{
"type": "bundle",
"id": "bundle--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"spec_version": "2.0",
"objects": [
{
"type": "report",
"id": "report--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-10-16T14:05:19.334Z",
"name": "OilRig",
"description": "OilRig is a threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.",
"published": "2018-10-16T14:05:19.334Z",
"object_refs": [
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"report--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"report--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"report--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"report--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
],
"labels": [
"intrusion-set"
]
},
{
"type": "intrusion-set",
"id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "OilRig"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:40.572Z",
"name": "T1386: Authorized user performs requested cyber action",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "compromise"
},
{
"kill_chain_name": "lockheed",
"phase_name": "exploitation"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1386",
"external_id": "T1386"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:35:06.609Z",
"name": "T1053: Scheduled Task",
"description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053",
"external_id": "T1053"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/557.html",
"external_id": "CAPEC-557"
},
{
"source_name": "TechNet Task Scheduler Security",
"url": "https://technet.microsoft.com/en-us/library/cc785125.aspx",
"description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016."
},
{
"source_name": "TechNet Autoruns",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016."
},
{
"source_name": "Twitter Leoloobeek Scheduled Task",
"url": "https://twitter.com/leoloobeek/status/939248813465853953",
"description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017."
},
{
"source_name": "TechNet Forum Scheduled Task Operational Setting",
"url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen",
"description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017."
},
{
"source_name": "TechNet Scheduled Task Events",
"url": "https://technet.microsoft.com/library/dd315590.aspx",
"description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:31:58.905Z",
"name": "T1093: Process Hollowing",
"description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Endgame Process Injection July 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1093",
"external_id": "T1093"
},
{
"source_name": "Leitch Hollowing",
"url": "http://www.autosectools.com/process-hollowing.pdf",
"description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014."
},
{
"source_name": "Endgame Process Injection July 2017",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:42.344Z",
"name": "T1008: Fallback Channels",
"description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1008",
"external_id": "T1008"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:40.713Z",
"name": "T1082: System Information Discovery",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n### Windows\n\nExample commands and utilities that obtain this information include ver, [Systeminfo](https://attack.mitre.org/software/S0096), and dir within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1082",
"external_id": "T1082"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/311.html",
"external_id": "CAPEC-311"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:43.147Z",
"name": "T1094: Custom Command and Control Protocol",
"description": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Standard Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1094",
"external_id": "T1094"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:33.618Z",
"name": "T1016: System Network Configuration Discovery",
"description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1016",
"external_id": "T1016"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/309.html",
"external_id": "CAPEC-309"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:45.990Z",
"name": "T1367: Spear phishing messages with malicious attachments",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "launch"
},
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1367",
"external_id": "T1367"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:55.156Z",
"name": "T1069: Permission Groups Discovery",
"description": "Adversaries may attempt to find local system or domain-level groups and permissions settings. \n\n### Windows\n\nExamples of commands that can list groups are net group /domain and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility.\n\n### Mac\n\nOn Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.\n\n### Linux\n\nOn Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1069",
"external_id": "T1069"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/576.html",
"external_id": "CAPEC-576"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:29.528Z",
"name": "T1057: Process Discovery",
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the ps command.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1057",
"external_id": "T1057"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/573.html",
"external_id": "CAPEC-573"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:57.266Z",
"name": "T1074: Data Staged",
"description": "Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).\n\nInteractive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1074",
"external_id": "T1074"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:49.016Z",
"name": "T1071: Standard Application Layer Protocol",
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1071",
"external_id": "T1071"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:32.000Z",
"name": "T1087: Account Discovery",
"description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.\n\nAlso, groups can be enumerated through the groups and id commands.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087",
"external_id": "T1087"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/575.html",
"external_id": "CAPEC-575"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:31.026Z",
"name": "T1033: System Owner/User Discovery",
"description": "### Windows\n\nAdversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.\n\n### Mac\n\nOn Mac, the currently logged in user can be identified with users,w, and who.\n\n### Linux\n\nOn Linux, the currently logged in user can be identified with w and who.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1033",
"external_id": "T1033"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/577.html",
"external_id": "CAPEC-577"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:31:54.582Z",
"name": "T1068: Exploitation for Privilege Escalation",
"description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1068",
"external_id": "T1068"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/69.html",
"external_id": "CAPEC-69"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "indicator",
"id": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "systeminfo",
"pattern": "[process:command_line = 'systeminfo']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "n.n.c.%.cdnmsnupdate.com",
"pattern": "[domain-name:value LIKE 'n.n.c.%.cdnmsnupdate.com']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ipconfig /all",
"pattern": "[process:command_line = 'ipconfig /all']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-11-05T19:56:08.027Z",
"name": "81230c13aeaccc4a1b1b514559525ba6239834773c0cc4cafd88e1e06b9b6e3c",
"pattern": "[file:hashes.'SHA-256' = '81230c13aeaccc4a1b1b514559525ba6239834773c0cc4cafd88e1e06b9b6e3c']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "a67d:db8:85a3:4325:7654:8a2a:370:7334",
"pattern": "[domain-name:resolves_to_refs[*].value = 'a67d:db8:85a3:4325:7654:8a2a:370:7334']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "netstat -an",
"pattern": "[process:command_line = 'netstat -an']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--5fcecf74-b682-4781-904d-f261f101282b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "481dae0dd9522a3de3f93ee4e54b48bc81e564f31cb11c643890dcee1671dfa9",
"pattern": "[file:hashes.'SHA-256' = '481dae0dd9522a3de3f93ee4e54b48bc81e564f31cb11c643890dcee1671dfa9']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net group /domain",
"pattern": "[process:command_line = 'net group /domain']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "tasklist",
"pattern": "[process:command_line = 'tasklist']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "\\\\\\\\Temp\\\\\\\\runlog%.tmp",
"pattern": "[file:name LIKE '\\\\\\\\Temp\\\\\\\\runlog%.tmp']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value = '/action2/']",
"pattern": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value = '/action2/']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net user",
"pattern": "[process:command_line = 'net user']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "http://www.msoffice-cdn.com/updatecdnsrv/prelocated/owa/auth/template.rtf",
"pattern": "[url:value = 'http://www.msoffice-cdn.com/updatecdnsrv/prelocated/owa/auth/template.rtf']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net user /domain",
"pattern": "[process:command_line = 'net user /domain']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "relationship",
"id": "relationship--41efb691-eea7-4f15-9c25-d9dbdb7e991e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--102c9f05-756e-412f-9fc2-d59a2f055e47",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--d3b4ab75-10fd-4373-9a46-1ebe9a13800b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--cb25d6b0-4953-4854-9937-eef5828d23fc",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--b3a74588-3273-4d8d-9751-06e0548d7269",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--89696ae6-9dc7-4ce0-a8e1-77c0f110f793",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--98857351-247b-4a37-825f-d339b4c8bf4f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--5fcecf74-b682-4781-904d-f261f101282b",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--c97a139d-18fe-4902-a46b-686002573966",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--ca74c75e-b861-4b54-b4f2-812d39e92c5e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--832a5d5b-6e8a-4ff4-b320-08ea09b6fc5c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--1f7cadc7-e1c3-47cd-afb0-b98c93ccb965",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--6e8b68d8-b954-49ba-b96f-af4537633457",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--8a229436-835d-4d5f-90ed-d26c4517c835",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--931398d5-ff3b-4626-a64a-58fdd9862a3f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861",
"target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb"
},
{
"type": "relationship",
"id": "relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 reports back system information ",
"source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"type": "relationship",
"id": "relationship--fb67941d-e8c0-48e1-a553-9ea87c850994",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses DNS tunneling",
"source_ref": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"type": "relationship",
"id": "relationship--dfcd4fbd-1c9f-4955-8237-0c863dd576a7",
"relationship_type": "uses",
"description": "ISMAgent C2 check host network configuration",
"source_ref": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"type": "relationship",
"id": "relationship--fc89865d-5e2b-4d51-8ff3-25c8c5de8e23",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-11-05T19:55:59.873Z",
"relationship_type": "uses",
"description": "Attachment hash",
"source_ref": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--c928c66a-c17b-48e9-a88b-d3958a0a3a09",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses DNS tunneling",
"source_ref": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"type": "relationship",
"id": "relationship--874395b6-5a6f-49b1-ad27-1680a6566919",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 check host network configuration",
"source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"type": "relationship",
"id": "relationship--fc6c7958-3fb4-42f6-ae1c-c5ff79ac7ecb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Attachment hash",
"source_ref": "indicator--5fcecf74-b682-4781-904d-f261f101282b",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--8e293418-fbe5-4ebe-894a-320391c18c11",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 checks the current user's domain account and group",
"source_ref": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4",
"target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce"
},
{
"type": "relationship",
"id": "relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T14:20:40.294Z",
"relationship_type": "uses",
"description": "ISMAgent C2 runs the tasklist command",
"source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"type": "relationship",
"id": "relationship--51ce57cc-33c5-43ba-879a-32a32ed09d72",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent saves files to a specific directory that contain data to exfil to C2",
"source_ref": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
{
"type": "relationship",
"id": "relationship--062079ac-7bd7-45b5-bc97-b234e4d84fc4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses HTTP and DNS for C2",
"source_ref": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5",
"target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
{
"type": "relationship",
"id": "relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 checks local users and groups via the net application",
"source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
{
"type": "relationship",
"id": "relationship--450c6745-0fa7-4773-8a98-4d7f982a9209",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 checks local users and groups via the net application",
"source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104"
},
{
"type": "relationship",
"id": "relationship--4e502b39-2e6e-4038-9359-d3e6ecf38ec7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Exploits CVE-2017-0199",
"source_ref": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa",
"target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839"
},
{
"type": "relationship",
"id": "relationship--176f8da5-e078-4cb7-867c-0a807281b7e6",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 checks local users and groups via the net application",
"source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861",
"target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce"
},
{
"type": "relationship",
"id": "relationship--742a1fa0-c425-4972-83d5-603f56dd7932",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "ISMAgent C2 checks local users and groups via the net application",
"source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861",
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
{
"type": "relationship",
"id": "relationship--fbe5dc4c-a80c-4883-8499-96e148223061",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa"
},
{
"type": "relationship",
"id": "relationship--de68c70f-1e7b-4188-889d-adc0c03c6122",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
{
"type": "relationship",
"id": "relationship--06cafa2f-85d6-43bb-8527-ede8377c0860",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21"
},
{
"type": "relationship",
"id": "relationship--6339b9fc-6595-4da0-98de-171d86decc16",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433"
},
{
"type": "relationship",
"id": "relationship--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
},
{
"type": "relationship",
"id": "relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"type": "relationship",
"id": "relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"type": "relationship",
"id": "relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"type": "relationship",
"id": "relationship--e24a9f99-cb76-42a3-a50b-464668773e97",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--15dbf668-795c-41e6-8219-f0447c0e64ce",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce"
},
{
"type": "relationship",
"id": "relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"type": "relationship",
"id": "relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
{
"type": "relationship",
"id": "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
{
"type": "relationship",
"id": "relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
{
"type": "relationship",
"id": "relationship--03d7999c-1f4c-42cc-8373-e7690d318104",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104"
},
{
"type": "relationship",
"id": "relationship--b21c3b2d-02e6-45b1-980b-e69051040839",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839"
},
{
"type": "report",
"id": "report--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "second",
"published": "2018-08-03T20:30:50.665Z",
"object_refs": [
"campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8",
"indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6",
"indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010",
"indicator--e12c095d-899f-415b-a29b-eeb6f630db70",
"indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"indicator--5fcecf74-b682-4781-904d-f261f101282b",
"indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4",
"indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9",
"indicator--559172a7-fc70-4d25-8ffe-803ce24929a5",
"indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"indicator--2bc55d71-48a5-4921-854e-351f762e24aa",
"indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861",
"attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21",
"attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97",
"attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
"attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
"relationship--41efb691-eea7-4f15-9c25-d9dbdb7e991e",
"relationship--102c9f05-756e-412f-9fc2-d59a2f055e47",
"relationship--d3b4ab75-10fd-4373-9a46-1ebe9a13800b",
"relationship--cb25d6b0-4953-4854-9937-eef5828d23fc",
"relationship--b3a74588-3273-4d8d-9751-06e0548d7269",
"relationship--89696ae6-9dc7-4ce0-a8e1-77c0f110f793",
"relationship--98857351-247b-4a37-825f-d339b4c8bf4f",
"relationship--c97a139d-18fe-4902-a46b-686002573966",
"relationship--ca74c75e-b861-4b54-b4f2-812d39e92c5e",
"relationship--832a5d5b-6e8a-4ff4-b320-08ea09b6fc5c",
"relationship--1f7cadc7-e1c3-47cd-afb0-b98c93ccb965",
"relationship--6e8b68d8-b954-49ba-b96f-af4537633457",
"relationship--8a229436-835d-4d5f-90ed-d26c4517c835",
"relationship--931398d5-ff3b-4626-a64a-58fdd9862a3f",
"relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c",
"relationship--fb67941d-e8c0-48e1-a553-9ea87c850994",
"relationship--dfcd4fbd-1c9f-4955-8237-0c863dd576a7",
"relationship--fc89865d-5e2b-4d51-8ff3-25c8c5de8e23",
"relationship--c928c66a-c17b-48e9-a88b-d3958a0a3a09",
"relationship--874395b6-5a6f-49b1-ad27-1680a6566919",
"relationship--fc6c7958-3fb4-42f6-ae1c-c5ff79ac7ecb",
"relationship--8e293418-fbe5-4ebe-894a-320391c18c11",
"relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96",
"relationship--51ce57cc-33c5-43ba-879a-32a32ed09d72",
"relationship--062079ac-7bd7-45b5-bc97-b234e4d84fc4",
"relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d",
"relationship--450c6745-0fa7-4773-8a98-4d7f982a9209",
"relationship--4e502b39-2e6e-4038-9359-d3e6ecf38ec7",
"relationship--176f8da5-e078-4cb7-867c-0a807281b7e6",
"relationship--742a1fa0-c425-4972-83d5-603f56dd7932",
"relationship--fbe5dc4c-a80c-4883-8499-96e148223061",
"relationship--de68c70f-1e7b-4188-889d-adc0c03c6122",
"relationship--06cafa2f-85d6-43bb-8527-ede8377c0860",
"relationship--6339b9fc-6595-4da0-98de-171d86decc16",
"relationship--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"relationship--e24a9f99-cb76-42a3-a50b-464668773e97",
"relationship--15dbf668-795c-41e6-8219-f0447c0e64ce",
"relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"relationship--03d7999c-1f4c-42cc-8373-e7690d318104",
"relationship--b21c3b2d-02e6-45b1-980b-e69051040839"
],
"labels": [
"campaign"
]
},
{
"type": "campaign",
"id": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "second",
"description": "Play based on research discussed at https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
"first_seen": "2017-07-23T00:00:00Z",
"last_seen": "2017-08-29T00:00:00Z"
},
{
"type": "attack-pattern",
"id": "attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:47.782Z",
"name": "T1024: Custom Cryptographic Protocol",
"description": "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.\n\nCustom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.\n\nSome adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1024",
"external_id": "T1024"
},
{
"source_name": "F-Secure Cosmicduke",
"url": "https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf",
"description": "F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014."
},
{
"source_name": "Fidelis DarkComet",
"url": "https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf",
"description": "Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for a DarkComet. Retrieved April 5, 2016."
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:10.599Z",
"name": "T1132: Data Encoding",
"description": "Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. (Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1132",
"external_id": "T1132"
},
{
"source_name": "Wikipedia Binary-to-text Encoding",
"url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding",
"description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017."
},
{
"source_name": "Wikipedia Character Encoding",
"url": "https://en.wikipedia.org/wiki/Character_encoding",
"description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017."
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:23.644Z",
"name": "T1105: Remote File Copy",
"description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\n\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
},
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1105",
"external_id": "T1105"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:20.449Z",
"name": "T1059: Command-Line Interface",
"description": "Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059",
"external_id": "T1059"
},
{
"source_name": "Wikipedia Command-Line Interface",
"url": "https://en.wikipedia.org/wiki/Command-line_interface",
"description": "Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:48.273Z",
"name": "T1041: Exfiltration Over Command and Control Channel",
"description": "Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1041",
"external_id": "T1041"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "indicator",
"id": "indicator--df6e4110-8f96-4388-a418-8f8418e107ba",
"created": "2018-01-18T22:17:37.829Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "www.msoffice365cdn.com",
"pattern": "[domain-name:value = 'www.msoffice365cdn.com']",
"valid_from": "2018-01-18T22:17:37.829Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2590acbe-216e-48db-82fe-44d50b5ec519",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "1eb0d27515161fff05357c2a4770a9de3a807a620fe160b40ac86e93c67511c8",
"pattern": "[file:hashes.'SHA-256' = '1eb0d27515161fff05357c2a4770a9de3a807a620fe160b40ac86e93c67511c8']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ46696C652055706C6F61646564')]",
"pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ46696C652055706C6F61646564')]",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--a0012b87-ad05-4c74-a014-9957d1795397",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[file:name = 'Seminar-Invitation.doc' AND email:subject = 'Beirut Insurance Seminar Invitation']",
"pattern": "[file:name = 'Seminar-Invitation.doc' AND email:subject = 'Beirut Insurance Seminar Invitation']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[domain-name:value = 'www.msoffice365cdn.com' AND (http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '/what?' OR http-request-ext:request_value LIKE '/chk?'))]",
"pattern": "[domain-name:value = 'www.msoffice365cdn.com' AND (http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '/what?' OR http-request-ext:request_value LIKE '/chk?'))]",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b",
"created": "2018-01-26T16:53:32.415Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "ec3f55cac3e8257d6d48e5d543db758fed7d267f14f63a6a5d98ba7a0fab6870",
"pattern": "[file:hashes.'SHA-256' = 'ec3f55cac3e8257d6d48e5d543db758fed7d267f14f63a6a5d98ba7a0fab6870']",
"valid_from": "2018-01-26T16:53:32.415Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 1 /TN%' AND process:command_line LIKE '%cmd.exe /c Certutil -decode %appdata%\\\\Base.txt%']",
"pattern": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 1 /TN%' AND process:command_line LIKE '%cmd.exe /c Certutil -decode %appdata%\\\\Base.txt%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ3C2046696C65204E6F7420466F756E64203E' )]",
"pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ3C2046696C65204E6F7420466F756E64203E' )]",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 2 /TN%' AND process:command_line LIKE '%wscript %appdata%\\\\chkSrv.vbs%']",
"pattern": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 2 /TN%' AND process:command_line LIKE '%wscript %appdata%\\\\chkSrv.vbs%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%ABZFinish' )]",
"pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%ABZFinish' )]",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "relationship",
"id": "relationship--70ce103c-4360-4c8a-abde-63591527c5a1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--df6e4110-8f96-4388-a418-8f8418e107ba",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--04849e13-75ca-4efa-bafb-bc8cc1825a77",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2590acbe-216e-48db-82fe-44d50b5ec519",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--ef02aa8d-cf3d-4426-881b-6a4d6ed07a82",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--22b09015-9ae3-4b16-8a89-954ab6a065ce",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--a0012b87-ad05-4c74-a014-9957d1795397",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--9cec34a5-ab91-490e-8bbb-8482cfb6e8f1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--76c8e37a-4ed8-4609-a555-dd0280d8e54c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--c1bcd7e8-889e-4fa1-8f1d-294232de6c09",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--fd03c24c-7334-472f-8f8a-2941e34a7e47",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--e886c2be-b2d0-44b8-9fd0-3f7810a8fed1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--cf1c7aee-2def-4d8d-9f9a-d10c65a33fd8",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771",
"target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455"
},
{
"type": "relationship",
"id": "relationship--008da2c6-0d38-449c-8a36-3d7b0d815ac0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses HTTP for C2",
"source_ref": "indicator--df6e4110-8f96-4388-a418-8f8418e107ba",
"target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
{
"type": "relationship",
"id": "relationship--1f3260dd-efff-4dcd-8f15-8182fa2c70c2",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Macro hash",
"source_ref": "indicator--2590acbe-216e-48db-82fe-44d50b5ec519",
"target_ref": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa"
},
{
"type": "relationship",
"id": "relationship--4eeb79d6-f779-4cf6-9901-8ce3ba3d9a16",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Exfiltrates data to C2 over HTTP channel",
"source_ref": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d"
},
{
"type": "relationship",
"id": "relationship--1b6e1fa9-5e7d-456e-a668-bdb9d5192e08",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Email attachment and subject",
"source_ref": "indicator--a0012b87-ad05-4c74-a014-9957d1795397",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--19ce8250-86e1-4279-b023-cbb787365eeb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses HTTP for C2",
"source_ref": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0",
"target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
{
"type": "relationship",
"id": "relationship--4e465efc-850a-4aed-9bd0-dd8ecfa55f68",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Attachment hash",
"source_ref": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--17e8782b-ed62-4d33-901d-e023b2b1b946",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Tasks created by malicious macro to automatically run OopsIE every n minutes.",
"source_ref": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9",
"target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
{
"type": "relationship",
"id": "relationship--c9c52d19-7e21-4de2-8e63-968b8ef51f9b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Exfiltrates data to C2 over HTTP channel",
"source_ref": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d"
},
{
"type": "relationship",
"id": "relationship--ed8b1668-7a2d-4537-a24a-99ae0faee4ab",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Tasks created by malicious macro to automatically run OopsIE every n minutes.",
"source_ref": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737",
"target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
{
"type": "relationship",
"id": "relationship--51372409-6c33-4b17-a5fb-1193c80b15a9",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Exfiltrates data to C2 over HTTP channel",
"source_ref": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d"
},
{
"type": "relationship",
"id": "relationship--18984045-bb93-45ac-b8d5-2895044e3b01",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
{
"type": "relationship",
"id": "relationship--59fb94fd-a2ac-4df8-ae7d-8a96f07d65d4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
{
"type": "relationship",
"id": "relationship--8c7819b0-d3b4-4a0a-be71-e6ed6c230513",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"type": "relationship",
"id": "relationship--70893e8f-6c9e-4e7f-a424-4e7df9eea046",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830"
},
{
"type": "relationship",
"id": "relationship--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
},
{
"type": "relationship",
"id": "relationship--0440f60f-9056-4791-a740-8eae96eb61fa",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa"
},
{
"type": "relationship",
"id": "relationship--92d7da27-2d91-488e-a00c-059dc162766d",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d"
},
{
"type": "relationship",
"id": "relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
{
"type": "report",
"id": "report--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "Trips_right__slip_screen",
"published": "2018-08-03T20:30:50.665Z",
"object_refs": [
"campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"indicator--df6e4110-8f96-4388-a418-8f8418e107ba",
"indicator--2590acbe-216e-48db-82fe-44d50b5ec519",
"indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42",
"indicator--a0012b87-ad05-4c74-a014-9957d1795397",
"indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0",
"indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b",
"indicator--8e3da953-ff61-4520-893f-afefe7d145e9",
"indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136",
"indicator--e28f89fe-377d-44cf-a486-e8b84af20737",
"indicator--91afba2e-8721-4751-abb5-89e4ea75d771",
"attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97",
"attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"relationship--70ce103c-4360-4c8a-abde-63591527c5a1",
"relationship--04849e13-75ca-4efa-bafb-bc8cc1825a77",
"relationship--ef02aa8d-cf3d-4426-881b-6a4d6ed07a82",
"relationship--22b09015-9ae3-4b16-8a89-954ab6a065ce",
"relationship--9cec34a5-ab91-490e-8bbb-8482cfb6e8f1",
"relationship--76c8e37a-4ed8-4609-a555-dd0280d8e54c",
"relationship--c1bcd7e8-889e-4fa1-8f1d-294232de6c09",
"relationship--fd03c24c-7334-472f-8f8a-2941e34a7e47",
"relationship--e886c2be-b2d0-44b8-9fd0-3f7810a8fed1",
"relationship--cf1c7aee-2def-4d8d-9f9a-d10c65a33fd8",
"relationship--008da2c6-0d38-449c-8a36-3d7b0d815ac0",
"relationship--1f3260dd-efff-4dcd-8f15-8182fa2c70c2",
"relationship--4eeb79d6-f779-4cf6-9901-8ce3ba3d9a16",
"relationship--1b6e1fa9-5e7d-456e-a668-bdb9d5192e08",
"relationship--19ce8250-86e1-4279-b023-cbb787365eeb",
"relationship--4e465efc-850a-4aed-9bd0-dd8ecfa55f68",
"relationship--17e8782b-ed62-4d33-901d-e023b2b1b946",
"relationship--c9c52d19-7e21-4de2-8e63-968b8ef51f9b",
"relationship--ed8b1668-7a2d-4537-a24a-99ae0faee4ab",
"relationship--51372409-6c33-4b17-a5fb-1193c80b15a9",
"relationship--18984045-bb93-45ac-b8d5-2895044e3b01",
"relationship--59fb94fd-a2ac-4df8-ae7d-8a96f07d65d4",
"relationship--8c7819b0-d3b4-4a0a-be71-e6ed6c230513",
"relationship--70893e8f-6c9e-4e7f-a424-4e7df9eea046",
"relationship--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"relationship--0440f60f-9056-4791-a740-8eae96eb61fa",
"relationship--92d7da27-2d91-488e-a00c-059dc162766d",
"relationship--e24a9f99-cb76-42a3-a50b-464668773e97",
"relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
],
"labels": [
"campaign"
]
},
{
"type": "campaign",
"id": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "Trips_right__slip_screen",
"description": "",
"first_seen": "2018-01-08T00:00:00Z",
"last_seen": "2018-02-01T00:00:00Z"
},
{
"type": "attack-pattern",
"id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:07.364Z",
"name": "T1119: Automated Collection",
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Remote File Copy](https://attack.mitre.org/techniques/T1105) to identify and move files.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1119",
"external_id": "T1119"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:03.558Z",
"name": "T1012: Query Registry",
"description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1012",
"external_id": "T1012"
},
{
"source_name": "Wikipedia Windows Registry",
"url": "https://en.wikipedia.org/wiki/Windows_Registry",
"description": "Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "indicator",
"id": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "reg query HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default",
"pattern": "[process:command_line = 'reg query HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[file:name = 'ReportSample.xls' AND email:subject = 'FW: MOI Registration - alrajhi application [Report Form]']",
"pattern": "[file:name = 'ReportSample.xls' AND email:subject = 'FW: MOI Registration - alrajhi application [Report Form]']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net group Exchange Trusted Subsystem /domain",
"pattern": "[process:command_line = 'net group Exchange Trusted Subsystem /domain']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb",
"created": "2018-05-30T19:51:58.430Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e",
"pattern": "[file:hashes.'SHA-256' = 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e']",
"valid_from": "2018-05-30T19:51:58.430Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "sc query",
"pattern": "[process:command_line = 'sc query']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "%.go0gIe.com",
"pattern": "[domain-name:value LIKE '%.go0gIe.com']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value LIKE '/sysupdate.aspx?req=' AND http-request-ext:request_value LIKE '%5Cbat&m=d']",
"pattern": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value LIKE '/sysupdate.aspx?req=' AND http-request-ext:request_value LIKE '%5Cbat&m=d']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net group domain admins /domain",
"pattern": "[process:command_line = 'net group domain admins /domain']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[(file:name = 'Issue-doc.zip' OR file:name = 'Issue-doc1.zip') AND (email:subject = 'Importan Issue' OR email:subject = 'Important Issue')]",
"pattern": "[(file:name = 'Issue-doc.zip' OR file:name = 'Issue-doc1.zip') AND (email:subject = 'Importan Issue' OR email:subject = 'Important Issue')]",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "net accounts /domain",
"pattern": "[process:command_line = 'net accounts /domain']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "whoami",
"pattern": "[process:command_line = 'whoami']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "%Public%\\\\Libraries\\\\tp",
"pattern": "[directory:path = '%Public%\\\\Libraries\\\\tp']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "schtasks.exe /create /F /sc minute /mo 3 /tn GoogleUpdateTaskMachineUI /tr Users\\\\Public\\\\Libraries\\\\update.vbs",
"pattern": "[process:command_line = 'schtasks.exe /create /F /sc minute /mo 3 /tn GoogleUpdateTaskMachineUI /tr Users\\\\Public\\\\Libraries\\\\update.vbs']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-22T19:51:21.715Z",
"name": "88.88.88.88",
"pattern": "[domain-name:resolves_to_refs[*].value = '88.88.88.88']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "relationship",
"id": "relationship--1753a9b0-9ce7-40f2-abfc-9cbdd111c1a9",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--e4a35d4e-1942-4dd8-a5bc-4908c4ff5649",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--7a090b7e-66a8-49b1-8b83-41ba7f9474ee",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--58eb7e95-bc30-4658-a50c-eb9d044bc4d4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--d9f1147f-d336-467e-a7d2-40fc8fbcb818",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--ad0aadbf-b691-4bf3-b26f-c5e505a553d0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--ae847f0d-c6e0-4344-abe4-3a14d7c4e818",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--f0a81c5b-9be4-4471-a400-e25558aa6c84",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--3abed9e3-31c2-47da-9967-482c8f6bf2e4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--3a3f4a27-177e-4128-be8c-a54f7535e6bf",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--d0618c38-8036-4f51-964a-0162cd2132e6",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--d97d8d18-4a5f-4e76-9ae7-54b14b5d3b1f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--72020d0d-b6dd-4369-85b6-a294fde2b922",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--098b5e44-9cf7-4fe6-9bab-cb443e7d352e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--f85a48f8-cc16-4676-bf61-27934057174f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--ea9fbaed-5cd1-4fdb-999f-a3980c43c506",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--3563da55-300f-46e8-bc8a-fd9d910e4aed",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--6846ada7-0a47-48ac-89f6-df9deb5d00b4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c"
},
{
"type": "relationship",
"id": "relationship--127390be-0ff7-4f80-8a26-6bcac47581f5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth checks registry to see if RDP is enabled on the system",
"source_ref": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9",
"target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
{
"type": "relationship",
"id": "relationship--74d509af-2231-4fd6-a0de-1808e3881aa2",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Sender addresses common strings used in body",
"source_ref": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--91b32542-ec28-4df5-8c6f-e1e7024d974b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth C2 checks for the local admin group domain admin group and exchange trusted subsystem group",
"source_ref": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5",
"target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce"
},
{
"type": "relationship",
"id": "relationship--07f24187-e3d2-4b5e-a46d-c7f0e01109b3",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Sender addresses common strings used in body",
"source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--365e252d-d64f-477d-9f21-e171ff5c6485",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth C2 reports back system information",
"source_ref": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"type": "relationship",
"id": "relationship--adf368c8-b965-4554-943c-291e77a226cb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses DNS tunneling",
"source_ref": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"type": "relationship",
"id": "relationship--22a6c66b-08b3-49ff-a5e3-af9063a2d609",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Standard Application Layer Protocol",
"source_ref": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9",
"target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
{
"type": "relationship",
"id": "relationship--741c9fc7-da67-4f53-82bd-74876ab07ebb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth C2 checks for the local admin group domain admin group and exchange trusted subsystem group",
"source_ref": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd",
"target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce"
},
{
"type": "relationship",
"id": "relationship--ad27b1d4-e78a-48eb-9b81-f0d6e9033aa6",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Attachment names and email subjects",
"source_ref": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86",
"target_ref": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97"
},
{
"type": "relationship",
"id": "relationship--b99c7a27-ba87-42ca-9af6-7d29be9274df",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth C2 checks local users and groups via the net application",
"source_ref": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81",
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
{
"type": "relationship",
"id": "relationship--e777e1ca-7852-4827-9024-a8a4dfd7c05b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth C2 checks local users and groups via the net application",
"source_ref": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d",
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
{
"type": "relationship",
"id": "relationship--ece9acf9-34a3-4dd8-b434-a294a086ce3a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Helminth saves files to a specific directory that contain data to exfil to C2",
"source_ref": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
{
"type": "relationship",
"id": "relationship--07d1feb5-6575-40ac-8df0-9b7c169a2b29",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Tasks created by Clayslide to automatically run Helminth every n minutes.",
"source_ref": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a",
"target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
{
"type": "relationship",
"id": "relationship--b6080c1b-48c1-49f7-8b1e-11fade37f627",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Uses DNS tunneling",
"source_ref": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"type": "relationship",
"id": "relationship--8a7f1679-bd76-4ef0-bcf5-9e596bcd4ae6",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433"
},
{
"type": "relationship",
"id": "relationship--f54a6555-6741-4a40-9690-7744eb95d40d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"target_ref": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa"
},
{
"type": "relationship",
"id": "relationship--19f310d3-6ddd-4aa0-9a34-9c691dc3facf",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619"
},
{
"type": "relationship",
"id": "relationship--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
},
{
"type": "relationship",
"id": "relationship--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
{
"type": "report",
"id": "report--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "first",
"published": "2018-08-03T20:30:50.665Z",
"object_refs": [
"campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374",
"indicator--d3df5939-91b1-4042-9ab8-d4843028a60c",
"indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9",
"indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de",
"indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea",
"indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5",
"indicator--131a36f4-f5ce-461c-b633-8f555ec191fb",
"indicator--8795c03c-3d57-4402-8ae5-4de697194f90",
"indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a",
"indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9",
"indicator--ec689de0-d752-476f-bbce-7055b192d5fd",
"indicator--882830ad-a601-4405-bab1-54a28ab4bc86",
"indicator--6ab420c2-4bed-4281-9da4-790bf0065e81",
"indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d",
"indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4",
"indicator--cd473c0f-1c24-4b67-800d-7447aec8079a",
"indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766",
"indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b",
"attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97",
"attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
"attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"relationship--1753a9b0-9ce7-40f2-abfc-9cbdd111c1a9",
"relationship--e4a35d4e-1942-4dd8-a5bc-4908c4ff5649",
"relationship--7a090b7e-66a8-49b1-8b83-41ba7f9474ee",
"relationship--58eb7e95-bc30-4658-a50c-eb9d044bc4d4",
"relationship--d9f1147f-d336-467e-a7d2-40fc8fbcb818",
"relationship--ad0aadbf-b691-4bf3-b26f-c5e505a553d0",
"relationship--ae847f0d-c6e0-4344-abe4-3a14d7c4e818",
"relationship--f0a81c5b-9be4-4471-a400-e25558aa6c84",
"relationship--3abed9e3-31c2-47da-9967-482c8f6bf2e4",
"relationship--3a3f4a27-177e-4128-be8c-a54f7535e6bf",
"relationship--d0618c38-8036-4f51-964a-0162cd2132e6",
"relationship--d97d8d18-4a5f-4e76-9ae7-54b14b5d3b1f",
"relationship--72020d0d-b6dd-4369-85b6-a294fde2b922",
"relationship--098b5e44-9cf7-4fe6-9bab-cb443e7d352e",
"relationship--f85a48f8-cc16-4676-bf61-27934057174f",
"relationship--ea9fbaed-5cd1-4fdb-999f-a3980c43c506",
"relationship--3563da55-300f-46e8-bc8a-fd9d910e4aed",
"relationship--6846ada7-0a47-48ac-89f6-df9deb5d00b4",
"relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c",
"relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96",
"relationship--127390be-0ff7-4f80-8a26-6bcac47581f5",
"relationship--874395b6-5a6f-49b1-ad27-1680a6566919",
"relationship--74d509af-2231-4fd6-a0de-1808e3881aa2",
"relationship--91b32542-ec28-4df5-8c6f-e1e7024d974b",
"relationship--07f24187-e3d2-4b5e-a46d-c7f0e01109b3",
"relationship--365e252d-d64f-477d-9f21-e171ff5c6485",
"relationship--adf368c8-b965-4554-943c-291e77a226cb",
"relationship--22a6c66b-08b3-49ff-a5e3-af9063a2d609",
"relationship--741c9fc7-da67-4f53-82bd-74876ab07ebb",
"relationship--ad27b1d4-e78a-48eb-9b81-f0d6e9033aa6",
"relationship--b99c7a27-ba87-42ca-9af6-7d29be9274df",
"relationship--e777e1ca-7852-4827-9024-a8a4dfd7c05b",
"relationship--ece9acf9-34a3-4dd8-b434-a294a086ce3a",
"relationship--07d1feb5-6575-40ac-8df0-9b7c169a2b29",
"relationship--b6080c1b-48c1-49f7-8b1e-11fade37f627",
"relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d",
"relationship--450c6745-0fa7-4773-8a98-4d7f982a9209",
"relationship--8a7f1679-bd76-4ef0-bcf5-9e596bcd4ae6",
"relationship--f54a6555-6741-4a40-9690-7744eb95d40d",
"relationship--19f310d3-6ddd-4aa0-9a34-9c691dc3facf",
"relationship--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"relationship--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"relationship--e24a9f99-cb76-42a3-a50b-464668773e97",
"relationship--15dbf668-795c-41e6-8219-f0447c0e64ce",
"relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"relationship--03d7999c-1f4c-42cc-8373-e7690d318104"
],
"labels": [
"campaign"
]
},
{
"type": "campaign",
"id": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "first",
"description": "Play based on research discussed at https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"first_seen": "2016-05-04T00:00:00Z",
"last_seen": "2017-09-26T00:00:00Z"
},
{
"type": "attack-pattern",
"id": "attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:51.204Z",
"name": "T1107: File Deletion",
"description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1107",
"external_id": "T1107"
},
{
"source_name": "Trend Micro APT Attack Tools",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
"description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:35:00.574Z",
"name": "T1388: Compromise of externally facing system",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "compromise"
},
{
"kill_chain_name": "lockheed",
"phase_name": "exploitation"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1388",
"external_id": "T1388"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:31:52.765Z",
"name": "T1362: Upload, install, and configure software/tools",
"description": "An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "stage-capabilities"
},
{
"kill_chain_name": "lockheed",
"phase_name": "weaponization"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1362",
"external_id": "T1362"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:05.267Z",
"name": "T1374: Credential pharming",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "launch"
},
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1374",
"external_id": "T1374"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:21.453Z",
"name": "T1027: Obfuscated Files or Information",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027",
"external_id": "T1027"
},
{
"source_name": "Volexity PowerDuke November 2016",
"url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
"description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."
},
{
"source_name": "Linux/Cdorked.A We Live Security Analysis",
"url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
"description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017."
},
{
"source_name": "Carbon Black Obfuscation Sept 2016",
"url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
"description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018."
},
{
"source_name": "FireEye Obfuscation June 2017",
"url": "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."
},
{
"source_name": "FireEye Revoke-Obfuscation July 2017",
"url": "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf",
"description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018."
},
{
"source_name": "PaloAlto EncodedCommand March 2017",
"url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018."
},
{
"source_name": "GitHub Revoke-Obfuscation",
"url": "https://github.com/danielbohannon/Revoke-Obfuscation",
"description": "Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018."
},
{
"source_name": "GitHub Office-Crackros Aug 2016",
"url": "https://github.com/itsreallynick/office-crackros",
"description": "Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018."
},
{
"source_name": "Wikipedia Duqu",
"url": "https://en.wikipedia.org/wiki/Duqu",
"description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018."
},
{
"source_name": "McAfee Malicious Doc Targets Pyeongchang Olympics",
"url": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/",
"description": "Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:09.817Z",
"name": "T1099: Timestomp",
"description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1099",
"external_id": "T1099"
},
{
"source_name": "WindowsIR Anti-Forensic Techniques",
"url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html",
"description": "Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:35.513Z",
"name": "T1108: Redundant Access",
"description": "Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network. (Citation: Mandiant APT1)\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1108",
"external_id": "T1108"
},
{
"source_name": "Mandiant APT1",
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"description": "Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:11.490Z",
"name": "T1078: Valid Accounts",
"description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nAdversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1078",
"external_id": "T1078"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/560.html",
"external_id": "CAPEC-560"
},
{
"source_name": "TechNet Credential Theft",
"url": "https://technet.microsoft.com/en-us/library/dn535501.aspx",
"description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016."
},
{
"source_name": "TechNet Audit Policy",
"url": "https://technet.microsoft.com/en-us/library/dn487457.aspx",
"description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:55.530Z",
"name": "T1100: Web Shell",
"description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)\n\nWeb shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1100",
"external_id": "T1100"
},
{
"source_name": "Lee 2013",
"url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."
},
{
"source_name": "US-CERT Alert TA15-314A Web Shells",
"url": "https://www.us-cert.gov/ncas/alerts/TA15-314A",
"description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:32:53.646Z",
"name": "T1003: Credential Dumping",
"description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n \nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)\n \nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003",
"external_id": "T1003"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/567.html",
"external_id": "CAPEC-567"
},
{
"source_name": "Powersploit",
"url": "https://github.com/mattifestation/PowerSploit",
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014."
},
{
"source_name": "Harmj0y Mimikatz and DCSync",
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017."
},
{
"source_name": "ADSecurity Mimikatz DCSync",
"url": "https://adsecurity.org/?p=1729",
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017."
},
{
"source_name": "GitHub Mimikatz lsadump Module",
"url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
"description": "Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017."
},
{
"source_name": "Microsoft DRSR Dec 2017",
"url": "https://msdn.microsoft.com/library/cc228086.aspx",
"description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017."
},
{
"source_name": "Microsoft GetNCCChanges",
"url": "https://msdn.microsoft.com/library/dd207691.aspx",
"description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017."
},
{
"source_name": "Samba DRSUAPI",
"url": "https://wiki.samba.org/index.php/DRSUAPI",
"description": "SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017."
},
{
"source_name": "Wine API samlib.dll",
"url": "https://source.winehq.org/WineAPI/samlib.html",
"description": "Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017."
},
{
"source_name": "InsiderThreat ChangeNTLM July 2017",
"url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM",
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017."
},
{
"source_name": "AdSecurity DCSync Sept 2015",
"url": "https://adsecurity.org/?p=1729",
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017."
},
{
"source_name": "Harmj0y DCSync Sept 2015",
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017."
},
{
"source_name": "Microsoft SAMR",
"url": "https://msdn.microsoft.com/library/cc245496.aspx",
"description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017."
},
{
"source_name": "Microsoft NRPC Dec 2017",
"url": "https://msdn.microsoft.com/library/cc237008.aspx",
"description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017."
},
{
"source_name": "GitHub Creddump7",
"url": "https://github.com/Neohapsis/creddump7",
"description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018."
},
{
"source_name": "Wikipedia Active Directory",
"url": "https://en.wikipedia.org/wiki/Active_Directory",
"description": "Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018."
},
{
"source_name": "Microsoft GPP Key",
"url": "https://msdn.microsoft.com/library/cc422924.aspx",
"description": "Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018."
},
{
"source_name": "SRD GPP",
"url": "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx",
"description": "Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015."
},
{
"source_name": "TechNet Blogs Credential Protection",
"url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/",
"description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018."
},
{
"source_name": "Microsoft CredSSP",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749211(v=ws.10)",
"description": "Microsoft. (2008, July 25). Credential Security Service Provider and SSO for Terminal Services Logon. Retrieved April 11, 2018."
},
{
"source_name": "Obscuresecurity Get-GPPPassword",
"url": "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html",
"description": "Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
},
{
"type": "indicator",
"id": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-22T19:56:25.701Z",
"name": "91.121.237.227",
"pattern": "[ipv4-addr:value = '91.121.237.227']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "my-mailcoil.ml",
"pattern": "[domain-name:value = 'my-mailcoil.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "S64.exe",
"pattern": "[file:name = 'S64.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "499ff5f8fa3a58307142eb0c1794414cdee0ef326a0fc2d1d93d72de1c3e8021",
"pattern": "[file:hashes.'SHA-256' = '499ff5f8fa3a58307142eb0c1794414cdee0ef326a0fc2d1d93d72de1c3e8021']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--b20d9819-1488-4156-aef4-02234af0f67f",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"pattern": "[file:hashes.'SHA-256' = '5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--3c52b486-9d0f-4197-890f-615001e6df35",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "91.121.237.224",
"pattern": "[ipv4-addr:value = '91.121.237.224']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7",
"pattern": "[file:hashes.'SHA-256' = '6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "Local.exe",
"pattern": "[file:name = 'Local.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696",
"pattern": "[file:hashes.'SHA-256' = 'caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--45680f4c-a738-4515-ac9a-7b9852526159",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "O64.exe",
"pattern": "[file:name = 'O64.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e",
"pattern": "[file:hashes.'SHA-256' = '79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--5580c978-1497-40a4-bdc3-756b841776b1",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_header.'Cookie' LIKE '%#tfil#=#c:\\\\windows\\\\temp\\\\Exchange.aspx#|#ttar#=#d:\\\\Program+Files\\\\Microsoft\\\\Exchange+Server\\\\V14\\\\ClientAccess\\\\exchweb\\\\ews\\\\exchange.asmx#|#ttim#=#%']",
"pattern": "[http-request-ext:request_header.'Cookie' LIKE '%#tfil#=#c:\\\\windows\\\\temp\\\\Exchange.aspx#|#ttar#=#d:\\\\Program+Files\\\\Microsoft\\\\Exchange+Server\\\\V14\\\\ClientAccess\\\\exchweb\\\\ews\\\\exchange.asmx#|#ttim#=#%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "9eadfc0fb8cfdb7d3b45060dc9acc97ac430246b7672ee47d0de1fd11ea2c682",
"pattern": "[file:hashes.'SHA-256' = '9eadfc0fb8cfdb7d3b45060dc9acc97ac430246b7672ee47d0de1fd11ea2c682']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = '01.txt']",
"pattern": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = '01.txt']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = 'mic.txt']",
"pattern": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = 'mic.txt']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "d3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31",
"pattern": "[file:hashes.'SHA-256' = 'd3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-22T19:54:58.868Z",
"name": "138.201.209.182",
"pattern": "[ipv4-addr:value = '138.201.209.182']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ManageContent1.aspx",
"pattern": "[file:name = 'ManageContent1.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--ffb49010-2a49-474f-8e10-81c129a94997",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "TrafficHandler.dll",
"pattern": "[file:name = 'TrafficHandler.dll']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1",
"created": "2017-10-09T18:03:03.291Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa",
"pattern": "[file:hashes.'SHA-256' = 'a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa']",
"valid_from": "2017-10-09T18:03:03.291Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "kb-11.exe",
"pattern": "[file:name = 'kb-11.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "O6.exe",
"pattern": "[file:name = 'O6.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "HttpParser.dll",
"pattern": "[file:name = 'HttpParser.dll']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "92.222.209.51",
"pattern": "[ipv4-addr:value = '92.222.209.51']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--793e3414-7023-4bd6-8d03-def9852cee0f",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12",
"pattern": "[file:hashes.'SHA-256' = '5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
"pattern": "[file:hashes.'SHA-256' = '818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_header.'Cookie' LIKE 'pwd=RmVlZE1lIQ==;%']",
"pattern": "[http-request-ext:request_header.'Cookie' LIKE 'pwd=RmVlZE1lIQ==;%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "137.59.229.231",
"pattern": "[ipv4-addr:value = '137.59.229.231']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"pattern": "[file:hashes.'SHA-256' = '6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--52139071-3ddd-4025-85a2-515004370eb1",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "webmail-tidhar-co-il.ml",
"pattern": "[domain-name:value = 'webmail-tidhar-co-il.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
"pattern": "[file:hashes.'SHA-256' = '0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e33849ee-529f-4c5a-ad26-96a190327682",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "kbs.exe",
"pattern": "[file:name = 'kbs.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "logn-micrsftonine-con.ml",
"pattern": "[domain-name:value = 'logn-micrsftonine-con.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "138.201.209.162",
"pattern": "[ipv4-addr:value = '138.201.209.162']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "b4be6518b5d47fbaefc68660d54516140b65e36ebc68d309e39ffc15bbbfc70e",
"pattern": "[file:hashes.'SHA-256' = 'b4be6518b5d47fbaefc68660d54516140b65e36ebc68d309e39ffc15bbbfc70e']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "News1.aspx",
"pattern": "[file:name = 'News1.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "tmperror4.aspx",
"pattern": "[file:name = 'tmperror4.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "PsExec.exe",
"pattern": "[file:name = 'PsExec.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "c:\\\\windows\\\\temp\\\\MicrosoftUpdate.exe p::d s::l q%",
"pattern": "[process:command_line LIKE 'c:\\\\windows\\\\temp\\\\MicrosoftUpdate.exe p::d s::l q%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69",
"pattern": "[file:hashes.'SHA-256' = 'c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68",
"pattern": "[file:hashes.'SHA-256' = 'e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--605f4247-c18d-407d-bf86-9973adf2995f",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "kb.exe",
"pattern": "[file:name = 'kb.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
"pattern": "[file:hashes.'SHA-256' = 'fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc",
"created": "2017-12-21T15:02:26.003Z",
"modified": "2018-08-22T19:53:31.086Z",
"name": "137.74.131.208",
"pattern": "[ipv4-addr:value = '137.74.131.208']",
"valid_from": "2017-12-21T15:02:26.003Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "edd7420f1bacdcce650511284a7bef522151e0eb6b5786fae02ba82b167aa75b",
"pattern": "[file:hashes.'SHA-256' = 'edd7420f1bacdcce650511284a7bef522151e0eb6b5786fae02ba82b167aa75b']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497",
"pattern": "[file:hashes.'SHA-256' = '744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-22T19:55:44.632Z",
"name": "51.254.50.153",
"pattern": "[ipv4-addr:value = '51.254.50.153']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ea1e957381f58efdcdb4e246c36128bf685277adf3a3b8f0bbea329ed3f53c4f",
"pattern": "[file:hashes.'SHA-256' = 'ea1e957381f58efdcdb4e246c36128bf685277adf3a3b8f0bbea329ed3f53c4f']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "mail-macroadvisorypartners.ml",
"pattern": "[domain-name:value = 'mail-macroadvisorypartners.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--a748b2fb-cef6-449a-9884-4d3342467796",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "94.23.172.49",
"pattern": "[ipv4-addr:value = '94.23.172.49']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"pattern": "[file:hashes.'SHA-256' = '450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44",
"pattern": "[file:hashes.'SHA-256' = 'bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "getidtoken.aspx",
"pattern": "[file:name = 'getidtoken.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "i64.exe",
"pattern": "[file:name = 'i64.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "92.222.209.48",
"pattern": "[ipv4-addr:value = '92.222.209.48']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "3d0bb0426048334501fb6be5200d702120bf8a960709a1d67eb1928ea44b2df2",
"pattern": "[file:hashes.'SHA-256' = '3d0bb0426048334501fb6be5200d702120bf8a960709a1d67eb1928ea44b2df2']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
"pattern": "[file:hashes.'SHA-256' = '8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "c:\\\\windows\\\\temp\\\\m64.exe privilege::debug sekurlsa::logonpasswords exit%",
"pattern": "[process:command_line LIKE 'c:\\\\windows\\\\temp\\\\m64.exe privilege::debug sekurlsa::logonpasswords exit%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "postinfo.aspx",
"pattern": "[file:name = 'postinfo.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "43280264f6db0875c681f0d99796c886b3c5dc5ee08bf2bb25276a7c3f8a1ff8",
"pattern": "[file:hashes.'SHA-256' = '43280264f6db0875c681f0d99796c886b3c5dc5ee08bf2bb25276a7c3f8a1ff8']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--70b13368-9612-437e-a2fe-206b51ccdce4",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "89.163.206.0",
"pattern": "[ipv4-addr:value = '89.163.206.0']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "webmaiil-tau-ac-il.ml",
"pattern": "[domain-name:value = 'webmaiil-tau-ac-il.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "mom64.exe",
"pattern": "[file:name = 'mom64.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750",
"created": "2017-12-21T15:09:47.517Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "so-cc-hujii-ac-il.ml",
"pattern": "[domain-name:value = 'so-cc-hujii-ac-il.ml']",
"valid_from": "2017-12-21T15:09:47.517Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "212.16.80.102",
"pattern": "[ipv4-addr:value = '212.16.80.102']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0",
"created": "2017-10-09T18:02:28.711Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"pattern": "[file:hashes.'SHA-256' = '497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3']",
"valid_from": "2017-10-09T18:02:28.711Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--02e254af-73f9-4630-9a4e-350297d86505",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "pl.exe",
"pattern": "[file:name = 'pl.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-22T19:57:07.269Z",
"name": "176.9.164.252",
"pattern": "[ipv4-addr:value = '176.9.164.252']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890",
"created": "2017-12-21T15:11:37.195Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "5.39.59.97",
"pattern": "[ipv4-addr:value = '5.39.59.97']",
"valid_from": "2017-12-21T15:11:37.195Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "iishandler6.dll",
"pattern": "[file:name = 'iishandler6.dll']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ErrorEE.aspx",
"pattern": "[file:name = 'ErrorEE.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ea4efb8148146f546d45f02fdee48d429540bba608233ff95e52e8ea7f6994e8",
"pattern": "[file:hashes.'SHA-256' = 'ea4efb8148146f546d45f02fdee48d429540bba608233ff95e52e8ea7f6994e8']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"pattern": "[file:hashes.'SHA-256' = '3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "a342bdcbfd2c1065f4315a63de55fac3347ac24a1e23354a796367f8b09bb34f",
"pattern": "[file:hashes.'SHA-256' = 'a342bdcbfd2c1065f4315a63de55fac3347ac24a1e23354a796367f8b09bb34f']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "z64.exe",
"pattern": "[file:name = 'z64.exe']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8",
"created": "2017-12-21T15:11:50.586Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"pattern": "[file:hashes.'SHA-256' = '28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2']",
"valid_from": "2017-12-21T15:11:50.586Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "668020e32d1cd7a3a475ed73e44aea46d3e986c2b29fcde144eabd242fcafe3a",
"pattern": "[file:hashes.'SHA-256' = '668020e32d1cd7a3a475ed73e44aea46d3e986c2b29fcde144eabd242fcafe3a']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "ConferenceList.aspx",
"pattern": "[file:name = 'ConferenceList.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc",
"created": "2017-12-21T15:26:09.943Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
"pattern": "[file:hashes.'SHA-256' = '54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f']",
"valid_from": "2017-12-21T15:26:09.943Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "[http-request-ext:request_header.'Cookie' LIKE 'data=pro#=##|#cmd#=##%']",
"pattern": "[http-request-ext:request_header.'Cookie' LIKE 'data=pro#=##|#cmd#=##%']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a",
"created": "2017-12-21T15:00:31.140Z",
"modified": "2018-08-03T20:34:40.945Z",
"name": "owa-insss-org-ill-owa-authen.ml",
"pattern": "[domain-name:value = 'owa-insss-org-ill-owa-authen.ml']",
"valid_from": "2017-12-21T15:00:31.140Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "c4eb1c6d0cf51a2fa0b0574fd1e78e80bf69662bb11016f6f2a527a0d6d8e0fc",
"pattern": "[file:hashes.'SHA-256' = 'c4eb1c6d0cf51a2fa0b0574fd1e78e80bf69662bb11016f6f2a527a0d6d8e0fc']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "indicator",
"id": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "error2.aspx",
"pattern": "[file:name = 'error2.aspx']",
"valid_from": "2018-08-03T20:30:50.665Z",
"labels": [
"malicious-activity"
]
},
{
"type": "relationship",
"id": "relationship--fb2588e8-7aa5-4f5a-9eee-6fb8d7cd4f04",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--345337e3-a082-44a4-aaea-12d1e06747bd",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--f0026eb9-bfad-4036-b310-47d882260c23",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--0dc9fe6a-99e9-43e8-8d62-163a06324b15",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--b5781372-3677-4d71-a433-12abd5aa1faa",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--b20d9819-1488-4156-aef4-02234af0f67f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--d2156f81-8329-40ba-8b8e-51d33d655d29",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--3c52b486-9d0f-4197-890f-615001e6df35",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--279fb95d-05a7-449d-9ded-c66215063621",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--4b914c99-5397-4d89-b99c-39eeeea96349",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--898d677b-d728-44ad-a13a-a27b6267ec4a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--2deaa2ab-2c27-42af-bcd6-ca6931c6ed07",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--45680f4c-a738-4515-ac9a-7b9852526159",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--41fabc5f-1954-4819-8e3a-18f796bc7a72",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--25937292-8d4a-47e5-ad8c-88ebfb948b1c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--5580c978-1497-40a4-bdc3-756b841776b1",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--2a7da7d8-a8c1-4131-b206-e4f9442eb3e5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e6ac508a-9dce-4f28-be0e-02252de0c763",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--cae45069-8bb3-4ea2-813a-c1b427818397",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--30979464-94ff-4da9-99ff-c24795cf9929",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--b896bb36-1b06-4132-8891-debfbc93ccb2",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--1689721a-39e5-414d-ac1b-20bd084fa72d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--05889549-3c49-4443-a33a-e33b89653774",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--ffb49010-2a49-474f-8e10-81c129a94997",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e85122c4-bae0-4edc-9627-648d203a69da",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--d3d75b51-02f7-4af6-8b42-3c0f73fc4ee3",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--9d3bfb47-df55-41dc-9e73-978bd6c2d815",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--78ac3d60-829f-4cb1-9b4b-80405cd87c41",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--b927d998-8bf8-4871-b615-ef7217344f96",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--14e32a01-2916-4348-a7a4-e6ab999cf24e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--793e3414-7023-4bd6-8d03-def9852cee0f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--51c8fc0a-a1a2-4279-8cb1-4a2b6611750a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e2d3f2df-996f-42a3-b698-f90274a51e1f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--6179156f-7bc3-4d4d-bde3-700ede4075a7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--c350640d-2bb8-40cd-88bc-fce4fd13a9cb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--d5099dc9-b04a-4d8a-9326-59bc90512bbb",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--52139071-3ddd-4025-85a2-515004370eb1",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--3d957e59-d370-45ab-9304-cb6f1c92f49d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e540b61d-c40c-4c19-bb4f-19ab06d2df28",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e33849ee-529f-4c5a-ad26-96a190327682",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--9067bdd5-17af-4865-9288-f4abecd91519",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--8b221b67-e765-4bfb-81d0-fea9a458519e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--af207ed1-0aef-43d0-b440-84278d5c06d9",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--84fd2836-5718-4384-9379-ee114f3ed422",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--4a0c67e6-098f-48e4-b92a-c09fc554c8af",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e06080e5-b96b-4dd9-99e6-a50daecd14b3",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--ed7c1bda-808e-4af0-b998-13c509e5d942",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--8f25d6a9-08cf-43bd-89e3-35133e5dd385",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--7c514ee6-0bc6-437a-840c-a2abd6a5bf5d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--6638f553-1c27-4f9e-8794-39255ffef883",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--605f4247-c18d-407d-bf86-9973adf2995f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--5c91db08-13d9-4413-842e-9d2cf4abd589",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--d9764754-3b10-4097-8a3b-e1b8a0d1d8dc",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--74600180-26d3-43d6-bf4f-686aa5365eea",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--535c8c72-10b3-4437-bf1a-1f035cdbf19e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--3e6874a1-1144-4054-9097-7221832eab70",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--ea30ae8f-b7f4-496b-b29d-477e6b22e56e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--f389d990-2355-45bf-bf0f-cbd4886728d1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--52727246-b6a9-45bc-9f6b-115c898a1374",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--a748b2fb-cef6-449a-9884-4d3342467796",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--1bf349c7-b572-4d9c-b2cf-12f6bd9e980d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--131b0239-0613-4260-a513-42cbe643063a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--d88a9aba-3c00-4189-a2ca-5ca7e5577365",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--7638658b-68c4-4786-aa80-3ecd52710bb3",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--3675a4d6-d1bd-4f11-b4a6-8b61e4155996",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--4db2c40f-18cd-440d-b849-3005efab7a98",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--20610904-7759-4410-94c7-4e7366846573",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--58915020-0e11-4255-acf9-a5777553b0aa",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--ca859310-a720-4389-9193-5a46b1173814",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--0940af0b-5578-4e51-b4a1-3d4b3b1b9544",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--36e32d47-d235-4e47-849b-6846dc8506d9",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--70b13368-9612-437e-a2fe-206b51ccdce4",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--0c5dd13e-ad1c-423e-89fa-2b8010d11288",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--2e74e182-c3cd-4e58-91dd-a0873839cb98",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--790040a0-6238-4ab7-b861-a0254cb6c25e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--376609da-e365-4dcd-89eb-addcaf73040b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--85143f31-cafa-4a4f-a320-5474d1d89f84",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--66370308-0954-48a5-9724-f1b7c1afb131",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--02e254af-73f9-4630-9a4e-350297d86505",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--41f4f1b7-c79f-49ab-9a17-9ef02bcb1689",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--9d9548b4-5ee8-435a-b0cc-94387fc7634d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--77586b2f-7b6a-4316-848f-85fa5f30dc74",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--7305e104-a7a9-4b02-8b14-b52d730aee8b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--972a8c19-2c44-4c52-a6db-171280d18880",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--9c58ac73-6e8f-40e1-a54d-323805ba0a22",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--ac822827-616f-4833-850b-45353f6d3a02",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--40813dcd-5d8f-438d-ae5d-c1192e4251fa",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--e5cde892-87b2-46cf-87a8-6d0108179688",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--fd706729-53ad-4aa0-ad40-c5ff4470e61a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--0d69a54f-2c9f-42d6-a328-55131ba7a328",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--13c938b2-52a0-45b2-a1df-3c67c2b8f410",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--0f2d8d9e-b04e-4f9b-bde0-993b8c50b013",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--cc683d05-c44c-4898-821b-cff15009a508",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--49429187-47ff-4b3c-a54e-12c976af7e6c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--93fbb9c8-df84-466a-940a-55d0b1526c99",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "indicates",
"source_ref": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3",
"target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
},
{
"type": "relationship",
"id": "relationship--3f484875-4d55-49ed-a5da-72fdb2473998",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--df64dd9f-bb4e-4cba-b253-e822d9c28e33",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--8faf3dcd-759f-41af-9b88-0f6c272ae1d7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--fa674092-f74f-4c98-bd92-638b6a389467",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--8296f9aa-02ae-432b-9be0-43866283ceb3",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--b20d9819-1488-4156-aef4-02234af0f67f",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--df5c9dbc-fd8d-4d14-b2d5-d75342a70cdc",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--3c52b486-9d0f-4197-890f-615001e6df35",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--8b198f3d-d11d-4ab8-a4d0-083c1b2e9d76",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--74e0a2be-76e3-48cf-8b75-3e3610269172",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--32448092-7814-4fd0-a25f-95744608608e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--f57de9ca-96f2-4e8f-a7b1-36b22bc31fa5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--45680f4c-a738-4515-ac9a-7b9852526159",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--002a932b-d4c7-46b0-91ae-3cb2fa6a8c96",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--c6086e1b-106b-457b-ae90-fbed7c725714",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace allows actor to set the file times of any file on the system to a specific time, or to match any file on the system. ",
"source_ref": "indicator--5580c978-1497-40a4-bdc3-756b841776b1",
"target_ref": "attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
{
"type": "relationship",
"id": "relationship--237cd050-242a-4745-8b86-645a7df117ac",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--ad2e5183-af39-47af-9f77-607c32bce492",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors save output of their commands to \"c:\\windows\\temp\".",
"source_ref": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
{
"type": "relationship",
"id": "relationship--990c5f1c-9af7-43ae-9787-a0728607969e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors save output of their commands to \"c:\\windows\\temp\".",
"source_ref": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
{
"type": "relationship",
"id": "relationship--c65d50c0-53d4-4d3c-8f04-9c8a8babbfa5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--45bfbc91-9dae-42e1-b1fb-228b11517661",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--2394f246-58a7-44de-b7b2-b37ff0b3750b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--a8d215ec-0d80-4257-959e-e5f7eafe8afc",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--ffb49010-2a49-474f-8e10-81c129a94997",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--7b553b26-a4d6-4463-bc2c-956c587cf54d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--e37e5487-dd6a-485b-b2ff-7e52f53a6650",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--d1cd73ce-7084-42c8-8c7b-6809f0917757",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--ccbf006a-9c20-4b53-8fc8-5dfaba31342c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--67574375-12d6-4f45-8971-466d8ab2b6fa",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--96706fb5-d78a-4c30-b922-e19010b99c3f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--63344b8e-749f-4118-b949-fb52e74ff7f4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--793e3414-7023-4bd6-8d03-def9852cee0f",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--ff4b1594-350f-42f4-97e2-db922fbb461d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--83f16acf-7aed-47e9-b0ff-00859af381c5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Webshells requires authentication via adversary specified password. ",
"source_ref": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4",
"target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81"
},
{
"type": "relationship",
"id": "relationship--473697e3-3b03-46a7-b4ec-cab5159d76e2",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--ffb53efe-225a-4829-950d-36a5c64da9c5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--200052eb-e612-4e05-b612-d5491ed96fe7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--52139071-3ddd-4025-85a2-515004370eb1",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--b01b2fc2-4743-4292-b48e-d6c9e04388d0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--2c6443b0-e748-4b83-ae8d-44c5980d7ffa",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--e33849ee-529f-4c5a-ad26-96a190327682",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--6051622a-16e2-4603-8d91-b6141eeade39",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--9d390308-91a4-4b28-9af0-34c63423d5bc",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--7b7ee3dd-a6be-46f4-9c5a-68a56311c924",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--723d3c99-a17b-4767-9dd8-701270f67443",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors install webshell onto webservers to gain access to network ",
"source_ref": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea",
"target_ref": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df"
},
{
"type": "relationship",
"id": "relationship--9fdf5952-e551-403b-aa07-83132074b447",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--ee25827b-5f88-4835-a065-19c8abad0d4b",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--4cb378a1-9fa6-499e-bcbf-8b7d48ab8e51",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Operators use mimikatz to dump credentials",
"source_ref": "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
{
"type": "relationship",
"id": "relationship--3f93cfb2-b920-453d-8660-3da132ebc45a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--4c931c47-5d1c-4654-85e7-65b36a0493b4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--df537d22-fa69-4f76-86e5-74b793c63f1a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--605f4247-c18d-407d-bf86-9973adf2995f",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--3153a4d5-b2a3-4330-8090-6b10f0ede286",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--90cd291d-a9e7-4760-be0a-646ea346fb08",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--89d6b4c0-0bf1-45fe-b3f1-709e58efdf20",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--6b79d243-3344-486a-856b-9c80bbc9d7bd",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--28a810c5-f38b-47ca-96bf-f72a1975df74",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--849af613-48f1-488f-b038-cae3f7cd54c0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--d48b71f3-d8c2-4777-9603-4074e119027a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--8a63756f-10a8-4330-b0b5-a57131f7f551",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--46e44ae7-dd04-4cfb-a4a8-8ddbbd6c95c9",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--a748b2fb-cef6-449a-9884-4d3342467796",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--f2675a48-ee34-425b-8719-0c6dd793ecc4",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--2ea69db7-de76-4b6d-94bb-33a78c05fb67",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--e0224fd2-3ee7-450c-a37d-1511ab34d917",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--b4be8580-575c-4f46-a648-3156e158ff4d",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--b73e06ff-9935-4758-9948-2343c7a40895",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--38f20f69-6786-445a-a582-8624b6bc4d9e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--799e79ab-38e8-4eb6-9155-17c058541f6f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--1013f916-605c-4203-ae25-b1701b4f94ae",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Operators use mimikatz to dump credentials",
"source_ref": "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
{
"type": "relationship",
"id": "relationship--3ded4025-95d1-4532-a2e0-3ae6d16a439f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--74abc122-8d08-431d-947e-59ad1af5b87c",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--df67561f-3a89-4133-a2cd-0b062d3f0844",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--70b13368-9612-437e-a2fe-206b51ccdce4",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--3cf9b67c-ddce-455a-8b1c-083a6e1f895a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--e2ba89b3-eaee-4f23-82d5-acab723e8d58",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--61c92891-c8a6-41da-b6b0-f6d3239b2acd",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--f7c78adb-32c7-4488-bf22-664cac0133db",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--6c67cdc2-6eba-476d-abb5-cc872618638a",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--d7de275c-da2c-4fce-bc7a-a4e1ffca15b1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--6d717d3f-e011-495b-9b1e-e021e0943903",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--02e254af-73f9-4630-9a4e-350297d86505",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--876a642f-f3d0-43ec-879c-a76d3bf91de8",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--16f78019-b055-421e-a81e-5f89e4bbe7d7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--92525cb2-624a-4619-855f-7023a440b81f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell",
"source_ref": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--36c01cdc-0150-400f-b650-ccdbe3219e0e",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors install webshell onto webservers to gain access to network ",
"source_ref": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e",
"target_ref": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df"
},
{
"type": "relationship",
"id": "relationship--39e9bcea-563f-465e-bb6c-5b3e336822d5",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--47903b93-fd84-4667-adcd-972865bc24b7",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--712ba8e0-b0d5-4866-b66e-14ea23116924",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--aeef63aa-5142-49fd-ac9b-d177786d3560",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--4d2763cd-5868-4231-aeb0-4438262bbf75",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors uploaded additional tools, such as Putty Link and PSExec to webshell",
"source_ref": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--ea85612a-c20a-4d37-8240-a38c9940feb8",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--e118cfb8-0e30-45e2-a1fd-e42b476c4682",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--b8f35421-49bc-44fb-8fbd-4102b74dd833",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--6b34c0cf-32cb-4d30-93cd-5d20e77bd905",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors install webshell onto webservers to gain access to network ",
"source_ref": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca",
"target_ref": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df"
},
{
"type": "relationship",
"id": "relationship--f022666d-4510-4249-ba41-e2b02c86621f",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Infrastructure hosted credential phishing sites",
"source_ref": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--4a4eef49-e1e4-454d-83de-4b00a87ecaf0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "TwoFace contains the functional webshell in encrypted form",
"source_ref": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--49b0fe85-3493-4c1c-a2f0-fa2734863fef",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-03T20:30:53.040Z",
"relationship_type": "uses",
"description": "Actors install webshell onto webservers to gain access to network ",
"source_ref": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3",
"target_ref": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df"
},
{
"type": "relationship",
"id": "relationship--9706197d-53cb-43eb-baa1-6f32a7f41fa0",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
{
"type": "relationship",
"id": "relationship--0b7920e3-d2b9-46bd-a514-dcc26fd508a1",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4"
},
{
"type": "relationship",
"id": "relationship--c6ac9803-adbf-490a-936d-f21d91d18018",
"created": "2018-08-03T20:30:53.040Z",
"modified": "2018-08-22T12:34:11.223Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830"
},
{
"type": "relationship",
"id": "relationship--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
},
{
"type": "relationship",
"id": "relationship--e8471f43-2742-4fd7-9af7-8ed1330ada37",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37"
},
{
"type": "relationship",
"id": "relationship--38a6d2f5-d948-4235-bb91-bb01604448b4",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4"
},
{
"type": "relationship",
"id": "relationship--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"type": "relationship",
"id": "relationship--128c55d3-aeba-469f-bd3e-c8996ab4112a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
{
"type": "relationship",
"id": "relationship--6aabc5ec-eae6-422c-8311-38d45ee9838a",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
{
"type": "relationship",
"id": "relationship--b17a1a56-e99c-403c-8948-561df0cffe81",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81"
},
{
"type": "relationship",
"id": "relationship--c16e5409-ee53-4d79-afdc-4099dc9292df",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df"
},
{
"type": "relationship",
"id": "relationship--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"relationship_type": "uses",
"source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
{
"type": "report",
"id": "report--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "third",
"published": "2018-08-03T20:30:50.665Z",
"object_refs": [
"campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"indicator--0853a871-de52-40f0-90cf-0d8069892c9f",
"indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56",
"indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d",
"indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18",
"indicator--b20d9819-1488-4156-aef4-02234af0f67f",
"indicator--3c52b486-9d0f-4197-890f-615001e6df35",
"indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4",
"indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4",
"indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044",
"indicator--45680f4c-a738-4515-ac9a-7b9852526159",
"indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c",
"indicator--5580c978-1497-40a4-bdc3-756b841776b1",
"indicator--10a18683-9321-4647-97e7-5ca864d9ecb7",
"indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2",
"indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7",
"indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741",
"indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d",
"indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384",
"indicator--ffb49010-2a49-474f-8e10-81c129a94997",
"indicator--0e9934f4-e2df-42f0-9964-0d03836329e1",
"indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0",
"indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b",
"indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1",
"indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d",
"indicator--793e3414-7023-4bd6-8d03-def9852cee0f",
"indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e",
"indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4",
"indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b",
"indicator--0d14ac47-7ba7-405e-8639-876bdd341841",
"indicator--52139071-3ddd-4025-85a2-515004370eb1",
"indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d",
"indicator--e33849ee-529f-4c5a-ad26-96a190327682",
"indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e",
"indicator--a8e8ca2f-328e-4f45-af78-9281957f7739",
"indicator--0288c52e-7bd4-476f-9e29-534a122d173f",
"indicator--fdc86d39-670c-4eb9-945a-daef21d35bea",
"indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3",
"indicator--13776d10-7c53-4f1e-ab29-5415d50486f7",
"indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859",
"indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5",
"indicator--112bb219-3133-4c6f-9e29-3efd820d9612",
"indicator--605f4247-c18d-407d-bf86-9973adf2995f",
"indicator--0809240c-9ec9-4002-8846-f30a7915eb4e",
"indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc",
"indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6",
"indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285",
"indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01",
"indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0",
"indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788",
"indicator--a748b2fb-cef6-449a-9884-4d3342467796",
"indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43",
"indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a",
"indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd",
"indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1",
"indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487",
"indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b",
"indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74",
"indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b",
"indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11",
"indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd",
"indicator--70b13368-9612-437e-a2fe-206b51ccdce4",
"indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57",
"indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a",
"indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750",
"indicator--8aba6285-00ba-4a83-a366-8c634228c80f",
"indicator--6016872c-11c6-459c-ac21-9692adcdcca0",
"indicator--02e254af-73f9-4630-9a4e-350297d86505",
"indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3",
"indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890",
"indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5",
"indicator--d7bdf4a0-0509-43de-895e-793994de8a0e",
"indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970",
"indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a",
"indicator--e4589569-a46b-4cc1-99e7-41199f8d579f",
"indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b",
"indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8",
"indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88",
"indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e",
"indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc",
"indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca",
"indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a",
"indicator--f119cf69-6230-4cea-ba31-9768f647b81a",
"indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3",
"attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37",
"attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4",
"attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a",
"attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a",
"attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
"attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df",
"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"relationship--fb2588e8-7aa5-4f5a-9eee-6fb8d7cd4f04",
"relationship--345337e3-a082-44a4-aaea-12d1e06747bd",
"relationship--f0026eb9-bfad-4036-b310-47d882260c23",
"relationship--0dc9fe6a-99e9-43e8-8d62-163a06324b15",
"relationship--b5781372-3677-4d71-a433-12abd5aa1faa",
"relationship--d2156f81-8329-40ba-8b8e-51d33d655d29",
"relationship--279fb95d-05a7-449d-9ded-c66215063621",
"relationship--4b914c99-5397-4d89-b99c-39eeeea96349",
"relationship--898d677b-d728-44ad-a13a-a27b6267ec4a",
"relationship--2deaa2ab-2c27-42af-bcd6-ca6931c6ed07",
"relationship--41fabc5f-1954-4819-8e3a-18f796bc7a72",
"relationship--25937292-8d4a-47e5-ad8c-88ebfb948b1c",
"relationship--2a7da7d8-a8c1-4131-b206-e4f9442eb3e5",
"relationship--e6ac508a-9dce-4f28-be0e-02252de0c763",
"relationship--cae45069-8bb3-4ea2-813a-c1b427818397",
"relationship--30979464-94ff-4da9-99ff-c24795cf9929",
"relationship--b896bb36-1b06-4132-8891-debfbc93ccb2",
"relationship--1689721a-39e5-414d-ac1b-20bd084fa72d",
"relationship--05889549-3c49-4443-a33a-e33b89653774",
"relationship--e85122c4-bae0-4edc-9627-648d203a69da",
"relationship--d3d75b51-02f7-4af6-8b42-3c0f73fc4ee3",
"relationship--9d3bfb47-df55-41dc-9e73-978bd6c2d815",
"relationship--78ac3d60-829f-4cb1-9b4b-80405cd87c41",
"relationship--b927d998-8bf8-4871-b615-ef7217344f96",
"relationship--14e32a01-2916-4348-a7a4-e6ab999cf24e",
"relationship--51c8fc0a-a1a2-4279-8cb1-4a2b6611750a",
"relationship--e2d3f2df-996f-42a3-b698-f90274a51e1f",
"relationship--6179156f-7bc3-4d4d-bde3-700ede4075a7",
"relationship--c350640d-2bb8-40cd-88bc-fce4fd13a9cb",
"relationship--d5099dc9-b04a-4d8a-9326-59bc90512bbb",
"relationship--3d957e59-d370-45ab-9304-cb6f1c92f49d",
"relationship--e540b61d-c40c-4c19-bb4f-19ab06d2df28",
"relationship--9067bdd5-17af-4865-9288-f4abecd91519",
"relationship--8b221b67-e765-4bfb-81d0-fea9a458519e",
"relationship--af207ed1-0aef-43d0-b440-84278d5c06d9",
"relationship--84fd2836-5718-4384-9379-ee114f3ed422",
"relationship--4a0c67e6-098f-48e4-b92a-c09fc554c8af",
"relationship--e06080e5-b96b-4dd9-99e6-a50daecd14b3",
"relationship--ed7c1bda-808e-4af0-b998-13c509e5d942",
"relationship--8f25d6a9-08cf-43bd-89e3-35133e5dd385",
"relationship--7c514ee6-0bc6-437a-840c-a2abd6a5bf5d",
"relationship--6638f553-1c27-4f9e-8794-39255ffef883",
"relationship--5c91db08-13d9-4413-842e-9d2cf4abd589",
"relationship--d9764754-3b10-4097-8a3b-e1b8a0d1d8dc",
"relationship--74600180-26d3-43d6-bf4f-686aa5365eea",
"relationship--535c8c72-10b3-4437-bf1a-1f035cdbf19e",
"relationship--3e6874a1-1144-4054-9097-7221832eab70",
"relationship--ea30ae8f-b7f4-496b-b29d-477e6b22e56e",
"relationship--f389d990-2355-45bf-bf0f-cbd4886728d1",
"relationship--52727246-b6a9-45bc-9f6b-115c898a1374",
"relationship--1bf349c7-b572-4d9c-b2cf-12f6bd9e980d",
"relationship--131b0239-0613-4260-a513-42cbe643063a",
"relationship--d88a9aba-3c00-4189-a2ca-5ca7e5577365",
"relationship--7638658b-68c4-4786-aa80-3ecd52710bb3",
"relationship--3675a4d6-d1bd-4f11-b4a6-8b61e4155996",
"relationship--4db2c40f-18cd-440d-b849-3005efab7a98",
"relationship--20610904-7759-4410-94c7-4e7366846573",
"relationship--58915020-0e11-4255-acf9-a5777553b0aa",
"relationship--ca859310-a720-4389-9193-5a46b1173814",
"relationship--0940af0b-5578-4e51-b4a1-3d4b3b1b9544",
"relationship--36e32d47-d235-4e47-849b-6846dc8506d9",
"relationship--0c5dd13e-ad1c-423e-89fa-2b8010d11288",
"relationship--2e74e182-c3cd-4e58-91dd-a0873839cb98",
"relationship--790040a0-6238-4ab7-b861-a0254cb6c25e",
"relationship--376609da-e365-4dcd-89eb-addcaf73040b",
"relationship--85143f31-cafa-4a4f-a320-5474d1d89f84",
"relationship--66370308-0954-48a5-9724-f1b7c1afb131",
"relationship--41f4f1b7-c79f-49ab-9a17-9ef02bcb1689",
"relationship--9d9548b4-5ee8-435a-b0cc-94387fc7634d",
"relationship--77586b2f-7b6a-4316-848f-85fa5f30dc74",
"relationship--7305e104-a7a9-4b02-8b14-b52d730aee8b",
"relationship--972a8c19-2c44-4c52-a6db-171280d18880",
"relationship--9c58ac73-6e8f-40e1-a54d-323805ba0a22",
"relationship--ac822827-616f-4833-850b-45353f6d3a02",
"relationship--40813dcd-5d8f-438d-ae5d-c1192e4251fa",
"relationship--e5cde892-87b2-46cf-87a8-6d0108179688",
"relationship--fd706729-53ad-4aa0-ad40-c5ff4470e61a",
"relationship--0d69a54f-2c9f-42d6-a328-55131ba7a328",
"relationship--13c938b2-52a0-45b2-a1df-3c67c2b8f410",
"relationship--0f2d8d9e-b04e-4f9b-bde0-993b8c50b013",
"relationship--cc683d05-c44c-4898-821b-cff15009a508",
"relationship--49429187-47ff-4b3c-a54e-12c976af7e6c",
"relationship--93fbb9c8-df84-466a-940a-55d0b1526c99",
"relationship--3f484875-4d55-49ed-a5da-72fdb2473998",
"relationship--df64dd9f-bb4e-4cba-b253-e822d9c28e33",
"relationship--8faf3dcd-759f-41af-9b88-0f6c272ae1d7",
"relationship--fa674092-f74f-4c98-bd92-638b6a389467",
"relationship--8296f9aa-02ae-432b-9be0-43866283ceb3",
"relationship--df5c9dbc-fd8d-4d14-b2d5-d75342a70cdc",
"relationship--8b198f3d-d11d-4ab8-a4d0-083c1b2e9d76",
"relationship--74e0a2be-76e3-48cf-8b75-3e3610269172",
"relationship--32448092-7814-4fd0-a25f-95744608608e",
"relationship--f57de9ca-96f2-4e8f-a7b1-36b22bc31fa5",
"relationship--002a932b-d4c7-46b0-91ae-3cb2fa6a8c96",
"relationship--c6086e1b-106b-457b-ae90-fbed7c725714",
"relationship--237cd050-242a-4745-8b86-645a7df117ac",
"relationship--ad2e5183-af39-47af-9f77-607c32bce492",
"relationship--990c5f1c-9af7-43ae-9787-a0728607969e",
"relationship--c65d50c0-53d4-4d3c-8f04-9c8a8babbfa5",
"relationship--45bfbc91-9dae-42e1-b1fb-228b11517661",
"relationship--2394f246-58a7-44de-b7b2-b37ff0b3750b",
"relationship--a8d215ec-0d80-4257-959e-e5f7eafe8afc",
"relationship--7b553b26-a4d6-4463-bc2c-956c587cf54d",
"relationship--e37e5487-dd6a-485b-b2ff-7e52f53a6650",
"relationship--d1cd73ce-7084-42c8-8c7b-6809f0917757",
"relationship--ccbf006a-9c20-4b53-8fc8-5dfaba31342c",
"relationship--67574375-12d6-4f45-8971-466d8ab2b6fa",
"relationship--96706fb5-d78a-4c30-b922-e19010b99c3f",
"relationship--63344b8e-749f-4118-b949-fb52e74ff7f4",
"relationship--ff4b1594-350f-42f4-97e2-db922fbb461d",
"relationship--83f16acf-7aed-47e9-b0ff-00859af381c5",
"relationship--473697e3-3b03-46a7-b4ec-cab5159d76e2",
"relationship--ffb53efe-225a-4829-950d-36a5c64da9c5",
"relationship--200052eb-e612-4e05-b612-d5491ed96fe7",
"relationship--b01b2fc2-4743-4292-b48e-d6c9e04388d0",
"relationship--2c6443b0-e748-4b83-ae8d-44c5980d7ffa",
"relationship--6051622a-16e2-4603-8d91-b6141eeade39",
"relationship--9d390308-91a4-4b28-9af0-34c63423d5bc",
"relationship--7b7ee3dd-a6be-46f4-9c5a-68a56311c924",
"relationship--723d3c99-a17b-4767-9dd8-701270f67443",
"relationship--9fdf5952-e551-403b-aa07-83132074b447",
"relationship--ee25827b-5f88-4835-a065-19c8abad0d4b",
"relationship--4cb378a1-9fa6-499e-bcbf-8b7d48ab8e51",
"relationship--3f93cfb2-b920-453d-8660-3da132ebc45a",
"relationship--4c931c47-5d1c-4654-85e7-65b36a0493b4",
"relationship--df537d22-fa69-4f76-86e5-74b793c63f1a",
"relationship--3153a4d5-b2a3-4330-8090-6b10f0ede286",
"relationship--90cd291d-a9e7-4760-be0a-646ea346fb08",
"relationship--89d6b4c0-0bf1-45fe-b3f1-709e58efdf20",
"relationship--6b79d243-3344-486a-856b-9c80bbc9d7bd",
"relationship--28a810c5-f38b-47ca-96bf-f72a1975df74",
"relationship--849af613-48f1-488f-b038-cae3f7cd54c0",
"relationship--d48b71f3-d8c2-4777-9603-4074e119027a",
"relationship--8a63756f-10a8-4330-b0b5-a57131f7f551",
"relationship--46e44ae7-dd04-4cfb-a4a8-8ddbbd6c95c9",
"relationship--f2675a48-ee34-425b-8719-0c6dd793ecc4",
"relationship--2ea69db7-de76-4b6d-94bb-33a78c05fb67",
"relationship--e0224fd2-3ee7-450c-a37d-1511ab34d917",
"relationship--b4be8580-575c-4f46-a648-3156e158ff4d",
"relationship--b73e06ff-9935-4758-9948-2343c7a40895",
"relationship--38f20f69-6786-445a-a582-8624b6bc4d9e",
"relationship--799e79ab-38e8-4eb6-9155-17c058541f6f",
"relationship--1013f916-605c-4203-ae25-b1701b4f94ae",
"relationship--3ded4025-95d1-4532-a2e0-3ae6d16a439f",
"relationship--74abc122-8d08-431d-947e-59ad1af5b87c",
"relationship--df67561f-3a89-4133-a2cd-0b062d3f0844",
"relationship--3cf9b67c-ddce-455a-8b1c-083a6e1f895a",
"relationship--e2ba89b3-eaee-4f23-82d5-acab723e8d58",
"relationship--61c92891-c8a6-41da-b6b0-f6d3239b2acd",
"relationship--f7c78adb-32c7-4488-bf22-664cac0133db",
"relationship--6c67cdc2-6eba-476d-abb5-cc872618638a",
"relationship--d7de275c-da2c-4fce-bc7a-a4e1ffca15b1",
"relationship--6d717d3f-e011-495b-9b1e-e021e0943903",
"relationship--876a642f-f3d0-43ec-879c-a76d3bf91de8",
"relationship--16f78019-b055-421e-a81e-5f89e4bbe7d7",
"relationship--92525cb2-624a-4619-855f-7023a440b81f",
"relationship--36c01cdc-0150-400f-b650-ccdbe3219e0e",
"relationship--39e9bcea-563f-465e-bb6c-5b3e336822d5",
"relationship--47903b93-fd84-4667-adcd-972865bc24b7",
"relationship--712ba8e0-b0d5-4866-b66e-14ea23116924",
"relationship--aeef63aa-5142-49fd-ac9b-d177786d3560",
"relationship--4d2763cd-5868-4231-aeb0-4438262bbf75",
"relationship--ea85612a-c20a-4d37-8240-a38c9940feb8",
"relationship--e118cfb8-0e30-45e2-a1fd-e42b476c4682",
"relationship--b8f35421-49bc-44fb-8fbd-4102b74dd833",
"relationship--6b34c0cf-32cb-4d30-93cd-5d20e77bd905",
"relationship--f022666d-4510-4249-ba41-e2b02c86621f",
"relationship--4a4eef49-e1e4-454d-83de-4b00a87ecaf0",
"relationship--49b0fe85-3493-4c1c-a2f0-fa2734863fef",
"relationship--9706197d-53cb-43eb-baa1-6f32a7f41fa0",
"relationship--0b7920e3-d2b9-46bd-a514-dcc26fd508a1",
"relationship--c6ac9803-adbf-490a-936d-f21d91d18018",
"relationship--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"relationship--e8471f43-2742-4fd7-9af7-8ed1330ada37",
"relationship--38a6d2f5-d948-4235-bb91-bb01604448b4",
"relationship--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"relationship--128c55d3-aeba-469f-bd3e-c8996ab4112a",
"relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"relationship--6aabc5ec-eae6-422c-8311-38d45ee9838a",
"relationship--b17a1a56-e99c-403c-8948-561df0cffe81",
"relationship--c16e5409-ee53-4d79-afdc-4099dc9292df",
"relationship--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
],
"labels": [
"campaign"
]
},
{
"type": "campaign",
"id": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "third",
"description": "Play based on research discussed at https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
"first_seen": "2016-05-31T00:00:00Z",
"last_seen": "2017-08-11T00:00:00Z"
}
]
}