{"Event": {"info": "OSINT - Threat Analysis: Recent Attack Technique Leveraging cmd.exe and PowerShell Demonstrates How Attackers Are Using Trusted Microsoft Applications for Malicious Behavior", "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "publish_timestamp": "0", "timestamp": "1535704898", "Object": [{"comment": " Execute.bat variant", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b88e098-e068-4c2f-b6c0-4bd3950d210f", "sharing_group_id": "0", "timestamp": "1535697048", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b88e098-4b5c-4b4b-ba02-49e0950d210f", "timestamp": "1535697048", "to_ids": true, "value": "e03c0ac69a78dfc9920a88a5aac5f843", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5b88e099-8678-436d-8176-4c11950d210f", "timestamp": "1535697049", "to_ids": true, "value": "e952b9e53974c194794a36491af46c4a08ecebb08aed005eeab9d3b336e384a9", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5b88e099-981c-4651-8b0d-4e35950d210f", "timestamp": "1535697049", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "4613f07b-584f-484f-b1cd-f9fa7af0bac7", "sharing_group_id": "0", "timestamp": "1535702983", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "4613f07b-584f-484f-b1cd-f9fa7af0bac7", "uuid": "5b88f7c7-da64-4632-b475-413202de0b81", "timestamp": "1535702983", "referenced_uuid": "636acedc-64bd-4491-8889-24c878af025f", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "1e40bd9d-c35e-4a7d-97b0-ea58800a8e19", "timestamp": "1535702980", "to_ids": true, "value": "e03c0ac69a78dfc9920a88a5aac5f843", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "03a46250-7615-4a1c-bc82-a5ad437d6af0", "timestamp": "1535702981", "to_ids": true, "value": "42d5135642fbab5ba4d833b1b4534f3497acf0e1", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "e2fdd428-7b73-4137-8990-2cde173e5143", "timestamp": "1535702981", "to_ids": true, "value": "e952b9e53974c194794a36491af46c4a08ecebb08aed005eeab9d3b336e384a9", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "636acedc-64bd-4491-8889-24c878af025f", "sharing_group_id": "0", "timestamp": "1535702981", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "49175c59-f9fc-43d0-8568-d1ef024b8fd7", "timestamp": "1535702982", "to_ids": false, "value": "2018-07-19 23:13:18", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "0d4e90a9-2c72-434e-b03f-3383f8bbc6af", "timestamp": "1535702982", "to_ids": false, "value": "https://www.virustotal.com/file/e952b9e53974c194794a36491af46c4a08ecebb08aed005eeab9d3b336e384a9/analysis/1532041998/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "59d408a9-43c7-4c8a-b6ef-d12d0e409c05", "timestamp": "1535702982", "to_ids": false, "value": "8/59", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "0", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5b885194-9944-4a58-b4f7-44e902de0b81", "timestamp": "1535703162", "to_ids": false, "value": "https://www.carbonblack.com/2018/08/27/threat-analysis-recent-attack-technique-leveraging-cmd-exe-and-powershell-demonstrates-how-attackers-are-using-trusted-microsoft-applications-for-malicious-behavior/", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "5b88f0af-0370-4c76-aa19-4e25950d210f", "timestamp": "1535701167", "to_ids": true, "value": "%WINDIR%\\Temp\\__PSScriptPolicyTest_mcnxgxch.sw5.ps1", "disable_correlation": false, "object_relation": null, "type": "filename"}], "extends_uuid": "", "published": false, "date": "2018-08-30", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5b885180-7750-44b8-84a0-4eb702de0b81"}}