488 lines
No EOL
23 KiB
JSON
488 lines
No EOL
23 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--60118dab-1ab8-40b2-b02b-b6f80aba047c",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-06-01T13:09:37.000Z",
|
|
"modified": "2021-06-01T13:09:37.000Z",
|
|
"name": "CERT-FR_1510",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--60118dab-1ab8-40b2-b02b-b6f80aba047c",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-06-01T13:09:37.000Z",
|
|
"modified": "2021-06-01T13:09:37.000Z",
|
|
"name": "[CERT-FR] Sandworm intrusion set campaign targeting Centreon systems",
|
|
"published": "2021-06-03T06:35:09Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--f8883b86-2c53-45c3-8c5a-f07a92e2cb11",
|
|
"x-misp-attribute--edd5abb9-f1c9-4232-86ed-f196be3409f4",
|
|
"observed-data--bad6d43d-ca69-4f28-b724-95c6b6cae48e",
|
|
"url--bad6d43d-ca69-4f28-b724-95c6b6cae48e",
|
|
"x-misp-attribute--e7eb3aff-9486-4d05-a717-8fa70e93bced",
|
|
"indicator--4de76d7c-6155-4f00-b9ef-dfb4678c331b",
|
|
"indicator--e97c0599-b476-4754-9c23-67e90e47b161",
|
|
"indicator--fbab8de1-e0a7-4b13-8c86-6b51e855761a",
|
|
"x-misp-attribute--d6f7e6f3-6789-4028-8048-af14ad9f7247",
|
|
"x-misp-attribute--420bf406-ac48-4ed4-8a70-6aaacb7ecaeb",
|
|
"x-misp-attribute--c79f9713-47c3-4bd3-a1f2-0326cd7dc457",
|
|
"x-misp-attribute--c61bed7c-dc0a-4780-8471-14b299400f51",
|
|
"x-misp-attribute--956357dc-8eff-4d61-ab4e-fa24136505d2",
|
|
"x-misp-attribute--e0a61f2c-850f-48ce-85f6-dcdd85ad9bbc",
|
|
"x-misp-attribute--70255c9e-fc5e-4bcf-9f71-f7df4412a9ed",
|
|
"x-misp-attribute--e440aa3a-cbec-4e98-8681-6fcbbde389e7",
|
|
"x-misp-attribute--7b6e5d40-ae2f-40aa-a207-9d569ca3951f",
|
|
"x-misp-attribute--0dee95bf-8855-47e5-88c1-b07bc70de321",
|
|
"indicator--b0989f9c-96d3-40ce-ad1b-5ee1c1728c71",
|
|
"indicator--5dc5b6d6-0adc-494b-af96-df9fd503f27b",
|
|
"indicator--368d9b48-fc32-426d-acef-94aa829ccb61",
|
|
"indicator--a561555f-df46-4d33-95c9-893e05d95a77"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"fr-classif:non-classifiees=\"NON-CLASSIFIEES\"",
|
|
"cossi:RechercheSourceOuverte=\"Interdite\"",
|
|
"cossi:fiabilite=\"Bonne\"",
|
|
"misp-galaxy:threat-actor=\"IRIDIUM\"",
|
|
"misp-galaxy:threat-actor=\"TeleBots\"",
|
|
"misp-galaxy:threat-actor=\"Sandworm\"",
|
|
"misp-galaxy:threat-actor=\"ELECTRUM\"",
|
|
"cossi:TLP=\"white\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",
|
|
"osint:source-type=\"block-or-filter-list\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--f8883b86-2c53-45c3-8c5a-f07a92e2cb11",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-01-27T15:58:35.000Z",
|
|
"modified": "2021-01-27T15:58:35.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"Other\"",
|
|
"misp:to_ids=\"True\"",
|
|
"DescriptionTechnique"
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Backdoors related to Sandworm"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--edd5abb9-f1c9-4232-86ed-f196be3409f4",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:29.000Z",
|
|
"modified": "2021-02-16T12:26:29.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Attack name",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "TeleBots"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--bad6d43d-ca69-4f28-b724-95c6b6cae48e",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:29.000Z",
|
|
"modified": "2021-02-16T12:26:29.000Z",
|
|
"first_observed": "2021-02-16T12:26:29Z",
|
|
"last_observed": "2021-02-16T12:26:29Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--bad6d43d-ca69-4f28-b724-95c6b6cae48e"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--bad6d43d-ca69-4f28-b724-95c6b6cae48e",
|
|
"value": "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2016-066"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--e7eb3aff-9486-4d05-a717-8fa70e93bced",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Description",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "These IOCs come from an ANSSI report (CERTFR-2021-CTI-004) published on February 15, 2021, which document a campaign of system compromises that impacted several French entities. This campaign targeted the Centreon IT monitoring software.\r\n\r\nThe first compromises identified by the ANSSI date back from the end of 2017 and the attacks have continued until 2020. They mainly affected IT service providers, particularly web hosting providers.\r\n\r\nOn the compromised systems, the webshell P.A.S. (alias Fobushell) is deployed in the Centreon web folder. Its content remains encrypted until the attacker connects to it and enters the right password.\r\n\r\nIn several cases, this webshell has been used to deploy the Exaramel backdoor. This malware written in Go language is also deployed in the Centreon directory and its persistence is ensured via a scheduled task (Cron).\r\n\r\nThe initial vector of this attack campaign is not precisely known. It can simply be assumed that it involves the exploitation of a vulnerability or a weakness in the Centreon monitoring software.\r\n\r\nThe analyses allowed to identify two categories of infrastructure used in these attacks:\r\n\r\n\r\n\tAnonymization infrastructure: attackers use Tor or VPN services to connect to the webshells,\r\n\tCommand and control infrastructure: Attackers use dedicated servers to manage the implants.\r\n\r\n\r\nNote: Exaramel communicates with its command and control servers via HTTPS.\r\n\r\nWARNING: the ANSSI does not attribute these attacks to the Sandworm group (alias Telebots) and therefore even less to a Russian intelligence unit. The similarities observed relate to the modus operandi implemented: in particular the Exaramel backdoor and infrastructure elements. In reality, these elements of similarity even seem rather weak, at least on the sole reading of the ANSSI report."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4de76d7c-6155-4f00-b9ef-dfb4678c331b",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-18T16:51:59.000Z",
|
|
"modified": "2021-02-18T16:51:59.000Z",
|
|
"description": "Socket created by Exaramel",
|
|
"pattern": "[file:name = '/tmp/.applocktx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-18T16:51:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e97c0599-b476-4754-9c23-67e90e47b161",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-18T16:51:59.000Z",
|
|
"modified": "2021-02-18T16:51:59.000Z",
|
|
"description": "Socket created by Exaramel",
|
|
"pattern": "[file:name = '/tmp/.applock']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-18T16:51:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fbab8de1-e0a7-4b13-8c86-6b51e855761a",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-18T16:53:34.000Z",
|
|
"modified": "2021-02-18T16:53:34.000Z",
|
|
"description": "Exaramel configuration file",
|
|
"pattern": "[file:name = 'configtx.json']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-18T16:53:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--d6f7e6f3-6789-4028-8048-af14ad9f7247",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:31.000Z",
|
|
"modified": "2021-02-16T12:26:31.000Z",
|
|
"labels": [
|
|
"misp:type=\"target-location\"",
|
|
"misp:category=\"Targeting data\""
|
|
],
|
|
"x_misp_category": "Targeting data",
|
|
"x_misp_comment": "Cert-IST Targeted Country",
|
|
"x_misp_type": "target-location",
|
|
"x_misp_value": "France"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--420bf406-ac48-4ed4-8a70-6aaacb7ecaeb",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Malware Name",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Exaramel"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--c79f9713-47c3-4bd3-a1f2-0326cd7dc457",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Malware Name",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Fobushell"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--c61bed7c-dc0a-4780-8471-14b299400f51",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Malware Name",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "PAS"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--956357dc-8eff-4d61-ab4e-fa24136505d2",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Malware Name",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "P.A.S."
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--e0a61f2c-850f-48ce-85f6-dcdd85ad9bbc",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Attack Alias",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Sandworm Team"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--70255c9e-fc5e-4bcf-9f71-f7df4412a9ed",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:30.000Z",
|
|
"modified": "2021-02-16T12:26:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Attack Alias",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "ELECTRUM"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--e440aa3a-cbec-4e98-8681-6fcbbde389e7",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:29.000Z",
|
|
"modified": "2021-02-16T12:26:29.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_comment": "Cert-IST Attack Alias",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "BlackEnergy"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--7b6e5d40-ae2f-40aa-a207-9d569ca3951f",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:31.000Z",
|
|
"modified": "2021-02-16T12:26:31.000Z",
|
|
"labels": [
|
|
"misp:type=\"datetime\"",
|
|
"misp:category=\"Other\""
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_comment": "Cert-IST First Disclosed Date",
|
|
"x_misp_type": "datetime",
|
|
"x_misp_value": "2021-01-26T23:00:00+00:00"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--0dee95bf-8855-47e5-88c1-b07bc70de321",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-02-16T12:26:31.000Z",
|
|
"modified": "2021-02-16T12:26:31.000Z",
|
|
"labels": [
|
|
"misp:type=\"datetime\"",
|
|
"misp:category=\"Other\""
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_comment": "Cert-IST First Seen Date",
|
|
"x_misp_type": "datetime",
|
|
"x_misp_value": "2017-10-31T23:00:00+00:00"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b0989f9c-96d3-40ce-ad1b-5ee1c1728c71",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-01-27T15:58:35.000Z",
|
|
"modified": "2021-01-27T15:58:35.000Z",
|
|
"description": "Linux/Exaramel backdoor",
|
|
"pattern": "[file:hashes.MD5 = '92ef0aaf5f622b1253e5763f11a08857' AND file:hashes.SHA1 = 'a739f44390037b3d0a3942cd43d161a7c45fd7e7' AND file:hashes.SHA256 = 'e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146' AND file:name = 'centreon_module_linux_app64']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-01-27T15:58:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cossi:fiabilite=\"Bonne\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc5b6d6-0adc-494b-af96-df9fd503f27b",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-01-27T15:58:35.000Z",
|
|
"modified": "2021-01-27T15:58:35.000Z",
|
|
"description": "P.A.S. webshell with LF lines",
|
|
"pattern": "[file:hashes.MD5 = '84837778682450cdca43d1397afd2310' AND file:hashes.SHA1 = 'c69db1b120d21bd603f13006d87e817fed016667' AND file:hashes.SHA256 = '893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc' AND file:name = 'search.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-01-27T15:58:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cossi:fiabilite=\"Bonne\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--368d9b48-fc32-426d-acef-94aa829ccb61",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-01-27T15:58:35.000Z",
|
|
"modified": "2021-01-27T15:58:35.000Z",
|
|
"description": "P.A.S. webshell with CRLF lines",
|
|
"pattern": "[file:hashes.MD5 = 'a89251cd4c15909a8e15256ead40584e' AND file:hashes.SHA1 = 'b7afb8c91f8f9df4f18764c25251576a0f8bef6f' AND file:hashes.SHA256 = '928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa' AND file:name = 'DB-Drop.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-01-27T15:58:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cossi:fiabilite=\"Bonne\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a561555f-df46-4d33-95c9-893e05d95a77",
|
|
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
|
|
"created": "2021-01-27T15:58:35.000Z",
|
|
"modified": "2021-01-27T15:58:35.000Z",
|
|
"description": "SetUID Binary",
|
|
"pattern": "[file:hashes.MD5 = '9885fcdda12167b2f598b2d22de07d5b' AND file:hashes.SHA1 = '5a58e46e5b8f468445f848f8eca741eddebcef3e' AND file:hashes.SHA256 = 'ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a' AND file:name = '/bin/backup']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-01-27T15:58:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"cossi:fiabilite=\"Bonne\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |