{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2021-04-21",
|
|
"extends_uuid": "",
|
|
"info": "FireEye Mandiant PulseSecure Exploitation Countermeasures",
|
|
"publish_timestamp": "1618997908",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1618997892",
|
|
"uuid": "b7f8805b-fec8-4491-b866-83a457212437",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#0029ff",
|
|
"name": "estimative-language:confidence-in-analytic-judgment=\"high\""
|
|
},
|
|
{
|
|
"colour": "#001fc2",
|
|
"name": "estimative-language:likelihood-probability=\"almost-certain\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618992456",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
|
|
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618992728",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5cb95524-3fef-4334-9fef-e6d3f00982a4",
|
|
"value": "https://www.circl.lu/pub/tr-63"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "d584973b-e85b-431b-a2f2-c3cd33562245",
|
|
"value": "alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; )"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "55301c17-7b0e-450d-89be-54eb3f096592",
|
|
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "e8e292e5-5fab-4e5b-afa0-89df4eb361d6",
|
|
"value": "alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[<form action=]\"; flow:to_client; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; pcre:\"/<\\/form>\\s{0,512}<pre>/R\"; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; )"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "4ad4982e-87bf-4edc-915b-4ad84f3b13eb",
|
|
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[<form action=]\"; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "2b0bd4a3-3f4a-4e9a-b330-52a196385fc0",
|
|
"value": "alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[Results of]\"; content:\"|0d 0a|Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; fast_pattern; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1618995681",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "baccb07a-3ac5-4a08-89d0-5c02114ad60b",
|
|
"value": "alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE. .[Results of]\"; flow:to_client; content:\"Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; fast_pattern; )"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "3",
|
|
"timestamp": "1618992530",
|
|
"uuid": "57ffce5f-60a8-40ae-b11e-624ca218704d",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1618992530",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "4fa4a70a-3aff-4432-ac42-9409399e196d",
|
|
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1618992530",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "eebfc2b8-6467-4cdd-8a31-041708d20a55",
|
|
"value": "Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process."
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V1 - libdsplibs.so ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618992906",
|
|
"uuid": "6854614c-df9f-4bb5-8de0-857c943be550",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618992906",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "b450f0cd-dbd3-4cb4-90f2-b04355d33d09",
|
|
"value": "23ff4df644aa408d6a074eb8fa9f0da3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618992906",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "2e9d8332-758e-49a1-8678-57f73f34f5a3",
|
|
"value": "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V2 \r\nlibdsplibs.so ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993022",
|
|
"uuid": "874ca0e5-827e-43f8-99f5-a2a5aa60e672",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1618993022",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "7eb05728-7cfe-4be1-968b-6f1e8905f681",
|
|
"value": "libdsplibs.so"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993022",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "7c1cbe4a-6979-4922-9932-6f620bbbf7ec",
|
|
"value": "8bf3ebe60f393f4c2fe0bbeb4976fc46"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993022",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "a15c7419-24c7-4d64-a9b3-4df029bcd606",
|
|
"value": "1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V3 \r\nlibdsplibs.so ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993069",
|
|
"uuid": "cd13cfd7-f4dc-4864-9009-30baa29551a6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993069",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "06e0c098-fb13-4d75-a95c-a3d504d990c0",
|
|
"value": "8f5d87592f68d8350656f722f6f21e10"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993069",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "28469570-b6fc-4997-8f81-6ae68aecae0a",
|
|
"value": "b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V2 Patcher \r\nunknown ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993162",
|
|
"uuid": "1d87313f-7519-4748-bfb1-fc8b60906cf6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993162",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "85b43f16-5dda-419c-8b4a-66e679e7b0fa",
|
|
"value": "32a9bc24c6670a3cf880a8c0c9e9dfaf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993162",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1ba2ad5b-ed88-44cd-9e0e-30a85d5b136a",
|
|
"value": "c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V3 Patcher \r\nunknown ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993200",
|
|
"uuid": "0b65ad47-db4b-4f58-a33c-e671746afa05",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993200",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5deb6034-011d-4cd8-9159-212665dce222",
|
|
"value": "6272aa2f8f47e2a63f138d81e69fdba7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993200",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1fffbd0a-6d4a-41f0-89d0-c879b8f72662",
|
|
"value": "06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V4 Patcher \r\nunknown ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993245",
|
|
"uuid": "5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993245",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "e7d65381-674f-4d5e-94bd-838be28f25b1",
|
|
"value": "beff02edb0f6a7c2b341aa780e88a48c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993245",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "24648106-ebea-4788-b3d3-db4885b7852e",
|
|
"value": "e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLOWPULSE V4 UnPatcher \r\nunknown ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993284",
|
|
"uuid": "efd7b1ec-0fff-498a-ad64-d1d259ebbf82",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993284",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "64585030-e6dd-461e-990f-bfa1ccb20bda",
|
|
"value": "ece3e2a6b6e3531b50cc74c7f87cdc8d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993284",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "71d8e0e3-76bc-4dcc-b146-ef73c24bfb94",
|
|
"value": "b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PULSECHECK \r\nsecid_canceltoken.cgi",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993322",
|
|
"uuid": "35ae369e-4ab2-447c-819c-c366f547ca9c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993322",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d2da6559-edf7-44a9-b6ce-b11922fbfdac",
|
|
"value": "33c4947efe66ce8c175464b4e262fe16"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993322",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "089726bf-6119-4870-8c16-70488206a96d",
|
|
"value": "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PULSECHECK \r\nCompcheckjs.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993368",
|
|
"uuid": "5f99e163-f31e-4994-8a56-4b249d894012",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993368",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "ed249d94-f701-49ed-ad91-6d0273dcff30",
|
|
"value": "9aa378cbec161ccd168be212c8856749"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993368",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "f4130d08-349e-40b8-902c-7f95c852e1fb",
|
|
"value": "6f4dec58548f5193b5e511ecc3c63154ae3c93f9345661a774cb69a1ce16c577"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\napac_login.cgiunknown \r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993417",
|
|
"uuid": "0690ab34-3ffe-4d37-b6a7-4ce477d4de60",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993417",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "f32d321a-0ac5-45b7-8b21-6c3a86c4a481",
|
|
"value": "1cd91b74f8d2d2fe952a97e9040073d8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993417",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "a52a0a5f-c6f3-449b-bf33-d023135ab2ce",
|
|
"value": "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nbasicauth_userpass.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993458",
|
|
"uuid": "30408119-108d-495f-89ca-cbe1dcf0b68b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993458",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "0dfbe8a0-a1f3-47b7-8288-709a0a4032c8",
|
|
"value": "4a2a7cbc1c8855199a27a7a7b51d0117"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993458",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d2db7c8e-a087-489f-9c49-a6cad1a26eb6",
|
|
"value": "293cc71af317593e0e5d9f8c6fd7a732977c63174becc8dedadf8f8f4cc9c922"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\ndswebserver.sh ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993506",
|
|
"uuid": "c0b88e1a-d76c-4226-bffa-45ca59bc2fa9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993506",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "57bb0a19-2d7f-4a92-83cc-a4eadc687f76",
|
|
"value": "4d416e551821ccce8bc9c4457d10573b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993506",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "a14d01f5-cde1-4bc0-96de-e8f8a2ecf00d",
|
|
"value": "b72fdae94e78fe51205966179573693c01eae98ece228af13041855cc4e255b1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nunknown \r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993548",
|
|
"uuid": "dbab04b4-1df0-4055-be1a-2ad6d47b15de",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993548",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "72d9831b-3edf-4501-89ba-b3510e37b804",
|
|
"value": "558090216cf8199802f11da4f70db897"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993548",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "12593459-5515-45a7-b06f-f839da015a8e",
|
|
"value": "dea123cd0a48f01ef9176946f11e4b2b23218018ebcea7ff08d552f88906c52d"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nlogin.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993586",
|
|
"uuid": "5279454c-137c-4df2-ab40-d4f67be95f40",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993586",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "b9f1655a-aeb0-445d-bd69-d7abe5dc88aa",
|
|
"value": "56e2a1566c7989612320f4ef1669e7d5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993586",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "b660374a-9db5-41cd-9fdd-2418de99cc53",
|
|
"value": "e9df4e13131c95c75ca41a95e08599b3d480e5e7a7922ff0a3fa00bef3bd6561"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nlogin.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993639",
|
|
"uuid": "61f23a4d-8a5f-4a4c-b846-4f87797fbb1a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993639",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "02f508a1-8a0d-486c-9b9d-fdc7af003e80",
|
|
"value": "6c63b5c747e8e351426777b7de94da7c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993639",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "ccd8ed79-2e55-4cab-8068-52ac047a3806",
|
|
"value": "61f9f6ae26bd3f4d6632bcc722022079aab1ef1d3ddeb71f0f7db2f14aed4ce4"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nrd.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993750",
|
|
"uuid": "44e27409-7862-42be-bf2b-4d18fa27243f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993750",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "e82b5fe1-cbd7-4c1e-93f0-af14abe50601",
|
|
"value": "957ca40755de8f1f68602476a62799f9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993750",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "a46290eb-a4a9-4268-a40b-32cab5bac2f3",
|
|
"value": "b482dc4d07e0c11d047c25af3bd239b9c57eaa8648cebf639369ec143297b96a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "RADIALPULSE \r\nuserpass.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993794",
|
|
"uuid": "3347af09-6558-4e07-ac68-c7abe87079b9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993794",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "ea74b5d6-1ecc-4be1-9f32-907b83ca9c61",
|
|
"value": "d21705be48b4b38a66e731f6d4125708"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993794",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "fba9669b-ac5e-40d6-bae5-f6fe7b880567",
|
|
"value": "d61d98a3a68a5a35d49c5c7a43d11d3e22bdb7d26bffb6f5aded83c07c90633a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PACEMAKER \r\nmemread \r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618993941",
|
|
"uuid": "ec665abd-0414-4647-b4cd-9fa22e979ab8",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618993941",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "19c6a8f2-03aa-4619-9e43-42e3a48a9114",
|
|
"value": "d7881c4de4d57828f7e1cab15687274b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618993941",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "f2b8195b-4b59-4b71-99d3-565d4f4e5a30",
|
|
"value": "68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PACEMAKER Launcher Utility \r\nunknown\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994067",
|
|
"uuid": "3e50f8b8-0dbc-4bec-80de-30e325671f95",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994067",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "4a86fcff-01d0-4385-9704-6c2f6e62146b",
|
|
"value": "4cb9bb1cdc1931c738843f7dfe63f5c4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994067",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1f59081e-0052-4ff6-be35-a347b4d91664",
|
|
"value": "4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "THINBLOOD \r\ndsclslog ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994112",
|
|
"uuid": "2620c50d-6305-45cb-8aff-e37d50425358",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994112",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "19e96828-d0d0-4fa7-85de-92fdfbd7a5f8",
|
|
"value": "f38fe97c2a7419e62ce72439bdbb85b5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994112",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d055a2d4-e4db-4f71-8097-dffbe58d03d0",
|
|
"value": "88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "THINBLOOD Variant \r\nclear_log.sh ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994171",
|
|
"uuid": "cfaa4938-1778-45cd-b95a-61be8ba0837e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994171",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54995171-1d7b-4a2e-8f6c-9626727673bd",
|
|
"value": "ecbd062c45d5fd38bb7f58289a8f5c86"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994171",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "7aef64d6-8313-45da-be36-15f8d5f10454",
|
|
"value": "1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "SLIGHTPULSE \r\nmeeting_testjs.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994208",
|
|
"uuid": "0da707a9-b329-4d30-b907-01fe6c1de17c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994208",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d4f286dc-da0a-4584-b635-02f376f71a93",
|
|
"value": "57df2d9468b66d7585f79b12d4249f22"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994208",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "af6a9523-2844-499b-973a-1b961940fad2",
|
|
"value": "133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "ATRIUM \r\ncompcheckresult.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994253",
|
|
"uuid": "df51083d-32e2-4812-89bb-f7036472920e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994253",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "be2767ee-a29f-47c0-bde2-7bf622f21ebf",
|
|
"value": "ca0175d86049fa7c796ea06b413857a3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994253",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d9ad16cf-ca3b-41af-ad4f-5eecdc8a9392",
|
|
"value": "f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "ATRIUM \r\ndo-install ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994293",
|
|
"uuid": "5151611d-c11d-47cf-9a9c-5ef132b1a303",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994293",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "dc5c127c-80b3-4740-8070-d1eca7427041",
|
|
"value": "a631b7a8a11e6df3fccb21f4d34dbd8a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994293",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1b53120d-eb41-40b6-9dff-df162eb8f1ad",
|
|
"value": "2202234643bcd4807f21fbe4eb9ef3be9a6857ef92fd5979abb2b97b3c113966"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Persistence Patcher (ATRIUM), sample A of two distinct ATRIUM DSUpgrade.pm samples in this event (hashes differ)\r\nDSUpgrade.pm",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994365",
|
|
"uuid": "298449a1-8e86-409c-96fb-0c225d9f98a9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994365",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "48574406-a20c-4d23-9aad-975e8eaaaa15",
|
|
"value": "d2ef3894c6e46453b7d9416ff0d4d6cc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994365",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "f2fe78d6-8d62-424f-a779-e4c964b06343",
|
|
"value": "224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Persistence Patcher (ATRIUM), sample B of two distinct ATRIUM DSUpgrade.pm samples in this event (hashes differ)\r\nDSUpgrade.pm",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994431",
|
|
"uuid": "cf564f32-56e9-4fe0-87ac-5e5df91b0c9f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994431",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "155a1c4f-4ba4-446a-9772-6e6f7b64ff64",
|
|
"value": "d855ebd2adeaf2b3c87b28e77e9ce4d4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994431",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "9754f09c-928a-4432-8c64-b488be0859b0",
|
|
"value": "a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Persistence Patcher (STEADYPULSE)\r\nDSUpgrade.pm",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994483",
|
|
"uuid": "bbcc14ea-c7fc-4b15-a020-b619641add7e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994483",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "a10b9032-e060-4c51-b80a-ecbf5ce34759",
|
|
"value": "5009b307214abc4ba5e24fa99133b934"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994483",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "990e49fa-44bc-4aea-94b9-bdc09d2e8ea7",
|
|
"value": "64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Persistence Patcher (PULSECHECK)\r\nDSUpgrade.pm",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994521",
|
|
"uuid": "60b5f9a7-ffa3-4d56-a1a7-6642638be3e6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994521",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "b44e849e-c240-4df8-a573-64871321bd1e",
|
|
"value": "de9184422b477ca3b6aae536979e8626"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994521",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1e09c762-78f4-4950-a703-5059f2a137a5",
|
|
"value": "705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Persistence Patcher (associated malware family UNKNOWN)\r\nDSUpgrade.pm",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994576",
|
|
"uuid": "04323a10-ee75-43ae-9150-001fe9a27ab7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994576",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "cc71c34c-00c8-46ae-80d1-0032cf043d33",
|
|
"value": "22cc57df424cac79f5bf78109a443523"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994576",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "32ce598f-64c0-49b1-86cb-f56107624fc4",
|
|
"value": "78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "LOCKPICK (covered by YARA rule FE_APT_Trojan_Linux32_LOCKPICK_1, same md5)\r\nlibcrypto.so",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994614",
|
|
"uuid": "bbdbb662-a8b1-4c13-85f2-898abde6d3f9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994614",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "cd87c270-dbd0-43a8-8b25-290e878d5f65",
|
|
"value": "e8bfd3f5a2806104316902bbe1195ee8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994614",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "2267dfe7-a5c3-4caa-a410-c31fe6e44942",
|
|
"value": "2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "LOCKPICK Patcher\r\nfilename unknown",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994653",
|
|
"uuid": "b4a44973-985c-4058-b968-9cd867f1bef6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "12b43149-1987-4c61-9b41-30ff71195627",
|
|
"value": "0ac5571f69a1cb17110d7c5af772a5eb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994653",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "aa7423da-ec78-4313-bd35-90b120b4acd9",
|
|
"value": "b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "HARDPULSE \r\ncompcheckjava.cgi",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994698",
|
|
"uuid": "ca389b0d-fbe4-42bc-96e3-56b5f4886c9b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994698",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "a4b2d624-8566-4708-a1e3-cdf4ea7a548a",
|
|
"value": "980cba9e82faf194edb6f3cc20dc73ff"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994698",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "b4e8ec9f-d74c-4a4e-80a0-ef921f5a178e",
|
|
"value": "1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PULSEJUMP\r\nfilename unknown",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994748",
|
|
"uuid": "34384af6-0071-435b-84c1-bf8c3420cd08",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994748",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "45037dc7-2ff9-428a-aea3-9d2ed2a16da8",
|
|
"value": "91ee23ee24e100ba4a943bb4c15adb4c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994748",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1cf777a9-7112-480d-ba7e-b9010b8a2ad7",
|
|
"value": "7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "QUIETPULSE \r\ndsserver ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994789",
|
|
"uuid": "1fc8066f-98aa-4e70-b4ee-0710931cdac7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994789",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d7ee7d83-4dc5-41fe-a4b5-69e8352e20bc",
|
|
"value": "00575bec8d74e221ff6248228c509a16"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994789",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "e299b096-b36f-4ba1-bfa4-5821152997d3",
|
|
"value": "9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "QUIETPULSE \r\ndshelper ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994864",
|
|
"uuid": "447d890e-3529-486e-b4f8-704b813d745f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994864",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d6e6b881-b8e2-41f3-88c8-5ac7b8fac08e",
|
|
"value": "82e77d7ad4d39ed71981a3ddca4ff225"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994864",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "cb469440-e27f-4041-82d3-f8cfd1459284",
|
|
"value": "c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "STEADYPULSE \r\nlicenseserverproto.cgi ",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1618994905",
|
|
"uuid": "7bd70c6d-d345-45f3-a8ac-00e4a2149cea",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1618994905",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "0d02a2a1-b7ad-472e-a5d5-bb7ec8d88e59",
|
|
"value": "fb21828f490561810c205241b367095e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1618994905",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "24018992-9619-459d-832d-b8c72571bcd6",
|
|
"value": "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618994994",
|
|
"uuid": "8f5eaca0-34a1-4e85-b6b3-8082bce62175",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618994994",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "7c8863dc-7683-485a-bb49-f1e1d856bed3",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Webshell_PL_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"ca0175d86049fa7c796ea06b413857a3\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"system(\"\r\n $s3 = /if[\\x09\\x20]{0,32}\\(CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\)\\s{0,128}\\{[\\x09\\x20]{0,32}print [\\x22\\x27]Cache-Control: no-cache\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}print [\\x22\\x27]Content-type: text\\/html\\\\n\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}my \\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)[\\x09\\x20]{0,32};\\s{0,128}system\\([\\x22\\x27]\\$/\r\n condition:\r\n all of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995030",
|
|
"uuid": "4f5204e2-efbe-4200-8f2c-bc6ebbb952da",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995030",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5e918e09-7634-46a9-b33d-0cbb72ac48f9",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Trojan_SH_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"a631b7a8a11e6df3fccb21f4d34dbd8a\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"Cache-Control: no-cache\"\r\n $s3 = \"system(\"\r\n $s4 = /sed -i [^\\r\\n]{1,128}CGI::param\\([^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Cache-Control: no-cache[^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Content-type: text\\/html[^\\r\\n]{1,128}my [^\\r\\n]{1,128}=[\\x09\\x20]{0,32}CGI::param\\([^\\r\\n]{1,128}system\\(/\r\n condition:\r\n all of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995063",
|
|
"uuid": "c73a7441-1444-42a9-974d-3f3e64168bcc",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995063",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "da941f60-25f1-452e-a5b3-3d0e39eee059",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_HARDPULSE \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"980cba9e82faf194edb6f3cc20dc73ff\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}unless[\\x09\\x20]{0,32}\\(open\\(\\$\\w{1,64},[\\x09\\x20]{0,32}\\$\\w{1,64}\\)\\)\\s{0,128}\\{\\s{1,128}goto[\\x09\\x20]{1,32}\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}return[\\x09\\x20]{1,32}0[\\x09\\x20]{0,32}\\x3b\\s{0,128}\\}/ \r\n $r2 = /open[\\x09\\x20]{0,32}\\(\\*\\w{1,64}[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>/ \r\n $r3 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}print[\\x09\\x20]{0,32}[\\x22\\x27]Content-type/ \r\n $s1 = \"CGI::request_method()\" \r\n $s2 = \"CGI::param(\" \r\n $s3 = \"syswrite(\" \r\n $s4 = \"print $_\" \r\n condition: \r\n all of them \r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995096",
|
|
"uuid": "642cf927-5c24-4846-b8a7-5b895c87594f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995096",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "c4174751-2ba7-4633-bfc4-f2e3c698002a",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_LOCKPICK_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"e8bfd3f5a2806104316902bbe1195ee8\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }\r\n $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }\r\n condition:\r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995129",
|
|
"uuid": "c7b0b3ec-3c74-4329-abc4-0d4414228f90",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995129",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "f3991509-ef0a-4f91-8480-99f512140ad5",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00/proc/%d/mem\\x00\" \r\n $s2 = \"\\x00/proc/%s/maps\\x00\" \r\n $s3 = \"\\x00/proc/%s/cmdline\\x00\" \r\n $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } \r\n $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995157",
|
|
"uuid": "76f29c1c-c880-4baa-be5a-cecf57c18d38",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995157",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5cf39ce1-27b2-485f-9ad2-e49970b71053",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00Name:%s || Pwd:%s || AuthNum:%s\\x0a\\x00\" \r\n $s2 = \"\\x00/proc/%d/mem\\x00\" \r\n $s3 = \"\\x00/proc/%s/maps\\x00\" \r\n $s4 = \"\\x00/proc/%s/cmdline\\x00\" \r\n condition: \r\n (uint32(0) == 0x464c457f) and all of them \r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995186",
|
|
"uuid": "12ee2578-f80b-4db9-b7c5-75c5f05215f2",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995186",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "19c91b92-4fd1-46ad-801a-f3823c11f5ad",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_PULSECHECK_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /while[\\x09\\x20]{0,32}\\(<\\w{1,64}>\\)[\\x09\\x20]{0,32}\\{\\s{1,256}\\$\\w{1,64}[\\x09\\x20]{0,32}\\.=[\\x09\\x20]{0,32}\\$_;\\s{0,256}\\}/ \r\n $s1 = \"use Crypt::RC4;\" \r\n $s2 = \"use MIME::Base64\" \r\n $s3 = \"MIME::Base64::decode(\" \r\n $s4 = \"popen(\" \r\n $s5 = \" .= $_;\" \r\n $s6 = \"print MIME::Base64::encode(RC4(\" \r\n $s7 = \"HTTP_X_\" \r\n condition: \r\n $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 \r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995229",
|
|
"uuid": "ef28ce31-93a2-48a8-8ed8-b56b8caf60a7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995229",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "f2392100-d4c8-4554-b7d9-20da95826507",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_PULSEJUMP_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"91ee23ee24e100ba4a943bb4c15adb4c\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"open(\"\r\n $s2 = \">>/tmp/\"\r\n $s3 = \"syswrite(\"\r\n $s4 = /\\}[\\x09\\x20]{0,32}elsif[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27](Radius|Samba|AD)[\\x22\\x27][\\x09\\x20]{0,32}\\)\\s{0,128}\\{\\s{0,128}@\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}&/\r\n condition:\r\n all of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1618995259",
|
|
"uuid": "d11dc00d-249a-4b44-a70d-8d1912c6b012",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1618995259",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "be80b924-9f86-4c8c-a5e5-28d7aef3a0b9",
|
|
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_QUIETPULSE \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"00575bec8d74e221ff6248228c509a16\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = /open[\\x09\\x20]{0,32}\\(\\*STDOUT[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s2 = /open[\\x09\\x20]{0,32}\\(\\*STDERR[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s3 = /socket[\\x09\\x20]{0,32}\\(SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}PF_UNIX[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOCK_STREAM[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{0,128}unlink/ \r\n $s4 = /bind[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}sockaddr_un\\(/ \r\n $s5 = /listen[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOMAXCONN[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};/ \r\n $s6 = /my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}fork\\([\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{1,128}if[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{0,32}==[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32}\\{\\s{1,128}exec\\(/ \r\n condition: \r\n all of them \r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995292",
"uuid": "b78852fc-95f7-4ec5-a7ed-e001320e19b4",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995292",
"to_ids": true,
"type": "yara",
"uuid": "0796b36d-d4d7-4379-b475-1ce462e5766a",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_1 \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $s1 = \"->getRealmInfo()->{name}\" \r\n $s2 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>/ \r\n $s3 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]realm=\\$/ \r\n $s4 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]username=\\$/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]password=\\$/ \r\n condition: \r\n (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995320",
"uuid": "9df4fc8c-7277-4488-9f3b-ff2a0f51aa66",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995320",
"to_ids": true,
"type": "yara",
"uuid": "05fe3a12-d1eb-48de-af91-f21fab1a3200",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_2 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/[\\w.]{1,128}[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$\\w{1,128} ?[\\x22\\x27],[\\x09\\x20]{0,32}5000\\)/ \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995355",
"uuid": "b79a5423-1769-4be7-a580-909c99a08598",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995355",
"to_ids": true,
"type": "yara",
"uuid": "25930cf6-c47d-48c4-a3f1-5e3f66258200",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_3 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/dsstartssh\\.statementcounters[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$username ?[\\x22\\x27],[\\x09\\x20]{0,32}\\d{4}\\)/ \r\n condition: \r\n all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995387",
"uuid": "17e7dce5-405d-4cf1-8d2f-9f3de6653c75",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995387",
"to_ids": true,
"type": "yara",
"uuid": "2e8d68ef-a463-4af8-9b32-3f5fa6f6d52b",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Backdoor_Linux32_SLOWPULSE_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\"\r\n sha256 = \"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} \r\n $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} \r\n $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} \r\n $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} \r\n $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995417",
"uuid": "95be007c-e7a2-45a6-a1ff-d0f334e662da",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995417",
"to_ids": true,
"type": "yara",
"uuid": "1040bf8f-d212-4d84-b89c-d8db89190042",
"value": "rule FE_APT_Backdoor_Linux32_SLOWPULSE_2\r\n{ \r\n meta: \r\n author = \"Strozfriedberg\" \r\n date_created = \"2021-04-16\"\r\n sha256 = \"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $sig = /[\\x20-\\x7F]{16}([\\x20-\\x7F\\x00]+)\\x00.{1,32}\\xE9.{3}\\xFF\\x00+[\\x20-\\x7F][\\x20-\\x7F\\x00]{16}/ \r\n\r\n // TOI_MAGIC_STRING \r\n $exc1 = /\\xED\\xC3\\x02\\xE9\\x98\\x56\\xE5\\x0C/ \r\n condition:\r\n uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1618995447",
"uuid": "40e78b71-1425-4450-aa39-08ecaa30f0df",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1618995447",
"to_ids": true,
"type": "yara",
"uuid": "ea766dc1-2087-4a38-9046-1d5788dd7259",
"value": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_STEADYPULSE_1\r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $s1 = \"parse_parameters\" \r\n $s2 = \"s/\\\\+/ /g\" \r\n $s3 = \"s/%(..)/pack(\" \r\n $s4 = \"MIME::Base64::encode($\" \r\n $s5 = \"$|=1;\" \r\n $s6 = \"RC4(\" \r\n $s7 = \"$FORM{'cmd'}\" \r\n condition: \r\n all of them \r\n}"
}
]
}
]
}
}