{"response": [{"Event":{"id":"7721","orgc_id":"20","org_id":"1","date":"2019-10-07","threat_level_id":"2","info":"Emotet in Depth TTP 10-07-19","published":false,"uuid":"5d9b5933-964c-433c-b84f-4c680a2fe004","attribute_count":"71","analysis":"1","timestamp":"1571266221","distribution":"3","proposal_email_lock":false,"locked":true,"publish_timestamp":"0","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"Hestat","uuid":"5cb1fe4f-5ebc-4dc2-b79f-4374b49abff9","local":true},"Orgc":{"id":"20","name":"MiSOC","uuid":"5d49b744-1ef4-4480-b486-40f06b08ac45","local":false},"Attribute":[{"id":"1824852","type":"url","category":"Network activity","to_ids":true,"uuid":"5d9b5bdf-36e8-494f-9bda-4522a63f8736","event_id":"7721","distribution":"5","timestamp":"1570462687","comment":"Maldoc 1st-stage download URLs","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/dulich.goasiatravel.com\/calendar\/u8hsm_46c4yi-6024747470\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1824853","type":"url","category":"Network activity","to_ids":true,"uuid":"5d9b5bdf-b5ac-4550-8ee8-4491a63f8736","event_id":"7721","distribution":"5","timestamp":"1570462687","comment":"Maldoc 1st-stage download URLs","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/drewnianazagroda.pl\/c0nm\/PtlOoIWOzs\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1824854","type":"url","category":"Network activity","to_ids":true,"uuid":"5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736","event_id":"7721","distribution":"5","timestamp":"1570462687","comment":"Maldoc 1st-stage download URLs","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/latestgovernment.com\/pramodchoudhary.examqualify.com\/CKBOIhWtjs\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1824855","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5d9b5bdf-b654-4401-9164-4f6ba63f8736","event_id":"7721","distribution":"5","timestamp":"1570462687","comment":"Maldoc 1st-stage download URLs","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/kurumsalinternetsitesi.com\/wp-content\/wgSCKDClY\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1824856","type":"url","category":"Network activity","to_ids":true,"uuid":"5d9b5bdf-9bf0-4a3f-8387-404ca63f8736","event_id":"7721","distribution":"5","timestamp":"1570462687","comment":"Maldoc 1st-stage download URLs","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/edealsadvisor.com\/wp-includes\/ZqLAroEkK\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825457","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-879c-49ef-846b-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/ban\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825458","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-325c-4d0b-a401-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/cone\/dma\/arizona\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825459","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5da79ead-7ae4-4276-abff-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/health\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825460","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-90e4-4122-9476-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/iplk\/enable\/loadan\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825461","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-f444-4981-917b-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/loadan\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825462","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-558c-4548-a83c-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/sess\/pnp\/ringin\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825463","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-3d98-416c-9ff5-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/site\/vermont\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825464","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5da79ead-94f8-4ae2-9a3b-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/201.184.105.242\/symbols\/schema\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825465","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-4208-483c-badc-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/45.123.3.54\/badge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825466","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-e7d4-4ece-94ac-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/45.123.3.54\/publish\/acquire\/enabled\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825467","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-3188-4a7f-8e13-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/45.123.3.54\/site\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825468","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-9f88-43a2-9b73-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/80.79.23.144\/free\/schema\/scripts\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825469","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5da79ead-5b0c-49d0-802a-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/80.79.23.144\/results\/cone\/window\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825470","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-4e48-4b7d-ba67-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/80.79.23.144\/splash\/prov\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825471","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-47a0-4480-a429-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/104.131.11.150\/cookies\/usbccid\/enabled\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825472","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-6acc-48a8-abba-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/104.131.11.150\/dma\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825473","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-04f8-46df-bf49-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/104.131.11.150\/img\/enabled\/scripts\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825474","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5da79ead-cb88-445a-8eaa-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/142.44.162.209\/pnp\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825475","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-3910-4501-8065-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/142.44.162.209\/report\/chunk\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825476","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-4910-4e43-9939-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/142.44.162.209\/results\/glitch\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825477","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-55f8-4fd0-807a-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/178.254.6.27\/site\/results\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825478","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-24e0-4062-9bba-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/178.254.6.27\/stubs\/pnp\/window\/merge\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825479","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5da79ead-560c-4070-b46f-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/178.254.6.27\/taskbar\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825480","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-dec8-4574-9ced-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/192.254.173.31\/child\/","Galaxy":[],"ShadowAttribute":[]},{"id":"1825481","type":"url","category":"Network activity","to_ids":true,"uuid":"5da79ead-048c-4da7-92c0-315974656a8a","event_id":"7721","distribution":"5","timestamp":"1571266221","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/192.254.173.31\/json\/add\/","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[{"id":"2","uuid":"c4e851fa-775f-11e7-8163-b774922098cd","name":"Attack Pattern","type":"mitre-attack-pattern","description":"ATT&CK 
Tactic","version":"8","icon":"map","namespace":"mitre-attack","kill_chain_order":{"mitre-attack":["initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"],"mitre-mobile-attack":["initial-access","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","effects","collection","exfiltration","command-and-control","network-effects","remote-service-effects"],"mitre-pre-attack":["priority-definition-planning","priority-definition-direction","target-selection","technical-information-gathering","people-information-gathering","organizational-information-gathering","technical-weakness-identification","people-weakness-identification","organizational-weakness-identification","adversary-opsec","establish-&-maintain-infrastructure","persona-development","build-capabilities","test-capabilities","stage-capabilities"]},"GalaxyCluster":[{"id":"6161","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Spearphishing Attachment - T1193","tag_name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","description":"Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https:\/\/attack.mitre.org\/techniques\/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. 
Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"6aac77c4-eaf2-4366-8c13-ce50ab951f38","tag_id":"562","meta":{"external_id":["CAPEC-163"],"kill_chain":["mitre-attack:initial-access"],"mitre_data_sources":["File monitoring","Packet capture","Network intrusion detection system","Detonation chamber","Email gateway","Mail server"],"mitre_platforms":["Windows","macOS","Linux"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1193","https:\/\/capec.mitre.org\/data\/definitions\/163.html"]},"local":false},{"id":"6071","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Command-Line Interface - T1059","tag_name":"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"","description":"Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https:\/\/attack.mitre.org\/software\/S0106), which can be used to perform a number of tasks including execution of other software. 
Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https:\/\/attack.mitre.org\/techniques\/T1053)).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7385dfaf-6886-4229-9ecd-6fd678040830","tag_id":"737","meta":{"external_id":["T1059"],"kill_chain":["mitre-attack:execution"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1059","https:\/\/en.wikipedia.org\/wiki\/Command-line_interface"]},"local":false},{"id":"6121","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Scheduled Task - T1053","tag_name":"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"","description":"Utilities such as [at](https:\/\/attack.mitre.org\/software\/S0110) and [schtasks](https:\/\/attack.mitre.org\/software\/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. 
(Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"35dd844a-b219-4e2b-a6bb-efa9a75995a9","tag_id":"820","meta":{"external_id":["CAPEC-557"],"kill_chain":["mitre-attack:execution","mitre-attack:persistence","mitre-attack:privilege-escalation"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Windows event logs"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1053","https:\/\/capec.mitre.org\/data\/definitions\/557.html","https:\/\/technet.microsoft.com\/en-us\/library\/cc785125.aspx","https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902","https:\/\/twitter.com\/leoloobeek\/status\/939248813465853953","https:\/\/social.technet.microsoft.com\/Forums\/en-US\/e5bca729-52e7-4fcb-ba12-3225c564674c\/scheduled-tasks-history-retention-settings?forum=winserver8gen","https:\/\/technet.microsoft.com\/library\/dd315590.aspx"]},"local":false},{"id":"6204","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Scripting - T1064","tag_name":"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"","description":"Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https:\/\/attack.mitre.org\/techniques\/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution to software exploitation through [Exploitation for Client Execution](https:\/\/attack.mitre.org\/techniques\/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit), Veil (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7fd87010-3a00-4da3-b905-410525e8ec44","tag_id":"569","meta":{"external_id":["T1064"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:execution"],"mitre_data_sources":["Process monitoring","File monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1064","http:\/\/www.metasploit.com","https:\/\/www.veil-framework.com\/framework\/","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/blog.crowdstrike.com\/deep-thought-chinese-targeting-national-security-think-tanks\/","https:\/\/www.uperesia.com\/analyzing-malicious-office-documents"]},"local":false},{"id":"5970","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Windows Management Instrumentation - T1047","tag_name":"misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"","description":"Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. 
(Citation: FireEye WMI 2015)","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"01a5a209-b94c-450b-b7f9-946497d91055","tag_id":"738","meta":{"external_id":["T1047"],"kill_chain":["mitre-attack:execution"],"mitre_data_sources":["Authentication logs","Netflow\/Enclave netflow","Process monitoring","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1047","https:\/\/msdn.microsoft.com\/en-us\/library\/aa394582.aspx","https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/global\/en\/current-threats\/pdfs\/wp-windows-management-instrumentation.pdf","https:\/\/en.wikipedia.org\/wiki\/Server_Message_Block","https:\/\/technet.microsoft.com\/en-us\/library\/cc787851.aspx"]},"local":false},{"id":"5752","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Registry Run Keys \/ Startup Folder - T1060","tag_name":"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys \/ Startup Folder - T1060\"","description":"Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code>\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code>\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx<\/code> is also available but is not created by default on Windows Vista and newer. 
Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend \/v 1 \/d \"C:\\temp\\evil[.]dll\"<\/code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders<\/code>\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code>\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code>\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders<\/code>\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. 
Adversaries may also use [Masquerading](https:\/\/attack.mitre.org\/techniques\/T1036) to make the Registry entries look as if they are associated with legitimate programs.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"9422fc14-1c43-410d-ab0f-a709b76c72dc","tag_id":"741","meta":{"external_id":["CAPEC-270"],"kill_chain":["mitre-attack:persistence"],"mitre_data_sources":["Windows Registry","File monitoring"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1060","https:\/\/capec.mitre.org\/data\/definitions\/270.html","http:\/\/msdn.microsoft.com\/en-us\/library\/aa376977","https:\/\/support.microsoft.com\/help\/310593\/description-of-the-runonceex-registry-key","https:\/\/oddvar.moe\/2018\/03\/21\/persistence-using-runonceex-hidden-from-autoruns-exe\/","https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902"]},"local":false},{"id":"6131","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Process Injection - T1055","tag_name":"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"","description":"Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system\/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n### Windows\n\nThere are multiple approaches to injecting code into a live process. 
Windows implementations include: (Citation: Endgame Process Injection July 2017)\n\n* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https:\/\/attack.mitre.org\/techniques\/T1093), the thread must first be suspended.\n* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. 
(Citation: FireEye TLS Nov 2017)\n\n### Mac and Linux\n\nImplementations for Linux and OS X\/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n\n* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)\n* **\/proc\/[pid]\/mem** provides access to the memory of the process and can be used to read\/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. 
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"43e7dc91-05b2-474c-b9ac-2ed4fe101f4d","tag_id":"436","meta":{"external_id":["CAPEC-242"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:privilege-escalation"],"mitre_data_sources":["API monitoring","Windows Registry","File monitoring","DLL monitoring","Process monitoring","Named Pipes"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1055","https:\/\/capec.mitre.org\/data\/definitions\/242.html","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/www.endgame.com\/blog\/technical-blog\/hunting-memory","https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms681951.aspx","https:\/\/blog.ensilo.com\/atombombing-brand-new-code-injection-for-windows","https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms649053.aspx","https:\/\/docs.microsoft.com\/sysinternals\/downloads\/sysmon","https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/11\/ursnif-variant-malicious-tls-callback-technique.html","https:\/\/www.datawire.io\/code-injection-on-linux-and-macos\/","http:\/\/hick.org\/code\/skape\/papers\/needle.txt","http:\/\/phrack.org\/issues\/51\/8.html","http:\/\/vxer.org\/lib\/vrn00.html","https:\/\/www.gnu.org\/software\/acct\/","https:\/\/access.redhat.com\/documentation\/red_hat_enterprise_linux\/6\/html\/security_guide\/chap-system_auditing","http:\/\/www.chokepoint.net\/2014\/02\/detecting-userland-preload-rootkits.html","https:\/\/www.cyberbit.com\/blog\/endpoint-security\/new-early-bird-code-injection-technique-discovered\/","https:\/\/www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"]},"local":false},{"id"
:"6134","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Account Discovery - T1087","tag_name":"misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"","description":"Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are net user<\/code>, net group <\/code>, and net localgroup <\/code> using the [Net](https:\/\/attack.mitre.org\/software\/S0039) utility or through use of [dsquery](https:\/\/attack.mitre.org\/software\/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner\/User Discovery](https:\/\/attack.mitre.org\/techniques\/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups<\/code> and id<\/code> commands. In mac specifically, dscl . list \/Groups<\/code> and dscacheutil -q group<\/code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the \/etc\/passwd<\/code> file which is world readable. 
In mac, this same file is only used in single-user mode in addition to the \/etc\/master.passwd<\/code> file.\n\nAlso, groups can be enumerated through the groups<\/code> and id<\/code> commands.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"72b74d71-8169-42aa-92e0-e7b04b9f5a08","tag_id":"952","meta":{"external_id":["CAPEC-575"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["API monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1087","https:\/\/capec.mitre.org\/data\/definitions\/575.html"]},"local":false},{"id":"6033","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Domain Trust Discovery - T1482","tag_name":"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"","description":"Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https:\/\/attack.mitre.org\/tactics\/TA0008) opportunities in Windows multi-domain\/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. 
The information discovered may help the adversary conduct [SID-History Injection](https:\/\/attack.mitre.org\/techniques\/T1178), [Pass the Ticket](https:\/\/attack.mitre.org\/techniques\/T1097), and [Kerberoasting](https:\/\/attack.mitre.org\/techniques\/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https:\/\/attack.mitre.org\/software\/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"767dbf9e-df3f-45cb-8998-4903ab5f80c0","tag_id":"980","meta":{"external_id":["T1482"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["PowerShell logs","API monitoring","Process command-line parameters","Process monitoring"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1482","https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2003\/cc759554(v=ws.10)","https:\/\/adsecurity.org\/?p=1588","http:\/\/www.harmj0y.net\/blog\/redteaming\/a-guide-to-attacking-domain-trusts\/ ","https:\/\/www.microsoft.com\/security\/blog\/2017\/05\/04\/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack\/","https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships"]},"local":false},{"id":"5929","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"System Owner\/User Discovery - T1033","tag_name":"misp-galaxy:mitre-attack-pattern=\"System Owner\/User Discovery - T1033\"","description":"### 
Windows\n\nAdversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https:\/\/attack.mitre.org\/techniques\/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file\/directory ownership, session information, and system logs.\n\n### Mac\n\nOn Mac, the currently logged in user can be identified with users<\/code>,w<\/code>, and who<\/code>.\n\n### Linux\n\nOn Linux, the currently logged in user can be identified with w<\/code> and who<\/code>.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"03d7999c-1f4c-42cc-8373-e7690d318104","tag_id":"959","meta":{"external_id":["CAPEC-577"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1033","https:\/\/capec.mitre.org\/data\/definitions\/577.html"]},"local":false},{"id":"5963","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Commonly Used Port - T1043","tag_name":"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"","description":"Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP\/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol. 
\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP\/UDP:135 (RPC)\n* TCP\/UDP:22 (SSH)\n* TCP\/UDP:3389 (RDP)","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"f879d51c-5476-431c-aedf-f14d207e4d1e","tag_id":"834","meta":{"external_id":["T1043"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Netflow\/Enclave netflow","Process use of network","Process monitoring"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1043","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"5851","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Standard Application Layer Protocol - T1071","tag_name":"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"","description":"Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. 
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"355be19c-ffc9-46d5-8d50-d6a036c675b6","tag_id":"840","meta":{"external_id":["T1071"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Netflow\/Enclave netflow","Process use of network","Malware reverse engineering","Process monitoring"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1071","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"5958","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Standard Cryptographic Protocol - T1032","tag_name":"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"","description":"Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and\/or generated within malware samples\/configuration files.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5","tag_id":"841","meta":{"external_id":["T1032"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Netflow\/Enclave netflow","Malware reverse engineering","Process use of network","Process monitoring","SSL\/TLS inspection"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1032","http:\/\/www.sans.org\/reading-room\/whitepapers\/analyst\/finding-hidden-threats-decrypting-ssl-34840","https:\/\/insights.sei.cmu.edu\/cert\/2015\/03\/the-risks-of-ssl-inspection.html","https:\/\/www.fidelissecurity.com\/sites\/default\/files\/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"6206","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"PowerShell - T1086","tag_name":"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"","description":"PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. 
\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https:\/\/attack.mitre.org\/software\/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands\/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"f4882e23-8aa7-4b12-b28a-b349c12ee9e0","tag_id":"740","meta":{"external_id":["T1086"],"kill_chain":["mitre-attack:execution"],"mitre_data_sources":["PowerShell logs","Loaded DLLs","DLL monitoring","Windows Registry","File monitoring","Process monitoring","Process command-line 
parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1086","https:\/\/technet.microsoft.com\/en-us\/scriptcenter\/dd742419.aspx","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/github.com\/jaredhaight\/PSAttack","http:\/\/www.sixdub.net\/?p=367","https:\/\/silentbreaksecurity.com\/powershell-jobs-without-powershell-exe\/","https:\/\/blogs.msdn.microsoft.com\/kebab\/2014\/04\/28\/executing-powershell-scripts-from-c\/","http:\/\/www.malwarearchaeology.com\/s\/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf","https:\/\/www.fireeye.com\/blog\/threat-research\/2016\/02\/greater_visibilityt.html"]},"local":false},{"id":"6088","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"New Service - T1050","tag_name":"misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"","description":"When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. \n\nAdversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https:\/\/attack.mitre.org\/techniques\/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. 
Adversaries may also directly start services through [Service Execution](https:\/\/attack.mitre.org\/techniques\/T1035).","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"478aa214-2ca7-4ec0-9978-18798e514790","tag_id":"942","meta":{"external_id":["CAPEC-550"],"kill_chain":["mitre-attack:persistence","mitre-attack:privilege-escalation"],"mitre_data_sources":["Windows Registry","Process monitoring","Process command-line parameters","Windows event logs"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1050","https:\/\/capec.mitre.org\/data\/definitions\/550.html","https:\/\/technet.microsoft.com\/en-us\/library\/cc772408.aspx","https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902","https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/auditing\/event-4697","https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/use-windows-event-forwarding-to-assist-in-intrusion-detection"]},"local":false}]},{"id":"28","uuid":"d5cbd1a2-78f6-11e7-a833-7b9bccca9649","name":"Tool","type":"mitre-tool","description":"Name of ATT&CK software","version":"6","icon":"gavel","namespace":"mitre-attack","GalaxyCluster":[{"id":"9847","collection_uuid":"d700dc5c-78f6-11e7-a476-5f748c8e4fe0","type":"mitre-tool","value":"Empire - S0363","tag_name":"misp-galaxy:mitre-tool=\"Empire - S0363\"","description":"[Empire](https:\/\/attack.mitre.org\/software\/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https:\/\/attack.mitre.org\/techniques\/T1086) for Windows and Python for Linux\/macOS. 
[Empire](https:\/\/attack.mitre.org\/software\/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)\n\n","galaxy_id":"28","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"13","uuid":"3433a9e8-1c47-4320-b9bf-ed449061d1c3","tag_id":"981","meta":{"external_id":["S0363"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/software\/S0363","https:\/\/s3.eu-west-1.amazonaws.com\/ncsc-content\/files\/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf","https:\/\/github.com\/PowerShellEmpire\/Empire","https:\/\/github.com\/dstepanic\/attck_empire"],"synonyms":["Empire","EmPyre","PowerShell Empire"]},"local":false},{"id":"9798","collection_uuid":"d700dc5c-78f6-11e7-a476-5f748c8e4fe0","type":"mitre-tool","value":"Cobalt Strike - S0154","tag_name":"misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"","description":"[Cobalt Strike](https:\/\/attack.mitre.org\/software\/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https:\/\/attack.mitre.org\/software\/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002). 
(Citation: cobaltstrike manual)","galaxy_id":"28","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"13","uuid":"aafea02e-ece5-4bb2-91a6-3bf8c7f38a39","tag_id":"982","meta":{"external_id":["S0154"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/software\/S0154","https:\/\/cobaltstrike.com\/downloads\/csmanual38.pdf"],"synonyms":["Cobalt Strike"]},"local":false}]},{"id":"22","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","name":"Tool","type":"tool","description":"Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.","version":"3","icon":"optin-monster","namespace":"misp","GalaxyCluster":[{"id":"8784","collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","type":"tool","value":"Emotet","tag_name":"misp-galaxy:tool=\"Emotet\"","description":"","galaxy_id":"22","source":"MISP Project","authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"version":"122","uuid":"3f7616bd-f1de-46ee-87c2-43c0c2edaa28","tag_id":"42","meta":{"refs":["https:\/\/securelist.com\/analysis\/publications\/69560\/the-banking-trojan-emotet-detailed-analysis\/","https:\/\/www.forcepoint.com\/blog\/security-labs\/thanks-giving-emotet","https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks\/","https:\/\/cofense.com\/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links\/"],"synonyms":["Geodo"]},"local":false}]}],"Object":[{"id":"17749","name":"file","meta-category":"file","description":"File object describing a file with 
meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b5a7c-7204-4384-9512-48970a2fe004","timestamp":"1570462332","distribution":"5","sharing_group_id":"0","comment":"Selected Malware Document for sandbox run","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824857","type":"malware-sample","category":"Payload delivery","to_ids":true,"uuid":"5d9b5a7c-2560-44ac-969d-42e60a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17749","object_relation":"malware-sample","value":"SCAN_10079460983_IB_1007.doc|9ce5126ffcbc936ad6c0155763898f19","Galaxy":[],"ShadowAttribute":[]},{"id":"1824858","type":"filename","category":"Payload delivery","to_ids":false,"uuid":"5d9b5a7c-c814-4b59-903f-4c0e0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17749","object_relation":"filename","value":"SCAN_10079460983_IB_1007.doc","Galaxy":[],"ShadowAttribute":[]},{"id":"1824859","type":"md5","category":"Payload delivery","to_ids":true,"uuid":"5d9b5a7c-6d60-4555-90a2-42c30a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17749","object_relation":"md5","value":"9ce5126ffcbc936ad6c0155763898f19","Galaxy":[],"ShadowAttribute":[]},{"id":"1824860","type":"sha1","category":"Payload delivery","to_ids":true,"uuid":"5d9b5a7c-74a0-4902-addb-4afa0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17749","object_relation":"sha1","value":"284534ae3c3ca467f098115d07cd7e14cbec9583","Galaxy":[],"ShadowAttribute":[]},{"id":"1824861","type":"sha256","category":"Payload 
delivery","to_ids":true,"uuid":"5d9b5a7c-3ef8-48e9-8671-40760a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17749","object_relation":"sha256","value":"dd007df90f91857a9efe65008cf015f7955ff05a5b243017e4931087f5742355","Galaxy":[],"ShadowAttribute":[]},{"id":"1824862","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b5a7c-4740-4d31-bca2-4f830a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462332","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17749","object_relation":"size-in-bytes","value":"175104","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17750","name":"file","meta-category":"file","description":"File object describing a file with meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004","timestamp":"1570462376","distribution":"5","sharing_group_id":"0","comment":"Cobalt strike payload called by powershell","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824863","type":"malware-sample","category":"Payload delivery","to_ids":true,"uuid":"5d9b5aa8-5124-4bfe-bcc4-446c0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17750","object_relation":"malware-sample","value":"ikillyou.txt|26017e97acce09276f3b4c6800dec256","Galaxy":[],"ShadowAttribute":[]},{"id":"1824864","type":"filename","category":"Payload 
delivery","to_ids":false,"uuid":"5d9b5aa8-6c48-43a7-a725-4a860a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17750","object_relation":"filename","value":"ikillyou.txt","Galaxy":[],"ShadowAttribute":[]},{"id":"1824865","type":"md5","category":"Payload delivery","to_ids":true,"uuid":"5d9b5aa8-a07c-4401-99ee-44b80a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17750","object_relation":"md5","value":"26017e97acce09276f3b4c6800dec256","Galaxy":[],"ShadowAttribute":[]},{"id":"1824866","type":"sha1","category":"Payload delivery","to_ids":true,"uuid":"5d9b5aa8-e53c-4d68-a233-4d5f0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17750","object_relation":"sha1","value":"b49b6719495f8398f72e18c0e9450feacb0f9bd9","Galaxy":[],"ShadowAttribute":[]},{"id":"1824867","type":"sha256","category":"Payload delivery","to_ids":true,"uuid":"5d9b5aa8-732c-4ebc-b096-429a0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17750","object_relation":"sha256","value":"3306d41a09840db2e94e7497c911e8d61d15776b44346f02bbb6a88f5bd51caa","Galaxy":[],"ShadowAttribute":[]},{"id":"1824868","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b5aa8-72c0-4d0f-9783-47980a2fe004","event_id":"7721","distribution":"5","timestamp":"1570462376","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17750","object_relation":"size-in-bytes","value":"2789","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17751","name":"file","meta-category":"file","description":"File object describing a file with 
meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b6d2a-f048-4333-a71b-4f830a2fe004","timestamp":"1570467114","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824869","type":"malware-sample","category":"Payload delivery","to_ids":true,"uuid":"5d9b6d2a-661c-4c0a-8813-4ab70a2fe004","event_id":"7721","distribution":"5","timestamp":"1570467114","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17751","object_relation":"malware-sample","value":"26017e97acce09276f3b4c6800dec256_unzipped_decoded.zip|0e8c5174646dcd87ac893271b80c9633","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17752","name":"file","meta-category":"file","description":"File object describing a file with meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b80b5-67ac-4570-8958-4ea90a2fe004","timestamp":"1570472117","distribution":"5","sharing_group_id":"0","comment":"Emotet Exe","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824870","type":"malware-sample","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b80b5-83e8-4811-933f-40dc0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17752","object_relation":"malware-sample","value":"pixelproc.exe|9afcbf6f4f13a40791d368df767b4304","Galaxy":[{"id":"22","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","name":"Tool","type":"tool","description":"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.","version":"3","icon":"optin-monster","namespace":"misp","GalaxyCluster":[{"id":"8784","collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","type":"tool","value":"Emotet","tag_name":"misp-galaxy:tool=\"Emotet\"","description":"","galaxy_id":"22","source":"MISP Project","authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"version":"122","uuid":"3f7616bd-f1de-46ee-87c2-43c0c2edaa28","tag_id":"42","meta":{"refs":["https:\/\/securelist.com\/analysis\/publications\/69560\/the-banking-trojan-emotet-detailed-analysis\/","https:\/\/www.forcepoint.com\/blog\/security-labs\/thanks-giving-emotet","https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks\/","https:\/\/cofense.com\/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links\/"],"synonyms":["Geodo"]},"local":false}]}],"ShadowAttribute":[],"Tag":[{"id":"42","name":"misp-galaxy:tool=\"Emotet\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null}]},{"id":"1824871","type":"filename","category":"Artifacts dropped","to_ids":false,"uuid":"5d9b80b5-1bfc-4bbd-aabf-4e400a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17752","object_relation":"filename","value":"pixelproc.exe","Galaxy":[],"ShadowAttribute":[]},{"id":"1824872","type":"md5","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b80b5-ff4c-4d46-98ce-40cd0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17752","object_relation":"md5","value":"9afcbf6f4f13a40791d368df767b4304","Galaxy":[],"ShadowAttribute":[]},{"id":"1824873","type":"sha1","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b80b5-c704-4916-a3bb-45780a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17752","object_relation":"sha1","value":"019a178ee95b34980a2f07ee624528de5f4eae44","Galaxy":[],"ShadowAttribute":[]},{"id":"1824874","type":"sha256","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b80b5-437c-41c1-823b-459c0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17752","object_relation":"sha256","value":"16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe","Galaxy":[],"ShadowAttribute":[]},{"id":"1824875","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b80b5-e340-4e19-977b-47d30a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472117","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17752","object_relation":"size-in-bytes","value":"221184","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17753","name":"file","meta-category":"file","description":"File object describing a file with meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b8142-6bd0-484e-8a8f-43410a2fe004","timestamp":"1570472258","distribution":"5","sharing_group_id":"0","comment":"Trickbot Exe","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824876","type":"malware-sample","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b8142-9654-49da-af32-4ba80a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17753","object_relation":"malware-sample","value":".exe|9240845226d22642cbe5e0d39205d869","Galaxy":[],"ShadowAttribute":[]},{"id":"1824877","type":"filename","category":"Artifacts dropped","to_ids":false,"uuid":"5d9b8142-56b8-49a7-8e90-426d0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17753","object_relation":"filename","value":".exe","Galaxy":[],"ShadowAttribute":[]},{"id":"1824878","type":"md5","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b8142-3a1c-4760-872c-436f0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17753","object_relation":"md5","value":"9240845226d22642cbe5e0d39205d869","Galaxy":[],"ShadowAttribute":[]},{"id":"1824879","type":"sha1","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b8142-04e4-4ebe-8564-44590a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17753","object_relation":"sha1","value":"10dae0bced984456d3d7a2b059cd71a4762f1c5b","Galaxy":[],"ShadowAttribute":[]},{"id":"1824880","type":"sha256","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b8142-b590-4445-81b3-4ffb0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17753","object_relation":"sha256","value":"4cbe34dc9928a6b93786a69bea92b3df0e04fd67d116fc1746d817496314de9e","Galaxy":[],"ShadowAttribute":[]},{"id":"1824881","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b8142-3e88-4463-b633-4ab80a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472258","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17753","object_relation":"size-in-bytes","value":"393309","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17754","name":"file","meta-category":"file","description":"File object describing a file with meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b8162-9658-45ba-897f-4cdd0a2fe004","timestamp":"1570472290","distribution":"5","sharing_group_id":"0","comment":"Trickbot artifact","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824882","type":"malware-sample","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b8162-fb20-4ad9-91da-45380a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17754","object_relation":"malware-sample","value":"settings.ini|03dfc482ccecbbbc16c5c208ae55d49a","Galaxy":[],"ShadowAttribute":[]},{"id":"1824883","type":"filename","category":"Artifacts dropped","to_ids":false,"uuid":"5d9b8162-0990-4049-848a-459d0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17754","object_relation":"filename","value":"settings.ini","Galaxy":[],"ShadowAttribute":[]},{"id":"1824884","type":"md5","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b8162-b0bc-42c4-8bb8-4d660a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17754","object_relation":"md5","value":"03dfc482ccecbbbc16c5c208ae55d49a","Galaxy":[],"ShadowAttribute":[]},{"id":"1824885","type":"sha1","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b8162-cae0-41f9-8933-42050a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17754","object_relation":"sha1","value":"46b1ad83e2bbf22b08462656e979bca53afff6ba","Galaxy":[],"ShadowAttribute":[]},{"id":"1824886","type":"sha256","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b8162-0efc-48c5-a090-42360a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17754","object_relation":"sha256","value":"e23033b26e459f6987fb65b9dd8a975a14c2ea9d903a720d4a67a32d43bff293","Galaxy":[],"ShadowAttribute":[]},{"id":"1824887","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b8162-9158-4838-8904-44830a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472290","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17754","object_relation":"size-in-bytes","value":"63950","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17755","name":"file","meta-category":"file","description":"File object describing a file with meta-information","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"17","event_id":"7721","uuid":"5d9b817a-8320-4f3b-afee-43650a2fe004","timestamp":"1570472314","distribution":"5","sharing_group_id":"0","comment":"Exchange DB file from trickbot","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824888","type":"malware-sample","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b817a-6ea0-47b0-a1a3-47a00a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17755","object_relation":"malware-sample","value":"grabber_temp.INTEG.RAW|b65e8c666af6ff39c67552e0c98f55d5","Galaxy":[],"ShadowAttribute":[]},{"id":"1824889","type":"filename","category":"Artifacts dropped","to_ids":false,"uuid":"5d9b817a-53e4-4d92-9256-4c0c0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17755","object_relation":"filename","value":"grabber_temp.INTEG.RAW","Galaxy":[],"ShadowAttribute":[]},{"id":"1824890","type":"md5","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b817a-44f0-4c37-95f3-46e60a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17755","object_relation":"md5","value":"b65e8c666af6ff39c67552e0c98f55d5","Galaxy":[],"ShadowAttribute":[]},{"id":"1824891","type":"sha1","category":"Artifacts dropped","to_ids":true,"uuid":"5d9b817a-6698-4f70-97c0-4a940a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17755","object_relation":"sha1","value":"844ce6691b66a81237a592ec6bd2c59c8dbd52a0","Galaxy":[],"ShadowAttribute":[]},{"id":"1824892","type":"sha256","category":"Artifacts 
dropped","to_ids":true,"uuid":"5d9b817a-dedc-4ee0-85b5-46f60a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17755","object_relation":"sha256","value":"2826263cc5a3199167970f988c628c177ec45cee60618ae40e9fe84ec9167b73","Galaxy":[],"ShadowAttribute":[]},{"id":"1824893","type":"size-in-bytes","category":"Other","to_ids":false,"uuid":"5d9b817a-cc38-4f34-8da2-4e8d0a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472314","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17755","object_relation":"size-in-bytes","value":"138246","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17756","name":"ip-port","meta-category":"network","description":"An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.","template_uuid":"9f8cea74-16fe-4968-a2b4-026676949ac6","template_version":"8","event_id":"7721","uuid":"5d9b8302-b1ec-49b1-8c31-46d50a2fe004","timestamp":"1570472706","distribution":"5","sharing_group_id":"0","comment":"Cobalt Strike C2 Server","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824894","type":"port","category":"Network activity","to_ids":false,"uuid":"5d9b8302-1ecc-493a-b7fd-41d70a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472706","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17756","object_relation":"dst-port","value":"443","Galaxy":[],"ShadowAttribute":[]},{"id":"1824895","type":"ip-dst","category":"Network 
activity","to_ids":true,"uuid":"5d9b8302-fea8-4074-a5f1-4d020a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472706","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17756","object_relation":"ip","value":"144.202.75.93","Galaxy":[],"ShadowAttribute":[]}]},{"id":"17757","name":"ip-port","meta-category":"network","description":"An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.","template_uuid":"9f8cea74-16fe-4968-a2b4-026676949ac6","template_version":"8","event_id":"7721","uuid":"5d9b8343-9d98-442f-b331-4a9a0a2fe004","timestamp":"1570472771","distribution":"5","sharing_group_id":"0","comment":"Powershell Empire C2","deleted":false,"ObjectReference":[],"Attribute":[{"id":"1824896","type":"port","category":"Network activity","to_ids":false,"uuid":"5d9b8343-c774-4cf8-a1d1-4c930a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472771","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"17757","object_relation":"dst-port","value":"443","Galaxy":[],"ShadowAttribute":[]},{"id":"1824897","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5d9b8343-6770-4d3d-b8a0-42a60a2fe004","event_id":"7721","distribution":"5","timestamp":"1570472771","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"17757","object_relation":"ip","value":"91.200.102.245","Galaxy":[],"ShadowAttribute":[]}]}],"Tag":[{"id":"755","name":"emotet","colour":"#000000","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"4","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"562","name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - 
T1193\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"737","name":"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"820","name":"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"569","name":"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"738","name":"misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"741","name":"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys \/ Startup Folder - T1060\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"436","name":"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"952","name":"misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"980","name":"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"959","name":"misp-galaxy:mitre-attack-pattern=\"System Owner\/User Discovery - T1033\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"834","name":"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"840","name":"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - 
T1071\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"841","name":"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"981","name":"misp-galaxy:mitre-tool=\"Empire - S0363\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"42","name":"misp-galaxy:tool=\"Emotet\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"982","name":"misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"740","name":"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"942","name":"misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null}]}}]}