{ "type": "bundle", "id": "bundle--b7f8805b-fec8-4491-b866-83a457212437", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T09:38:12.000Z", "modified": "2021-04-21T09:38:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--b7f8805b-fec8-4491-b866-83a457212437", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T09:38:12.000Z", "modified": "2021-04-21T09:38:12.000Z", "name": "FireEye Mandiant PulseSecure Exploitation Countermeasures", "published": "2021-04-21T09:38:28Z", "object_refs": [ "observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04", "url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04", "observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4", "url--5cb95524-3fef-4334-9fef-e6d3f00982a4", "indicator--d584973b-e85b-431b-a2f2-c3cd33562245", "indicator--55301c17-7b0e-450d-89be-54eb3f096592", "indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6", "indicator--4ad4982e-87bf-4edc-915b-4ad84f3b13eb", "indicator--2b0bd4a3-3f4a-4e9a-b330-52a196385fc0", "indicator--baccb07a-3ac5-4a08-89d0-5c02114ad60b", "x-misp-object--57ffce5f-60a8-40ae-b11e-624ca218704d", "indicator--6854614c-df9f-4bb5-8de0-857c943be550", "indicator--874ca0e5-827e-43f8-99f5-a2a5aa60e672", "indicator--cd13cfd7-f4dc-4864-9009-30baa29551a6", "indicator--1d87313f-7519-4748-bfb1-fc8b60906cf6", "indicator--0b65ad47-db4b-4f58-a33c-e671746afa05", "indicator--5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01", "indicator--efd7b1ec-0fff-498a-ad64-d1d259ebbf82", "indicator--35ae369e-4ab2-447c-819c-c366f547ca9c", "indicator--5f99e163-f31e-4994-8a56-4b249d894012", "indicator--0690ab34-3ffe-4d37-b6a7-4ce477d4de60", "indicator--30408119-108d-495f-89ca-cbe1dcf0b68b", "indicator--c0b88e1a-d76c-4226-bffa-45ca59bc2fa9", "indicator--dbab04b4-1df0-4055-be1a-2ad6d47b15de", "indicator--5279454c-137c-4df2-ab40-d4f67be95f40", "indicator--61f23a4d-8a5f-4a4c-b846-4f87797fbb1a", "indicator--44e27409-7862-42be-bf2b-4d18fa27243f", "indicator--3347af09-6558-4e07-ac68-c7abe87079b9", "indicator--ec665abd-0414-4647-b4cd-9fa22e979ab8", "indicator--3e50f8b8-0dbc-4bec-80de-30e325671f95", "indicator--2620c50d-6305-45cb-8aff-e37d50425358", "indicator--cfaa4938-1778-45cd-b95a-61be8ba0837e", "indicator--0da707a9-b329-4d30-b907-01fe6c1de17c", "indicator--df51083d-32e2-4812-89bb-f7036472920e", "indicator--5151611d-c11d-47cf-9a9c-5ef132b1a303", "indicator--298449a1-8e86-409c-96fb-0c225d9f98a9", "indicator--cf564f32-56e9-4fe0-87ac-5e5df91b0c9f", "indicator--bbcc14ea-c7fc-4b15-a020-b619641add7e", "indicator--60b5f9a7-ffa3-4d56-a1a7-6642638be3e6", "indicator--04323a10-ee75-43ae-9150-001fe9a27ab7", "indicator--bbdbb662-a8b1-4c13-85f2-898abde6d3f9", "indicator--b4a44973-985c-4058-b968-9cd867f1bef6", "indicator--ca389b0d-fbe4-42bc-96e3-56b5f4886c9b", "indicator--34384af6-0071-435b-84c1-bf8c3420cd08", "indicator--1fc8066f-98aa-4e70-b4ee-0710931cdac7", "indicator--447d890e-3529-486e-b4f8-704b813d745f", "indicator--7bd70c6d-d345-45f3-a8ac-00e4a2149cea", "indicator--8f5eaca0-34a1-4e85-b6b3-8082bce62175", "indicator--4f5204e2-efbe-4200-8f2c-bc6ebbb952da", "indicator--c73a7441-1444-42a9-974d-3f3e64168bcc", "indicator--642cf927-5c24-4846-b8a7-5b895c87594f", "indicator--c7b0b3ec-3c74-4329-abc4-0d4414228f90", "indicator--76f29c1c-c880-4baa-be5a-cecf57c18d38", "indicator--12ee2578-f80b-4db9-b7c5-75c5f05215f2", "indicator--ef28ce31-93a2-48a8-8ed8-b56b8caf60a7", "indicator--d11dc00d-249a-4b44-a70d-8d1912c6b012", "indicator--b78852fc-95f7-4ec5-a7ed-e001320e19b4", "indicator--9df4fc8c-7277-4488-9f3b-ff2a0f51aa66", "indicator--b79a5423-1769-4be7-a580-909c99a08598", "indicator--17e7dce5-405d-4cf1-8d2f-9f3de6653c75", "indicator--95be007c-e7a2-45a6-a1ff-d0f334e662da", "indicator--40e78b71-1425-4450-aa39-08ecaa30f0df", "note--82e160db-f47a-433c-865a-fb667f3cff29" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "estimative-language:confidence-in-analytic-judgment=\"high\"", "estimative-language:likelihood-probability=\"almost-certain\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T08:07:36.000Z", "modified": "2021-04-21T08:07:36.000Z", "first_observed": "2021-04-21T08:07:36Z", "last_observed": "2021-04-21T08:07:36Z", "number_observed": 1, "object_refs": [ "url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04", "value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T08:12:08.000Z", "modified": "2021-04-21T08:12:08.000Z", "first_observed": "2021-04-21T08:12:08Z", "last_observed": "2021-04-21T08:12:08Z", "number_observed": 1, "object_refs": [ "url--5cb95524-3fef-4334-9fef-e6d3f00982a4" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cb95524-3fef-4334-9fef-e6d3f00982a4", "value": "https://www.circl.lu/pub/tr-63" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d584973b-e85b-431b-a2f2-c3cd33562245", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T09:01:21.000Z", "modified": "2021-04-21T09:01:21.000Z", "pattern": "[alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; )]", "pattern_type": "snort", "valid_from": "2021-04-21T09:01:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55301c17-7b0e-450d-89be-54eb3f096592", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T09:01:21.000Z", "modified": "2021-04-21T09:01:21.000Z", "pattern": "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )]", "pattern_type": "snort", "valid_from": "2021-04-21T09:01:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-04-21T09:01:21.000Z", "modified": "2021-04-21T09:01:21.000Z", "pattern": "[alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[