{ "type": "bundle", "id": "bundle--fd875781-262e-4159-a0cd-ac0241784cc7", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--fd875781-262e-4159-a0cd-ac0241784cc7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "name": "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server", "published": "2021-03-10T07:31:50Z", "object_refs": [ "indicator--413f1ac4-a532-4064-bade-e235aa47742b", "indicator--fa5173da-5d57-4f33-9fc0-951c52af2604", "indicator--22995f5b-dc6a-4d28-a2ac-6ab03e2bb37e", "indicator--def94d8e-d667-4919-9716-3bb647f170bc", "indicator--4efc6517-a3f4-4bf0-8e80-c7932fd9fe91", "indicator--1e3175ea-2d41-4464-b782-acbea8acd3df", "indicator--e8dc44c3-ce63-4ead-adef-619093ef56a6", "indicator--1bfa394a-6c79-49a7-b323-d7219230016e", "indicator--f18e4d36-14f3-4b8c-b52a-cec77044bdbc", "indicator--303d4ede-e32c-4770-86c5-5c03a1a29f99", "indicator--05022526-5ee3-45cd-a5ee-1d5dfd24eaf8", "indicator--7ed74f81-dde6-49a1-918c-0d92925f1314", "indicator--18c5376a-1aef-4fe3-a66c-a4de1f901ad2", "indicator--83b7c9a1-9546-4465-b872-56cb3a3b5fa6", "indicator--6ad50f9b-e3f2-48ca-81c9-d15808e6d738", "indicator--51ce23e7-d6e1-4419-84e5-b7817fce917d", "indicator--02e4616d-8cf1-4260-81d4-a36327463f6a", "indicator--72337e5a-25cc-4433-95a8-425ad5e136a7", "indicator--9ae579fb-d41e-41cd-a561-ba21f57f2c80", "indicator--5b77ffac-119a-44b9-9f8b-7490e1eb3ee0", "indicator--8ea73e39-6d7e-404b-8703-87c1642d1fc0", "indicator--207eca01-fc05-4bcd-a202-8eddf6c7558d", "indicator--8637d739-8966-4329-b50a-b9f0f4a1bcfa", "indicator--09e2769a-b35b-4cd0-b38d-52567ec988f3", "indicator--e84decaa-7940-4d67-9aaa-26208a0a8948", "indicator--f7289972-ada1-4ded-ac14-0d4444e864b3", "indicator--1815970d-ce0c-4353-b8d2-79b32c1b2df8", "indicator--7b386da1-88b0-46d8-af3a-9702f117a49f", "indicator--f644a2c3-c293-44b0-97ed-9abe8b6055aa", "indicator--4ca0d6fb-8243-4a88-9007-26cda3eed84e", "indicator--404c05d7-91d0-4f62-b219-ea0a60ab2146", "indicator--279bb3c4-588e-43bc-bec5-7ea0f30abae2", "indicator--3122f7b8-bf59-4b85-b304-0284f128dbd6", "indicator--d791b287-606e-4db3-9e18-fc6736a43d89", "indicator--64cf16e6-e1ce-4c3d-bc0d-b330ce04aebc", "indicator--45665e5c-0234-4418-a741-9393cac6e8ad", "x-misp-object--d58ee1a4-a9f4-4399-b0ee-ef6a56041d61", "indicator--67c07ce5-44b3-4bc5-99b3-4aab41cb6a60", "x-misp-object--dabe273c-c3c3-484d-86b8-b7faefc6794d", "indicator--7bc065a5-1635-4bcd-9150-d929f8f74d96", "x-misp-object--89dd3fc2-b2d9-407a-8001-d3567375f28f", "relationship--e03a4477-5fe3-4a51-9499-a7a10d714616", "relationship--93af7e84-a73b-4740-bbf9-36ee3563c4c5" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--413f1ac4-a532-4064-bade-e235aa47742b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:29:40.000Z", "modified": "2021-03-09T13:29:40.000Z", "description": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "pattern": "[file:hashes.SHA256 = '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:29:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa5173da-5d57-4f33-9fc0-951c52af2604", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:29:40.000Z", "modified": "2021-03-09T13:29:40.000Z", "description": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "pattern": "[file:hashes.SHA256 = 'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:29:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--22995f5b-dc6a-4d28-a2ac-6ab03e2bb37e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:29:40.000Z", "modified": "2021-03-09T13:29:40.000Z", "description": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "pattern": "[file:hashes.SHA256 = '4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:29:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--def94d8e-d667-4919-9716-3bb647f170bc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:29:40.000Z", "modified": "2021-03-09T13:29:40.000Z", "description": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "pattern": "[file:hashes.SHA256 = '811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:29:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4efc6517-a3f4-4bf0-8e80-c7932fd9fe91", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:29:41.000Z", "modified": "2021-03-09T13:29:41.000Z", "description": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "pattern": "[file:hashes.SHA256 = '65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:29:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e3175ea-2d41-4464-b782-acbea8acd3df", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\errorPages.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e8dc44c3-ce63-4ead-adef-619093ef56a6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\fatal-erro.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1bfa394a-6c79-49a7-b323-d7219230016e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\log.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f18e4d36-14f3-4b8c-b52a-cec77044bdbc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\logg.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--303d4ede-e32c-4770-86c5-5c03a1a29f99", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\logout.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--05022526-5ee3-45cd-a5ee-1d5dfd24eaf8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\one.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ed74f81-dde6-49a1-918c-0d92925f1314", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\one1.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--18c5376a-1aef-4fe3-a66c-a4de1f901ad2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\shel.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83b7c9a1-9546-4465-b872-56cb3a3b5fa6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\shel2.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6ad50f9b-e3f2-48ca-81c9-d15808e6d738", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\shel90.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--51ce23e7-d6e1-4419-84e5-b7817fce917d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\a.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02e4616d-8cf1-4260-81d4-a36327463f6a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\default.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--72337e5a-25cc-4433-95a8-425ad5e136a7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\shell.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9ae579fb-d41e-41cd-a561-ba21f57f2c80", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\Server.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b77ffac-119a-44b9-9f8b-7490e1eb3ee0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\aspnet_client.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8ea73e39-6d7e-404b-8703-87c1642d1fc0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\aspnet_iisstart.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--207eca01-fc05-4bcd-a202-8eddf6c7558d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\aspnet_pages.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8637d739-8966-4329-b50a-b9f0f4a1bcfa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\aspnet_www.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--09e2769a-b35b-4cd0-b38d-52567ec988f3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\default1.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e84decaa-7940-4d67-9aaa-26208a0a8948", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\errorcheck.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f7289972-ada1-4ded-ac14-0d4444e864b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\iispage.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1815970d-ce0c-4353-b8d2-79b32c1b2df8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\s.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b386da1-88b0-46d8-af3a-9702f117a49f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\session.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f644a2c3-c293-44b0-97ed-9abe8b6055aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web\\\\log.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4ca0d6fb-8243-4a88-9007-26cda3eed84e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\xclkmcfldfi948398430fdjkfdkj.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--404c05d7-91d0-4f62-b219-ea0a60ab2146", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\xx.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--279bb3c4-588e-43bc-bec5-7ea0f30abae2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\discover.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3122f7b8-bf59-4b85-b304-0284f128dbd6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\HttpProxy.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d791b287-606e-4db3-9e18-fc6736a43d89", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\OutlookEN.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64cf16e6-e1ce-4c3d-bc0d-b330ce04aebc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = 'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\supp0rt.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--45665e5c-0234-4418-a741-9393cac6e8ad", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-10T07:28:50.000Z", "modified": "2021-03-10T07:28:50.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\OAB\\\\log.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-10T07:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d58ee1a4-a9f4-4399-b0ee-ef6a56041d61", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:30:11.000Z", "modified": "2021-03-09T13:30:11.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020", "category": "External analysis", "uuid": "5e7f8c42-778d-474a-98f3-582638ff3227" }, { "type": "text", "object_relation": "summary", "value": "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server\r\nTo help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don\u2019t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.", "category": "Other", "uuid": "e9d11c2c-3c7b-438b-ae41-ea254bcb5eab" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67c07ce5-44b3-4bc5-99b3-4aab41cb6a60", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "pattern": "[file:hashes.MD5 = '4b3039cf227c611c45d2242d1228a121' AND file:hashes.SHA1 = '0ba9a76f55aaa495670d74d21850d0155ff5d6a5' AND file:hashes.SHA256 = 'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:31:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--dabe273c-c3c3-484d-86b8-b7faefc6794d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-03-09T12:43:18+00:00", "category": "Other", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "c39f9cff-2004-4ddb-bf0b-73aa06ea2faa" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection/f-b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0-1615293798", "category": "Payload delivery", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "3dacaf12-a071-45a8-a0a5-cca758123a83" }, { "type": "text", "object_relation": "detection-ratio", "value": "32/59", "category": "Payload delivery", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "85789282-98cf-4c8d-b1aa-39e11d8f0707" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7bc065a5-1635-4bcd-9150-d929f8f74d96", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "pattern": "[file:hashes.MD5 = '5544ba9ad1b56101b5d52b5270421d4a' AND file:hashes.SHA1 = 'fc6f5ce56166d9b4516ba207f3a653b722e1a8df' AND file:hashes.SHA256 = '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-03-09T13:31:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--89dd3fc2-b2d9-407a-8001-d3567375f28f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-03-09T10:02:47+00:00", "category": "Other", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "88c26491-1653-45de-b5ab-d8e0d486a105" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1/detection/f-511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1-1615284167", "category": "Payload delivery", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "ad5797bd-9107-4415-8867-1a38e32406d5" }, { "type": "text", "object_relation": "detection-ratio", "value": "18/58", "category": "Payload delivery", "comment": "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.", "uuid": "cb6fe889-9985-488c-8213-0d0b65bfca71" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e03a4477-5fe3-4a51-9499-a7a10d714616", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--67c07ce5-44b3-4bc5-99b3-4aab41cb6a60", "target_ref": "x-misp-object--dabe273c-c3c3-484d-86b8-b7faefc6794d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--93af7e84-a73b-4740-bbf9-36ee3563c4c5", "created": "2021-03-09T13:31:35.000Z", "modified": "2021-03-09T13:31:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7bc065a5-1635-4bcd-9150-d929f8f74d96", "target_ref": "x-misp-object--89dd3fc2-b2d9-407a-8001-d3567375f28f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }