misp-circl-feed/feeds/circl/stix-2.1/581efd8c-7320-42e1-93b6-430102de0b81.json


{
"type": "bundle",
"id": "bundle--581efd8c-7320-42e1-93b6-430102de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:07:33.000Z",
"modified": "2016-11-06T10:07:33.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--581efd8c-7320-42e1-93b6-430102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:07:33.000Z",
"modified": "2016-11-06T10:07:33.000Z",
"name": "Yara Rule Set - detection of Empire by Florian Roth (PowerShell and Python post-exploitation agent.)",
"published": "2016-11-06T10:07:45Z",
"object_refs": [
"observed-data--581efd9f-1ed4-4575-ad8c-475702de0b81",
"url--581efd9f-1ed4-4575-ad8c-475702de0b81",
"indicator--581efdc5-cc10-43e2-a9d2-407302de0b81",
"indicator--581efddb-b6e0-4b40-a2f4-47ba02de0b81",
"indicator--581efdeb-a918-444f-912c-4b9602de0b81",
"indicator--581efdff-6ddc-4752-89fb-485f02de0b81",
"indicator--581efe15-182c-4a00-bded-439202de0b81",
"indicator--581efe26-b710-4586-9ddd-418d02de0b81",
"indicator--581efe37-7244-49f0-84fe-412a02de0b81",
"indicator--581efe49-2f28-46a9-9855-429e02de0b81",
"indicator--581efe5b-442c-4aa2-bb73-4d7502de0b81",
"indicator--581efe6c-9c48-4143-a91f-4c6002de0b81",
"indicator--581efe81-4d54-4fbf-b687-4bca02de0b81",
"indicator--581efe91-8460-4156-8bdc-48e302de0b81",
"indicator--581efea3-d140-46a5-83b3-464302de0b81",
"indicator--581efeb5-eaac-4beb-a104-4d4702de0b81",
"indicator--581efec4-4e58-4de6-a706-44e702de0b81",
"indicator--581efed9-3cc0-4170-84ba-430a02de0b81",
"indicator--581efef2-27a4-4558-8c9a-43b502de0b81",
"indicator--581eff00-8ed0-4b83-8ce5-468302de0b81",
"indicator--581eff13-aa70-4a4f-b9df-49c402de0b81",
"indicator--581eff50-d410-4275-a70b-4e2d02de0b81",
"indicator--581eff60-2ff4-4280-88cd-406502de0b81",
"indicator--581eff6f-0f04-446d-a5c0-40fa02de0b81",
"indicator--581eff94-9c94-4ce6-bb0b-4bbf02de0b81",
"indicator--581effa7-6eec-4e0b-9925-4e9302de0b81",
"indicator--581effbc-5838-4a76-9cce-4e8702de0b81",
"indicator--581effce-d7e4-4a05-9385-40d602de0b81",
"indicator--581effe6-df20-4d6d-b2a1-4a7602de0b81",
"indicator--581efffb-bb00-4a06-a9b1-41ff02de0b81",
"indicator--581f0012-cce0-4716-a3fa-47be02de0b81",
"indicator--581f0025-2108-4e3e-9f88-4c4c02de0b81",
"indicator--581f0044-47d0-4258-ad34-4ec902de0b81",
"indicator--581f005a-74d4-42c2-b69a-492e02de0b81",
"indicator--581f006d-c9cc-4b62-98d5-461202de0b81",
"indicator--581f007f-b594-4b1d-8a3f-466702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-type=\"HackTool\"",
"osint:source-type=\"technical-report\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--581efd9f-1ed4-4575-ad8c-475702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:53:35.000Z",
"modified": "2016-11-06T09:53:35.000Z",
"first_observed": "2016-11-06T09:53:35Z",
"last_observed": "2016-11-06T09:53:35Z",
"number_observed": 1,
"object_refs": [
"url--581efd9f-1ed4-4575-ad8c-475702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--581efd9f-1ed4-4575-ad8c-475702de0b81",
"value": "https://github.com/Neo23x0/signature-base/blob/master/yara/gen_empire.yar"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efdc5-cc10-43e2-a9d2-407302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:54:12.000Z",
"modified": "2016-11-06T09:54:12.000Z",
"pattern": "[rule Empire_Invoke_MetasploitPayload {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-MetasploitPayload.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54\"\r\n strings:\r\n $s1 = \"$ProcessInfo.Arguments=\\\"-nop -c $DownloadCradle\\\"\" fullword ascii\r\n $s2 = \"$PowershellExe=$env:windir+'\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 9KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efddb-b6e0-4b40-a2f4-47ba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:54:35.000Z",
"modified": "2016-11-06T09:54:35.000Z",
"pattern": "[rule Empire_Exploit_Jenkins {\r\n meta:\r\n description = \"Detects Empire component - file Exploit-Jenkins.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729\"\r\n strings:\r\n $s1 = \"$postdata=\\\"script=println+new+ProcessBuilder%28%27\\\"+$($Cmd)+\\\"\" ascii\r\n $s2 = \"$url = \\\"http://\\\"+$($Rhost)+\\\":\\\"+$($Port)+\\\"/script\\\"\" fullword ascii\r\n $s3 = \"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:54:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efdeb-a918-444f-912c-4b9602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:54:51.000Z",
"modified": "2016-11-06T09:54:51.000Z",
"pattern": "[rule Empire_Get_SecurityPackages {\r\n meta:\r\n description = \"Detects Empire component - file Get-SecurityPackages.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1\"\r\n strings:\r\n $s1 = \"$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)\" fullword ascii\r\n $s2 = \"$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:54:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efdff-6ddc-4752-89fb-485f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:55:11.000Z",
"modified": "2016-11-06T09:55:11.000Z",
"pattern": "[rule Empire_Invoke_PowerDump {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PowerDump.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1\"\r\n strings:\r\n $x16 = \"$enc = Get-PostHashdumpScript\" fullword ascii\r\n $x19 = \"$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;\" fullword ascii\r\n $x20 = \"$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:55:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe15-182c-4a00-bded-439202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:55:33.000Z",
"modified": "2016-11-06T09:55:33.000Z",
"pattern": "[rule Empire_Install_SSP {\r\n meta:\r\n description = \"Detects Empire component - file Install-SSP.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165\"\r\n strings:\r\n $s1 = \"Install-SSP -Path .\\\\mimilib.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:55:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe26-b710-4586-9ddd-418d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:55:50.000Z",
"modified": "2016-11-06T09:55:50.000Z",
"pattern": "[rule Empire_Invoke_ShellcodeMSIL {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-ShellcodeMSIL.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f\"\r\n strings:\r\n $s1 = \"$FinalShellcode.Length\" fullword ascii\r\n $s2 = \"@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)\" fullword ascii\r\n $s3 = \"@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,\" fullword ascii\r\n $s4 = \"$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:55:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe37-7244-49f0-84fe-412a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:56:07.000Z",
"modified": "2016-11-06T09:56:07.000Z",
"pattern": "[rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {\r\n meta:\r\n description = \"Detects Empire component - file PowerUp.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c\"\r\n strings:\r\n $x2 = \"$PoolPasswordCmd = 'c:\\\\windows\\\\system32\\\\inetsrv\\\\appcmd.exe list apppool\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:56:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe49-2f28-46a9-9855-429e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:56:25.000Z",
"modified": "2016-11-06T09:56:25.000Z",
"pattern": "[rule Empire_Invoke_Mimikatz {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-Mimikatz.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n strings:\r\n $s1 = \"= \\\"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ\" ascii\r\n $s2 = \"Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \\\"Void\\\", 0, \\\"\\\", $ExeArgs)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:56:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe5b-442c-4aa2-bb73-4d7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:56:43.000Z",
"modified": "2016-11-06T09:56:43.000Z",
"pattern": "[rule Empire_Get_GPPPassword {\r\n meta:\r\n description = \"Detects Empire component - file Get-GPPPassword.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0\"\r\n strings:\r\n $s1 = \"$Base64Decoded = [Convert]::FromBase64String($Cpassword)\" fullword ascii\r\n $s2 = \"$XMlFiles += Get-ChildItem -Path \\\"\\\\\\\\$DomainController\\\\SYSVOL\\\" -Recurse\" ascii\r\n $s3 = \"function Get-DecryptedCpassword {\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:56:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe6c-9c48-4143-a91f-4c6002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:57:00.000Z",
"modified": "2016-11-06T09:57:00.000Z",
"pattern": "[rule Empire_Invoke_SmbScanner {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SmbScanner.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd\"\r\n strings:\r\n $s1 = \"$up = Test-Connection -count 1 -Quiet -ComputerName $Computer \" fullword ascii\r\n $s2 = \"$out | add-member Noteproperty 'Password' $Password\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:57:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe81-4d54-4fbf-b687-4bca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:57:21.000Z",
"modified": "2016-11-06T09:57:21.000Z",
"pattern": "[rule Empire_Exploit_JBoss {\r\n meta:\r\n description = \"Detects Empire component - file Exploit-JBoss.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653\"\r\n strings:\r\n $s1 = \"Exploit-JBoss\" fullword ascii\r\n $s2 = \"$URL = \\\"http$($SSL)://\\\" + $($Rhost) + ':' + $($Port)\" ascii\r\n $s3 = \"\\\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service\" ascii\r\n $s4 = \"http://blog.rvrsh3ll.net\" fullword ascii\r\n $s5 = \"Remote URL to your own WARFile to deploy.\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:57:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efe91-8460-4156-8bdc-48e302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:57:37.000Z",
"modified": "2016-11-06T09:57:37.000Z",
"pattern": "[rule Empire_dumpCredStore {\r\n meta:\r\n description = \"Detects Empire component - file dumpCredStore.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350\"\r\n strings:\r\n $x1 = \"[DllImport(\\\"Advapi32.dll\\\", SetLastError = true, EntryPoint = \\\"CredReadW\\\"\" ascii\r\n $s12 = \"[String] $Msg = \\\"Failed to enumerate credentials store for user '$Env:UserName'\\\"\" fullword ascii\r\n $s15 = \"Rtn = CredRead(\\\"Target\\\", CRED_TYPE.GENERIC, out Cred);\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efea3-d140-46a5-83b3-464302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:57:55.000Z",
"modified": "2016-11-06T09:57:55.000Z",
"pattern": "[rule Empire_Invoke_EgressCheck {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-EgressCheck.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534\"\r\n strings:\r\n $s1 = \"egress -ip $ip -port $c -delay $delay -protocol $protocol\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:57:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efeb5-eaac-4beb-a104-4d4702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:58:13.000Z",
"modified": "2016-11-06T09:58:13.000Z",
"pattern": "[rule Empire_ReflectivePick_x64_orig {\r\n meta:\r\n description = \"Detects Empire component - file ReflectivePick_x64_orig.dll\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2\"\r\n strings:\r\n $s1 = \"\\\\PowerShellRunner.pdb\" fullword ascii\r\n $s2 = \"PowerShellRunner.dll\" fullword wide\r\n $s3 = \"ReflectivePick_x64.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:58:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efec4-4e58-4de6-a706-44e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:58:28.000Z",
"modified": "2016-11-06T09:58:28.000Z",
"pattern": "[rule Empire_Out_Minidump {\r\n meta:\r\n description = \"Detects Empire component - file Out-Minidump.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1\"\r\n strings:\r\n $s1 = \"$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,\" fullword ascii\r\n $s2 = \"$ProcessFileName = \\\"$($ProcessName)_$($ProcessId).dmp\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:58:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efed9-3cc0-4170-84ba-430a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:58:49.000Z",
"modified": "2016-11-06T09:58:49.000Z",
"pattern": "[rule Empire_Invoke_PsExec {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PsExec.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88\"\r\n strings:\r\n $s1 = \"Invoke-PsExecCmd\" fullword ascii\r\n $s2 = \"\\\"[*] Executing service .EXE\" fullword ascii\r\n $s3 = \"$cmd = \\\"%COMSPEC% /C echo $Command ^> %systemroot%\\\\Temp\\\\\" ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:58:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efef2-27a4-4558-8c9a-43b502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:59:14.000Z",
"modified": "2016-11-06T09:59:14.000Z",
"pattern": "[rule Empire_Invoke_PostExfil {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PostExfil.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e\"\r\n strings:\r\n $s1 = \"# upload to a specified exfil URI\" fullword ascii\r\n $s2 = \"Server path to exfil to.\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:59:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff00-8ed0-4b83-8ce5-468302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:59:28.000Z",
"modified": "2016-11-06T09:59:28.000Z",
"pattern": "[rule Empire_Invoke_SMBAutoBrute {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SMBAutoBrute.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2\"\r\n strings:\r\n $s1 = \"[*] PDC: LAB-2008-DC1.lab.com\" fullword ascii\r\n $s2 = \"$attempts = Get-UserBadPwdCount $userid $dcs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff13-aa70-4a4f-b9df-49c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T09:59:47.000Z",
"modified": "2016-11-06T09:59:47.000Z",
"pattern": "[rule Empire_Get_Keystrokes {\r\n meta:\r\n description = \"Detects Empire component - file Get-Keystrokes.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad\"\r\n strings:\r\n $s1 = \"$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T09:59:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff50-d410-4275-a70b-4e2d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:00:48.000Z",
"modified": "2016-11-06T10:00:48.000Z",
"pattern": "[rule Empire_Invoke_DllInjection {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-DllInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0\"\r\n strings:\r\n $s1 = \"-Dll evil.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:00:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff60-2ff4-4280-88cd-406502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:01:04.000Z",
"modified": "2016-11-06T10:01:04.000Z",
"pattern": "[rule Empire_KeePassConfig {\r\n meta:\r\n description = \"Detects Empire component - file KeePassConfig.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3\"\r\n strings:\r\n $s1 = \"$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:01:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff6f-0f04-446d-a5c0-40fa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:01:19.000Z",
"modified": "2016-11-06T10:01:19.000Z",
"pattern": "[rule Empire_Invoke_SSHCommand {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SSHCommand.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242\"\r\n strings:\r\n $s1 = \"$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA\" ascii\r\n $s2 = \"Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \\\"id\\\"\" fullword ascii\r\n $s3 = \"Write-Verbose \\\"[*] Error loading dll\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:01:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581eff94-9c94-4ce6-bb0b-4bbf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:01:56.000Z",
"modified": "2016-11-06T10:01:56.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerShell_Framework_Gen1 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash3 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash4 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash5 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"Write-BytesToMemory -Bytes $Shellcode\" ascii\r\n $s2 = \"$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:01:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581effa7-6eec-4e0b-9925-4e9302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:02:15.000Z",
"modified": "2016-11-06T10:02:15.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerUp_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c\"\r\n strings:\r\n $s1 = \"$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath\" fullword ascii\r\n $s2 = \"$Result = sc.exe pause $($TargetService.Name)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:02:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581effbc-5838-4a76-9cce-4e8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:02:36.000Z",
"modified": "2016-11-06T10:02:36.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerShell_Framework_Gen2 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash3 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash5 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash6 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash8 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $x1 = \"$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)\" fullword ascii\r\n $s20 = \"#Shellcode: CallDllMain.asm\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:02:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581effce-d7e4-4a05-9385-40d602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:02:54.000Z",
"modified": "2016-11-06T10:02:54.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_Agent_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files agent.ps1, agent.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db\"\r\n hash2 = \"380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db\"\r\n strings:\r\n $s1 = \"$wc.Headers.Add(\\\"User-Agent\\\",$script:UserAgent)\" fullword ascii\r\n $s2 = \"$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)\" fullword ascii\r\n $s3 = \"if ($script:AgentDelay -ne 0){\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:02:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581effe6-df20-4d6d-b2a1-4a7602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:03:18.000Z",
"modified": "2016-11-06T10:03:18.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerShell_Framework_Gen3 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash3 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash4 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"if (($PEInfo.FileType -ieq \\\"DLL\\\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))\" fullword ascii\r\n $s2 = \"remote DLL injection\" ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:03:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581efffb-bb00-4a06-a9b1-41ff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:03:39.000Z",
"modified": "2016-11-06T10:03:39.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_Invoke_InveighRelay_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41\"\r\n strings:\r\n $s1 = \"$inveigh.SMBRelay_failed_list.Add(\\\"$HTTP_NTLM_domain_string\\\\$HTTP_NTLM_user_string $SMBRelayTarget\\\")\" fullword ascii\r\n $s2 = \"$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:03:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f0012-cce0-4716-a3fa-47be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:04:02.000Z",
"modified": "2016-11-06T10:04:02.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_KeePassConfig_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3\"\r\n strings:\r\n $s1 = \"$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:04:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f0025-2108-4e3e-9f88-4c4c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:04:21.000Z",
"modified": "2016-11-06T10:04:21.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_Invoke_Portscan_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3\"\r\n strings:\r\n $s1 = \"Test-Port -h $h -p $Port -timeout $Timeout\" fullword ascii\r\n $s2 = \"1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:04:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f0044-47d0-4258-ad34-4ec902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:04:52.000Z",
"modified": "2016-11-06T10:04:52.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerShell_Framework_Gen4 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-BypassUAC.ps1, Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DllInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PsExec.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-Shellcode.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9\"\r\n hash2 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash3 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash4 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash5 = \"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0\"\r\n hash6 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash7 = \"0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88\"\r\n hash8 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash9 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n hash10 = \"fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438\"\r\n strings:\r\n $s1 = \"Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\\\\\')[-1].Equals('System.dll') }\" fullword ascii\r\n $s2 = \"# Get a handle to the module specified\" fullword ascii\r\n $s3 = \"$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))\" fullword ascii\r\n $s4 = \"$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:04:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f005a-74d4-42c2-b69a-492e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:05:14.000Z",
"modified": "2016-11-06T10:05:14.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n strings:\r\n $s1 = \"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle\" fullword ascii\r\n $s2 = \"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:05:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f006d-c9cc-4b62-98d5-461202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:05:33.000Z",
"modified": "2016-11-06T10:05:33.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_Invoke_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash2 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash3 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"$Shellcode1 += 0x48\" fullword ascii\r\n $s2 = \"$PEHandle = [IntPtr]::Zero\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581f007f-b594-4b1d-8a3f-466702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T10:05:51.000Z",
"modified": "2016-11-06T10:05:51.000Z",
"description": "Super Rules",
"pattern": "[rule Empire_PowerShell_Framework_Gen5 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash3 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"if ($ExeArgs -ne $null -and $ExeArgs -ne '')\" fullword ascii\r\n $s2 = \"$ExeArgs = \\\"ReflectiveExe $ExeArgs\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-11-06T10:05:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}