bd1fa69-0f16-47e5-a523-3438b05453ce", "indicator--c0b6e59d-fa31-4244-8c97-1409523e0099", "indicator--17bc4c04-3561-421e-ada9-b4660c447caf", "indicator--ab537f1f-febd-4758-938d-ca5cc46f9690", "indicator--a93fa919-ce20-41f1-a187-98be6725ffa6", "indicator--fd1f5f5b-df65-4bcf-b7f8-42d1a2170bb1", "indicator--1ca2b37b-cd9c-43d3-a5de-4186a58324eb", "indicator--19207a94-6676-4c81-8cd1-df9f23fc4afd", "x-misp-object--ddbd7a0a-4e58-4a8d-bc5c-838f588a9dce" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:target-information=\"France\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "estimative-language:confidence-in-analytic-judgment=\"high\"", "estimative-language:likelihood-probability=\"almost-certain\"", "misp-galaxy:mitre-ics-groups=\"Sandworm\"", "misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\"", "misp-galaxy:threat-actor=\"ELECTRUM\"", "misp-galaxy:threat-actor=\"Sandworm\"", "misp-galaxy:threat-actor=\"TeleBots\"", "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"", "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"", "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"", "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--f978cd25-0c3e-439d-bf76-89816f091bd7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:00:12.000Z", "modified": "2021-02-16T08:00:12.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Other\"", "misp:to_ids=\"True\"", "DescriptionTechnique" ], "x_misp_category": "Other", "x_misp_comment": "Merged from event 82379", "x_misp_type": "comment", "x_misp_value": "Backdoors related to Sandworm" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b5ef5f9d-f210-4eb8-bdf9-b1afb94652a8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:01:12.000Z", "modified": "2021-02-16T08:01:12.000Z", "pattern": "[alert tcp any any -> any any ( sid:2000210015; msg:\"P.A.S. webshell - passwd BruteForce form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"br=&brp%5B%5D=\"; http_client_body; fast_pattern; \\\r\n pcre:\"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/\"; http_client_body;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2021-02-16T08:01:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--407b6ae2-b350-49b4-84a3-c60706c3de45", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:02:03.000Z", "modified": "2021-02-16T08:02:03.000Z", "pattern": "[alert tcp any any -> any any ( sid:2000210001; msg:\"P.A.S. webshell - Explorer - download file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fdw=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210002; msg:\"P.A.S. webshell - Explorer - copy file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fcf=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210003; msg:\"P.A.S. webshell - Explorer - move file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fm=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210004; msg:\"P.A.S. webshell - Explorer - del file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fd=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210005; msg:\"P.A.S. webshell - Explorer - multi file download\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fdwa=Download\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210006; msg:\"P.A.S. webshell - Explorer - multi file copy\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fca=Copy\"; http_client_body;)\r\n\r\nalert tcp any any -> any any ( sid:2000210007; msg:\"P.A.S. webshell - Explorer - multi file move\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fma=Move\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210008; msg:\"P.A.S. webshell - Explorer - multi file delete\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fda=Delete\"; http_client_body; ) \r\n\r\nalert tcp any any -> any any ( sid:2000210009; msg:\"P.A.S. webshell - Explorer - paste\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fbp=Paste\"; http_client_body; offset:0; )]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2021-02-16T08:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9a2728e5-a907-4904-8067-9c373924678b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-16T08:02:37.000Z", "modified": "2021-02-16T08:02:37.000Z", "pattern": "[alert tcp any any -> any any ( sid:2000210000; msg:\"P.A.S. webshell - Response Footer\"; \\\r\n flow:to_client,established; content:\"200\"; http_stat_code; \\\r\n file_data; content:\"