285 lines
No EOL
13 KiB
JSON
285 lines
No EOL
13 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5888f612-8e50-43d8-9603-4d14950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:52:45.000Z",
|
|
"modified": "2017-01-25T19:52:45.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5888f612-8e50-43d8-9603-4d14950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:52:45.000Z",
|
|
"modified": "2017-01-25T19:52:45.000Z",
|
|
"name": "OSINT - Detecting threat actors in recent German industrial attacks with Windows Defender ATP",
|
|
"published": "2017-01-25T19:52:51Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--5888f641-d0d4-48b5-80d9-4757950d210f",
|
|
"observed-data--5888f653-6da0-4004-b86b-4063950d210f",
|
|
"url--5888f653-6da0-4004-b86b-4063950d210f",
|
|
"x-misp-attribute--5888f66a-2e6c-4c10-9efe-4df1950d210f",
|
|
"indicator--5888f71b-4428-47c1-9c4e-5bda950d210f",
|
|
"indicator--5888f71b-9060-4135-86f9-5bda950d210f",
|
|
"indicator--5888f71c-0470-4917-9f46-5bda950d210f",
|
|
"indicator--5888f71d-fc98-4c85-b5c9-5bda950d210f",
|
|
"indicator--5888f71e-b0b8-4a22-a0ef-5bda950d210f",
|
|
"observed-data--5888f761-f828-4fbf-b42e-4bbc02de0b81",
|
|
"url--5888f761-f828-4fbf-b42e-4bbc02de0b81",
|
|
"observed-data--5888f7b5-738c-4861-82e3-47af950d210f",
|
|
"url--5888f7b5-738c-4861-82e3-47af950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:microsoft-activity-group=\"LEAD\"",
|
|
"misp-galaxy:microsoft-activity-group=\"BARIUM\"",
|
|
"misp-galaxy:tool=\"Winnti\"",
|
|
"admiralty-scale:source-reliability=\"b\"",
|
|
"admiralty-scale:information-credibility=\"2\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5888f641-d0d4-48b5-80d9-4757950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:02:25.000Z",
|
|
"modified": "2017-01-25T19:02:25.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Antivirus detection\""
|
|
],
|
|
"x_misp_category": "Antivirus detection",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Win32/Barlaiy"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5888f653-6da0-4004-b86b-4063950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:35.000Z",
|
|
"modified": "2017-01-25T19:06:35.000Z",
|
|
"first_observed": "2017-01-25T19:06:35Z",
|
|
"last_observed": "2017-01-25T19:06:35Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5888f653-6da0-4004-b86b-4063950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5888f653-6da0-4004-b86b-4063950d210f",
|
|
"value": "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5888f66a-2e6c-4c10-9efe-4df1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:44.000Z",
|
|
"modified": "2017-01-25T19:06:44.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Cybercrime Center banner\r\n\r\nWhen a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year, the breach was revealed to be a professionally run industrial espionage attack. According to the German press, the intruders used the Winnti family of malware as their main implant, giving them persistent access to the conglomerate\u00e2\u20ac\u2122s network as early as February 2016.\r\n\r\nIn this blog, we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD. We look at how these activity groups introduce the implant to various targets and techniques used by Microsoft researchers to track the implant.\r\n\r\nTo show how this breach and similar breaches can be mitigated, we look at how Windows Defender Advanced Threat Protection (Windows Defender ATP) flags activities associated with BARIUM, LEAD, and other known activity groups and how it provides extensive threat intelligence about these groups. We go through the Winnti implant installation process and explore how Windows Defender ATP can capture such attacker methods and tools and provide visualized contextual information that can aid in actual attack investigation and response. We then discuss how centralized response options, provided as enhancements to Windows Defender ATP with the Windows 10 Creators Update, can be used to quickly stop threats, including stopping command and control (C&C) communication and preventing existing implants from installing additional components or from moving laterally to other computers on the network."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5888f71b-4428-47c1-9c4e-5bda950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:03.000Z",
|
|
"modified": "2017-01-25T19:06:03.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-01-25T19:06:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5888f71b-9060-4135-86f9-5bda950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:03.000Z",
|
|
"modified": "2017-01-25T19:06:03.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'eada46387b377ff07a4f4c36e1778cd2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-01-25T19:06:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5888f71c-0470-4917-9f46-5bda950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:04.000Z",
|
|
"modified": "2017-01-25T19:06:04.000Z",
|
|
"description": "WINNTI / ASPNET_FILTER.DLL",
|
|
"pattern": "[file:hashes.SHA1 = 'd740674f543565b3616c10c8f9c834ac39bb382f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-01-25T19:06:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5888f71d-fc98-4c85-b5c9-5bda950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:05.000Z",
|
|
"modified": "2017-01-25T19:06:05.000Z",
|
|
"description": "fonfig.exe",
|
|
"pattern": "[file:hashes.SHA1 = '56994d107bad32dddf8516351c9c137c3b1d0724']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-01-25T19:06:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5888f71e-b0b8-4a22-a0ef-5bda950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:06:06.000Z",
|
|
"modified": "2017-01-25T19:06:06.000Z",
|
|
"description": "NlaifSvc.dll",
|
|
"pattern": "[file:hashes.SHA1 = '07d8314ceff227f32bce19b9a8d33a48eec6c7e7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-01-25T19:06:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5888f761-f828-4fbf-b42e-4bbc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:07:13.000Z",
|
|
"modified": "2017-01-25T19:07:13.000Z",
|
|
"first_observed": "2017-01-25T19:07:13Z",
|
|
"last_observed": "2017-01-25T19:07:13Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5888f761-f828-4fbf-b42e-4bbc02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5888f761-f828-4fbf-b42e-4bbc02de0b81",
|
|
"value": "https://www.virustotal.com/file/964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5/analysis/1485233046/"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5888f7b5-738c-4861-82e3-47af950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-01-25T19:08:37.000Z",
|
|
"modified": "2017-01-25T19:08:37.000Z",
|
|
"first_observed": "2017-01-25T19:08:37Z",
|
|
"last_observed": "2017-01-25T19:08:37Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5888f7b5-738c-4861-82e3-47af950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5888f7b5-738c-4861-82e3-47af950d210f",
|
|
"value": "https://blogs.technet.microsoft.com/windowsfurunternehmen/2017/01/25/cyber-angriff-auf-deutsche-industrie-mithilfe-von-windows-defender-atp-aufgedeckt/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |