misp-circl-feed/feeds/circl/misp/59ec91ee-ae0c-4d5a-b149-4c0d02de0b81.json

{
  "Event": {
    "analysis": "2",
    "date": "2017-10-22",
    "extends_uuid": "",
    "info": "OSINT -  US CERT TA17-293A report - renamed PsExec execution (sigma/SIEM ruleset)",
    "publish_timestamp": "1508679034",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1508677312",
    "uuid": "59ec91ee-ae0c-4d5a-b149-4c0d02de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-intrusion-set=\"Dragonfly\"",
        "relationship_type": ""
      },
      {
        "colour": "#12e200",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Energetic Bear\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Artifacts dropped",
        "comment": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1508676127",
        "to_ids": true,
        "type": "sigma",
        "uuid": "59ec921f-60d4-4693-8c63-43ad02de0b81",
        "value": "title: Ps.exe Renamed SysInternals Tool\r\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report\r\nreference: https://www.us-cert.gov/ncas/alerts/TA17-293A\r\nauthor: Florian Roth\r\ndate: 2017/10/22\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection:\r\n        EventID: 1\r\n        CommandLine: 'ps.exe -accepteula'\r\n    condition: selection\r\nfalsepositives:\r\n    - Renamed SysInternals tool\r\nlevel: high"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1508676162",
        "to_ids": false,
        "type": "link",
        "uuid": "59ec9242-cfcc-4634-8fca-416c02de0b81",
        "value": "https://github.com/Neo23x0/sigma/blob/801d739a3ba81b9b080efe33aea52c6893790853/rules/apt/apt_ta17_293a_ps.yml"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1508676231",
        "to_ids": false,
        "type": "link",
        "uuid": "59ec9287-bc74-4c24-8c98-495c02de0b81",
        "value": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
      }
    ]
  }
}