{ "Event": { "analysis": "2", "date": "2021-04-21", "extends_uuid": "", "info": "FireEye Mandiant PulseSecure Exploitation Countermeasures", "publish_timestamp": "1618997908", "published": true, "threat_level_id": "1", "timestamp": "1618997892", "uuid": "b7f8805b-fec8-4491-b866-83a457212437", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0029ff", "name": "estimative-language:confidence-in-analytic-judgment=\"high\"" }, { "colour": "#001fc2", "name": "estimative-language:likelihood-probability=\"almost-certain\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1618992456", "to_ids": false, "type": "link", "uuid": "5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04", "value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1618992728", "to_ids": false, "type": "link", "uuid": "5cb95524-3fef-4334-9fef-e6d3f00982a4", "value": "https://www.circl.lu/pub/tr-63" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1618995681", "to_ids": true, "type": "snort", "uuid": "d584973b-e85b-431b-a2f2-c3cd33562245", "value": "alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; 
)" }, { "category": "Network activity", "comment": "Placeholder sid 999999999 is also used by the PULSECHECK.PL callback rule in this event, so exporting both with to_ids and loading them together will fail on a duplicate SID; assign each rule a unique SID from the local range (and a rev) before deployment. The sibling callback rule also carries a raw line break before its closing parenthesis, which is invalid inside a JSON string and will need to be re-joined before the rule loads.", "deleted": false, "disable_correlation": false, "timestamp": "1618995681", "to_ids": true, "type": "snort", "uuid": "55301c17-7b0e-450d-89be-54eb3f096592", "value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1618995681", "to_ids": true, "type": "snort", "uuid": "e8e292e5-5fab-4e5b-afa0-89df4eb361d6", "value": "alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[