misp-circl-feed/feeds/circl/misp/58d39c29-8244-4fcf-a48b-40db950d210f.json

537 lines
No EOL
24 KiB
JSON

{
"type": "bundle",
"id": "bundle--58d39c29-8244-4fcf-a48b-40db950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58d39c29-8244-4fcf-a48b-40db950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"name": "OSINT - Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure",
"published": "2017-03-23T10:02:09Z",
"object_refs": [
"observed-data--58d39c3d-8908-4925-8b24-418c950d210f",
"url--58d39c3d-8908-4925-8b24-418c950d210f",
"x-misp-attribute--58d39c4e-1eec-4a83-96da-474c950d210f",
"indicator--58d39c5f-bb60-44f1-a30f-42f8950d210f",
"indicator--58d39c60-3e70-4d30-8732-41e4950d210f",
"indicator--58d39c7e-32e0-4558-911b-4358950d210f",
"indicator--58d39c80-c7b4-44e7-9a70-4d03950d210f",
"indicator--58d39c80-26d8-4afd-a1fa-444c950d210f",
"indicator--58d39c81-8f4c-443e-b5b8-4624950d210f",
"indicator--58d39ca6-c634-4226-82c4-494e950d210f",
"indicator--58d39ca7-64c0-4cae-8562-45e9950d210f",
"indicator--58d39cb8-c2c8-4923-9ef1-4507950d210f",
"indicator--58d39cf9-44d0-4837-847e-4bb402de0b81",
"indicator--58d39cfa-8a84-40f4-8652-40d002de0b81",
"observed-data--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
"url--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
"indicator--58d39cfc-62b8-493e-bac9-450e02de0b81",
"indicator--58d39cfd-4738-4014-ac84-413302de0b81",
"observed-data--58d39cfe-7a60-4250-b08d-480602de0b81",
"url--58d39cfe-7a60-4250-b08d-480602de0b81",
"indicator--58d39cff-dbec-4aef-8012-4bd502de0b81",
"indicator--58d39d00-7e14-464a-9970-455f02de0b81",
"observed-data--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
"url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39c3d-8908-4925-8b24-418c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"first_observed": "2017-03-23T10:01:17Z",
"last_observed": "2017-03-23T10:01:17Z",
"number_observed": 1,
"object_refs": [
"url--58d39c3d-8908-4925-8b24-418c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39c3d-8908-4925-8b24-418c950d210f",
"value": "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58d39c4e-1eec-4a83-96da-474c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "As a researcher, when I find an attacker working, one of the first places I start to pivot is the command and control infrastructure. I do this because I want to see if I can find additional binaries, indicators of attack, or additional infrastructure being used by an adversary.\r\n\r\nWhen looking at attacker infrastructure, one of the things that annoys analysts the most is attackers using Whois protection services for registering domains that are used as attack infrastructure. At first glance, many analysts will abandon an investigation when finding privacy protected domains. So, in this blog, I intend to show just how you can pivot on a privacy protected indicator of attack infrastructure, and ultimately find good intelligence data.\r\n\r\nPlease keep in mind, in this blog I will not be attributing this activity to any specific nation state. We have indicators that point to a specific actor group, but nation-state attribution is a tricky and near impossible endeavor, therefore we shy away from making any nation-state attribution claims."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c5f-bb60-44f1-a30f-42f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.199.61.51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c60-3e70-4d30-8732-41e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '86.105.18.5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c7e-32e0-4558-911b-4358950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[domain-name:value = 'primeminister-goverment-techcenter.tech']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c80-c7b4-44e7-9a70-4d03950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[url:value = 'http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c80-26d8-4afd-a1fa-444c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[domain-name:value = 'static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39c81-8f4c-443e-b5b8-4624950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"pattern": "[domain-name:value = '212.199.61.51.static.012.net.il']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39ca6-c634-4226-82c4-494e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx",
"pattern": "[file:hashes.SHA256 = '5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39ca7-64c0-4cae-8562-45e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"description": "PDFOPENER_CONSOLE.exe",
"pattern": "[file:hashes.SHA256 = '4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cb8-c2c8-4923-9ef1-4507950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:17.000Z",
"modified": "2017-03-23T10:01:17.000Z",
"description": "oleObject1.bin",
"pattern": "[file:hashes.SHA256 = '7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cf9-44d0-4837-847e-4bb402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:29.000Z",
"modified": "2017-03-23T10:01:29.000Z",
"description": "oleObject1.bin - Xchecked via VT: 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6",
"pattern": "[file:hashes.SHA1 = '59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cfa-8a84-40f4-8652-40d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:30.000Z",
"modified": "2017-03-23T10:01:30.000Z",
"description": "oleObject1.bin - Xchecked via VT: 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6",
"pattern": "[file:hashes.MD5 = 'b34721e53599286a1093c90a9dd0b789']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:31.000Z",
"modified": "2017-03-23T10:01:31.000Z",
"first_observed": "2017-03-23T10:01:31Z",
"last_observed": "2017-03-23T10:01:31Z",
"number_observed": 1,
"object_refs": [
"url--58d39cfb-e1fc-4ef3-8864-45e002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
"value": "https://www.virustotal.com/file/7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6/analysis/1480095398/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cfc-62b8-493e-bac9-450e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:32.000Z",
"modified": "2017-03-23T10:01:32.000Z",
"description": "PDFOPENER_CONSOLE.exe - Xchecked via VT: 4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59",
"pattern": "[file:hashes.SHA1 = '15cac8196cc1cec4d3909698fc5d8a5250d826b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cfd-4738-4014-ac84-413302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:33.000Z",
"modified": "2017-03-23T10:01:33.000Z",
"description": "PDFOPENER_CONSOLE.exe - Xchecked via VT: 4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59",
"pattern": "[file:hashes.MD5 = '62f8f45c5f10647af0040f965a3ea96d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39cfe-7a60-4250-b08d-480602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:34.000Z",
"modified": "2017-03-23T10:01:34.000Z",
"first_observed": "2017-03-23T10:01:34Z",
"last_observed": "2017-03-23T10:01:34Z",
"number_observed": 1,
"object_refs": [
"url--58d39cfe-7a60-4250-b08d-480602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39cfe-7a60-4250-b08d-480602de0b81",
"value": "https://www.virustotal.com/file/4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59/analysis/1480095399/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39cff-dbec-4aef-8012-4bd502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:35.000Z",
"modified": "2017-03-23T10:01:35.000Z",
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx - Xchecked via VT: 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902",
"pattern": "[file:hashes.SHA1 = '341c920ec47efa4fd1bfcd1859a7fb98945f9d85']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39d00-7e14-464a-9970-455f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:36.000Z",
"modified": "2017-03-23T10:01:36.000Z",
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx - Xchecked via VT: 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902",
"pattern": "[file:hashes.MD5 = '871efc9ecd8a446a7aa06351604a9bf4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T10:01:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T10:01:38.000Z",
"modified": "2017-03-23T10:01:38.000Z",
"first_observed": "2017-03-23T10:01:38Z",
"last_observed": "2017-03-23T10:01:38Z",
"number_observed": 1,
"object_refs": [
"url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
"value": "https://www.virustotal.com/file/5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902/analysis/1486642481/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}