{
|
|
"type": "bundle",
|
|
"id": "bundle--589327e5-227c-4236-a9b8-fafc950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T13:13:44.000Z",
|
|
"modified": "2017-02-02T13:13:44.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--589327e5-227c-4236-a9b8-fafc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T13:13:44.000Z",
|
|
"modified": "2017-02-02T13:13:44.000Z",
|
|
"name": "OSINT - Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society",
|
|
"published": "2017-02-02T15:56:47Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--589328a6-8f58-41b7-861e-a72f950d210f",
|
|
"observed-data--589328b7-3598-41f9-a503-4837950d210f",
|
|
"url--589328b7-3598-41f9-a503-4837950d210f",
|
|
"indicator--58932917-4064-4830-a6d1-4b19950d210f",
|
|
"indicator--58932918-a200-4e93-a634-4275950d210f",
|
|
"indicator--58932918-e458-4a3c-9244-4e2e950d210f",
|
|
"indicator--58932919-39a8-49e9-9164-4c48950d210f",
|
|
"indicator--5893291a-1d70-4170-ba53-4576950d210f",
|
|
"indicator--5893291a-ac08-45da-aa57-402e950d210f",
|
|
"indicator--5893291b-db6c-490a-8b6e-4def950d210f",
|
|
"indicator--5893291c-1148-4945-980f-4287950d210f",
|
|
"indicator--5893291d-78e8-44ba-9d5c-4911950d210f",
|
|
"indicator--5893291d-7a60-4659-8fe1-4d85950d210f",
|
|
"indicator--5893291e-295c-4d72-861f-4ff8950d210f",
|
|
"indicator--5893291f-c728-420e-91fe-42bd950d210f",
|
|
"indicator--58932920-35b8-4f43-b2fd-43f2950d210f",
|
|
"indicator--58932920-d574-4b73-9d56-4c92950d210f",
|
|
"indicator--58932921-7ed4-4b05-a967-4b08950d210f",
|
|
"indicator--58932922-3680-4989-bf29-426e950d210f",
|
|
"indicator--58932922-c80c-4b4d-93c7-4b70950d210f",
|
|
"indicator--58932923-1d14-4cac-84a1-4c8b950d210f",
|
|
"indicator--58932924-1f3c-4ff0-b00c-4083950d210f",
|
|
"indicator--58932925-28dc-4dfc-b72c-4a79950d210f",
|
|
"indicator--58932925-8e18-41f9-b8d7-4d02950d210f",
|
|
"indicator--58932926-4ecc-43d7-be08-4605950d210f",
|
|
"indicator--58932927-5404-453e-80d9-4534950d210f",
|
|
"indicator--58932927-a878-4a7d-8f5b-490b950d210f",
|
|
"indicator--58932928-0654-4370-8eb0-49b1950d210f",
|
|
"indicator--58932929-1a48-4472-8e21-4e1b950d210f",
|
|
"indicator--5893292a-bd64-479e-b03b-4864950d210f",
|
|
"indicator--5893292a-b974-491b-a059-4268950d210f",
|
|
"indicator--5893292b-42bc-4b15-8ed4-4daa950d210f",
|
|
"indicator--5893292c-f15c-4d6c-8266-4f96950d210f",
|
|
"indicator--5893292c-ca04-483c-b3cf-47f4950d210f",
|
|
"indicator--5893292d-b614-409b-ad73-45e4950d210f",
|
|
"indicator--5893292e-1bf0-4b0e-b729-4696950d210f",
|
|
"indicator--5893292f-dbe8-4d18-854f-4835950d210f",
|
|
"indicator--5893292f-64a0-42d0-a008-47d9950d210f",
|
|
"indicator--5893295e-2ddc-436b-8a56-4f2f950d210f",
|
|
"indicator--5893295e-797c-42f1-9fa2-405e950d210f",
|
|
"indicator--5893295f-2d60-4e1d-9094-4b8d950d210f",
|
|
"indicator--589329cd-35f0-4f14-83a7-fafb950d210f",
|
|
"indicator--589329ce-157c-44b2-adf9-fafb950d210f",
|
|
"indicator--589329ce-ed50-4892-a636-fafb950d210f",
|
|
"indicator--589329cf-0348-4a7f-ab04-fafb950d210f",
|
|
"indicator--589329d0-9170-4a2f-9af1-fafb950d210f",
|
|
"indicator--589329d1-9b98-428f-bfab-fafb950d210f",
|
|
"indicator--589329d1-6b78-4b55-bbdb-fafb950d210f",
|
|
"indicator--589329d2-a5e8-4b0b-9a10-fafb950d210f",
|
|
"indicator--589329d3-b19c-4856-85df-fafb950d210f",
|
|
"indicator--589329d3-098c-4373-a4d0-fafb950d210f",
|
|
"indicator--589329d4-9778-4ea6-b9f9-fafb950d210f",
|
|
"indicator--589329d5-6548-4042-a2a8-fafb950d210f",
|
|
"indicator--589329d6-92f0-434e-a004-fafb950d210f",
|
|
"indicator--589329d7-ce6c-467e-b1c6-fafb950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"circl:incident-classification=\"phishing\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--589328a6-8f58-41b7-861e-a72f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:40:06.000Z",
|
|
"modified": "2017-02-02T12:40:06.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Egyptian NGOs are currently being targeted by Nile Phish, a large-scale phishing campaign.\r\nAlmost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, which has been referred to as an \u201cunprecedented crackdown\u201d on Egypt\u2019s civil society.\r\nNile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests."
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--589328b7-3598-41f9-a503-4837950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:40:23.000Z",
|
|
"modified": "2017-02-02T12:40:23.000Z",
|
|
"first_observed": "2017-02-02T12:40:23Z",
|
|
"last_observed": "2017-02-02T12:40:23Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--589328b7-3598-41f9-a503-4837950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--589328b7-3598-41f9-a503-4837950d210f",
|
|
"value": "https://citizenlab.org/2017/02/nilephish-report/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932917-4064-4830-a6d1-4b19950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:41:59.000Z",
|
|
"modified": "2017-02-02T12:41:59.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'account-google.serveftp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:41:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932918-a200-4e93-a634-4275950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:00.000Z",
|
|
"modified": "2017-02-02T12:42:00.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'aramex-shipping.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932918-e458-4a3c-9244-4e2e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:00.000Z",
|
|
"modified": "2017-02-02T12:42:00.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'device-activation.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932919-39a8-49e9-9164-4c48950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:01.000Z",
|
|
"modified": "2017-02-02T12:42:01.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'dropbox-service.serveftp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291a-1d70-4170-ba53-4576950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:02.000Z",
|
|
"modified": "2017-02-02T12:42:02.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'dropbox-sign.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291a-ac08-45da-aa57-402e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:02.000Z",
|
|
"modified": "2017-02-02T12:42:02.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'dropboxsupport.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291b-db6c-490a-8b6e-4def950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:03.000Z",
|
|
"modified": "2017-02-02T12:42:03.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'fedex-mail.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291c-1148-4945-980f-4287950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:04.000Z",
|
|
"modified": "2017-02-02T12:42:04.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'fedex-shipping.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291d-78e8-44ba-9d5c-4911950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:05.000Z",
|
|
"modified": "2017-02-02T12:42:05.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'fedex-sign.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291d-7a60-4659-8fe1-4d85950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:05.000Z",
|
|
"modified": "2017-02-02T12:42:05.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googledriver-sign.ddns.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291e-295c-4d72-861f-4ff8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:06.000Z",
|
|
"modified": "2017-02-02T12:42:06.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googledrive-sign.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893291f-c728-420e-91fe-42bd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:07.000Z",
|
|
"modified": "2017-02-02T12:42:07.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'google-maps.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932920-35b8-4f43-b2fd-43f2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:08.000Z",
|
|
"modified": "2017-02-02T12:42:08.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googlesecure-serv.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932920-d574-4b73-9d56-4c92950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:08.000Z",
|
|
"modified": "2017-02-02T12:42:08.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googlesignin.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932921-7ed4-4b05-a967-4b08950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:09.000Z",
|
|
"modified": "2017-02-02T12:42:09.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googleverify-signin.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932922-3680-4989-bf29-426e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:10.000Z",
|
|
"modified": "2017-02-02T12:42:10.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'mailgooglesign.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932922-c80c-4b4d-93c7-4b70950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:10.000Z",
|
|
"modified": "2017-02-02T12:42:10.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'myaccount.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932923-1d14-4cac-84a1-4c8b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:11.000Z",
|
|
"modified": "2017-02-02T12:42:11.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'secure-team.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932924-1f3c-4ff0-b00c-4083950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:12.000Z",
|
|
"modified": "2017-02-02T12:42:12.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'security-myaccount.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932925-28dc-4dfc-b72c-4a79950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:13.000Z",
|
|
"modified": "2017-02-02T12:42:13.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'verification-acc.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932925-8e18-41f9-b8d7-4d02950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:13.000Z",
|
|
"modified": "2017-02-02T12:42:13.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'dropbox-verfy.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932926-4ecc-43d7-be08-4605950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:14.000Z",
|
|
"modified": "2017-02-02T12:42:14.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'fedex-s.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932927-5404-453e-80d9-4534950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:15.000Z",
|
|
"modified": "2017-02-02T12:42:15.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'watchyoutube.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932927-a878-4a7d-8f5b-490b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:15.000Z",
|
|
"modified": "2017-02-02T12:42:15.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'verification-team.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932928-0654-4370-8eb0-49b1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:16.000Z",
|
|
"modified": "2017-02-02T12:42:16.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'securityteam-notify.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58932929-1a48-4472-8e21-4e1b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:17.000Z",
|
|
"modified": "2017-02-02T12:42:17.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'secure-alert.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292a-bd64-479e-b03b-4864950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:18.000Z",
|
|
"modified": "2017-02-02T12:42:18.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'quota-notification.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292a-b974-491b-a059-4268950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:18.000Z",
|
|
"modified": "2017-02-02T12:42:18.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'notification-team.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292b-42bc-4b15-8ed4-4daa950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:19.000Z",
|
|
"modified": "2017-02-02T12:42:19.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'fedex-notification.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292c-f15c-4d6c-8266-4f96950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:20.000Z",
|
|
"modified": "2017-02-02T12:42:20.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'docs-mails.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292c-ca04-483c-b3cf-47f4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:20.000Z",
|
|
"modified": "2017-02-02T12:42:20.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'restricted-videos.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292d-b614-409b-ad73-45e4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:21.000Z",
|
|
"modified": "2017-02-02T12:42:21.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'dropboxnotification.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292e-1bf0-4b0e-b729-4696950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:22.000Z",
|
|
"modified": "2017-02-02T12:42:22.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'moi-gov.serveftp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292f-dbe8-4d18-854f-4835950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:23.000Z",
|
|
"modified": "2017-02-02T12:42:23.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'activate-google.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893292f-64a0-42d0-a008-47d9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:42:23.000Z",
|
|
"modified": "2017-02-02T12:42:23.000Z",
|
|
"description": "domains for this phishing attack",
|
|
"pattern": "[domain-name:value = 'googlemaps.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:42:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893295e-2ddc-436b-8a56-4f2f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:43:10.000Z",
|
|
"modified": "2017-02-02T12:43:10.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '108.61.176.96']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:43:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893295e-797c-42f1-9fa2-405e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:43:10.000Z",
|
|
"modified": "2017-02-02T12:43:10.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.238.191.204']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:43:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5893295f-2d60-4e1d-9094-4b8d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:43:11.000Z",
|
|
"modified": "2017-02-02T12:43:11.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.123.26.42']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:43:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329cd-35f0-4f14-83a7-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:01.000Z",
|
|
"modified": "2017-02-02T12:45:01.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'secure.policy.check@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329ce-157c-44b2-adf9-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:02.000Z",
|
|
"modified": "2017-02-02T12:45:02.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'aramex.shipment@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329ce-ed50-4892-a636-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:02.000Z",
|
|
"modified": "2017-02-02T12:45:02.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'fedex_tracking@outlook.sa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329cf-0348-4a7f-ab04-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:03.000Z",
|
|
"modified": "2017-02-02T12:45:03.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'mails.acc.noreply@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d0-9170-4a2f-9af1-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:04.000Z",
|
|
"modified": "2017-02-02T12:45:04.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'fedex.noreply@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d1-9b98-428f-bfab-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:05.000Z",
|
|
"modified": "2017-02-02T12:45:05.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'customerserviceonlineteam@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d1-6b78-4b55-bbdb-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:05.000Z",
|
|
"modified": "2017-02-02T12:45:05.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'fedexcustomers.service@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d2-a5e8-4b0b-9a10-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:06.000Z",
|
|
"modified": "2017-02-02T12:45:06.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'elnadeem.org@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d3-b19c-4856-85df-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:07.000Z",
|
|
"modified": "2017-02-02T12:45:07.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'dropbox.noreplay@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d3-098c-4373-a4d0-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:07.000Z",
|
|
"modified": "2017-02-02T12:45:07.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'mails.noreply.verify@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d4-9778-4ea6-b9f9-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:08.000Z",
|
|
"modified": "2017-02-02T12:45:08.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'fedex.mails.shipping@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d5-6548-4042-a2a8-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:09.000Z",
|
|
"modified": "2017-02-02T12:45:09.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'dropbox.notifications.mails@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d6-92f0-434e-a004-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:10.000Z",
|
|
"modified": "2017-02-02T12:45:10.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'dropbox.notfication@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--589329d7-ce6c-467e-b1c6-fafb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-02-02T12:45:11.000Z",
|
|
"modified": "2017-02-02T12:45:11.000Z",
|
|
"description": "Phishing emails (claiming to be from legitimate services)",
|
|
"pattern": "[email-message:from_ref.value = 'drive.noreply.mail@gmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-02-02T12:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |