{ "Event": { "analysis": "2", "date": "2021-01-05", "extends_uuid": "", "info": "C2-JARM - A list of JARM hashes for different ssl implementations used by some C2 tools.", "publish_timestamp": "1609857165", "published": true, "threat_level_id": "3", "timestamp": "1609857141", "uuid": "4ce77fdd-19a8-4037-ac75-4ece0c05d63f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0c9900", "local": "0", "name": "cycat:type=\"fingerprint\"", "relationship_type": "" }, { "colour": "#13f200", "local": "0", "name": "cycat:scope=\"investigation\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"Cobalt Strike\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"metasploit\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1609856323", "to_ids": false, "type": "link", "uuid": "f572abd2-6032-4d7b-a43a-b7e3c02ec2cc", "value": "https://github.com/cedowens/C2-JARM" } ], "Object": [ { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609854971", "uuid": "ced5e867-1f14-4ffb-9689-8b567dc4fc67", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609854971", "to_ids": true, "type": "jarm-fingerprint", "uuid": "db1bef7e-6b94-40a6-94eb-e5b8c47ff6c5", "value": "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609854971", "to_ids": false, "type": "text", "uuid": "2c127d4d-5c31-47c4-94fb-bff1bbb00674", "value": "Mythic" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609854971", "to_ids": false, "type": "link", "uuid": "6cfc5cd7-4bec-479d-96d2-05c708aafd77", "value": "https://github.com/its-a-feature/Mythic" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609854971", "to_ids": false, "type": "text", "uuid": "61ad29ea-41a7-45ad-81c6-6ac7c737254f", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609854971", "to_ids": false, "type": "text", "uuid": "c1257f87-04cc-412b-8643-bd77b0b3f620", "value": "python 3 w/aiohttp 3" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855129", "uuid": "e93aa5ee-e092-4ef5-8e41-3429a83d2abe", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855129", "to_ids": true, "type": "jarm-fingerprint", "uuid": "a764fde0-771a-49f3-9702-f553f0daa10b", "value": "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855129", "to_ids": false, "type": "text", "uuid": "706d348d-6db7-4fa9-afc3-1c79baeaf25b", "value": "Metasploit ssl listener" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855129", "to_ids": false, "type": "link", "uuid": "4df63fc2-8887-4744-b28f-d9fe004434ce", "value": "https://github.com/rapid7/metasploit-framework" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855129", "to_ids": false, "type": "text", "uuid": "c05806f2-43a0-4895-81f4-85c6e255f4f9", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855129", "to_ids": false, "type": "text", "uuid": "10aff875-65e8-4d18-a105-bdd98197629d", "value": "ruby 2.7.0p0" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855210", "uuid": "e6dd5ea7-3f49-4a62-bb21-b9ce07651d20", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855210", "to_ids": true, "type": "jarm-fingerprint", "uuid": "b50ff3c6-6cd9-4371-be55-8a89a7fc545e", "value": "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855210", "to_ids": false, "type": "text", "uuid": "2fa1d211-4cb4-4b04-afae-4c51e96e08ff", "value": "Metasploit ssl listener" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855210", "to_ids": false, "type": "link", "uuid": "fe088a1c-acc5-426c-9337-d756b9a98531", "value": "https://github.com/rapid7/metasploit-framework" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855210", "to_ids": false, "type": "text", "uuid": "0cd2a53a-27f3-47d6-98c0-97c68ea4eb47", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855210", "to_ids": false, "type": "text", "uuid": "2a80b9e7-8403-426e-8b7e-d8b10430e3a8", "value": "ruby" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855535", "uuid": "a758246f-0986-4fe6-b97e-5abaa78aaa1c", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855535", "to_ids": true, "type": "jarm-fingerprint", "uuid": "449c5134-2c5a-411d-b700-064ce3d0d5a1", "value": "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855535", "to_ids": false, "type": "text", "uuid": "34040bae-2bad-4dd3-8dec-219ae06f87fb", "value": "Cobalt Strike" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855535", "to_ids": false, "type": "link", "uuid": "5a8c65ce-a5ee-4a30-a05e-ccc4764bde6c", "value": "https://www.cobaltstrike.com/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855535", "to_ids": false, "type": "text", "uuid": "94f82e21-704d-4b5d-bdfb-673d7d7d6210", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855535", "to_ids": false, "type": "text", "uuid": "7f3f56cf-14e1-42c0-97e3-809fe3e7ad0c", "value": "Java 11" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855804", "uuid": "14941eb1-e8eb-424e-baec-9bbe3484c37c", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855804", "to_ids": true, "type": "jarm-fingerprint", "uuid": "08ca7b92-8172-4739-ac7c-3f972cc8a328", "value": "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855804", "to_ids": false, "type": "text", "uuid": "fad3fccb-ef05-4c4c-bd93-7dd5ea0d216a", "value": "Merlin" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855804", "to_ids": false, "type": "link", "uuid": "99f11535-af75-480e-b4e5-23750e58a893", "value": "https://github.com/Ne0nd0g/merlin" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855804", "to_ids": false, "type": "text", "uuid": "1887a168-ee89-4ce1-81a3-7ee8c64a0fa3", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855804", "to_ids": false, "type": "text", "uuid": "1a340b19-e004-4912-8b89-a786b6eaf10e", "value": "go 1.15.2 linux/amd64" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855865", "uuid": "149bb42e-13f3-40cd-86f2-a777bcd48e5c", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855865", "to_ids": true, "type": "jarm-fingerprint", "uuid": "89af9cc4-f17a-4aae-b816-467f6fb4410b", "value": "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855865", "to_ids": false, "type": "text", "uuid": "9553b5f5-cd91-415f-9f3e-eb4ff4fb2e41", "value": "Deimos" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855865", "to_ids": false, "type": "link", "uuid": "de402bf3-2c76-48dd-bbc4-1175f681b4e6", "value": "https://github.com/DeimosC2/DeimosC2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855865", "to_ids": false, "type": "text", "uuid": "5559888d-fc30-4f6f-9410-9b779fd6aca7", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855865", "to_ids": false, "type": "text", "uuid": "c1bbab5c-0986-406e-b8d3-ef943c916417", "value": "go 1.15.2 linux/amd64 with github.com/gorilla/websocket package" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855929", "uuid": "71540ec8-7ab5-4101-833b-9581fa00aec3", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855929", "to_ids": true, "type": "jarm-fingerprint", "uuid": "0d79a2ce-2bcc-4972-a162-edceab95f71e", "value": "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855929", "to_ids": false, "type": "text", "uuid": "a13f2baf-9827-489d-9674-3b06a5d06804", "value": "MacC2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855929", "to_ids": false, "type": "link", "uuid": "42f879f6-629d-4e43-8d5b-aaa98a0c9c03", "value": "https://github.com/cedowens/MacC2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855929", "to_ids": false, "type": "text", "uuid": "8644069d-b351-4d10-904e-5783aaae069b", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855929", "to_ids": false, "type": "text", "uuid": "d6f89037-50c0-4460-b1ca-b89311d5419b", "value": "python 3.8.6 w/aiohttp 3" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609855980", "uuid": "2167582f-1957-42e4-b487-07ab72472ebd", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609855980", "to_ids": true, "type": "jarm-fingerprint", "uuid": "ba06f416-b663-481e-89f7-eff6bd163088", "value": "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609855980", "to_ids": false, "type": "text", "uuid": "c73119c6-0185-4ce4-9236-65d290d0873f", "value": "MacC2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609855980", "to_ids": false, "type": "link", "uuid": "90b06fa0-129e-4218-b4e7-bca7209df738", "value": "https://github.com/cedowens/MacC2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609855980", "to_ids": false, "type": "text", "uuid": "c841489d-53f6-4a0c-a9c1-76368f92ebaf", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609855980", "to_ids": false, "type": "text", "uuid": "918e6d7a-670e-48c3-ae5e-2eaa1dbba809", "value": "python 3.8.2 w/aiohttp 3" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856029", "uuid": "8217d319-e5d7-4060-84ac-3cf744310696", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856029", "to_ids": true, "type": "jarm-fingerprint", "uuid": "d0c773b3-60a6-4f65-afee-9b62c8e7917e", "value": "2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856029", "to_ids": false, "type": "text", "uuid": "ce2cd483-5478-413c-954d-09e0ccae2f19", "value": "MacShellSwift" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609856029", "to_ids": false, "type": "link", "uuid": "1e917e1a-8cfd-4f4d-8b4f-a9680a92b872", "value": "https://github.com/cedowens/MacShellSwift" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856029", "to_ids": false, "type": "text", "uuid": "73e97aac-333e-46a0-82ff-96ef1fe6143d", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856029", "to_ids": false, "type": "text", "uuid": "9ad1e43d-ed19-4e62-84f5-60e65fe943b4", "value": "python 3.8.6 socket" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856074", "uuid": "34e5ca1e-c73e-4d3c-a0b6-d4050ed3333c", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856074", "to_ids": true, "type": "jarm-fingerprint", "uuid": "eb638ebb-b415-42a5-a0ec-e921aba3e8f0", "value": "2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856074", "to_ids": false, "type": "text", "uuid": "8ad8e0cc-ca3b-4254-bf54-27806f22587f", "value": "MacShell" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609856074", "to_ids": false, "type": "link", "uuid": "c54ba9b9-0bba-4068-8008-8adc23303b91", "value": "https://github.com/cedowens/MacShellSwift" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856074", "to_ids": false, "type": "text", "uuid": "c0ff2c54-cb3b-47e5-8583-0a21bca31678", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856074", "to_ids": false, "type": "text", "uuid": "c26b76fa-3580-43a3-9249-fcefe4d87388", "value": "python 3.8.6 socket" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856129", "uuid": "673d0d58-9054-4746-88e6-4e6a0ba0dec6", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856129", "to_ids": true, "type": "jarm-fingerprint", "uuid": "05fa1dff-6273-470a-b49c-431994743fdb", "value": "2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856129", "to_ids": false, "type": "text", "uuid": "e9af814d-14bc-427b-bfff-4405779c931a", "value": "Sliver" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609856129", "to_ids": false, "type": "link", "uuid": "21e9691b-95be-41a4-971b-11b08bf0fdea", "value": "https://github.com/BishopFox/sliver" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856129", "to_ids": false, "type": "text", "uuid": "133624cd-879e-4695-a0fd-0423467dd688", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856129", "to_ids": false, "type": "text", "uuid": "351e1c90-ee5f-4ea4-8f2a-71246084365c", "value": "go 1.15.2 linux/amd64" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856197", "uuid": "961dd2b0-5313-4148-bb63-9b5ed35da7c0", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856197", "to_ids": true, "type": "jarm-fingerprint", "uuid": "8c3f9ef9-70f8-44ee-9884-c963b2917b2c", "value": "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856197", "to_ids": false, "type": "text", "uuid": "ebf3ebf0-9d01-490b-a91e-587b2be69cd8", "value": "EvilGinx2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609856197", "to_ids": false, "type": "link", "uuid": "9e987aac-60ed-490a-9250-a952a2dcda82", "value": "https://github.com/kgretzky/evilginx2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856197", "to_ids": false, "type": "text", "uuid": "d62d2f32-f935-4f48-9121-c064cb2e06f8", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856197", "to_ids": false, "type": "text", "uuid": "ef99db24-fa12-44f6-8ebe-ec984577bd87", "value": "go 1.10.4 linux/amd64" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856245", "uuid": "3858ea64-da2d-4f65-a09e-8f6b8d6221aa", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856245", "to_ids": true, "type": "jarm-fingerprint", "uuid": "7814567b-ad50-4351-8d2d-21ce8a382dd3", "value": "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856245", "to_ids": false, "type": "text", "uuid": "5e0e2530-9051-460a-8990-bb03e4791a90", "value": "Shad0w" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "reference", "timestamp": "1609856245", "to_ids": false, "type": "link", "uuid": "fc29c257-02dc-4c94-b27d-bbd4f2caa13f", "value": "https://github.com/bats3c/shad0w" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856245", "to_ids": false, "type": "text", "uuid": "1365786b-5c55-4ec2-b140-5dfda158e75b", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856245", "to_ids": false, "type": "text", "uuid": "7db599cc-c1a7-478b-9ea6-95d585ce5643", "value": "python 3.8 flask" } ] }, { "comment": "", "deleted": false, "description": "Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.", "meta-category": "network", "name": "jarm", "template_uuid": "8220ce60-ce3f-4be4-afa9-743f94ec37e0", "template_version": "1", "timestamp": "1609856289", "uuid": "992020a7-615a-444c-b1f7-7770dbd88f3d", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "jarm", "timestamp": "1609856289", "to_ids": true, "type": "jarm-fingerprint", "uuid": "3991d211-7c60-4c55-bf9d-1e8cb0e26eed", "value": "07d19d12d21d21d07c07d19d07d21da5a8ab90bcc6bf8bbc6fbec4bcaa8219" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tool", "timestamp": "1609856289", "to_ids": false, "type": "text", "uuid": "4ba185ae-af87-4a08-959d-3a6c1e2f83c1", "value": "Get2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scope", "timestamp": "1609856290", "to_ids": false, "type": "text", "uuid": "b2963c66-ff54-41fd-8484-a9271d710be2", "value": "Malicious - C2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "tls-implementation", "timestamp": "1609856290", "to_ids": false, "type": "text", "uuid": "814aaeef-74ae-48de-aaf5-745cc3e42a90", "value": "N/A" } ] }, { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "1", "timestamp": "1609857042", "uuid": "4d3e74f4-45fc-48b5-bed2-df9fee9a7546", "ObjectReference": [ { "comment": "", "object_uuid": "4d3e74f4-45fc-48b5-bed2-df9fee9a7546", "referenced_uuid": "f572abd2-6032-4d7b-a43a-b7e3c02ec2cc", "relationship_type": "references", "timestamp": "0", "uuid": "c3967118-f1c3-41d3-a51c-5ad6ac34cc4e" } ], "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1609857008", "to_ids": false, "type": "text", "uuid": "631bc767-1690-4513-bbb7-ab93acb34a34", "value": "A list of JARM hashes for different ssl implementations used by some C2 tools. Also adding other useful red team tools that use ssl (ex: EvilGinx2).\r\n\r\nFor more info on JARM hashing, check out the work by the Salesforce security team on their JARM github link here: https://github.com/salesforce/jarm\r\n\r\nThis is a neat way to fingerprint ssl servers by the software implementation. This alone would not be sufficient to detect C2 in a high fidelity manner, but JARM hashes coupled with other high value indicators would certainly be of value. This also highlights the need for red teams to ensure their C2 infra is not exposed for public access.\r\n\r\nI plan to add more to this list over time. Feel free to contribute!!" } ] } ] } }