{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2022-09-12",
|
|
"extends_uuid": "",
|
|
"info": "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free",
|
|
"publish_timestamp": "1666603355",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1666603345",
|
|
"uuid": "761270e6-3a97-4c18-9a44-a844cb5b562b",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"name": "osint:certainty=\"50\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\""
|
|
},
|
|
{
|
|
"colour": "#064d00",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\""
|
|
},
|
|
{
|
|
"colour": "#064d00",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:malpedia=\"Chisel (ELF)\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:malpedia=\"Chisel (Windows)\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:malpedia=\"Lorenz\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:ransomware=\"Lorenz Ransomware\""
|
|
},
|
|
{
|
|
"colour": "#000000",
|
|
"name": "dnc:malware-type=\"Ransomware\""
|
|
},
|
|
{
|
|
"colour": "#39b300",
|
|
"name": "enisa:nefarious-activity-abuse=\"ransomware\""
|
|
},
|
|
{
|
|
"colour": "#006c6c",
|
|
"name": "ecsirt:malicious-code=\"ransomware\""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"name": "malware_classification:malware-category=\"Ransomware\""
|
|
},
|
|
{
|
|
"colour": "#00acd1",
|
|
"name": "veris:action:malware:variety=\"Ransomware\""
|
|
},
|
|
{
|
|
"colour": "#000000",
|
|
"name": "Ransomware"
|
|
},
|
|
{
|
|
"colour": "#420053",
|
|
"name": "ms-caro-malware:malware-type=\"Ransom\""
|
|
},
|
|
{
|
|
"colour": "#001739",
|
|
"name": "ms-caro-malware-full:malware-type=\"Ransom\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663230900",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "efce45a5-d17b-4da7-8e4a-02cc68b78064",
|
|
"value": "CVE-2022-29499"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Data exfiltration via FileZilla",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663241378",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "00352f55-b2a8-4eb0-b764-9ce328ce4e81",
|
|
"value": "138.197.218.11",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"united states\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Data exfiltration via FileZilla",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663241419",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "6fba8d44-4605-4a77-aec4-ead4519463bf",
|
|
"value": "138.68.19.94",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"united states\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Used to download Chisel",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663230900",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6",
|
|
"value": "138.68.59.16"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Data exfiltration via FileZilla",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663241443",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164",
|
|
"value": "159.65.248.159",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"united states\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663241629",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "892a5cd0-0395-4491-b996-8d45fb4ac7cf",
|
|
"value": "206.188.197.125",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"netherlands\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Data exfiltration via FileZilla",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663241419",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "6549b64d-0f09-4813-b9eb-31ccdb09f9de",
|
|
"value": "64.190.113.100",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"united states\""
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1663227795",
|
|
"uuid": "62263df7-4b98-46f0-8925-c02d90716c82",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1663227795",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "086cf17a-272e-405e-b4bb-24abe206d118",
|
|
"value": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1663227795",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8184f511-f31a-4fa5-9a74-d3df2998a0d5",
|
|
"value": "Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1663227795",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "260b4c23-6508-4b5d-bf02-b06183013575",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1663231414",
|
|
"uuid": "eb00b3cf-fe12-4a16-b44b-21c2c89c72f6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Chisel",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1663231414",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "707c73ef-8bab-4d55-9287-830e67c92bee",
|
|
"value": "97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1663231414",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "24c92a5d-8d6e-452a-94fe-14a0f4ab53cf",
|
|
"value": "mem"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "9",
|
|
"timestamp": "1663231502",
|
|
"uuid": "47511f00-1ba7-4843-a276-a7174b6448b2",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Used to exploit the Mitel device (CVE-2022-29499)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1663231502",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "cf262512-e7a6-4c58-ab98-501b6bbdbaed",
|
|
"value": "137.184.181.252"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "dst-port",
|
|
"timestamp": "1663231502",
|
|
"to_ids": false,
|
|
"type": "port",
|
|
"uuid": "65078267-d28d-4ca9-b743-ff34b1d5f3dd",
|
|
"value": "8443"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1663234275",
|
|
"uuid": "0ad373ea-22f7-4fd3-967a-52541d545ea1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Webshell",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1663234275",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "4d9b1740-117c-484c-a65c-2d96de2dd6f4",
|
|
"value": "07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1663234275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "d0ebe166-0da3-4700-8eb7-13d41b8d2d92",
|
|
"value": "pdf_import_export.php"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
|
|
"meta-category": "network",
|
|
"name": "asn",
|
|
"template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
|
|
"template_version": "3",
|
|
"timestamp": "1663242137",
|
|
"uuid": "b310d8a7-6e3d-4080-91b6-91d13b06d33a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "asn",
|
|
"timestamp": "1663242137",
|
|
"to_ids": false,
|
|
"type": "AS",
|
|
"uuid": "9fc054f0-cffa-4a00-94d5-5ee5723ec47e",
|
|
"value": "14061"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1663242137",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "bed2aa5b-01fc-4f7a-93e9-4de853023f38",
|
|
"value": "DIGITALOCEAN-ASN"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "country",
|
|
"timestamp": "1663242137",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4e594b04-59ac-408f-bc05-4b8cddf92947",
|
|
"value": "US"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subnet-announced",
|
|
"timestamp": "1663242137",
|
|
"to_ids": true,
|
|
"type": "ip-src",
|
|
"uuid": "aaead232-226d-4496-a022-b11398e33206",
|
|
"value": "138.197.218.11"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subnet-announced",
|
|
"timestamp": "1663242137",
|
|
"to_ids": true,
|
|
"type": "ip-src",
|
|
"uuid": "d2a1ca46-fbfe-43fb-ae75-4b4871f5bbdc",
|
|
"value": "138.68.19.94"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subnet-announced",
|
|
"timestamp": "1663242137",
|
|
"to_ids": true,
|
|
"type": "ip-src",
|
|
"uuid": "f2cbea0b-3a1a-422e-8666-ecbf932fe3dd",
|
|
"value": "159.65.248.159"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
|
|
"meta-category": "network",
|
|
"name": "asn",
|
|
"template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
|
|
"template_version": "3",
|
|
"timestamp": "1663242199",
|
|
"uuid": "e7caa4ad-275f-4622-803d-5a5bc059bef5",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "asn",
|
|
"timestamp": "1663242199",
|
|
"to_ids": false,
|
|
"type": "AS",
|
|
"uuid": "67858e0e-3a3d-4f3d-8dd7-fefa847deedd",
|
|
"value": "399629"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1663242199",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "59d27e3b-b2b3-4b6b-ada2-3b2e55e05074",
|
|
"value": "BL Networks"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "country",
|
|
"timestamp": "1663242199",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2e9f97bf-35cc-4c10-afac-278120060fa8",
|
|
"value": "NL"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subnet-announced",
|
|
"timestamp": "1663242199",
|
|
"to_ids": true,
|
|
"type": "ip-src",
|
|
"uuid": "0ea13694-5cc0-42b2-9cf9-f45676493691",
|
|
"value": "206.188.197.125"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
|
|
"meta-category": "network",
|
|
"name": "asn",
|
|
"template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
|
|
"template_version": "3",
|
|
"timestamp": "1663242230",
|
|
"uuid": "93d05fa9-55f4-4607-b7c6-16e2ec591700",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "asn",
|
|
"timestamp": "1663242230",
|
|
"to_ids": false,
|
|
"type": "AS",
|
|
"uuid": "ba396f22-2d05-4d3d-afe6-eebd3f31dd7e",
|
|
"value": "399629"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1663242230",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "ff9921c9-1959-49c2-8839-e28e2f8e24e0",
|
|
"value": "BL Networks"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "country",
|
|
"timestamp": "1663242230",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2bb9b0a4-2ca0-49bb-841d-5b53d92d781f",
|
|
"value": "US"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subnet-announced",
|
|
"timestamp": "1663242231",
|
|
"to_ids": true,
|
|
"type": "ip-src",
|
|
"uuid": "78d613c1-7197-468e-8f28-72d9acfdaf1a",
|
|
"value": "64.190.113.100"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing one or more Suricata rule(s) along with version and contextual information.",
|
|
"meta-category": "network",
|
|
"name": "suricata",
|
|
"template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
|
|
"template_version": "2",
|
|
"timestamp": "1663242412",
|
|
"uuid": "7efd1d01-3ad0-450c-95e5-c02a1dd99b88",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "suricata",
|
|
"timestamp": "1663242412",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "e2c67c4c-4cdf-4157-a13d-f48e7c58568b",
|
|
"value": "alert tls any any -> $HOME_NET any (msg:\"[Arctic Wolf Labs] Possible Ncat shell via SSL/TLS\"; flow:established,to_client; content:\"|41 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 4e 63 61 74|\";tls_cert_issuer; content:\"CN=localhost\";depth:12;sid:10000;rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "suricata",
|
|
"timestamp": "1663242412",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "3d6283e0-6b14-46c3-93c2-460861d4c90d",
|
|
"value": "alert http any any -> any any (msg:\"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php\"; http_uri;content:\"/vhelp/pdf/\"; http_uri; content:\"curl\"; http_user_agent;pcre:\"/(?:[A-Za-z\\d+\\/]{4})*(?:[A-Za-z\\d+\\/]{3}=|[A-Za-z\\d+\\/]{2}==)?$/\"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ref",
|
|
"timestamp": "1663242412",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "c20ca78f-fabd-40f8-9ef6-154ee53f0bd0",
|
|
"value": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing one or more Suricata rule(s) along with version and contextual information.",
|
|
"meta-category": "network",
|
|
"name": "suricata",
|
|
"template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
|
|
"template_version": "2",
|
|
"timestamp": "1663243934",
|
|
"uuid": "3dd56064-19ea-46f0-b3ce-3ac65d5ae66b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "suricata",
|
|
"timestamp": "1663243934",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "dcd14519-1c31-46c1-8d47-3e12939d6dc3",
|
|
"value": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\"; flow:established,to_server; content:\"GET\"; http_method; content:\"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/\"; http_uri; http_header_names; content:!\"Referer\"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ref",
|
|
"timestamp": "1663243934",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "745896e2-7759-4d04-b42b-425f9d91ec6c",
|
|
"value": "https://threatintel.proofpoint.com/sid/2037121#references1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing one or more Suricata rule(s) along with version and contextual information.",
|
|
"meta-category": "network",
|
|
"name": "suricata",
|
|
"template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
|
|
"template_version": "2",
|
|
"timestamp": "1663243974",
|
|
"uuid": "046432a6-3ff8-47de-b73c-2239f71798c5",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "suricata",
|
|
"timestamp": "1663243974",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "79c6eb51-9f8d-466d-b810-4d83121ab150",
|
|
"value": "#alert tcp any any -> any !$SSH_PORTS (msg:\"ET POLICY SSH Client Banner Detected on Unusual Port\"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:\"SSH-\"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ref",
|
|
"timestamp": "1663243975",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "3cc6c417-23b0-4207-a16c-aae84241f501",
|
|
"value": "https://threatintel.proofpoint.com/sid/2001980"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1663244802",
|
|
"uuid": "66c1a496-fc3d-4160-86e2-11a8b120da5e",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "reference",
|
|
"timestamp": "1663244802",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "54a4c0aa-bd23-4c3a-899a-8335a683a4c8",
|
|
"value": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1663244802",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "9f709927-e9e6-4328-a3a6-1cafb6f21d94",
|
|
"value": "rule webshell_php_3b64command: Webshells PHP B64 {\r\n meta:\r\n Description= \"Detects Possible PHP Webshell expecting triple base64 command\"\r\n Category = \"Malware\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Hash = \"07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $decode = \"base64_decode(base64_decode(base64_decode(\" ascii\r\n $encode = \"base64_encode(base64_encode(base64_encode(\" ascii\r\n $s1 = \"popen(\" ascii\r\n $s2 = \"pclose\" ascii\r\n $s3 = \"fread(\" ascii\r\n $s4 = \"$_POST\" ascii\r\n condition:\r\n $decode and $encode\r\n and 3 of ($s*)\r\n and filesize < 2KB\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1663244802",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "cf174050-e6f9-48fa-8610-2a39ac235a94",
|
|
"value": "webshell_php_3b64command: Webshells PHP B64"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1663244827",
|
|
"uuid": "54e0dd10-1259-40f6-abbe-030482b53812",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "reference",
|
|
"timestamp": "1663244827",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "9755b10d-6d25-4d21-a459-f6f1ac23c281",
|
|
"value": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1663244827",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "66724ad2-81e5-4912-b0ad-0763dfcb123f",
|
|
"value": "rule hktl_chisel_artifacts: Chisel Hacktool Artifacts {\r\n meta:\r\n Description = \"looks for hacktool chisel artifacts potentially left in memory or unallocated space\"\r\n Category = \"Tool\"\r\n Author = \"Arctic Wolf Labs\"\r\n Date = \"2022-09-12\"\r\n Reference = \"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\"\r\n strings:\r\n $chisel = \"chisel_1.\" ascii\r\n $s1 = \"client\" ascii\r\n $s2 = \"--tls-skip-verify\" ascii\r\n $s3 = \"--fingerprint\" ascii\r\n $s4 = \"R:socks\" ascii\r\n condition:\r\n $chisel or 3 of ($s*)\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1663244827",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "ef19bc84-ecaa-4aee-94b6-55744c61a49a",
|
|
"value": "hktl_chisel_artifacts: Chisel Hacktool Artifacts"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a Sigma rule (or a Sigma rule name).",
|
|
"meta-category": "misc",
|
|
"name": "sigma",
|
|
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
|
|
"template_version": "1",
|
|
"timestamp": "1663244892",
|
|
"uuid": "47a5ff44-cb7d-46c6-a522-8db93e1f379a",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "reference",
|
|
"timestamp": "1663244892",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "ba95c882-13a3-4152-93d3-78980d936608",
|
|
"value": "https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sigma",
|
|
"timestamp": "1663244892",
|
|
"to_ids": true,
|
|
"type": "sigma",
|
|
"uuid": "a7287c83-f7ea-4616-adf0-5c2c46ca3144",
|
|
"value": "title: Process Dump via Comsvcs DLL\r\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\r\nstatus: test\r\ndescription: Detects process memory dump via comsvcs.dll and rundll32\r\nauthor: Modexp (idea)\r\nreferences:\r\n - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\r\n - https://twitter.com/SBousseaden/status/1167417096374050817\r\ndate: 2019/09/02\r\nmodified: 2021/11/27\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n rundll_image:\r\n Image|endswith: '\\rundll32.exe'\r\n rundll_ofn:\r\n OriginalFileName: 'RUNDLL32.EXE'\r\n selection:\r\n CommandLine|contains|all:\r\n - 'comsvcs'\r\n - 'MiniDump' #Matches MiniDump and MinidumpW\r\n - 'full'\r\n condition: (rundll_image or rundll_ofn) and selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - unknown\r\nlevel: medium\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1218.011\r\n - attack.credential_access\r\n - attack.t1003.001\r\n - attack.t1003 # an old one"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sigma-rule-name",
|
|
"timestamp": "1663244892",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "c8e5f130-66dd-41c5-89d9-6acdeb07ab80",
|
|
"value": "Process Dump via Comsvcs DLL"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a Sigma rule (or a Sigma rule name).",
|
|
"meta-category": "misc",
|
|
"name": "sigma",
|
|
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
|
|
"template_version": "1",
|
|
"timestamp": "1663244997",
|
|
"uuid": "996361d8-5e7e-4e6f-8004-d40c38408096",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "reference",
|
|
"timestamp": "1663244997",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "31a24608-6691-457b-9f86-0256c2cb1f42",
|
|
"value": "https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sigma",
|
|
"timestamp": "1663244997",
|
|
"to_ids": true,
|
|
"type": "sigma",
|
|
"uuid": "c59fd0a8-5b13-4a94-b026-8a71a86e6497",
|
|
"value": "title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nid: 74403157-20f5-415d-89a7-c505779585cf\r\nstatus: test\r\ndescription: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines\r\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\r\ndate: 2020/10/11\r\nmodified: 2022/07/14\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n CommandLine|contains: 'ConvertTo-SecureString'\r\n condition: selection\r\nfalsepositives:\r\n - Unlikely\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1027\r\n - attack.execution\r\n - attack.t1059.001"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1663244997",
"to_ids": false,
"type": "text",
"uuid": "a97f98d5-dec3-4780-bd9e-c3ac9886133a",
"value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1663245194",
"uuid": "1a6c2f52-af2e-4cbb-a487-0b249f970dc9",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663245194",
"to_ids": false,
"type": "link",
"uuid": "d44e0513-93eb-400f-82df-33da4b06927e",
"value": "https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1663245194",
"to_ids": true,
"type": "sigma",
"uuid": "2f547dd0-7ed0-462b-9a32-5e1bbb68bb7b",
"value": "title: CrackMapExec Process Patterns\r\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\r\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\r\nstatus: experimental\r\nauthor: Florian Roth\r\nreferences:\r\n - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\r\ndate: 2022/03/12\r\nmodified: 2022/05/27\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection_lsass_dump1:\r\n CommandLine|contains|all:\r\n - 'cmd.exe /c '\r\n - 'tasklist /fi '\r\n - 'Imagename eq lsass.exe'\r\n User|contains: # covers many language settings\r\n - 'AUTHORI'\r\n - 'AUTORI'\r\n selection_lsass_dump2:\r\n CommandLine|contains|all:\r\n - 'do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump'\r\n - '\\Windows\\Temp\\'\r\n - ' full'\r\n - '%%B'\r\n selection_procdump:\r\n CommandLine|contains|all:\r\n - 'tasklist /v /fo csv'\r\n - 'findstr /i \"lsass\"'\r\n condition: 1 of selection*\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1663245194",
"to_ids": false,
"type": "text",
"uuid": "5ee19a29-639e-4f9b-bab3-c64c901447a9",
"value": "CrackMapExec Process Patterns"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1663246536",
"uuid": "33bb1b75-b184-406b-b981-12bc9e86352c",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663246536",
"to_ids": false,
"type": "link",
"uuid": "00ecfc3b-94d9-41d2-800c-1bc50e05290e",
"value": "https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1663246536",
"to_ids": true,
"type": "sigma",
"uuid": "a6bc8003-825c-4065-a9ea-baeddc728697",
"value": "title: PowerShell as a Service in Registry\r\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\r\ndescription: Detects that a powershell code is written to the registry as a service.\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2021/05/21\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.execution\r\n - attack.t1569.002\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|contains: '\\Services\\'\r\n TargetObject|endswith: '\\ImagePath'\r\n Details|contains:\r\n - 'powershell'\r\n - 'pwsh'\r\n condition: selection\r\nfalsepositives: \r\n - Unknown\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1663246536",
"to_ids": false,
"type": "text",
"uuid": "a570bae1-a24e-4f04-a1c3-aa294d3471ab",
"value": "PowerShell as a Service in Registry"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1663246594",
"uuid": "69b405d5-2c50-46c2-9866-83e6c1dc8799",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663246594",
"to_ids": false,
"type": "link",
"uuid": "e1d515c5-2840-4cee-96d4-b075d220d8b8",
"value": "https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1663246594",
"to_ids": true,
"type": "sigma",
"uuid": "4b53d570-8ff4-4413-a779-9531efa88b2b",
"value": "title: Remote Task Creation via ATSVC Named Pipe\r\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\r\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\r\nauthor: Samir Bousseaden\r\ndate: 2019/04/03\r\nreferences:\r\n - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\r\ntags:\r\n - attack.lateral_movement\r\n - attack.persistence\r\n - attack.t1053\r\n - car.2013-05-004\r\n - car.2015-04-001\r\nlogsource:\r\n product: windows\r\n service: security\r\n description: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\r\ndetection:\r\n selection:\r\n EventID: 5145\r\n ShareName: \\\\*\\IPC$\r\n RelativeTargetName: atsvc\r\n Accesses: '*WriteData*'\r\n condition: selection\r\nfalsepositives:\r\n - pentesting\r\nlevel: medium"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1663246594",
"to_ids": false,
"type": "text",
"uuid": "8f093294-6ebc-4806-9a2c-006dd723c874",
"value": "Remote Task Creation via ATSVC Named Pipe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1663246741",
"uuid": "1cefa739-fd00-462e-a8ed-bd4964a10476",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663246741",
"to_ids": false,
"type": "link",
"uuid": "ee252939-235b-46f0-a2ef-7ed34bc6c030",
"value": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1663246741",
"to_ids": true,
"type": "sigma",
"uuid": "d14f0fef-e003-480f-8001-8303f34b498e",
"value": "title: Accessing WinAPI in PowerShell for Credentials Dumping\r\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\r\ndescription: Detects Accessing to lsass.exe by Powershell\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2022/07/14\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID:\r\n - 8\r\n - 10\r\n SourceImage|endswith:\r\n - '\\powershell.exe'\r\n - '\\pwsh.exe'\r\n TargetImage|endswith: '\\lsass.exe'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1663246741",
"to_ids": false,
"type": "text",
"uuid": "131b2111-451c-41f5-b0b9-9f534b3927c1",
"value": "Accessing WinAPI in PowerShell for Credentials Dumping"
}
]
}
]
}
}