misp-circl-feed/feeds/circl/misp/761270e6-3a97-4c18-9a44-a844cb5b562b.json


{
"type": "bundle",
"id": "bundle--761270e6-3a97-4c18-9a44-a844cb5b562b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:22:25.000Z",
"modified": "2022-10-24T09:22:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--761270e6-3a97-4c18-9a44-a844cb5b562b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:22:25.000Z",
"modified": "2022-10-24T09:22:25.000Z",
"name": "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free",
"published": "2022-10-24T09:22:35Z",
"object_refs": [
"vulnerability--efce45a5-d17b-4da7-8e4a-02cc68b78064",
"indicator--00352f55-b2a8-4eb0-b764-9ce328ce4e81",
"indicator--6fba8d44-4605-4a77-aec4-ead4519463bf",
"indicator--9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6",
"indicator--a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164",
"indicator--892a5cd0-0395-4491-b996-8d45fb4ac7cf",
"indicator--6549b64d-0f09-4813-b9eb-31ccdb09f9de",
"x-misp-object--62263df7-4b98-46f0-8925-c02d90716c82",
"indicator--eb00b3cf-fe12-4a16-b44b-21c2c89c72f6",
"indicator--47511f00-1ba7-4843-a276-a7174b6448b2",
"indicator--0ad373ea-22f7-4fd3-967a-52541d545ea1",
"indicator--b310d8a7-6e3d-4080-91b6-91d13b06d33a",
"indicator--e7caa4ad-275f-4622-803d-5a5bc059bef5",
"indicator--93d05fa9-55f4-4607-b7c6-16e2ec591700",
"indicator--7efd1d01-3ad0-450c-95e5-c02a1dd99b88",
"indicator--3dd56064-19ea-46f0-b3ce-3ac65d5ae66b",
"indicator--046432a6-3ff8-47de-b73c-2239f71798c5",
"indicator--66c1a496-fc3d-4160-86e2-11a8b120da5e",
"indicator--54e0dd10-1259-40f6-abbe-030482b53812",
"indicator--47a5ff44-cb7d-46c6-a522-8db93e1f379a",
"indicator--996361d8-5e7e-4e6f-8004-d40c38408096",
"indicator--1a6c2f52-af2e-4cbb-a487-0b249f970dc9",
"indicator--33bb1b75-b184-406b-b981-12bc9e86352c",
"indicator--69b405d5-2c50-46c2-9866-83e6c1dc8799",
"indicator--1cefa739-fd00-462e-a8ed-bd4964a10476"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
"misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
"misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
"misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
"misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\"",
"misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
"misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"",
"misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"",
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
"misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"misp-galaxy:malpedia=\"Chisel (ELF)\"",
"misp-galaxy:malpedia=\"Chisel (Windows)\"",
"misp-galaxy:malpedia=\"Lorenz\"",
"misp-galaxy:ransomware=\"Lorenz Ransomware\"",
"dnc:malware-type=\"Ransomware\"",
"enisa:nefarious-activity-abuse=\"ransomware\"",
"ecsirt:malicious-code=\"ransomware\"",
"malware_classification:malware-category=\"Ransomware\"",
"veris:action:malware:variety=\"Ransomware\"",
"Ransomware",
"ms-caro-malware:malware-type=\"Ransom\"",
"ms-caro-malware-full:malware-type=\"Ransom\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--efce45a5-d17b-4da7-8e4a-02cc68b78064",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T08:35:00.000Z",
"modified": "2022-09-15T08:35:00.000Z",
"name": "CVE-2022-29499",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-29499"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--00352f55-b2a8-4eb0-b764-9ce328ce4e81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:29:38.000Z",
"modified": "2022-09-15T11:29:38.000Z",
"description": "Data exfiltration via FileZilla",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.197.218.11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:29:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"misp-galaxy:country=\"united states\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6fba8d44-4605-4a77-aec4-ead4519463bf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:30:19.000Z",
"modified": "2022-09-15T11:30:19.000Z",
"description": "Data exfiltration via FileZilla",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.68.19.94']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:30:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"misp-galaxy:country=\"united states\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9a5a18d7-4e2f-4748-ae25-2bf2cab5c1b6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T08:35:00.000Z",
"modified": "2022-09-15T08:35:00.000Z",
"description": "Used to download Chisel",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.68.59.16']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T08:35:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a0e7bf5d-19f1-40a1-8ad3-fdcf115d0164",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:30:43.000Z",
"modified": "2022-09-15T11:30:43.000Z",
"description": "Data exfiltration via FileZilla",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.65.248.159']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:30:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"misp-galaxy:country=\"united states\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--892a5cd0-0395-4491-b996-8d45fb4ac7cf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:33:49.000Z",
"modified": "2022-09-15T11:33:49.000Z",
"description": "Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.188.197.125']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"misp-galaxy:country=\"netherlands\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6549b64d-0f09-4813-b9eb-31ccdb09f9de",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:30:19.000Z",
"modified": "2022-09-15T11:30:19.000Z",
"description": "Data exfiltration via FileZilla",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.190.113.100']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:30:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"misp-galaxy:country=\"united states\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--62263df7-4b98-46f0-8925-c02d90716c82",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T07:43:15.000Z",
"modified": "2022-09-15T07:43:15.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"category": "External analysis",
"uuid": "086cf17a-272e-405e-b4bb-24abe206d118"
},
{
"type": "text",
"object_relation": "summary",
"value": "Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect and gain initial access",
"category": "Other",
"uuid": "8184f511-f31a-4fa5-9a74-d3df2998a0d5"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "260b4c23-6508-4b5d-bf02-b06183013575"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eb00b3cf-fe12-4a16-b44b-21c2c89c72f6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T08:43:34.000Z",
"modified": "2022-09-15T08:43:34.000Z",
"pattern": "[file:hashes.SHA256 = '97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d' AND file:name = 'mem']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T08:43:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--47511f00-1ba7-4843-a276-a7174b6448b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T08:45:02.000Z",
"modified": "2022-09-15T08:45:02.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.184.181.252') AND network-traffic:dst_port = '8443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T08:45:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0ad373ea-22f7-4fd3-967a-52541d545ea1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T09:31:15.000Z",
"modified": "2022-09-15T09:31:15.000Z",
"pattern": "[file:hashes.SHA256 = '07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94' AND file:name = 'pdf_import_export.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T09:31:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b310d8a7-6e3d-4080-91b6-91d13b06d33a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:42:17.000Z",
"modified": "2022-09-15T11:42:17.000Z",
"pattern": "[autonomous-system:number = '14061' AND autonomous-system:name = 'DIGITALOCEAN-ASN' AND autonomous-system:x_misp_country = 'US' AND autonomous-system:x_misp_subnet_announced = '138.197.218.11' AND autonomous-system:x_misp_subnet_announced = '138.68.19.94' AND autonomous-system:x_misp_subnet_announced = '159.65.248.159']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:42:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"asn\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e7caa4ad-275f-4622-803d-5a5bc059bef5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:43:19.000Z",
"modified": "2022-09-15T11:43:19.000Z",
"pattern": "[autonomous-system:number = '399629' AND autonomous-system:name = 'BL Networks' AND autonomous-system:x_misp_country = 'NL' AND autonomous-system:x_misp_subnet_announced = '206.188.197.125']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:43:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"asn\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--93d05fa9-55f4-4607-b7c6-16e2ec591700",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:43:50.000Z",
"modified": "2022-09-15T11:43:50.000Z",
"pattern": "[autonomous-system:number = '399629' AND autonomous-system:name = 'BL Networks' AND autonomous-system:x_misp_country = 'US' AND autonomous-system:x_misp_subnet_announced = '64.190.113.100']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:43:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"asn\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7efd1d01-3ad0-450c-95e5-c02a1dd99b88",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T11:46:52.000Z",
"modified": "2022-09-15T11:46:52.000Z",
"pattern": "alert http any any -> any any (msg:\\\\\"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File\\\\\"; flow:established,to_server; content:\\\\\"POST\\\\\"; http_method; content:\\\\\".php\\\\\"; http_uri;content:\\\\\"/vhelp/pdf/\\\\\"; http_uri; content:\\\\\"curl\\\\\"; http_user_agent;pcre:\\\\\"/(?:[A-Za-z\\\\d+\\\\/]{4})*(?:[A-Za-z\\\\d+\\\\/]{3}=|[A-Za-z\\\\d+\\\\/]{2}==)?$/\\\\\"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2022-09-15T11:46:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"suricata\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3dd56064-19ea-46f0-b3ce-3ac65d5ae66b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:12:14.000Z",
"modified": "2022-09-15T12:12:14.000Z",
"pattern": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\\\\\"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\\\\\"; flow:established,to_server; content:\\\\\"GET\\\\\"; http_method; content:\\\\\"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/\\\\\"; http_uri; http_header_names; content:!\\\\\"Referer\\\\\"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:12:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"suricata\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://threatintel.proofpoint.com/sid/2037121#references1"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--046432a6-3ff8-47de-b73c-2239f71798c5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:12:54.000Z",
"modified": "2022-09-15T12:12:54.000Z",
"pattern": "#alert tcp any any -> any !$SSH_PORTS (msg:\\\\\"ET POLICY SSH Client Banner Detected on Unusual Port\\\\\"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:\\\\\"SSH-\\\\\"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)",
"pattern_type": "snort",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"suricata\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://threatintel.proofpoint.com/sid/2001980"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--66c1a496-fc3d-4160-86e2-11a8b120da5e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:26:42.000Z",
"modified": "2022-09-15T12:26:42.000Z",
"name": "webshell_php_3b64command: Webshells PHP B64",
"pattern": "rule webshell_php_3b64command: Webshells PHP B64 {\r\n meta:\r\n Description= \\\\\"Detects Possible PHP Webshell expecting triple base64 command\\\\\"\r\n Category = \\\\\"Malware\\\\\"\r\n Author = \\\\\"Arctic Wolf Labs\\\\\"\r\n Date = \\\\\"2022-09-12\\\\\"\r\n Hash = \\\\\"07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\\\\\"\r\n Reference = \\\\\"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\\\\\"\r\n strings:\r\n $decode = \\\\\"base64_decode(base64_decode(base64_decode(\\\\\" ascii\r\n $encode = \\\\\"base64_encode(base64_encode(base64_encode(\\\\\" ascii\r\n $s1 = \\\\\"popen(\\\\\" ascii\r\n $s2 = \\\\\"pclose\\\\\" ascii\r\n $s3 = \\\\\"fread(\\\\\" ascii\r\n $s4 = \\\\\"$_POST\\\\\" ascii\r\n condition:\r\n $decode and $encode\r\n and 3 of ($s*)\r\n and filesize < 2KB\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:26:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54e0dd10-1259-40f6-abbe-030482b53812",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:27:07.000Z",
"modified": "2022-09-15T12:27:07.000Z",
"name": "hktl_chisel_artifacts: Chisel Hacktool Artifacts",
"pattern": "rule hktl_chisel_artifacts: Chisel Hacktool Artifacts {\r\n meta:\r\n Description = \\\\\"looks for hacktool chisel artifacts potentially left in memory or unallocated space\\\\\"\r\n Category = \\\\\"Tool\\\\\"\r\n Author = \\\\\"Arctic Wolf Labs\\\\\"\r\n Date = \\\\\"2022-09-12\\\\\"\r\n Reference = \\\\\"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in\\\\\"\r\n strings:\r\n $chisel = \\\\\"chisel_1.\\\\\" ascii\r\n $s1 = \\\\\"client\\\\\" ascii\r\n $s2 = \\\\\"--tls-skip-verify\\\\\" ascii\r\n $s3 = \\\\\"--fingerprint\\\\\" ascii\r\n $s4 = \\\\\"R:socks\\\\\" ascii\r\n condition:\r\n $chisel or 3 of ($s*)\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:27:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--47a5ff44-cb7d-46c6-a522-8db93e1f379a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:28:12.000Z",
"modified": "2022-09-15T12:28:12.000Z",
"name": "Process Dump via Comsvcs DLL",
"pattern": "title: Process Dump via Comsvcs DLL\r\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\r\nstatus: test\r\ndescription: Detects process memory dump via comsvcs.dll and rundll32\r\nauthor: Modexp (idea)\r\nreferences:\r\n - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\r\n - https://twitter.com/SBousseaden/status/1167417096374050817\r\ndate: 2019/09/02\r\nmodified: 2021/11/27\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n rundll_image:\r\n Image|endswith: \\'\\\\rundll32.exe\\'\r\n rundll_ofn:\r\n OriginalFileName: \\'RUNDLL32.EXE\\'\r\n selection:\r\n CommandLine|contains|all:\r\n - \\'comsvcs\\'\r\n - \\'MiniDump\\' #Matches MiniDump and MinidumpW\r\n - \\'full\\'\r\n condition: (rundll_image or rundll_ofn) and selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - unknown\r\nlevel: medium\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1218.011\r\n - attack.credential_access\r\n - attack.t1003.001\r\n - attack.t1003 # an old one",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:28:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--996361d8-5e7e-4e6f-8004-d40c38408096",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:29:57.000Z",
"modified": "2022-09-15T12:29:57.000Z",
"name": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString",
"pattern": "title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nid: 74403157-20f5-415d-89a7-c505779585cf\r\nstatus: test\r\ndescription: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines\r\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\r\ndate: 2020/10/11\r\nmodified: 2022/07/14\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - \\'\\\\powershell.exe\\'\r\n - \\'\\\\pwsh.exe\\'\r\n CommandLine|contains: \\'ConvertTo-SecureString\\'\r\n condition: selection\r\nfalsepositives:\r\n - Unlikely\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.t1027\r\n - attack.execution\r\n - attack.t1059.001",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:29:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1a6c2f52-af2e-4cbb-a487-0b249f970dc9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:33:14.000Z",
"modified": "2022-09-15T12:33:14.000Z",
"name": "CrackMapExec Process Patterns",
"pattern": "title: CrackMapExec Process Patterns\r\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\r\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\r\nstatus: experimental\r\nauthor: Florian Roth\r\nreferences:\r\n - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\r\ndate: 2022/03/12\r\nmodified: 2022/05/27\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection_lsass_dump1:\r\n CommandLine|contains|all:\r\n - \\'cmd.exe /c \\'\r\n - \\'tasklist /fi \\'\r\n - \\'Imagename eq lsass.exe\\'\r\n User|contains: # covers many language settings\r\n - \\'AUTHORI\\'\r\n - \\'AUTORI\\'\r\n selection_lsass_dump2:\r\n CommandLine|contains|all:\r\n - \\'do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump\\'\r\n - \\'\\\\Windows\\\\Temp\\\\\\'\r\n - \\' full\\'\r\n - \\'\\\\%\\\\%B\\'\r\n selection_procdump:\r\n CommandLine|contains|all:\r\n - \\'tasklist /v /fo csv\\'\r\n - \\'findstr /i \\\\\"lsass\\\\\"\\'\r\n condition: 1 of selection*\r\nfalsepositives:\r\n - Unknown\r\nlevel: high",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--33bb1b75-b184-406b-b981-12bc9e86352c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:55:36.000Z",
"modified": "2022-09-15T12:55:36.000Z",
"name": "PowerShell as a Service in Registry",
"pattern": "title: PowerShell as a Service in Registry\r\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\r\ndescription: Detects that a powershell code is written to the registry as a service.\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2021/05/21\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.execution\r\n - attack.t1569.002\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|contains: \\'\\\\Services\\\\\\'\r\n TargetObject|endswith: \\'\\\\ImagePath\\'\r\n Details|contains:\r\n - \\'powershell\\'\r\n - \\'pwsh\\'\r\n condition: selection\r\nfalsepositives: \r\n - Unknown\r\nlevel: high",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:55:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--69b405d5-2c50-46c2-9866-83e6c1dc8799",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:56:34.000Z",
"modified": "2022-09-15T12:56:34.000Z",
"name": "Remote Task Creation via ATSVC Named Pipe",
"pattern": "title: Remote Task Creation via ATSVC Named Pipe\r\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\r\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\r\nauthor: Samir Bousseaden\r\ndate: 2019/04/03\r\nreferences:\r\n - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\r\ntags:\r\n - attack.lateral_movement\r\n - attack.persistence\r\n - attack.t1053\r\n - car.2013-05-004\r\n - car.2015-04-001\r\nlogsource:\r\n product: windows\r\n service: security\r\n description: \\'The advanced audit policy setting \\\\\"Object Access > Audit Detailed File Share\\\\\" must be configured for Success/Failure\\'\r\ndetection:\r\n selection:\r\n EventID: 5145\r\n ShareName: \\\\\\\\*\\\\IPC$\r\n RelativeTargetName: atsvc\r\n Accesses: \\'*WriteData*\\'\r\n condition: selection\r\nfalsepositives:\r\n - pentesting\r\nlevel: medium",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:56:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1cefa739-fd00-462e-a8ed-bd4964a10476",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T12:59:01.000Z",
"modified": "2022-09-15T12:59:01.000Z",
"name": "Accessing WinAPI in PowerShell for Credentials Dumping",
"pattern": "title: Accessing WinAPI in PowerShell for Credentials Dumping\r\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\r\ndescription: Detects Accessing to lsass.exe by Powershell\r\nstatus: experimental\r\nauthor: oscd.community, Natalia Shornikova\r\ndate: 2020/10/06\r\nmodified: 2022/07/14\r\nreferences:\r\n - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\r\ntags:\r\n - attack.credential_access\r\n - attack.t1003.001\r\nlogsource:\r\n product: windows\r\n service: sysmon\r\ndetection:\r\n selection:\r\n EventID:\r\n - 8\r\n - 10\r\n SourceImage|endswith:\r\n - \\'\\\\powershell.exe\\'\r\n - \\'\\\\pwsh.exe\\'\r\n TargetImage|endswith: \\'\\\\lsass.exe\\'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high",
"pattern_type": "sigma",
"pattern_version": "2.1",
"valid_from": "2022-09-15T12:59:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"sigma\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"external_references": [
{
"source_name": "url",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml"
}
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}