{ "Event": { "analysis": "2", "date": "2021-02-16", "extends_uuid": "", "info": "CERT-FR report extended - sandworm intrusion set campaign targeting Centreon systems", "publish_timestamp": "1613463612", "published": true, "threat_level_id": "4", "timestamp": "1613463604", "uuid": "eb4ee171-8930-4c15-8917-9af8775417fb", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:target-information=\"France\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0029ff", "name": "estimative-language:confidence-in-analytic-judgment=\"high\"" }, { "colour": "#001fc2", "name": "estimative-language:likelihood-probability=\"almost-certain\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-ics-groups=\"Sandworm\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\"" }, { "colour": "#0088cc", "name": "misp-galaxy:threat-actor=\"ELECTRUM\"" }, { "colour": "#12e300", "name": "misp-galaxy:threat-actor=\"Sandworm\"" }, { "colour": "#0088cc", "name": "misp-galaxy:threat-actor=\"TeleBots\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"" } ], "Attribute": [ { "category": "Other", "comment": "Merged from event 82379", "deleted": false, "disable_correlation": false, "timestamp": "1613462412", "to_ids": true, "type": "comment", "uuid": "f978cd25-0c3e-439d-bf76-89816f091bd7", "value": "Backdoors related to Sandworm", "Tag": [ { "colour": "#00ae7a", "name": "DescriptionTechnique" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613462472", "to_ids": true, "type": "snort", "uuid": "b5ef5f9d-f210-4eb8-bdf9-b1afb94652a8", "value": "alert tcp any any -> any any ( sid:2000210015; msg:\"P.A.S. webshell - passwd BruteForce form parameters\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"br=&brp%5B%5D=\"; http_client_body; fast_pattern; \\\r\n pcre:\"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/\"; http_client_body;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613462523", "to_ids": true, "type": "snort", "uuid": "407b6ae2-b350-49b4-84a3-c60706c3de45", "value": "alert tcp any any -> any any ( sid:2000210001; msg:\"P.A.S. webshell - Explorer - download file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fdw=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210002; msg:\"P.A.S. webshell - Explorer - copy file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fcf=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210003; msg:\"P.A.S. webshell - Explorer - move file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fm=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210004; msg:\"P.A.S. webshell - Explorer - del file\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fd=%2F\"; http_client_body; offset:0)\r\n\r\nalert tcp any any -> any any ( sid:2000210005; msg:\"P.A.S. webshell - Explorer - multi file download\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fdwa=Download\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210006; msg:\"P.A.S. webshell - Explorer - multi file copy\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fca=Copy\"; http_client_body;)\r\n\r\nalert tcp any any -> any any ( sid:2000210007; msg:\"P.A.S. webshell - Explorer - multi file move\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fma=Move\"; http_client_body; )\r\n\r\nalert tcp any any -> any any ( sid:2000210008; msg:\"P.A.S. webshell - Explorer - multi file delete\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; \\\r\n content:\"&fda=Delete\"; http_client_body; ) \r\n\r\nalert tcp any any -> any any ( sid:2000210009; msg:\"P.A.S. webshell - Explorer - paste\"; \\\r\n flow:to_server,established; content:\"POST\"; http_method; \\\r\n content:\"fe=&fbp=Paste\"; http_client_body; offset:0; )" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613462557", "to_ids": true, "type": "snort", "uuid": "9a2728e5-a907-4904-8067-9c373924678b", "value": "alert tcp any any -> any any ( sid:2000210000; msg:\"P.A.S. webshell - Response Footer\"; \\\r\n flow:to_client,established; content:\"200\"; http_stat_code; \\\r\n file_data; content:\"