diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f8dc64f3265..49ce59e5316 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -18,6 +18,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Filebeat*
 
+- Remove Recorded Future integration from threatintel module. {pull}30564[30564]
 
 *Heartbeat*
 
@@ -108,7 +109,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support in httpjson input for oAuth2ProviderDefault of password grant_type. {pull}29087[29087]
 - Add support for filtering in journald input with `unit`, `kernel`, `identifiers` and `include_matches`. {pull}29294[29294]
 - Add new `userAgent` and `beatInfo` template functions for httpjson input {pull}29528[29528]
-- threatintel module: Add new Recorded Future integration. {pull}30030[30030]
 - Add pipeline in FB's supported hints. {pull}30212[30212]
 
 *Auditbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 830e0f8f19a..5f45a582825 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -151909,43 +151909,6 @@ type: keyword
 The indicator type, can for example be "domain, email, FileHash-SHA256".
 
 
-type: keyword
-
---
-
-[float]
-=== recordedfuture
-
-Fields for Recorded Future Threat Intel
-
-
-
-*`recordedfuture.evidence_details`*::
-+
---
-List of sightings used as evidence for this indicator.
-
-
-type: flattened
-
---
-
-*`recordedfuture.name`*::
-+
---
-Indicator value.
-
-
-type: keyword
-
---
-
-*`recordedfuture.risk_string`*::
-+
---
-Details of risk rules observed.
-
-
 type: keyword
 
 --
diff --git a/filebeat/docs/images/filebeat-threatintel-recordedfuture.png b/filebeat/docs/images/filebeat-threatintel-recordedfuture.png
deleted file mode 100644
index b3609283f5d..00000000000
Binary files a/filebeat/docs/images/filebeat-threatintel-recordedfuture.png and /dev/null differ
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index bbab60c90e5..a09cb72b2b6 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -29,7 +29,6 @@ The available filesets are:
 * <>: Supports gathering threat intel attributes from AlientVault OTX.
 * <>: Supports gathering threat intel attributes from Anomali Limo.
 * <>: Supports gathering threat intel attributes from Anomali ThreatStream.
-* <>: Supports gathering threat intel attributes from Recorded Future.
 * <>: Supports gathering threat intel attributes from ThreatQuotient.
 
 include::../include/gs-link.asciidoc[]
@@ -515,124 +514,6 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 [[a]] [small]#[1]: Field is used to derive a value for the ECS field but its original value is kept under `threatintel.anomalithreatstream`.#
 
-[[recordedfuture]]
-[float]
-==== `recordedfuture` fileset settings
-
-The `recordedfuture` fileset fetches risklists from the Recorded Future Connect API.
-It supports `domain`, `hash`, `ip` and `url` entities.
-
-In order to use it you need to define the `entity` and `list` to fetch. Check the
-https://api.recordedfuture.com/index.html[Recorded Future API Explorer] for the
-available lists for each entity.
-
-Sample configuration:
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.list: default
- var.entity: domain
-----
-
-To fetch threat intelligence from multiple entities and/or lists, you must define more
-than one instance of the module. The following configuration fetches the default list
-for domains every hour and the rfTrending list for hashes every 12 hours:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.list: default
- var.entity: domain
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 12h
- var.api_token: ""
- var.entity: hash
- var.list: rfTrending
-----
-
-Alternatively, you can use the module to fetch custom Fusion files by setting
-`var.custom_url` to the URL of the Fusion File:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.custom_url: 'https://api.recordedfuture.com/v2/fusion/files/?path=%2Fpublic%2Frisklists%2Fdefault_domain_risklist.csv'
-----
-
-It's also possible to load CSV risklists from a file:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: file
- var.paths:
- - /path/to/risklist.csv
-----
-
-*`var.input`*::
-
-The input to use to fetch indicators. Use `httpjson` to query
-Recorded Future API or `file` to load the indicators from a file.
-
-*`var.api_token`*::
-
-The API token used to access Recorded Future API (RF-Token).
-
-*`var.interval`*::
-
-How often the API is polled for updated information. It is recommended to set this
-to `1h`. For `hash` entities, it's recommended to set this to `12h`.
-
-*`var.entity`*::
-
-The type of entity to fetch. One of `domain`, `hash`, `ip` or `url`.
-
-*`var.list`*::
-
-The indicator list to fetch.
-
-*`var.proxy_url`*::
-
-Optional URL to use as HTTP proxy.
-
-*`var.custom_url`*::
-
-An alternative URL pointing to a CSV risklist. Use this option
-to fetch custom Fusion Files.
-
-Recorded Future fields are mapped to the following ECS fields:
-
-[options="header"]
-|=============================================================
-| Recorded Future fields | ECS Fields
-| entity.name | threat.indicator.{url,ip,domain,file.hash}
-| entity.type | threat.indicator.type
-| fileHashes | threat.indicator.file.hash
-| risk.score | event.risk_score
-|=============================================================
-
-:has-dashboards!:
-
 
 [float]
 === Dashboards
@@ -675,12 +556,6 @@ image::./images/filebeat-threatintel-misp.png[]
 [float]
 Overview of the information provided by the MISP feed.
 
-[role="screenshot"]
-image::./images/filebeat-threatintel-recordedfuture.png[]
-
-[float]
-Overview of the information provided by the Recorded Future feed.
-
 [[threatq]]
 [float]
 ==== `threatq` fileset settings
@@ -787,12 +662,6 @@ image::./images/filebeat-threatintel-misp.png[]
 [float]
 Overview of the information provided by the MISP feed.
 
-[role="screenshot"]
-image::./images/filebeat-threatintel-recordedfuture.png[]
-
-[float]
-Overview of the information provided by the Recorded Future feed.
-
 [role="screenshot"]
 image::./images/filebeat-threatintel-threatq.png[]
 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 5cfa51f4a6a..8c081b48790 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -2225,32 +2225,6 @@ filebeat.modules:
 # var.ssl_certificate: path/to/server_ssl_cert.pem
 # var.ssl_key: path/to/ssl_key.pem
 
- recordedfuture:
- enabled: false
-
- # Input used for ingesting threat intel data
- var.input: httpjson
-
- # Set your API Token.
- var.api_token: ""
-
- # The interval to poll the API for updates
- var.interval: 1h
-
- # The kind of entity to fetch. One of domain, hash, ip or url.
- var.entity: domain
-
- # The list to fetch. See the Recorded Future API Explorer for
- # valid lists for each kind of entity.
- var.list: default
-
- # Uncomment to use a different API endpoint.
- # The API endpoint used for Recorded Future API calls.
- # var.endpoint: "https://api.recordedfuture.com/v2"
-
- # Uncomment to fetch a custom CSV file via URL. Useful for custom Fusion Files.
- # var.custom_url: "https://api.recordedfuture.com/v2/fusion/files/?path=%2Fhome"
- threatq: - enabled: false
diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml
index 8029d3e2d56..48bf490fb96 100644
--- a/x-pack/filebeat/module/threatintel/_meta/config.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/config.yml
@@ -138,32 +138,6 @@
 # var.ssl_certificate: path/to/server_ssl_cert.pem
 # var.ssl_key: path/to/ssl_key.pem
 
- recordedfuture:
- enabled: false
-
- # Input used for ingesting threat intel data
- var.input: httpjson
-
- # Set your API Token.
- var.api_token: ""
-
- # The interval to poll the API for updates
- var.interval: 1h
-
- # The kind of entity to fetch. One of domain, hash, ip or url.
- var.entity: domain
-
- # The list to fetch. See the Recorded Future API Explorer for
- # valid lists for each kind of entity.
- var.list: default
-
- # Uncomment to use a different API endpoint.
- # The API endpoint used for Recorded Future API calls.
- # var.endpoint: "https://api.recordedfuture.com/v2"
-
- # Uncomment to fetch a custom CSV file via URL. Useful for custom Fusion Files.
- # var.custom_url: "https://api.recordedfuture.com/v2/fusion/files/?path=%2Fhome"
- threatq: - enabled: false
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index cb496193522..6fb77342230 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -24,7 +24,6 @@ The available filesets are:
 * <>: Supports gathering threat intel attributes from AlientVault OTX.
 * <>: Supports gathering threat intel attributes from Anomali Limo.
 * <>: Supports gathering threat intel attributes from Anomali ThreatStream.
-* <>: Supports gathering threat intel attributes from Recorded Future.
 * <>: Supports gathering threat intel attributes from ThreatQuotient.
 
 include::../include/gs-link.asciidoc[]
@@ -510,124 +509,6 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 [[a]] [small]#[1]: Field is used to derive a value for the ECS field but its original value is kept under `threatintel.anomalithreatstream`.#
 
-[[recordedfuture]]
-[float]
-==== `recordedfuture` fileset settings
-
-The `recordedfuture` fileset fetches risklists from the Recorded Future Connect API.
-It supports `domain`, `hash`, `ip` and `url` entities.
-
-In order to use it you need to define the `entity` and `list` to fetch. Check the
-https://api.recordedfuture.com/index.html[Recorded Future API Explorer] for the
-available lists for each entity.
-
-Sample configuration:
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.list: default
- var.entity: domain
-----
-
-To fetch threat intelligence from multiple entities and/or lists, you must define more
-than one instance of the module. The following configuration fetches the default list
-for domains every hour and the rfTrending list for hashes every 12 hours:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.list: default
- var.entity: domain
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 12h
- var.api_token: ""
- var.entity: hash
- var.list: rfTrending
-----
-
-Alternatively, you can use the module to fetch custom Fusion files by setting
-`var.custom_url` to the URL of the Fusion File:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: httpjson
- var.interval: 1h
- var.api_token: ""
- var.custom_url: 'https://api.recordedfuture.com/v2/fusion/files/?path=%2Fpublic%2Frisklists%2Fdefault_domain_risklist.csv'
-----
-
-It's also possible to load CSV risklists from a file:
-
-[source,yaml]
-----
-- module: threatintel
- recordedfuture:
- enabled: true
- var.input: file
- var.paths:
- - /path/to/risklist.csv
-----
-
-*`var.input`*::
-
-The input to use to fetch indicators. Use `httpjson` to query
-Recorded Future API or `file` to load the indicators from a file.
-
-*`var.api_token`*::
-
-The API token used to access Recorded Future API (RF-Token).
-
-*`var.interval`*::
-
-How often the API is polled for updated information. It is recommended to set this
-to `1h`. For `hash` entities, it's recommended to set this to `12h`.
-
-*`var.entity`*::
-
-The type of entity to fetch. One of `domain`, `hash`, `ip` or `url`.
-
-*`var.list`*::
-
-The indicator list to fetch.
-
-*`var.proxy_url`*::
-
-Optional URL to use as HTTP proxy.
-
-*`var.custom_url`*::
-
-An alternative URL pointing to a CSV risklist. Use this option
-to fetch custom Fusion Files.
-
-Recorded Future fields are mapped to the following ECS fields:
-
-[options="header"]
-|=============================================================
-| Recorded Future fields | ECS Fields
-| entity.name | threat.indicator.{url,ip,domain,file.hash}
-| entity.type | threat.indicator.type
-| fileHashes | threat.indicator.file.hash
-| risk.score | event.risk_score
-|=============================================================
-
-:has-dashboards!:
-
 
 [float]
 === Dashboards
@@ -670,12 +551,6 @@ image::./images/filebeat-threatintel-misp.png[]
 [float]
 Overview of the information provided by the MISP feed.
 
-[role="screenshot"]
-image::./images/filebeat-threatintel-recordedfuture.png[]
-
-[float]
-Overview of the information provided by the Recorded Future feed.
-
 [[threatq]]
 [float]
 ==== `threatq` fileset settings
@@ -782,12 +657,6 @@ image::./images/filebeat-threatintel-misp.png[]
 [float]
 Overview of the information provided by the MISP feed.
 
-[role="screenshot"]
-image::./images/filebeat-threatintel-recordedfuture.png[]
-
-[float]
-Overview of the information provided by the Recorded Future feed.
-
 [role="screenshot"]
 image::./images/filebeat-threatintel-threatq.png[]
 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-recordedfuture.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-recordedfuture.json
deleted file mode 100644
index 99d101e0bc5..00000000000
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-recordedfuture.json
+++ /dev/null
@@ -1,569 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicators ingested by the threat intel Filebeat module.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "c5528bd5-fc50-4902-94d9-6f6579e93364", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "c5528bd5-fc50-4902-94d9-6f6579e93364", - "panelRefName": "panel_c5528bd5-fc50-4902-94d9-6f6579e93364", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "5844ac07-8c60-4e94-9fdb-f5489bbaafb0", - "w": 10, - "x": 10, - "y": 0 - }, - "panelIndex": "5844ac07-8c60-4e94-9fdb-f5489bbaafb0", - "panelRefName": "panel_5844ac07-8c60-4e94-9fdb-f5489bbaafb0", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "705de4dd-b10b-4871-b42e-c32802f07cdc", - "w": 9, - "x": 20, - "y": 0 - }, - "panelIndex": "705de4dd-b10b-4871-b42e-c32802f07cdc", - "panelRefName": "panel_705de4dd-b10b-4871-b42e-c32802f07cdc", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "579da37e-73d7-48b8-a2ae-09f9252be1d0", - "w": 9, - "x": 29, - "y": 0 - }, - "panelIndex": "579da37e-73d7-48b8-a2ae-09f9252be1d0", - "panelRefName": "panel_579da37e-73d7-48b8-a2ae-09f9252be1d0", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "5df65cab-f10e-4192-8490-9586519be39a", - "w": 10, - "x": 38, - "y": 0 - }, - "panelIndex": "5df65cab-f10e-4192-8490-9586519be39a", - "panelRefName": "panel_5df65cab-f10e-4192-8490-9586519be39a", - 
"type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "64b0403d-03e5-48c3-9dae-0b005ebb5f1a", - "w": 25, - "x": 0, - "y": 18 - }, - "panelIndex": "64b0403d-03e5-48c3-9dae-0b005ebb5f1a", - "panelRefName": "panel_64b0403d-03e5-48c3-9dae-0b005ebb5f1a", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "e95ad49d-d270-4592-af6b-0bb20ab8686a", - "w": 23, - "x": 25, - "y": 18 - }, - "panelIndex": "e95ad49d-d270-4592-af6b-0bb20ab8686a", - "panelRefName": "panel_e95ad49d-d270-4592-af6b-0bb20ab8686a", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "1be4a1f3-6421-4bd4-99af-f2c9f99c944d", - "w": 7, - "x": 0, - "y": 35 - }, - "panelIndex": "1be4a1f3-6421-4bd4-99af-f2c9f99c944d", - "panelRefName": "panel_1be4a1f3-6421-4bd4-99af-f2c9f99c944d", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "f2318e6a-9258-4628-897f-c39d16452ec5", - "w": 9, - "x": 7, - "y": 35 - }, - "panelIndex": "f2318e6a-9258-4628-897f-c39d16452ec5", - "panelRefName": "panel_f2318e6a-9258-4628-897f-c39d16452ec5", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "2aec92d5-3db8-42ee-b5a6-27886672811e", - "w": 9, - "x": 16, - "y": 35 - }, - "panelIndex": "2aec92d5-3db8-42ee-b5a6-27886672811e", - "panelRefName": "panel_2aec92d5-3db8-42ee-b5a6-27886672811e", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "4ba8c6c1-b5d2-4624-af2a-5c3a0b999eb9", - "w": 10, - "x": 25, - "y": 35 - }, - "panelIndex": "4ba8c6c1-b5d2-4624-af2a-5c3a0b999eb9", - "panelRefName": 
"panel_4ba8c6c1-b5d2-4624-af2a-5c3a0b999eb9", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "a60753a1-e859-4388-aff7-e7c30fea8ea0", - "w": 13, - "x": 35, - "y": 35 - }, - "panelIndex": "a60753a1-e859-4388-aff7-e7c30fea8ea0", - "panelRefName": "panel_a60753a1-e859-4388-aff7-e7c30fea8ea0", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "1ccdc84b-976e-4579-8227-e1fec014d744", - "w": 9, - "x": 0, - "y": 53 - }, - "panelIndex": "1ccdc84b-976e-4579-8227-e1fec014d744", - "panelRefName": "panel_1ccdc84b-976e-4579-8227-e1fec014d744", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "48cc5d73-41e5-4c50-bd4b-a2c44848bfa1", - "w": 9, - "x": 9, - "y": 53 - }, - "panelIndex": "48cc5d73-41e5-4c50-bd4b-a2c44848bfa1", - "panelRefName": "panel_48cc5d73-41e5-4c50-bd4b-a2c44848bfa1", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "a454a943-3968-4796-ac2a-89c78ad10c50", - "w": 9, - "x": 18, - "y": 53 - }, - "panelIndex": "a454a943-3968-4796-ac2a-89c78ad10c50", - "panelRefName": "panel_a454a943-3968-4796-ac2a-89c78ad10c50", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "f2bbe7e9-0c11-4ab8-a1cb-5c7b36b950f6", - "w": 9, - "x": 27, - "y": 53 - }, - "panelIndex": "f2bbe7e9-0c11-4ab8-a1cb-5c7b36b950f6", - "panelRefName": "panel_f2bbe7e9-0c11-4ab8-a1cb-5c7b36b950f6", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "f3a61f45-ac06-44db-b21c-1ffbb9e99014", - "w": 12, - "x": 36, - "y": 53 - }, - "panelIndex": 
"f3a61f45-ac06-44db-b21c-1ffbb9e99014", - "panelRefName": "panel_f3a61f45-ac06-44db-b21c-1ffbb9e99014", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "cbb60fce-f04b-4db4-a8ae-43006185696d", - "w": 12, - "x": 0, - "y": 71 - }, - "panelIndex": "cbb60fce-f04b-4db4-a8ae-43006185696d", - "panelRefName": "panel_cbb60fce-f04b-4db4-a8ae-43006185696d", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-d7cd172c-a50a-40bf-a14a-3d15dc485307", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d7cd172c-a50a-40bf-a14a-3d15dc485307": { - "columnOrder": [ - "dac2417a-0b3b-430a-bd24-23abfcea4a4c", - "0f52145d-3202-440c-bfe4-62c49385bd9c" - ], - "columns": { - "0f52145d-3202-440c-bfe4-62c49385bd9c": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "dac2417a-0b3b-430a-bd24-23abfcea4a4c": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of recordedfuture.evidence_details.Rule", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0f52145d-3202-440c-bfe4-62c49385bd9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.Rule" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "dac2417a-0b3b-430a-bd24-23abfcea4a4c", - "isTransposed": false - }, - { - "columnId": 
"0f52145d-3202-440c-bfe4-62c49385bd9c", - "isTransposed": false - } - ], - "layerId": "d7cd172c-a50a-40bf-a14a-3d15dc485307", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "4a2008ab-b0ed-45bf-9a3f-9b2aaa445594", - "w": 10, - "x": 12, - "y": 71 - }, - "panelIndex": "4a2008ab-b0ed-45bf-9a3f-9b2aaa445594", - "panelRefName": "panel_4a2008ab-b0ed-45bf-9a3f-9b2aaa445594", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "2e49998b-7bd1-4743-9447-0bd087820080", - "w": 11, - "x": 22, - "y": 71 - }, - "panelIndex": "2e49998b-7bd1-4743-9447-0bd087820080", - "panelRefName": "panel_2e49998b-7bd1-4743-9447-0bd087820080", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "0e825dd7-f593-4741-b28d-8e58158b0e04", - "w": 15, - "x": 33, - "y": 71 - }, - "panelIndex": "0e825dd7-f593-4741-b28d-8e58158b0e04", - "panelRefName": "panel_0e825dd7-f593-4741-b28d-8e58158b0e04", - "type": "lens", - "version": "8.1.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Filebeat Threat Intel] Recorded Future", - "version": 1 - }, - "coreMigrationVersion": "8.1.0", - "id": "894dd3e0-df57-11eb-8f2b-753caedf727d", - "migrationVersion": { - "dashboard": "8.1.0" - }, - "references": [ - { - "id": "037e2af0-df50-11eb-8f2b-753caedf727d", - "name": "c5528bd5-fc50-4902-94d9-6f6579e93364:panel_c5528bd5-fc50-4902-94d9-6f6579e93364", - "type": "lens" - }, - { - "id": "b0837690-df52-11eb-8f2b-753caedf727d", - "name": "5844ac07-8c60-4e94-9fdb-f5489bbaafb0:panel_5844ac07-8c60-4e94-9fdb-f5489bbaafb0", - "type": "lens" - }, - { - "id": "176bf800-df58-11eb-8f2b-753caedf727d", - "name": "705de4dd-b10b-4871-b42e-c32802f07cdc:panel_705de4dd-b10b-4871-b42e-c32802f07cdc", - "type": "lens" - }, - { - "id": 
"4bcc4cb0-df50-11eb-8f2b-753caedf727d", - "name": "579da37e-73d7-48b8-a2ae-09f9252be1d0:panel_579da37e-73d7-48b8-a2ae-09f9252be1d0", - "type": "lens" - }, - { - "id": "949bc180-df52-11eb-8f2b-753caedf727d", - "name": "5df65cab-f10e-4192-8490-9586519be39a:panel_5df65cab-f10e-4192-8490-9586519be39a", - "type": "lens" - }, - { - "id": "7ed4ce00-df52-11eb-8f2b-753caedf727d", - "name": "64b0403d-03e5-48c3-9dae-0b005ebb5f1a:panel_64b0403d-03e5-48c3-9dae-0b005ebb5f1a", - "type": "lens" - }, - { - "id": "82fa7420-df58-11eb-8f2b-753caedf727d", - "name": "e95ad49d-d270-4592-af6b-0bb20ab8686a:panel_e95ad49d-d270-4592-af6b-0bb20ab8686a", - "type": "lens" - }, - { - "id": "c2a5c180-df51-11eb-8f2b-753caedf727d", - "name": "1be4a1f3-6421-4bd4-99af-f2c9f99c944d:panel_1be4a1f3-6421-4bd4-99af-f2c9f99c944d", - "type": "lens" - }, - { - "id": "06744e90-df52-11eb-8f2b-753caedf727d", - "name": "f2318e6a-9258-4628-897f-c39d16452ec5:panel_f2318e6a-9258-4628-897f-c39d16452ec5", - "type": "lens" - }, - { - "id": "dd4a3da0-df50-11eb-8f2b-753caedf727d", - "name": "2aec92d5-3db8-42ee-b5a6-27886672811e:panel_2aec92d5-3db8-42ee-b5a6-27886672811e", - "type": "lens" - }, - { - "id": "f37f8350-df50-11eb-8f2b-753caedf727d", - "name": "4ba8c6c1-b5d2-4624-af2a-5c3a0b999eb9:panel_4ba8c6c1-b5d2-4624-af2a-5c3a0b999eb9", - "type": "lens" - }, - { - "id": "139c7da0-df51-11eb-8f2b-753caedf727d", - "name": "a60753a1-e859-4388-aff7-e7c30fea8ea0:panel_a60753a1-e859-4388-aff7-e7c30fea8ea0", - "type": "lens" - }, - { - "id": "a0a31740-df51-11eb-8f2b-753caedf727d", - "name": "1ccdc84b-976e-4579-8227-e1fec014d744:panel_1ccdc84b-976e-4579-8227-e1fec014d744", - "type": "lens" - }, - { - "id": "5e76ef90-df51-11eb-8f2b-753caedf727d", - "name": "48cc5d73-41e5-4c50-bd4b-a2c44848bfa1:panel_48cc5d73-41e5-4c50-bd4b-a2c44848bfa1", - "type": "lens" - }, - { - "id": "8fb01a00-df51-11eb-8f2b-753caedf727d", - "name": "a454a943-3968-4796-ac2a-89c78ad10c50:panel_a454a943-3968-4796-ac2a-89c78ad10c50", - "type": "lens" - }, - { - 
"id": "3c996410-df52-11eb-8f2b-753caedf727d", - "name": "f2bbe7e9-0c11-4ab8-a1cb-5c7b36b950f6:panel_f2bbe7e9-0c11-4ab8-a1cb-5c7b36b950f6", - "type": "lens" - }, - { - "id": "790cd040-df51-11eb-8f2b-753caedf727d", - "name": "f3a61f45-ac06-44db-b21c-1ffbb9e99014:panel_f3a61f45-ac06-44db-b21c-1ffbb9e99014", - "type": "lens" - }, - { - "id": "6b33edb0-8478-11ec-8aa9-11bf914a1ef2", - "name": "cbb60fce-f04b-4db4-a8ae-43006185696d:panel_cbb60fce-f04b-4db4-a8ae-43006185696d", - "type": "lens" - }, - { - "id": "c6079390-8478-11ec-8aa9-11bf914a1ef2", - "name": "4a2008ab-b0ed-45bf-9a3f-9b2aaa445594:panel_4a2008ab-b0ed-45bf-9a3f-9b2aaa445594", - "type": "lens" - }, - { - "id": "filebeat-*", - "name": "4a2008ab-b0ed-45bf-9a3f-9b2aaa445594:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "4a2008ab-b0ed-45bf-9a3f-9b2aaa445594:indexpattern-datasource-layer-d7cd172c-a50a-40bf-a14a-3d15dc485307", - "type": "index-pattern" - }, - { - "id": "2d365f10-8479-11ec-8aa9-11bf914a1ef2", - "name": "2e49998b-7bd1-4743-9447-0bd087820080:panel_2e49998b-7bd1-4743-9447-0bd087820080", - "type": "lens" - }, - { - "id": "739274d0-8479-11ec-8aa9-11bf914a1ef2", - "name": "0e825dd7-f593-4741-b28d-8e58158b0e04:panel_0e825dd7-f593-4741-b28d-8e58158b0e04", - "type": "lens" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "dashboard", - "updated_at": "2022-02-02T22:58:56.215Z", - "version": "WzI0MjEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json deleted file mode 100644 index ffd473d7ffe..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicator type ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "7b2420d3-1149-4f18-a114-e984e3c701f3": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Indicator Type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.type" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "7b2420d3-1149-4f18-a114-e984e3c701f3" - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data", - "legendDisplay": "default", - "metric": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "donut" - } - }, - "title": "Recorded Future Indicator Type [Filebeat Threat Intel]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "8.1.0", - "id": "037e2af0-df50-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTAsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json deleted file mode 100644 index ac7431fb05d..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future IPv6 indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "Recorded Future IPv6 Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.ip" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv6-addr" - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future IPv6 Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "06744e90-df52-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTgsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 0656b75fecc..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicator SHA256 hash ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "ebb0878f-715a-4987-85f1-87420428c88f", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "ebb0878f-715a-4987-85f1-87420428c88f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future SHA256 File Hash", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.file.hash.sha256" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b" - }, - { - "columnId": "ebb0878f-715a-4987-85f1-87420428c88f", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future SHA256 Hash Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "139c7da0-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": 
"index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/176bf800-df58-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/176bf800-df58-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 5cc54826d79..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/176bf800-df58-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "27155b23-ab24-4f18-b7dd-159f339e5e9b": { - "columnOrder": [ - "7a45df79-3fa9-480a-95f4-7f287a386b7d" - ], - "columns": { - "7a45df79-3fa9-480a-95f4-7f287a386b7d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Recorded Future Indicators", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "accessor": "7a45df79-3fa9-480a-95f4-7f287a386b7d", - "layerId": "27155b23-ab24-4f18-b7dd-159f339e5e9b", - "layerType": "data" - } - }, - "title": "Recorded Future Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.1.0", - "id": "176bf800-df58-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-27155b23-ab24-4f18-b7dd-159f339e5e9b", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTIsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/2d365f10-8479-11ec-8aa9-11bf914a1ef2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/2d365f10-8479-11ec-8aa9-11bf914a1ef2.json deleted file mode 100644 index 6fe2065fc44..00000000000 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/2d365f10-8479-11ec-8aa9-11bf914a1ef2.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future evidence source, ingested by threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "adf5e0dc-5b6d-46b0-a95a-0e692d197777": { - "columnOrder": [ - "603b8ae9-c00d-4fb2-be8f-66c19169c801", - "84667e97-bc5d-459e-809c-8c5616c0bda8" - ], - "columns": { - "603b8ae9-c00d-4fb2-be8f-66c19169c801": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Evidence Sources", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "84667e97-bc5d-459e-809c-8c5616c0bda8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.Sources" - }, - "84667e97-bc5d-459e-809c-8c5616c0bda8": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "603b8ae9-c00d-4fb2-be8f-66c19169c801", - "isTransposed": false - }, - { - "columnId": "84667e97-bc5d-459e-809c-8c5616c0bda8", - "isTransposed": false - } - ], - "layerId": "adf5e0dc-5b6d-46b0-a95a-0e692d197777", - "layerType": "data" - } - }, - "title": "Recorded Future Evidence Source [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "2d365f10-8479-11ec-8aa9-11bf914a1ef2", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-adf5e0dc-5b6d-46b0-a95a-0e692d197777", - "type": "index-pattern" - }, - { - "id": 
"d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:44:53.659Z", - "version": "WzIzMDksMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 69f38f9c330..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future domain indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Domain Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.domain" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\"" - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future Domain Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "3c996410-df52-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - 
"type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjUsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/4bcc4cb0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/4bcc4cb0-df50-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 43ecf4d3e4b..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/4bcc4cb0-df50-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicator risk score ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "7b2420d3-1149-4f18-a114-e984e3c701f3": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "Recorded Future Risk Score", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "event.risk_score" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "7b2420d3-1149-4f18-a114-e984e3c701f3", - "7b2420d3-1149-4f18-a114-e984e3c701f3" - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data", - "legendDisplay": "default", - "metric": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "donut" - } - }, - "title": "Recorded Future Risk Score [Filebeat Threat Intel]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "8.1.0", - "id": "4bcc4cb0-df50-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTMsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 5bcfd88198b..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future URL domain indicator ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "ebb0878f-715a-4987-85f1-87420428c88f", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "ebb0878f-715a-4987-85f1-87420428c88f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future URL Domain Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.domain" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b" - }, - { - "columnId": "ebb0878f-715a-4987-85f1-87420428c88f", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future URL Domain Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "5e76ef90-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": 
"index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjMsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/6b33edb0-8478-11ec-8aa9-11bf914a1ef2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/6b33edb0-8478-11ec-8aa9-11bf914a1ef2.json deleted file mode 100644 index 7f71fe860c2..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/6b33edb0-8478-11ec-8aa9-11bf914a1ef2.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future evidence name, ingested by threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "adf5e0dc-5b6d-46b0-a95a-0e692d197777": { - "columnOrder": [ - "603b8ae9-c00d-4fb2-be8f-66c19169c801", - "84667e97-bc5d-459e-809c-8c5616c0bda8" - ], - "columns": { - "603b8ae9-c00d-4fb2-be8f-66c19169c801": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Evidence Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "84667e97-bc5d-459e-809c-8c5616c0bda8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.Name" - }, - "84667e97-bc5d-459e-809c-8c5616c0bda8": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "603b8ae9-c00d-4fb2-be8f-66c19169c801", - "isTransposed": false - }, - { - "columnId": "84667e97-bc5d-459e-809c-8c5616c0bda8", - "isTransposed": false - } - ], - "layerId": "adf5e0dc-5b6d-46b0-a95a-0e692d197777", - "layerType": "data" - } - }, - "title": "Recorded Future Evidence Name [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "6b33edb0-8478-11ec-8aa9-11bf914a1ef2", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-adf5e0dc-5b6d-46b0-a95a-0e692d197777", - "type": "index-pattern" - }, - { - "id": 
"d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:44:40.916Z", - "version": "WzIyOTksMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/739274d0-8479-11ec-8aa9-11bf914a1ef2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/739274d0-8479-11ec-8aa9-11bf914a1ef2.json deleted file mode 100644 index c1d016c2018..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/739274d0-8479-11ec-8aa9-11bf914a1ef2.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future evidence timestamp, ingested threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "189f5cd8-f47f-4a4b-8b06-1417ddf545f8": { - "columnOrder": [ - "d5b0eba3-5cb3-40fe-adb6-8f1a1de50e57", - "b5aa0466-7f5c-4c82-a134-f4d56ed3e9db" - ], - "columns": { - "b5aa0466-7f5c-4c82-a134-f4d56ed3e9db": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "d5b0eba3-5cb3-40fe-adb6-8f1a1de50e57": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Evidence Timestamp", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b5aa0466-7f5c-4c82-a134-f4d56ed3e9db", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.Timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "d5b0eba3-5cb3-40fe-adb6-8f1a1de50e57", - "isTransposed": false - }, - { - "columnId": "b5aa0466-7f5c-4c82-a134-f4d56ed3e9db", - "isTransposed": false - } - ], - "layerId": "189f5cd8-f47f-4a4b-8b06-1417ddf545f8", - "layerType": "data" - } - }, - "title": "Recorded Future Evidence Timestamp [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "739274d0-8479-11ec-8aa9-11bf914a1ef2", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-189f5cd8-f47f-4a4b-8b06-1417ddf545f8", - "type": "index-pattern" - }, - { - 
"id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:45:05.207Z", - "version": "WzIzMTksMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 4e64acede68..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future URL original indicator ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future URL Original Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.original" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future URL Original Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "790cd040-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjYsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ed4ce00-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ed4ce00-df52-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 3731cd6da42..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ed4ce00-df52-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future intel cards for indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Intel Card", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "event.reference" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\"" - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future Intel Cards [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "7ed4ce00-df52-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": 
"index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTUsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/82fa7420-df58-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/82fa7420-df58-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 9d2141feb6a..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/82fa7420-df58-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicators over time ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "98644301-1cd1-4e54-9f5b-71a1cbcdd8c8": { - "columnOrder": [ - "8f48381c-5786-43f4-8602-5c23ba146a60", - "86e20fd3-86a5-4796-b4b8-f2461a9fa922" - ], - "columns": { - "86e20fd3-86a5-4796-b4b8-f2461a9fa922": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "8f48381c-5786-43f4-8602-5c23ba146a60": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Recorded Future Indicators Over Time", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "layers": [ - { - "accessors": [ - "86e20fd3-86a5-4796-b4b8-f2461a9fa922" - ], - "layerId": "98644301-1cd1-4e54-9f5b-71a1cbcdd8c8", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "8f48381c-5786-43f4-8602-5c23ba146a60" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "Recorded Future Indicators Over Time [Filebeat Threat Intel]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.1.0", - "id": "82fa7420-df58-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-98644301-1cd1-4e54-9f5b-71a1cbcdd8c8", - 
"type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTYsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 873f2a9c590..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future URL path indicator ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future URL Path Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.path" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future URL Path Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "8fb01a00-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - 
"type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjQsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json deleted file mode 100644 index a66ba4accf3..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future risk summary for indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Risk Summary", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.risk_string" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\"" - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future Risk Summary [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "949bc180-df52-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - 
"type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:19:12.496Z", - "version": "WzE4MDEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 9c26c523382..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future URL scheme indicator ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future URL Scheme Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.scheme" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future URL Scheme Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "a0a31740-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMjIsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json deleted file mode 100644 index c554c4e487d..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future evidence criticality for indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Risk Criticality", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.CriticalityLabel" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "642d5400-4a72-4116-b752-58df5138392a" - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data", - "legendDisplay": "default", - "metric": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "donut" - } - }, - "title": "Recorded Future Evidence Criticality [Filebeat Threat Intel]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "8.1.0", - "id": "b0837690-df52-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" 
- }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:22:45.852Z", - "version": "WzE4NzEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json deleted file mode 100644 index c025b23d792..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future IPv4 indicators ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "642d5400-4a72-4116-b752-58df5138392a", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "642d5400-4a72-4116-b752-58df5138392a": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "Recorded Future IPv4 Indicator", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.ip" - }, - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv4-addr" - }, - "visualization": { - "columns": [ - { - "columnId": "642d5400-4a72-4116-b752-58df5138392a", - "isTransposed": false - }, - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future IPv4 Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "c2a5c180-df51-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": 
"indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-01T15:45:07.866Z", - "version": "WzExMTcsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c6079390-8478-11ec-8aa9-11bf914a1ef2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c6079390-8478-11ec-8aa9-11bf914a1ef2.json deleted file mode 100644 index 40a2f75e7d4..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c6079390-8478-11ec-8aa9-11bf914a1ef2.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future evidence rule, ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d7cd172c-a50a-40bf-a14a-3d15dc485307": { - "columnOrder": [ - "dac2417a-0b3b-430a-bd24-23abfcea4a4c", - "0f52145d-3202-440c-bfe4-62c49385bd9c" - ], - "columns": { - "0f52145d-3202-440c-bfe4-62c49385bd9c": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "dac2417a-0b3b-430a-bd24-23abfcea4a4c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future Evidence Rule", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0f52145d-3202-440c-bfe4-62c49385bd9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "recordedfuture.evidence_details.Rule" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "dac2417a-0b3b-430a-bd24-23abfcea4a4c", - "isTransposed": false - }, - { - "columnId": "0f52145d-3202-440c-bfe4-62c49385bd9c", - "isTransposed": false - } - ], - "layerId": "d7cd172c-a50a-40bf-a14a-3d15dc485307", - "layerType": "data" - } - }, - "title": "Recorded Future Evidence Rule [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "c6079390-8478-11ec-8aa9-11bf914a1ef2", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-d7cd172c-a50a-40bf-a14a-3d15dc485307", - "type": "index-pattern" - }, - { - "id": 
"d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:44:25.698Z", - "version": "WzIyOTEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 8c69ab70ff2..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicator MD5 hash ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "ebb0878f-715a-4987-85f1-87420428c88f", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "ebb0878f-715a-4987-85f1-87420428c88f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future MD5 File Hash", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.file.hash.md5" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b" - }, - { - "columnId": "ebb0878f-715a-4987-85f1-87420428c88f", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future MD5 Hash Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "dd4a3da0-df50-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": "index-pattern" - 
}, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:49:03.254Z", - "version": "WzIzNzQsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json deleted file mode 100644 index 71b8b565fd3..00000000000 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "Recorded Future indicator SHA1 hash ingested by the threat intel Filebeat module.", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41f41086-8875-4d18-8844-b51b9c9cb8bc": { - "columnOrder": [ - "ebb0878f-715a-4987-85f1-87420428c88f", - "9afb1b09-0f20-488c-9242-a94f7d11800b" - ], - "columns": { - "9afb1b09-0f20-488c-9242-a94f7d11800b": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "ebb0878f-715a-4987-85f1-87420428c88f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recorded Future SHA1 File Hash", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.file.hash.sha1" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" " - }, - "visualization": { - "columns": [ - { - "columnId": "9afb1b09-0f20-488c-9242-a94f7d11800b" - }, - { - "columnId": "ebb0878f-715a-4987-85f1-87420428c88f", - "isTransposed": false - } - ], - "layerId": "41f41086-8875-4d18-8844-b51b9c9cb8bc", - "layerType": "data" - } - }, - "title": "Recorded Future SHA1 Hash Indicators [Filebeat Threat Intel]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.1.0", - "id": "f37f8350-df50-11eb-8f2b-753caedf727d", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "indexpattern-datasource-layer-41f41086-8875-4d18-8844-b51b9c9cb8bc", - "type": 
"index-pattern" - }, - { - "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", - "type": "tag" - } - ], - "type": "lens", - "updated_at": "2022-02-02T22:49:17.011Z", - "version": "WzIzODEsMV0=" -} diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 76dd9666ce7..fd6f58a867f 100644 --- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "eJzsXF2P2zbWvs+vOJibJoBjtHmbF4u5WGCaNJsBpk13Prq9M2jy2OKaIlWSssf99Qt+SJZlWrZn6Gl20bkay9I5D8nz8RzyyG9hgetLsIVGYrm0KF4BWG4F9i9qFEgMXsIULXkFwNBQzSvLlbyEv78CALj3D4B/QvA5SorwiQucuqs/KVYLHL8CmHEUzFz6R96CJCVewsWF/whg1xVewlyruopXurd3HwnwxlwyTolVejzjAscFMcXYClO09zcyF7heKc061xNDaP7uCwQn7xsDvKyUtuBkjoDPgCwJF2TqxnIKJlOQ//vb99lQBXHgRB+LaobIxu7KXhCDTzJiiqkimk04OziMRgCZ1gZpMS6JWBG9q7m70AcG/8nbAcyUhisn9cNn+ClIbQzvOppq89e3nA0sN4kTh2BLw74VGYQF3sT9szCv0RhkMF3Dw+1NQWozbu9NoDB8LomtdRYUzVzMSMkFXw8qrrVw4CZMraRQhOXQf6Mocd/A64fbmzewKlAjrFUNlEhoFAEBqqo1qBnYghu/DoNIl1zXxipLxFijqYXNAfXqV2BokXq42qM+FkSFmqJMoZgJRewTMXAJUfCxOASXiyyrxuUCrAJbIPzaigeNLuaN97pzrcXX4so8i/W6yHr9MdglOv84yn80zlC7NJdzKWLkAJRWH3TjibHE1ibXFNBaa5QWgtRmOh5ub8bwizKGTwXCkogaDRCNl6Ck4BJHoGYz9w8QyaCWC6lWwx4V8kou1EEaUKU1mkpJxuU8GDU3EDOPH8QQpKkgdCG4sWZsaj0VOcDdPdz+cLORHKd1z1y6O5D5KZTKTsLHYxFXpAwRPRPwKA8+pvAPgQqRA3Wutb1fcWtRQ0EkE9hYZKMFbEGsI0HNFbaz6PBaaSBSyXWpavNmELwgujvnG+hTpQQSeTz068AA0bhEaAuPFLdgOdBTRNlBHsJwoYx1BlxpteQMNby2ukZQGmZEGHwz6FdkniUWXHlr9LNN5gaIMYpy4kCuuC08zN9r1BxZd0y76UKqkgg+FrxUufJFEPl15IkNz08o7DHtZ6l0so5SWhHnLTKX3iju2CEvieBsMtOqTABgxOLx2v9VoNxWCCviCKM2Fmaqlsx5BDdAlTTOTZAF9SlcpWJ8xpOenQWVIMamlGziyhRFtiQdpLmCnHTCRosoZfuJ754FweetHZMYeQ/FR1JWAl1R6r71hRE3wFRJuByF+LxStWAwRX+HF5Zatg6MPEGt8/VR9uw3QrLMmRMUb5l6dnJINVXSpguNk5X/+Gg1AYuP1rlMe+sSGyV7TSk5J5mq5vstL3JCRr5U7JrQFOGisRssCRcjX2x/JqZ4e/f56t37/79IQVTTfyO1k5LoBZdzx9Kz+d7d/fVv0NL+qClRJ8XEF5ipsRpJeZYEeNcX3U+AKdMSxBg+46FezzEzu2yHyM7icgOV5ktiA4vRqgQCVT0VnMIMI+dtN7DiN2I97mnpsebLRugoPrF9f7Sh9q7BGVFyxtmeQs4USp9Q2DsrKZGYWrcBklBaa0LX8NqP/VvnZ999++0bx6v4XIYNo+56fuMmDBmn3kuJJGJtOTVgkRZSCTVfOxHtBA8zcoaWcPEuMTIXEo4f2EcvJ8QRZ4jJKNGZ9+sy8trpGmqDGr5/N4jzhQhaSrNHOjFoDFdykgdIB0TYQI7iQ8lC3WL7aqUbBZXcMoNh0LkC8fVWED7odBekspMQlC9G4ZMPzc0HXjX/1VpcjHriLqaquYW+64ih7zZX/XNwwd9V8VpJRHtrX577rtXvPmweKdn75t8o
siJ6gSzeUhXcFM2zfbHhy+6NUYShRMbrrujuDMHEB/qiTG0qTrny+63NzVZpd7OPfO6DRmknVhO6QO1VDa59ScSe1V9xwSg5bflnSpdh61bjnGi/e0Laus7vJ69HQODDrz/C9ccRhHo6hHlrCV24KyHTjZKl4nFeWLL3OczZkQMfn47XrNGoWlOc1JrngHDr6JSL3A+317tQYkA+cDSAS9TcrnPA+aC55ZQIbtfJ5YnbZz4T++Bk6qoSvB+dDkYGoVYjKJHxuhxBwefFCJao12/dv8OD9bOfY6h3XtLQ8kM3RV25zGrsYWwTNzn5EsMGn8W59kYR9AxPk+3Xqk+dJScoguDm4CwRT0OGkFldG4tsQrmmAiecZeHbmwwa5UOQH4yUl+2G37F+Xleu2s+0jA9eGFx/PLRFn0XZ7c2JMc07ZbYjzo/EklDJD5XNkIoKvBq1tX+tRVvIlez9/vOlmHym5A9CdKbCqTlh+sEL/RrPjLcRpirblzkx/ir2k42PPilQ3f6SBLi+daTWtFMdxZNp00McZAkl570vBscJ8HNdTlG7kbaSQ8UbZ3t3bbvx6TxIotyjcTgHTYLYndr05G5E/QMlak53wO23oyNGtjFdg+hPz+dBDThKDlaT2ay/HbCBdH1/bjTX93uBdDaIwoFUwoB3lno4SzKUls84mmbHNXiO35g29bTkNhwrRoUi6ehUMZy46JKFcCqGPlS5SoJ36osmhfV9uzU8bqpc0f767pc/65DoylrNp3WPHXT2J/WcZmIhX/ScSP5HmN4Pqixr6Wj+hjrhcqurZAvEOTAcoTnUGxOBSxRpCKd5QFxlLy/EuPd+h20Um5C+A27C8asyFmishtKZZaayGABj3H1DRLvtzrfK7K3t9r0T5bc1TZHnRLo9uvLqfHRo5aeU13W+DbmHh55Z7GycdxJyusg57ZzOKfX0XM2cEcgdzX78cRMuGZ8bF55QVSePYU6z0c9qBSWR641g3/UBXFJRM2QubRAwXM7F4SmyvERjSVllmadW2pMni3ETBpXpOOFjR14gyR2PcYE96SxaVco0u4EToWiqQe5kt7lDa7mcm3BGMK81MlAypBd/VOW0gdMGfm+Xm4PL527O1GUSXKrp2vKgthaOm6jNhSCphqLMJJ9VXVlYuRLdSUwbUyqytTVOQTSX84nP+5lS1PapgJeMLMAy0O6+mIOpi3FDpsIFBe1NMm3wT1nHjkR/Wh4UsWBUuLu0KXT4aFEyM3mJ0A3cQsnnhY1a91CMcT4kqkczUll0YHIcmJwtOVtwfH/OEwCda6W2wD0Bl1CUpDaunhqhEkGJiM5hsMZSWdzZBN2mzBltaT9t5hJWBadFOm61vXoO916cOc1sD1JvcDmw5rTAPVi9YebAmtsq9+D1HV2NgZq1pBHXMXba0ruMxrpx61b6qT69gZWzfae7IXwcNPjU6e6JG8G8Wn4/cln/O38aampaDA+BEotzpbOcjfmm9yjvGUO5+BntSukFXFHLl9yuk31JnVVQew5JnmrKG8ymaHrrSG2VqzgpEWLdGLLfbyUugd4NQzxXahqe3WFM/paMlDB4eVjWPAgPlEKnF43bgNqm8VYPspGLnhoNyths408VUYP0G8DmgCWeqZbcivebAbjY6psGiqcEL6rKMlNT5IcgykBJGDZINji5NShmw2jOVah4eR17jHri9Z5Nmgopn3HawTVsoCgw1zsOfXfpvNJQqmWTNU9b4pepsFqkKLfKrAwJNjafniP9f4n8Oe1afONZRyEcmN5nsYF2kneNoz3s61WSh33NnybnQrrVvd7qGAHDCsPLYxG9H5LgC4QLf3TtSEo8wH5rNE0med9T/WjH52WCBqmSjOj10012F+i5uOGpYJ/BEncHdW62+KzBHccbEyuVmz+mRvE8JrkL+lyM8tgVOA7ly3DMvJjPwjpTEHPxz4RFvwQPTQ3pKYw0EWXOzExTyPfnzV18XxdXTYzmSEPPzl4HrfxkHpt0
zT+Rz56FJrwww02a/jDX3Yv5RTjvPpM6lf3ujuJrZ8Htbq19fNXH+LQ2ni/3v/0XvOr91/u18Nf7tf/r79du3pahSjNks7rXiPwcP7+NQuGTl3q8z3dOv5fhFc5JfL+mNx82/koTsRYl9rs8D/R43sTuZcPnRWgHqQ0yIKbVevB1ir0/CzHcfnoA2OblvR0v76wYN4uJ4+s7LcTP0BxeB/UtE04+6FqgATU1qJfdrLzd9fd7JnsJ9vHPxk5u+FSTrRp/f3YIb4GwSfL3h04rNW42v/sQf/zMFR6paBOap3LojBTJSxzQiI8V12hyaPzRiTpKGSWC1iLXSDt6G8EDGNqWooyTHN4rH1Sb7/e3os7401uOLPLAv/ba+A79mGQjiF80n3NJRCeF9GW3m7RsidoQzTHPqyIbceFFL6Id+5SLTf4MzDkFpW2uTCBJh/5DOdRg80NMQDZdvZGaA5mq2gKRDaT/BAAA//9TWLkK" + return "eJzsXF9v47ayf99PMchLdwGv0e7tXlzk4QLpbns3QNrt3SQ9fTNocmzNCUWqJGXH/fQHJCVZtmnZTuh0z0HzFMvSzI/k/PnNkPJbeMDVJbjCIHOkHMpXAI6cxO2LBiUyi5cwRcdeAQi03FDlSKtL+N9XAAB34QEIT0iao+IIP5HEqb/6sxa1xPErgBmhFPYyPPIWFCvxEi4uwkcAt6rwEuZG11VzpX97/5EIb0xKEGdOm/GMJI4LZouxk7bo7m9lPuBqqY3oXU8Mof27KxC8vG8sUFlp48DLHAHNgC0YSTb1YzkFky3Yf/3P99lQRXHgRR+LaoYoxv7KXhCDTwpmi6lmRkxIHBxGK4BNa4u8GJdMLpnZ1dxf6AOD/ynYAcy0gSsv9cMn+DlKbQ3vujHV9m/bctaw/CROPIINDftWZBAWBBMPz8K8RmtRwHQF919uClbbcXdvAoWluWKuNllQtHMxYyVJWg0qro304CZCL5XUTOTQf6M589/A6/svN29gWaBBWOkaOFPQKgIGXFcr0DNwBdmwDoNIF2Rq67RjcmzQ1tLlgHr1Gwh0yANcE1AfC6JCw1GlUMykZu6JGEhBI/hYHJLUQ5ZVI/UAToMrEH7rxINBH/PGe925NvJrcWXKYr0+sl5/jHaJ3j+O8h+DMzQ+zeVciiZyACpnDrrxxDrmaptrCnhtDCoHUWo7Hfdfbsbwq7aWphJhwWSNFpjBS9BKksIR6NnM/wNMCajVg9LLYY+KeSUX6igNuDYGbaWVIDWPRk0WmswTBjEEaSoZf5BknR3b2kxlDnC3919+uFlLbqZ1z1z6O1CEKVTaTeLHYxFXrIwRPRPwRh58TOEfAhUjB5pca3u3JOfQQMGUkNhaZKsFXMGcJ0HtFbGz6PBaG2BKq1Wpa/tmELxkpj/na+hTrSUydTz068gA0fpE6IqAFDdgedBTRNVDHsNwoa3zBlwZvSCBBl47UyNoAzMmLb4Z9Cs2zxILroI1htlmcwvMWs2JeZBLckWA+UeNhlD0x7SbLpQumaSxpFLnyhdR5NeRJ9Y8P6Fwi2k/S6WXdZTSinlvUbn0NuKOHfKCSRKTmdFlAoBgDo/X/o8C1aZCWDJPGI11MNO1Et4jyALXyno3QRHVp3CVWtCMkp6dBZVk1qWUrOPKFGW2JB2l+YKc9cJGhyhl+4nvngUh5K0dkxgFD8VHVlYSfVHqvw2FEVkQumSkRjE+L3UtBUwx3BGEpZatByNPUOt9fZQ9h0ZIljnzgppbpoGdHFLNtXLpQuNk5T8+OsPA4aPzLtPdusBWyV5TSs5Jpqr5bsOLvJBRKBX7JjRFuGjtBktGchSK7U/MFm9vP129e//fFymIevpP5G5SMvNAau5Zejbfu727/h062t9oStRJTeKLzNQ6g6w8SwK83Ra9nQBTpiWZtTSjWK/nmJldtsNUb3HJQmVowVxkMUaXwKCqp5I4zLDhvF0Dq/lGrsZbWrZY82UrdNQ8sXl/Y0Pd
XYMzotWMxJ5CzhbanFDYeyspkdnadAGScV4bxlfwOoz9W+9n33377RvPq2iuYsOov57f+AlDQTx4KVNMrhxxCw55obTU85UX0U3wMCMX6BjJd4mR+ZBw/MA+BjkxjnhDTEaJ3rxflw2vna6gtmjg+3eDOF+IoKU0B6QTi9aSVpM8QHogYgO5ER9LFu4XO1Qr/Sio1YYZDIPOFYivN4LwQae7YJWbxKB8MYqfQmhuP1DV/lcbeTHaEncx1e0t/F1PDH+3vhqegwt6VzXXSia7W7fl+e86/f7D+pFSvG//bURWzDygaG6pCrJF++y22Phl/8ZGhOVMNdd90d0bgm0e2BZla1sRJx36re3NTht/c4h8/oNB5SbOMP6AJqgaXPuSyT2rvyQpODtt+WfalLF1a3DOTOiesK6uC/3k1QgYfPjtR7j+OIJYT8cw7xzjD/5KzHSjZKl4nBeW4n0Oc/bkIMSn4zUbtLo2HCe1oRwQvng65SP3/ZfrXShNQD6wNYALNORWOeB8MOSIM0lulVyepn0WMnEITrauKknb0elgZJB6OYISBdXlCAqaFyNYoFm99f8ODzbMfo6h3gZJQ8sP/RR15TOrdYexTfzk5EsMa3wO5yYYRdQzPE1uu1Z96ix5QQ0IsgdniQUaMoTMmdo6FBNOhkuckMjCt9cZtJEPUX40Uiq7ht+xfl5XvtrPtIz3QRhcfzzUos+i7MvNiTEtOGW2Lc6PzLFYyQ+VzZCKClSNutq/NrIr5Erxfv/+UpN8puxPxkymwqndYfohCP0a94w3EaYq25fZMf4q+sk2RJ8UqP75kgS4betIrWmvOmp2pu0W4ihLajXf+mJwnAC/1OUUjR9pJzlWvM1s765tPz6dB0kj92gc3kGTIHanNj25a1H/hwoN8R1w++3oiJGtTdciht3zeVQDnpKDM2w2224HrCFd350bzfXdXiC9BlHckEoY8M5SD2dJgcrRjNC2HdfoOaExbetpSS5uKzYKZdLRuRY48dElC+HUAkOo8pUE9eqLNoVt+3ZneGSrXNH++vbXv2qT6Mo5Q9N6ix30+pNmzjOxkM9mzhT9Gaf3gy7LWnmav6ZOuNg4VbIB4hwYjtAc642JxAXKNITTPKBZ5SAvxrj3ocM2ag4hfQdk4/artg54Uw2lM8tMZzEAIch/w2TXdqeNMnuj3b53okJb0xZ5dqS7raugLkSHTn5KeV3na8jd32+ZxU7jvJeQ00XOaft0Xmmg53rmjUDtaA7jb5pwyfjcuvCE6zq5DXOajX7SSyiZWq0Fh1MfQIrLWqDwaYOBJTWXh6fIUYnWsbLKMk+dtCdPliAbB5VpO+FjT14kyT2P8YE96SxGV9q23cCJ1Dx1QO5kt7lF50jNbdwjmNcGBWgV00vYqvLawGuD0Nsle3D5/M2ZTplEl2pPbQVQGwtHttHmQ5DSQ1Fmks+qrhwsfYnuJaaNKRXZuhqnYIbUfBLyfqYUtbkrECSjiLAsdN0XezB1CbJsKn1QMMEk0wb/lHXsSQy75VGRiEaFu0ubQoePDpWwk5cI3UAOSpoXrtG6h2KM8yHRWzQjlUUHJseDyXkkZwNOOJ/zBEDnWqkNcE/AJTVnqcbVUyNUIigx2dsMNlhqhztN0E3KnNGW9tNmUrAsiBfpuNWd1fO49+LMaWZ7kAaDy4E1pwXuwRoMMwfW3Fa5B2840dUaqF0p3uA6xk47epfRWNdu3Uk/1afXsHIe3+k3hI+DBj/1Tvc0jWCqFt+PfNb/LuyG2poXw0PgzOFcmyx7Y+HQeyPvGUO5+AXdUpsHuOKOFuRWyXNJvVXQezZJnmrKa8y2aM/WsdppX3FyJuWqNeTQb2U+gd4OQzxXahqe3WFM4ZaMlDB6eVzWPAgPlEKnF42bgLpD450eFCMfPQ1aVM1hm7CriAZUaADbA5Z4plpyI96vB+Bjazg0UDwleHFdlpkORX6IoiyUTGCLZI2TnEU5G0ZzrkIlyOvZY6Onub5lk7ZC
TjPiPVzDBooSc73jsO0uvVcaSr1os+ZpS/wyFVaHFNVGmZUhwTaHT8+R/j83/DntWrT2rKMQDkzvs9hAN8m7xtFt9m1Vkod9Lewm50K6cXq90zECgRXGl8ca9GFIkh4QLsLWtScpzQb2W2t4MsmHM9WPbnxeJmiRayWYWT3dZHeBnosbngr2GSxxd1DnZovPGtxxvDGxUrn5Y2oUz2OSu6DPxSiPXYHjUL4Mx8yL+SysMwUxF/9MWPRL8NDUkJ7CSBNR5szMNIV8f97cxfd1cdXEaI409OzsddDKT+axSdf8C/nsWWjCCzPcpOkPc929mF+E8+4zqVPZ7+4ovnYW3HVr3eOrbYxPO8bz+e73f4NXvf9+vxb+fr/2P/392s3jW39kcvDo3P/fOvkNTQ3bKNb2u3k8zi8myR+SOY0z3qxf4G9+xcozyJTZxFMwOXQ2uS5IHNCIjxUZtDk0/uhFHaWMM8lrmWukPb2t4AEM3dmQjJMcXxAeVJvvh5Qanc1vKPmsTzGR7rXxnTwyyZbpPxuak2KyFwu2ZXfdNrFAY5khzHPmfy0uvrHDjKcR6mEdCCMFSkHpTsklkMwkcw4VnhYMLba/qANsfTyz4VjAprp2wFQL6V8BAAD//0EWIX8=" } diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml b/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml deleted file mode 100644 index 55023015e72..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: recordedfuture - type: group - description: > - Fields for Recorded Future Threat Intel - fields: - - name: evidence_details - type: flattened - description: > - List of sightings used as evidence for this indicator. - - name: name - type: keyword - description: > - Indicator value. - - name: risk_string - type: keyword - description: > - Details of risk rules observed. diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml deleted file mode 100644 index f11179414aa..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{ if eq .input "httpjson" }} - -type: httpjson -interval: {{ .interval }} - -request.method: GET -{{ if .ssl }} -request.ssl: {{ .ssl | tojson }} -{{ end }} -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} -{{ if .custom_url }} -request.url: "{{ .custom_url }}" -{{ else }} -request.url: "{{ .endpoint }}/{{ .entity }}/risklist?format=csv/splunk&gzip=false&list={{ .list }}" -{{ end }} -request.transforms: -{{ if .api_token }} -- set: - target: header.X-RFToken - value: {{ .api_token }} -{{ end }} -response.decode_as: text/csv - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: -{{if .preserve_original_event}} - - preserve_original_event -{{end}} -{{range $val := .tags}} - - {{$val}} -{{end}} - -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/decode_csv.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/decode_csv.yml deleted file mode 100644 index 718172f4f3c..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/decode_csv.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -description: Pipeline to decode CSV risklists from Recorded Future threat intel. -processors: - - csv: - field: event.original - target_fields: - - _tmp_.col0 - - _tmp_.col1 - - _tmp_.col2 - - _tmp_.col3 - - _tmp_.col4 - - drop: - description: 'Drops the CSV header line.' - if: 'ctx._tmp_.col0 == "Name"' - -# This supports the default CSV risklists: -# 4-column for url, domain and IPs. -# 5-column for hash. - - script: - description: Maps the CSV entries to fields. - lang: painless - params: - default: - col0: Name - col1: Risk - col2: RiskString - col3: EvidenceDetails - hash: - col0: Name - col1: Algorithm - col2: Risk - col3: RiskString - col4: EvidenceDetails - source: > - def cols = params[ ctx._tmp_.col4 == null? "default" : "hash" ]; - def src = ctx._tmp_; - def dst = new HashMap(); - for (entry in cols.entrySet()) { - dst[entry.getValue()] = src[entry.getKey()]; - } - ctx['json'] = dst; - - remove: - field: _tmp_ diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml deleted file mode 100644 index f6d2bbd39a4..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml +++ /dev/null 
@@ -1,209 +0,0 @@
-description: Pipeline for parsing Recorded Future threat intel.
-processors:
-#
-# Set basic ECS fields.
-#
- - set:
- field: event.ingested
- value: "{{{ _ingest.timestamp }}}"
- - set:
- field: ecs.version
- value: "1.12"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
- - set:
- field: threat.feed.name
- value: "[Filebeat] RecordedFuture"
- - set:
- field: threat.feed.dashboard_id
- value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
-
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
-
-#
-# Decode event.original as JSON if it starts with the "{" character.
-# This is the common case when events are ingested from the API, as httpjson
-# transforms the CSV to a JSON message.
-#
- - json:
- field: event.original
- target_field: json
- if: 'ctx.event?.original != null && ctx.event.original.startsWith("{")'
- on_failure:
- - fail:
- message: "Failed decoding message field as JSON: {{{ _ingest.on_failure_message }}}"
-
-#
-# Decode event.original as CSV when the above processor didn't execute.
-# This is used when ingesting CSV lines from a file.
-#
- - pipeline:
- name: '{< IngestPipeline "decode_csv" >}'
- if: 'ctx.json == null'
- on_failure:
- - fail:
- message: "Failed decoding message field as CSV: {{{ _ingest.on_failure_message }}}"
-
-#
-# Decode EvidenceDetails column as JSON.
-#
- - json:
- field: json.EvidenceDetails
- target_field: _temp_.EvidenceDetails
- ignore_failure: true
-
- - rename:
- field: _temp_.EvidenceDetails.EvidenceDetails
- target_field: json.evidence_details
- ignore_missing: true
-
-#
-# Hash indicators (threat.indicator.type=file)
-# As risklist indicators don't have a "type" field, it's necessary
-# to detect the kind of indicator in the Name field.
-#
-# An indicator is of type `hash` when the Algorithm field is present.
-#
- - set:
- field: threat.indicator.type
- value: file
- if: 'ctx.json.Algorithm != null'
- - script:
- lang: painless
- description: >
- Map file hashes.
- if: "ctx.json.Algorithm != null"
- params:
- MD5: md5
- SHA-1: sha1
- SHA-256: sha256
- SHA-384: sha384
- SHA-512: sha512
- source: >-
- def key = params[ctx.json.Algorithm];
- if (key == null) {
- throw new Exception("Unsupported hash algorithm '" + ctx.json.Algorithm + "'");
- }
- def hashes = [key:ctx.json.Name];
- ctx["_hashes"] = hashes;
- on_failure:
- - append:
- field: error.message
- value: "Failed to map fileHashes field: {{{ _ingest.on_failure_message }}}"
- - rename:
- field: _hashes
- target_field: threat.indicator.file.hash
- ignore_missing: true
-
-#
-# IP indicators (threat.indicator.type=ipvN-addr)
-#
-# An indicator is of type `ip` if Name is a valid IP address.
-#
- - convert:
- field: json.Name
- target_field: threat.indicator.ip
- type: ip
- ignore_failure: true
- if: 'ctx.threat?.indicator?.type == null'
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: 'ctx.threat?.indicator?.ip != null && !ctx.threat.indicator.ip.contains(":")'
- - set:
- field: threat.indicator.type
- value: ipv6-addr
- if: 'ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(":")'
-
-#
-# URL indicators (threat.indicator.type=url)
-# An indicator is of type `url` if Name contains a slash character.
-#
- - set:
- field: threat.indicator.type
- value: url
- if: 'ctx.threat?.indicator?.type == null && ctx.json.Name.contains("/")'
- - uri_parts:
- field: json.Name
- target_field: threat.indicator.url
- keep_original: true
- if: 'ctx.threat?.indicator?.type == "url"'
-#
-# Domain indicators (threat.indicator.type=domain)
-# This is a catch-all type.
-#
- - set:
- field: threat.indicator.type
- value: domain-name
- if: 'ctx.threat?.indicator?.type == null'
- - set:
- field: threat.indicator.url.domain
- value: '{{{ json.Name }}}'
- ignore_empty_value: true
- if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null'
-
-#
-# Normalize Risk
-#
- - convert:
- field: json.Risk
- target_field: event.risk_score
- ignore_missing: true
- type: float
- on_failure:
- - append:
- field: error.message
- value: "Risk score `{{{ json.Risk }}}` cannot be converted to float: {{{ _ingest.on_failure_message }}}"
-
-#
-# Fingerprint event: _id = hash(dataset + indicator type + indicator value)
-#
- - fingerprint:
- fields:
- - event.dataset
- - threat.indicator.type
- - json.Name
- target_field: "_id"
- ignore_missing: true
-
-#
-# Save fields without an ECS mapping under `recordedfuture`.
-#
- - rename:
- field: json.RiskString
- target_field: json.risk_string
- ignore_missing: true
- - rename:
- field: json
- target_field: recordedfuture
-
-#
-# Cleanup
-#
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - recordedfuture.Algorithm
- - recordedfuture.EvidenceDetails
- - recordedfuture.Name
- - recordedfuture.Risk
- - _temp_
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
deleted file mode 100644
index a5544178969..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-module_version: 1.0
-
-var:
- - name: input
- default: httpjson
- - name: interval
- default: 1m
- - name: endpoint
- default: "https://api.recordedfuture.com/v2"
- - name: entity
- - name: list
- - name: custom_url
- - name: ssl
- - name: tags
- default: [threatintel-recordedfuture, forwarded]
- - name: proxy_url
- - name: api_token
- - name: preserve_original_event
- default: false
-ingest_pipeline:
- - ingest/pipeline.yml
- - ingest/decode_csv.yml
-input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log
deleted file mode 100644
index 68da98bb6d3..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log
+++ /dev/null
@@ -1,40 +0,0 @@ -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"21 sightings on 4 sources: Proofpoint, PasteBin, The Daily Advance, @DGAFeedAlerts. Most recent tweet: New ramnit Dom: xohrikvjhiu[.]eu IP: 13[.]90[.]196[.]81 NS: https://t.co/nTqEOuAW2E https://t.co/QdrtFSplyz. Most recent link (Nov 16, 2019): https://twitter.com/DGAFeedAlerts/statuses/1195824847915491329\", \"Sources\": [\"QQA438\", \"Jv_xrR\", \"SlNfa3\", \"KvPSaU\"], \"Timestamp\": \"2019-11-16T22:03:55.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"18 sightings on 2 sources: Proofpoint, The Daily Advance. Most recent link (Nov 12, 2018): https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy#.W-nmxyGcuiY.twitter\", \"Sources\": [\"QQA438\", \"KvPSaU\"], \"Timestamp\": \"2018-11-12T20:48:08.675Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Referenced by Insikt Group\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Proofpoint Researchers Observe sLoad and Ramnit in Campaigns Against The U.K. and Italy. Most recent link (Oct 23, 2018): https://app.recordedfuture.com/live/sc/4KSWum2M6Lx7\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2018-10-23T00:00:00.000Z\", \"Name\": \"relatedNote\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Mar 23, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-03-23T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T07:12:02.455Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "xohrikvjhiu.eu", "Risk": "96", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported by DHS AIS\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-216d34d4-67bd-4add-ae6e-4ddec27dcb0e (Jul 25, 2019).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2019-07-25T00:46:19.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: MALWARE BREAKDOWN. Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/\", \"Sources\": [\"ST7rfx\"], \"Timestamp\": \"2017-05-17T19:31:06.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 19, 2021, and Jul 21, 2021.\", \"Sources\": [\"report:Tluf00\"], \"Timestamp\": \"2021-12-29T07:21:52.311Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 9, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-07-09T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-07-06T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T07:21:52.303Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "wgwuhauaqcrx.com", "Risk": "95", "RiskString": "6/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: wbmpvebw[.]com IP: 209[.]99[.]40[.]220 NS: https://t.co/bH4I7LoMNf https://t.co/KTCPYU87bT. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551578264821760\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2020-01-04T20:03:37.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Feb 18, 2021, and Feb 24, 2021.\", \"Sources\": [\"report:Tluf00\"], \"Timestamp\": \"2021-12-29T07:16:05.008Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-06-30T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Malwr.com. 
Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-05-08T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T07:16:05.007Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "wbmpvebw.com", "Risk": "95", "RiskString": "6/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: ckgryagcibbcf[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333576053207040\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2021-02-01T20:08:18.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Jun 15, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-06-15T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2016-04-11T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:40:44.358Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "ckgryagcibbcf.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jpuityvakjgg[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333600627683330\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2021-02-01T20:08:24.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 17, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-06-17T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-05-08T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:46:28.155Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "jpuityvakjgg.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jexgpprgph[.]com IP: 209[.]99[.]40[.]222 NS: https://t.co/IGcQwMvzjy https://t.co/J2gdsVMl8U. 
Most recent link (Dec 13, 2018): https://twitter.com/DGAFeedAlerts/statuses/1073277207919947778\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2018-12-13T18:03:21.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-06-30T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Malwr.com. 
Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-05-08T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:40:30.778Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "jexgpprgph.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: cascotqhij[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/czXUwYeuxf https://t.co/nKWfZguQSF. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333566758682629\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2021-02-01T20:08:16.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Jul 27, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-07-27T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2016-04-11T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:34:06.062Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "cascotqhij.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported by DHS AIS\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-e26bfe3a-8f67-4f57-9449-3f183fe94c07 (Jul 25, 2019).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2019-07-25T01:51:04.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/\", \"Sources\": [\"ST7rfx\"], \"Timestamp\": \"2017-05-17T19:31:06.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Apr 1, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-04-01T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-07-06T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:45:21.381Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "npcvnorvyhelagx.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: uxlyihgvfnqcrfcf[.]com IP: 209[.]99[.]40[.]224 NS: https://t.co/03Dbt4N72t https://t.co/l29AcRDSvE. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551575332982790\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2020-01-04T20:03:36.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html\", \"Sources\": [\"KVQ2PB\"], \"Timestamp\": \"2017-03-08T01:18:17.569Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 6, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-05-06T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Malwr.com. 
Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-05-08T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:35:26.677Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "uxlyihgvfnqcrfcf.com", "Risk": "94", "RiskString": "5/45"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported by DHS AIS\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-fd72a0d2-bcbd-43b4-910b-9898e979a562 (Jul 24, 2019).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2019-07-24T23:40:35.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: bjfwfqviu[.]com IP: 23[.]96[.]57[.]36 NS: https://t.co/nTqEOuAW2E https://t.co/NnqzXB3b3P. Most recent link (Jul 3, 2019): https://twitter.com/DGAFeedAlerts/statuses/1146524855602429953\", \"Sources\": [\"SlNfa3\"], \"Timestamp\": \"2019-07-03T21:03:21.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Operation\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on May 6, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-05-06T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Malware Analysis DNS Name\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"3 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZDQ0ODcwOTZiN2FmNDExNmExYzA3YjUwOTcxYmRlMjE/\", \"Sources\": [\"NKaUXl\"], \"Timestamp\": \"2017-07-06T00:00:00.000Z\", \"Name\": \"malwareAnalysis\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C DNS Name\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\", \"Sources\": [\"report:QhR8Qs\"], \"Timestamp\": \"2021-12-29T06:48:58.905Z\", \"Name\": \"recentCncSite\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "bjfwfqviu.com", "Risk": "94", "RiskString": "5/45"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"50 sightings on 10 sources including: Security Bloggers Network, TechTarget Search Security, Bleeping Computer, Guided Collection, Bleepingcomputer Forums. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561\", \"Sources\": [\"NSAcUx\", \"KCdHcb\", \"J6UzbO\", \"Rlso4a\", \"hkE5DK\", \"cJMUDF\", \"TZRwk8\", \"QMTzEI\", \"LUhTGd\", \"J5NRun\"], \"Timestamp\": \"2021-12-21T08:40:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"32 sightings on 27 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @neonprimetime, @rpsanch. 
7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752\", \"Sources\": [\"T1bwMv\", \"LC-zVm\", \"QFvaUy\", \"P_upBR\", \"T2OA5Q\", \"K20lXV\", \"TGgDPZ\", \"hkIDTa\", \"LqRZCN\", \"Vd51cf\", \"ha2FFj\", \"UmsU31\", \"K7wUX2\", \"P_ivKa\", \"Qj3TQr\", \"idn:wordpress.com\", \"J-mrOR\", \"QPbAan\", \"VeioBt\", \"WlbRkJ\", \"K7sErA\", \"TvfQzk\", \"TP1vbk\", \"SrKvJ0\", \"SqCj4s\", \"VXaDYo\", \"bk2VX4\"], \"Timestamp\": \"2021-12-25T03:23:47.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"6 sightings on 6 sources including: Messaging Platforms - Uncategorized, @_mr_touch. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. 
Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289\", \"Sources\": [\"XV7DoD\", \"Ym7dzt\", \"LKKAV1\", \"VeioBt\", \"Y7TWfI\", \"KGS-xC\"], \"Timestamp\": \"2019-05-28T14:17:41.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"119 sightings on 42 sources including: Malware-Traffic-Analysis.net - Blog Entries, Doc Player, GhostBin, Data Breach Today.eu | Updates, Codex - Recent changes en. 43 related malware families including Dardesh, AZORult, Emotet, Ryuk Ransomware, GandCrab. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321\", \"Sources\": [\"TvGJYk\", \"LErKlJ\", \"QWOrKl\", \"LKKAV1\", \"W4ygGi\", \"PATKM7\", \"T1bwMv\", \"TY6igj\", \"LjkJhE\", \"kuKt0c\", \"QAy9GA\", \"LbYmLr\", \"K20lXV\", \"QZe7TG\", \"idn:droppdf.com\", \"QAmbRP\", \"V_o1DL\", \"TbciDE\", \"XV7DoD\", \"P_j5Dw\", \"QNmgPm\", \"TGXqeD\", \"KGS-xC\", \"L3kVdM\", \"QMfGAr\", \"h6VVAH\", \"doLlw5\", \"UrsUKT\", \"JOU\", \"MIKjae\", \"P_oIyV\", \"QJ6TQK\", \"RfVd0T\", \"J6UzbO\", \"Ql9O5c\", \"USKpXp\", \"TP1vbk\", \"SrKvJ0\", \"Tq2nAb\", \"P_ov9o\", \"VXaDYo\", \"idn:index-of.es\"], \"Timestamp\": \"2021-11-27T23:07:37.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Reported by DHS AIS\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-12195723-7c56-4c63-b828-fc340dd4050a (Dec 20, 2018).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2018-12-20T21:13:36.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"5 sightings on 3 sources: Malware-Traffic-Analysis.net - Blog Entries, ReversingLabs, PolySwarm. Most recent link (Dec 15, 2018): https://www.malware-traffic-analysis.net/2018/12/14/index.html\", \"Sources\": [\"LErKlJ\", \"TbciDE\", \"doLlw5\"], \"Timestamp\": \"2020-07-11T09:55:23.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "38e992eb852ab0c4ac03955fb0dc9bb38e64010fdf9c05331d2b02b6e05689c2", "Risk": "89", "RiskString": "6/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"28 sightings on 8 sources including: Dancho Danchev's Blog, SecureWorks, Talos Intel, Unit 42 Palo Alto Networks, Cisco Japan Blog. Most recent link (Mar 12, 2021): https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group?es_p=13420131\", \"Sources\": [\"JfqIbv\", \"Z2mQh2\", \"PA-rR4\", \"jjf3_B\", \"clDYM8\", \"T5\", \"rN\", \"J5NRun\"], \"Timestamp\": \"2021-03-12T20:30:37.672Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"69 sightings on 18 sources including: Stock market news Company News MarketScreenercom, HackDig Posts, Sesin at, US CERT CISA Alerts, citizensudo.com. 6 related attack vectors including Powershell Attack, Supply Chain Attack, Target Destination Manipulation, Reconnaissance, C&C Server. 
Most recent link (Apr 15, 2021): https://www.cisa.gov/uscert/ncas/alerts/aa20-352a\", \"Sources\": [\"XBl0xf\", \"POs2u-\", \"Z3TZAQ\", \"hhY_oz\", \"idn:citizensudo.com\", \"VKz42X\", \"PA-rR4\", \"POs2tz\", \"idn:firsthackersnews.com\", \"KcjdRW\", \"dCotni\", \"idn:comodo.com\", \"gI8s5W\", \"hibUwt\", \"rN\", \"idn:reportcybercrime.com\", \"idn:eshielder.com\", \"idn:edsitrend.com\"], \"Timestamp\": \"2021-04-15T00:00:00.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Vulnerability\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"11 sightings on 2 sources: GitHub, Insikt Group. 5 related cyber vulnerabilities: CWE-20, CWE-287, CVE-2020-10148, CVE-2020-1938, CWE-269. Most recent link (Dec 27, 2021): https://github.com/teamt5-it/official-website-v2/blob/master/_site/_next/data/64e2c6f134e73517d6ff737822e83cd75cf633c6/tw/posts/ithome-ghostcat-apache-tomcat-ajp-vulnerability.json\", \"Sources\": [\"MIKjae\", \"VKz42X\"], \"Timestamp\": \"2021-12-27T07:36:54.000Z\", \"Name\": \"linkedToVuln\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"175 sightings on 31 sources including: 4-traders.com, SentinelLabs, Sesin at, Cisco Japan Blog, McAfee. 8 related malware families including WebShell, Ransomware, Backdoor, Backdoor Shell, SUNBURST. Most recent tweet: Malcode highlighted in 'App_Web_logoimagehandler.ashx.b6031896.dll' (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71) #SolarWinds #SUNBURST https://t.co/lyvnVHuTb2. 
Most recent link (Dec 16, 2020): https://twitter.com/_mynameisgeff/statuses/1339070792705830913\", \"Sources\": [\"TuWseX\", \"KBTQ2e\", \"eP3CYX\", \"Z3TZAQ\", \"clDYM8\", \"rN\", \"VKz42X\", \"idn:elemendar.com\", \"idn:securitysummitperu.com\", \"PA-rR4\", \"idn:terabitweb.com\", \"eTNyK6\", \"gBQB48\", \"bMZlEg\", \"idn:edsitrend.com\", \"idn:infoblox.com\", \"UZNze8\", \"Z2mQh2\", \"XBl0xf\", \"dCpZqs\", \"jmpFm1\", \"T5\", \"doLlw5\", \"gBDK5G\", \"MIKjae\", \"idn:firsthackersnews.com\", \"jjf3_B\", \"Jv_xrR\", \"dCotni\", \"idn:comodo.com\", \"hibUwt\"], \"Timestamp\": \"2020-12-16T04:52:10.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Reported by DHS AIS\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA20-352A APT Compromise of Govt Agencies, Critical Infrastructure, and Private Sector Organizations, from CISA, Government Facilities Sector, CISA, Government Facilities Sector, NCCIC:STIX_Package-673aacd1-1852-4d44-bd93-0c44940a6358 (Feb 3, 2021).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2021-02-03T21:32:08.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"6 sightings on 2 sources: Sophos Virus and Spyware Threats, PolySwarm. Most recent link (Dec 17, 2020): https://news.sophos.com/fr-fr/2020/12/15/cyberattaque-contre-solarwinds-comment-savoir-si-vous-etes-concerne/\", \"Sources\": [\"K16tAG\", \"doLlw5\"], \"Timestamp\": \"2020-12-20T15:18:53.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"13 sightings on 1 source: Insikt Group. 4 reports including Researchers Linked Supernova Malware to Spiral Group. 
Most recent link (Mar 08, 2021): https://app.recordedfuture.com/live/sc/5DIp4RIUiJz6\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-03-08T00:00:00.000Z\", \"Name\": \"analystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71", "Risk": "89", "RiskString": "7/14"} -{"Algorithm": "MD5", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"10 sightings on 7 sources including: ISC Sans Diary Archive, SecureWorks, InfoCON: green, ISC | Latest Headlines, SANS Internet Storm Center. Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html\", \"Sources\": [\"TCw6v6\", \"Z2mQh2\", \"2d\", \"cJuZvt\", \"JYxY8X\", \"J2_htN\", \"jXNbON\"], \"Timestamp\": \"2021-12-20T04:54:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"6 sightings on 5 sources: GitHub, SANS Internet Storm Center, Messaging Platforms - Uncategorized, @decalage2, @simonwargniez. 3 related attack vectors: Remote Code Execution, Zero Day Exploit, Cyberattack. Most recent tweet: Great lists of software affected by #Log4Shell / CVE-2021-44228 / Log4J RCE: https://t.co/TpEQXKgMGW by @ncsc_nl https://t.co/FA5i8zR5Z1 by @CISAgov https://t.co/0xVZJvMcpU by @SwitHak https://t.co/788knvztWV https://t.co/WMkXslhgWS #log4j #log4j2. 
Most recent link (Dec 15, 2021): https://twitter.com/decalage2/statuses/1471121875816353800\", \"Sources\": [\"LUf99I\", \"MIKjae\", \"JYxY8X\", \"Y7TWfI\", \"KIRe_w\"], \"Timestamp\": \"2021-12-15T14:16:01.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Vulnerability\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"108 sightings on 78 sources including: bund.de, tistory.com, PasteBin, Sesin at, Messaging Platforms - Uncategorized. 24 related cyber vulnerabilities including CWE-22, CWE-611, CVE-2019-19781, CVE-2020-16898, CWE-20. Most recent tweet: Security advisories, bulletins, and vendor responses related to Log4Shell #Log4Shell #Log4j #cybersecurity #infosec #vendorsecurity https://t.co/Vpwrhdppm7. Most recent link (Dec 22, 2021): https://twitter.com/arrgibbs/statuses/1473733864459841538\", \"Sources\": [\"VQpQDR\", \"KFu3Rc\", \"LUf99I\", \"SGCsBG\", \"U94lUG\", \"KFcv42\", \"QT0CFv\", \"UHvtcg\", \"KFUbjU\", \"KHwUI5\", \"KKSt8d\", \"idn:bund.de\", \"VmIbAC\", \"QGT0Vy\", \"ejfM20\", \"KGlTEd\", \"QCoXJo\", \"RXSwU8\", \"idn:tistory.com\", \"LpdVul\", \"K-eKsL\", \"TKYCSz\", \"SkABVK\", \"SdGk_x\", \"LI6d7O\", \"LQIfBf\", \"U6B2hC\", \"f7_CfD\", \"LKt0HB\", \"RHS4v8\", \"KKmN5m\", \"YfJqp2\", \"Jv_xrR\", \"RJ2_NX\", \"VZXzSv\", \"k0QC11\", \"KFWBRs\", \"LRk_pt\", \"Qn2VRQ\", \"kGHFKP\", \"ShBO5M\", \"T-GSBp\", \"KNdyHF\", \"QLCTXP\", \"Z3TZAQ\", \"Khf99v\", \"KHZhjO\", \"SHH61D\", \"Knx_su\", \"LL8-pr\", \"QpmWTf\", \"KIRe_w\", \"QIea7F\", \"SlhG3F\", \"KIdj8R\", \"SQqKS8\", \"Lq6DNq\", \"QpYsBa\", \"d-ZMP2\", \"LOoye8\", \"QEUmiJ\", \"ewfPjC\", \"LBNFpV\", \"QTpbKE\", \"Y7TWfI\", \"KGS-xC\", \"eifkGz\", \"au2SGr\", \"SKw4tT\", \"KGW5kn\", \"Q9y5Ki\", \"KGxw1d\", \"MIKjae\", \"LO5p1C\", \"JYxY8X\", \"KJsMEF\", \"QBLBHH\", \"k7WJ2k\"], \"Timestamp\": \"2021-12-22T19:15:08.000Z\", \"Name\": \"linkedToVuln\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to 
Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"11 sightings on 3 sources: bund.de, SANS Internet Storm Center, Sesin at. 2 related malware families: Ransomware, Botnet. Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html\", \"Sources\": [\"idn:bund.de\", \"JYxY8X\", \"Z3TZAQ\"], \"Timestamp\": \"2021-12-20T04:54:00.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Naked Security. Most recent link (Dec 18, 2021): https://news.sophos.com/en-us/2021/12/17/log4shell-response-and-mitigation-recommendations/\", \"Sources\": [\"J2_htN\"], \"Timestamp\": \"2021-12-18T00:20:04.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "b66db3a06c2955a9cb71a8718970c592", "Risk": "89", "RiskString": "5/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"91 sightings on 19 sources including: Security News Concentrator, Fortinet, Trend Micro, CrowdStrike, FireEye Threat Research Blog. Most recent link (Dec 20, 2019): https://threatvector.cylance.com/en_us/home/threat-spotlight-petya-like-ransomware-is-nasty-wiper.html\", \"Sources\": [\"QS89Bd\", \"KVP0jz\", \"T5\", \"JYxY5G\", \"WR_Ohh\", \"Jt4ExJ\", \"Kzw0Pm\", \"JQH96m\", \"2d\", \"JYxY8X\", \"rN\", \"PA-rR4\", \"VyWQM7\", \"Lp_esG\", \"ONMgMx\", \"4n\", \"QMTzEI\", \"83\", \"K0TN7r\"], \"Timestamp\": \"2019-12-20T01:04:11.602Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 6, 2017, and Jul 17, 2017.\", \"Sources\": [\"report:Tluf00\"], \"Timestamp\": \"2021-12-24T20:03:09.087Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"14 sightings on 5 sources including: Assiste.Forum, @arturodicorinto. 2 related attack vectors: ShellCode, Cyberattack. Most recent tweet: They're getting quicker at updating.. #petya #cyberattack https://t.co/px0g9BSpod. Most recent link (Jun 27, 2017): https://twitter.com/SupersizedSam/statuses/879764638845587461\", \"Sources\": [\"LP7dc7\", \"LRlngp\", \"Sl8XTb\", \"QMfGAr\", \"J-y3tn\"], \"Timestamp\": \"2017-06-27T18:13:29.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Vulnerability\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: GitHub. 2 related cyber vulnerabilities: CWE-20, CVE-2017-0143. Most recent link (Oct 10, 2021): https://github.com/demisto/content/blob/master/Packs/RecordedFuture/Integrations/RecordedFuture/example_commands.txt\", \"Sources\": [\"MIKjae\"], \"Timestamp\": \"2021-10-10T08:21:25.825Z\", \"Name\": \"linkedToVuln\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"10 sightings on 9 sources including: BitcoinTalk.org, @Noemi_hcke. Most recent tweet: #petya related hashes in #virustotal https://t.co/Cv7Pltjhia https://t.co/P3otYPoxBj #ransomware #malware #sha256. 
Most recent link (Jun 28, 2017): https://twitter.com/Menardconnect/statuses/879885997831368705\", \"Sources\": [\"ThowaF\", \"KUtKjP\", \"K84j7t\", \"MghdWI\", \"K8rrfe\", \"QlWPRW\", \"KFsPRz\", \"S-Anbb\", \"KE9dMF\"], \"Timestamp\": \"2017-06-28T02:15:44.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"834 sightings on 201 sources including: New Jersey Cybersecurity & Communications Integration Cell, lnkd.in, avtech24h.com, Malwr.com, Talos Intel. 21 related malware families including ICS Malware, PetrWrap, Emotet, Trojan, NotPetya. Most recent tweet: #ransomware 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 f65a7dadff844f2dc44a3bd43e1c0d600b1a6c66f6d02734d8f385872ccab0bc b6e8dc95ec939a1f3b184da559c8010ab3dc773e426e63e5aa7ffc44174d8a9d 9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08. Most recent link (Apr 9, 2021): https://twitter.com/RedBeardIOCs/statuses/1380600677249003521\", \"Sources\": [\"jbVMcB\", \"idn:lnkd.in\", \"idn:avtech24h.com\", \"K84j7t\", \"Sl8XTb\", \"KGRhOC\", \"NKaUXl\", \"KIoGAG\", \"PA-rR4\", \"LRlngp\", \"rN\", \"Jxh46H\", \"KFL44X\", \"TbciDE\", \"KFNVB9\", \"OJpx5g\", \"K-CGye\", \"KK6oqV\", \"WR_Ohh\", \"idn:twitter.com\", \"fgwEcq\", \"QYsx0D\", \"KIFtR_\", \"Lp_esG\", \"TSFWTw\", \"KGHzAY\", \"P_oEH3\", \"KBTQ2e\", \"QCGHCy\", \"JYxY5G\", \"UQsrUj\", \"idn:cert.ro\", \"idn:bluvector.io\", \"KFUJTL\", \"TFUkSW\", \"P0Gs9I\", \"K8ofB1\", \"KVnnHP\", \"TpaXxw\", \"U5qdTI\", \"idn:zscaler.com\", \"L3kVdM\", \"QMfGAr\", \"KIk8aS\", \"Kzw0Pm\", \"hcELIE\", \"POs2tz\", \"KD6Na4\", \"idn:globalsecuritymag.com\", \"LDd0sl\", \"KVP0jz\", \"Lj8CsQ\", \"K8rrfe\", \"LDejRI\", \"J-y3tn\", \"WXutod\", \"idn:infosecurityfactory.nl\", \"LBlc7C\", \"idn:bg.org.tr\", \"QS89Bd\", \"K9SiDc\", \"Qe89bv\", \"TiY1wu\", \"idn:undernews.fr\", \"idn:iteefactory.nl\", \"KFRGd_\", 
\"KFVuR_\", \"4n\", \"S-Anbb\", \"KFNZEC\", \"TSazOG\", \"K9Skh1\", \"MghdWI\", \"idn:securityiscoming.com\", \"QS89BG\", \"LVg9nH\", \"KFiGli\", \"K9Vq9B\", \"KLbNtt\", \"VyWQM7\", \"NTakwX\", \"KGoarP\", \"idn:gelsene.net\", \"LwURWv\", \"KGX8VB\", \"ThoB0I\", \"TAIz7D\", \"QBHQ61\", \"TiY1w7\", \"idn:kompasiana.com\", \"idn:t.co\", \"KfDTG0\", \"idn:ictsecuritymagazine.com\", \"Liz5-u\", \"MIKjae\", \"JYxY8X\", \"KUtKjP\", \"idn:cert.pl\", \"Lpm4nc\", \"idn:boozallen.com\", \"RVFHk_\", \"KGmazP\", \"M_7iBk\", \"TStw1W\", \"LFcJLk\", \"K0TN7r\", \"KVRURg\", \"UNe62M\", \"iL8bPu\", \"K76BjK\", \"VRixQe\", \"idn:dfir.pro\", \"KF-l77\", \"idn:gixtools.net\", \"P_oIyV\", \"KGzicb\", \"LGryD9\", \"idn:fb.me\", \"K5nCn5\", \"ThKuX0\", \"SYrUYn\", \"KFKbZE\", \"MAe5tQ\", \"KGm6gS\", \"W4ygGi\", \"g9rk5F\", \"idn:menshaway.blogspot.com\", \"KFsPRz\", \"LDm9iS\", \"RV8KWp\", \"KTuH6e\", \"P_uJi3\", \"KG_Bgt\", \"QAmbRP\", \"idn:csirt.cz\", \"LZYvHh\", \"L0HtmN\", \"KWLqO-\", \"LtUj1D\", \"QMTzDr\", \"idn:dy.si\", \"Lo8Box\", \"K-4reD\", \"KFTeBZ\", \"KKzFno\", \"QMTzEI\", \"KFYLd8\", \"KGABt4\", \"LIizBt\", \"idn:herjavecgroup.com\", \"QAAZRn\", \"K66Zgw\", \"KWz-My\", \"Lb0b3F\", \"idn:emsisoft.vn\", \"LodOTm\", \"KE9dMF\", \"O-Wf5x\", \"LG2dQX\", \"P_-RZy\", \"LK7o9D\", \"K60PUk\", \"KKUqfz\", \"idn:logrhythm.com\", \"Jv_xrR\", \"LP7dc7\", \"MFNOaz\", \"TefIES\", \"KGdGg3\", \"KHNdvY\", \"QBTxvB\", \"idn:swordshield.com\", \"ThowaF\", \"idn:binarydefense.com\", \"idn:indusface.com\", \"QBtnC2\", \"QlWPRW\", \"KHZhjO\", \"idn:idcloudhost.com\", \"LRFVsB\", \"KG2JTH\", \"KIm1im\", \"LAfpKN\", \"BaV\", \"KGW3VP\", \"KFcp5q\", \"LCN_6T\", \"idn:avastvn.com\", \"KFTnbG\", \"TiCWjw\", \"Lmhpq3\", \"KGS-xC\", \"KFVthB\", \"idn:finyear.com\", \"KFji4N\", \"P_7M19\", \"K-b0DI\", \"LV1UMS\", \"idn:safe-cyberdefense.com\", \"Kjk3fx\", \"Q1wlJN\"], \"Timestamp\": \"2021-04-09T19:17:06.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, 
{\"Rule\": \"Reported by DHS AIS\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-21cebba6-46ed-464e-ad5a-32a8063e1400 (Jun 27, 2017).\", \"Sources\": [\"UZNze8\"], \"Timestamp\": \"2017-06-27T17:18:01.000Z\", \"Name\": \"dhsAis\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. Most recent link (Jun 27, 2017): ReversingLabs malware file analysis.\", \"Sources\": [\"TAIz7D\", \"TbciDE\", \"doLlw5\"], \"Timestamp\": \"2020-12-17T22:59:03.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "Risk": "89", "RiskString": "8/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561\", \"Sources\": [\"Rlso4a\", \"hkE5DK\", \"TZRwk8\", \"J5NRun\"], \"Timestamp\": \"2021-12-21T08:40:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. 
Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752\", \"Sources\": [\"WlbRkJ\", \"ha2FFj\", \"K7wUX2\", \"P_ivKa\", \"J-mrOR\", \"P_upBR\"], \"Timestamp\": \"2021-12-25T03:23:47.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429\", \"Sources\": [\"Y7TWfI\"], \"Timestamp\": \"2021-10-18T12:09:43.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"47 sightings on 16 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 18 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321\", \"Sources\": [\"TGXqeD\", \"W4ygGi\", \"L3kVdM\", \"QMfGAr\", \"kuKt0c\", \"QAy9GA\", \"JOU\", \"MIKjae\", \"P_oIyV\", \"QJ6TQK\", \"idn:droppdf.com\", \"Ql9O5c\", \"QAmbRP\", \"Tq2nAb\", \"TbciDE\", \"idn:index-of.es\"], \"Timestamp\": \"2021-11-27T23:07:37.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: ReversingLabs. Most recent link (Jul 1, 2019): ReversingLabs malware file analysis.\", \"Sources\": [\"TbciDE\"], \"Timestamp\": \"2019-07-01T00:00:00.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "ad2ad0249fafe85877bc79a01e1afd1a44d983c064ad8cb5bc694d29d166217b", "Risk": "89", "RiskString": "5/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Trend Micro. Most recent link (Mar 11, 2021): https://documents.trendmicro.com/assets/pdf/Technical_Brief_Uncleanable_and_Unkillable_The_Evolution_of_IoT_Botnets_Through_P2P_Networking.pdf\", \"Sources\": [\"T5\"], \"Timestamp\": \"2021-03-11T00:00:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"31 sightings on 4 sources: @m0rb, @bad_packets, @InfoSex11, @luc4m. 2 related attack vectors: DDOS, Command Injection. Most recent tweet: 2021-06-17T23:29:30 - Commented: https://t.co/j2a05iXOiI #malware #commandinjection. 
Most recent link (Jun 17, 2021): https://twitter.com/m0rb/statuses/1405668962462011401\", \"Sources\": [\"KFwzec\", \"TGgDPZ\", \"cgGiXI\", \"LMcjZ7\"], \"Timestamp\": \"2021-06-17T23:29:31.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"3 sightings on 2 sources: @bad_packets, @swarmdotmarket. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155\", \"Sources\": [\"TGgDPZ\", \"UBjcy3\"], \"Timestamp\": \"2020-04-20T21:22:47.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"87 sightings on 15 sources including: lumen.com, HackDig Posts, Anquanke News, Daily Dot, centurylink.com. 7 related malware families including Mozi Botnet, Trojan, Qbot, Mirai, DDOS Toolkit. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec. 
Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155\", \"Sources\": [\"idn:lumen.com\", \"POs2u-\", \"U13S_U\", \"Jzl3yj\", \"idn:centurylink.com\", \"doLlw5\", \"POs2t2\", \"idn:cyberswachhtakendra.gov.in\", \"idn:hackxsecurity.com\", \"TGgDPZ\", \"Jv_xrR\", \"TSFWTv\", \"LMcjZ7\", \"UBjcy3\", \"TbciDE\"], \"Timestamp\": \"2020-04-20T21:22:47.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. Most recent link (Nov 28, 2019): ReversingLabs malware file analysis.\", \"Sources\": [\"TAIz7D\", \"TbciDE\", \"doLlw5\"], \"Timestamp\": \"2021-04-04T07:46:20.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a", "Risk": "89", "RiskString": "5/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"45 sightings on 9 sources including: Security Bloggers Network, Bleeping Computer, Guided Collection, Bleepingcomputer Forums, TheServerSide.com | Updates. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561\", \"Sources\": [\"NSAcUx\", \"J6UzbO\", \"Rlso4a\", \"hkE5DK\", \"cJMUDF\", \"TZRwk8\", \"QMTzEI\", \"LUhTGd\", \"J5NRun\"], \"Timestamp\": \"2021-12-21T08:40:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"29 sightings on 24 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @rpsanch, @rce_coder. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752\", \"Sources\": [\"T1bwMv\", \"LC-zVm\", \"P_upBR\", \"T2OA5Q\", \"K20lXV\", \"TGgDPZ\", \"hkIDTa\", \"LqRZCN\", \"Vd51cf\", \"ha2FFj\", \"UmsU31\", \"ddafo3\", \"K7wUX2\", \"P_ivKa\", \"idn:wordpress.com\", \"J-mrOR\", \"QPbAan\", \"VeioBt\", \"WlbRkJ\", \"TvfQzk\", \"TP1vbk\", \"SrKvJ0\", \"SqCj4s\", \"VXaDYo\"], \"Timestamp\": \"2021-12-25T03:23:47.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Vulnerability\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Messaging Platforms - Uncategorized. 
2 related cyber vulnerabilities: CVE-2016-6663, CWE-362.\", \"Sources\": [\"Y7TWfI\"], \"Timestamp\": \"2021-12-29T07:27:12.565Z\", \"Name\": \"linkedToVuln\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"10 sightings on 7 sources including: SANS Institute Course Selector Results, Messaging Platforms - Uncategorized, @ecstatic_nobel, @Artilllerie. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289\", \"Sources\": [\"Ym7dzt\", \"LKKAV1\", \"OuKV3V\", \"VeioBt\", \"Y7TWfI\", \"KGS-xC\", \"KFSXln\"], \"Timestamp\": \"2019-05-28T14:17:41.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"114 sightings on 42 sources including: Doc Player, GhostBin, Codex - Recent changes en, droppdf.com, ReversingLabs. 41 related malware families including Dardesh, AZORult, Emotet, GandCrab, Offensive Security Tools (OST). Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321\", \"Sources\": [\"QWOrKl\", \"LKKAV1\", \"W4ygGi\", \"PATKM7\", \"T1bwMv\", \"LjkJhE\", \"kuKt0c\", \"QAy9GA\", \"LbYmLr\", \"K20lXV\", \"QZe7TG\", \"idn:droppdf.com\", \"QAmbRP\", \"TbciDE\", \"P_j5Dw\", \"QNmgPm\", \"TGXqeD\", \"POs2u-\", \"KGS-xC\", \"L3kVdM\", \"QMfGAr\", \"h6VVAH\", \"doLlw5\", \"UrsUKT\", \"JOU\", \"MIKjae\", \"P_oIyV\", \"QJ6TQK\", \"RfVd0T\", \"J6UzbO\", \"POs2tz\", \"VfsacJ\", \"Jv_xrR\", \"Ql9O5c\", \"USKpXp\", \"TP1vbk\", \"SrKvJ0\", \"Tq2nAb\", \"KFSXln\", \"P_ov9o\", \"VXaDYo\", \"idn:index-of.es\"], \"Timestamp\": \"2021-11-27T23:07:37.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 19, 2018): ReversingLabs malware file analysis.\", \"Sources\": [\"TbciDE\", \"doLlw5\"], \"Timestamp\": \"2021-02-10T09:10:10.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e", "Risk": "89", "RiskString": "6/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"58 sightings on 5 sources: SecureWorks, InfoCON: green, McAfee, Talos Intel, Kaspersky Securelist and Lab. 
Most recent link (Jun 28, 2018): https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US/McAfee_Labs_WannaCry_June24_2018.pdf\", \"Sources\": [\"Z2mQh2\", \"2d\", \"rN\", \"PA-rR4\", \"4n\"], \"Timestamp\": \"2018-06-28T08:11:36.570Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1688 sightings on 26 sources including: lnkd.in, Doc Player, Cyber4Sight, voicebox.pt, VKontakte. 2 related malware families: Wcry, Ransomware. Most recent link (Sep 13, 2017): https://malwr.com/analysis/ZmIzN2E3MzQyM2I0NDYwODllOWRhMmQxODg3YzMxZDA/\", \"Sources\": [\"idn:lnkd.in\", \"W4ygGi\", \"S2tpaX\", \"idn:voicebox.pt\", \"SIjHV9\", \"PJHGaq\", \"PA-rR4\", \"Z2mQh2\", \"e_\", \"idn:gofastbuy.com\", \"idn:ziftsolutions.com\", \"POs2u-\", \"KHpcuE\", \"QccsRc\", \"idn:dfir.pro\", \"idn:nksc.lt\", \"idn:dy.si\", \"KZFCph\", \"rN\", \"QYsx0D\", \"idn:logrhythm.com\", \"Jv_xrR\", \"idn:safe-cyberdefense.com\", \"4n\", \"QS89Bx\", \"NKaUXl\"], \"Timestamp\": \"2017-09-13T00:00:00.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"2 sightings on 1 source: Recorded Future Malware Detonation.\", \"Sources\": [\"TAIz7D\"], \"Timestamp\": \"2020-10-13T10:46:31.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b", "Risk": "89", "RiskString": "3/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561\", \"Sources\": [\"Rlso4a\", \"hkE5DK\", \"TZRwk8\", \"J5NRun\"], \"Timestamp\": \"2021-12-21T08:40:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752\", \"Sources\": [\"WlbRkJ\", \"ha2FFj\", \"K7wUX2\", \"P_ivKa\", \"J-mrOR\", \"P_upBR\"], \"Timestamp\": \"2021-12-25T03:23:47.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429\", \"Sources\": [\"Y7TWfI\"], \"Timestamp\": \"2021-10-18T12:09:43.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"43 sightings on 14 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 19 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. 
Most recent tweet: RT @demonslay335: #STOP #Djvu #Ransomware extension \\\".mogera\\\" (v090): https://t.co/wlMcSE2EHj | https://t.co/XAYkOoOReU. Most recent link (May 27, 2019): https://twitter.com/DrolSecurity/statuses/1133117241388621825\", \"Sources\": [\"TGXqeD\", \"W4ygGi\", \"L3kVdM\", \"QMfGAr\", \"QAy9GA\", \"JOU\", \"MIKjae\", \"P_oIyV\", \"QJ6TQK\", \"idn:droppdf.com\", \"Ql9O5c\", \"QAmbRP\", \"Tq2nAb\", \"idn:index-of.es\"], \"Timestamp\": \"2019-05-27T21:06:17.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: PolySwarm. Most recent link (Mar 8, 2021): https://polyswarm.network/scan/results/file/85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce\", \"Sources\": [\"doLlw5\"], \"Timestamp\": \"2021-03-08T13:00:15.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce", "Risk": "89", "RiskString": "5/14"} -{"Algorithm": "SHA-256", "EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561\", \"Sources\": [\"Rlso4a\", \"hkE5DK\", \"TZRwk8\", \"J5NRun\"], \"Timestamp\": \"2021-12-21T08:40:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Linked to Attack Vector\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"7 sightings on 7 sources including: malwareresearch, Malwr.com, AAPKS.com, @Shouvik95232310, @santGM, @aa419. 
4 related attack vectors: Phishing, Click Fraud, Typosquatting, Keylogger. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752\", \"Sources\": [\"WlbRkJ\", \"ha2FFj\", \"K7wUX2\", \"NKaUXl\", \"P_ivKa\", \"J-mrOR\", \"P_upBR\"], \"Timestamp\": \"2021-12-25T03:23:47.000Z\", \"Name\": \"linkedToVector\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Cyber Attack\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429\", \"Sources\": [\"Y7TWfI\"], \"Timestamp\": \"2021-10-18T12:09:43.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Linked to Malware\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"54 sightings on 17 sources including: Ichunqiu Forum, Doc Player, Malwr.com, ArXiv, GitHub. 19 related malware families including Fakespy, Dardesh, Djvu Ransomware, SAVEfiles, Trojan. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321\", \"Sources\": [\"TGXqeD\", \"W4ygGi\", \"L3kVdM\", \"QMfGAr\", \"NKaUXl\", \"kuKt0c\", \"QAy9GA\", \"JOU\", \"MIKjae\", \"P_oIyV\", \"QJ6TQK\", \"idn:droppdf.com\", \"Ql9O5c\", \"QAmbRP\", \"Tq2nAb\", \"TbciDE\", \"idn:index-of.es\"], \"Timestamp\": \"2021-11-27T23:07:37.000Z\", \"Name\": \"linkedToMalware\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Positive Malware Verdict\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: ReversingLabs. Most recent link (Aug 13, 2017): ReversingLabs malware file analysis.\", \"Sources\": [\"TbciDE\"], \"Timestamp\": \"2017-08-13T00:33:27.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "7531fcea7002c8b52a8d023d0f3bb938efb2cbfec91d2433694930b426d84865", "Risk": "89", "RiskString": "5/14"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"7 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Nov 8, 2021): https://pastebin.com/G1Jvm5T0\", \"Sources\": [\"Jv_xrR\"], \"Timestamp\": \"2021-11-08T16:27:15.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged IP\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: GitHub. 
Most recent link (Nov 16, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt\", \"Sources\": [\"MIKjae\"], \"Timestamp\": \"2021-11-16T00:00:00.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"164 sightings on 4 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions, Abuse.ch: Feodo IP Blocklist, Polyswarm Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 103.143.8.71:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651\", \"Sources\": [\"b5tNVA\", \"h_iZX8\", \"report:OtiCOp\", \"hyihHO\"], \"Timestamp\": \"2021-12-29T02:11:16.658Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}, {\"Rule\": \"Actively Communicating C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443, TCP:6881, TCP:995. Exfiltration behavior observed. Last observed on Dec 27, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-29T02:11:16.663Z\", \"Name\": \"recentActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "103.143.8.71", "Risk": "99", "RiskString": "4/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: GitHub. 2 related intrusion methods: Nanocore, Remote Access Trojan. 
Most recent link (Jan 1, 2021): https://github.com/GlacierSheep/DomainBlockList/blob/master/trail/static_nanocore_(malware).domainset\", \"Sources\": [\"MIKjae\"], \"Timestamp\": \"2021-01-01T16:56:57.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Multicategory Blocklist\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 2 sources: Bitdefender IP Reputation, hpHosts Latest Additions. Bitdefender detected suspicious traffic involving 185.19.85.136 associated with Bitdefender threat name Trojan.GenericKD.34300483 on Apr 30, 2021\", \"Sources\": [\"iFMVSl\", \"Ol_aRZ\"], \"Timestamp\": \"2021-04-30T04:50:06.000Z\", \"Name\": \"multiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between Feb 13, 2021, and Feb 13, 2021.\", \"Sources\": [\"report:SW8xpk\"], \"Timestamp\": \"2021-12-28T19:20:46.641Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"9 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Oct 29, 2021.\", \"Sources\": [\"b5tNVA\", \"h_iZX8\"], \"Timestamp\": \"2021-10-29T08:07:54.495Z\", \"Name\": \"intermediateCncServer\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recently Active C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Asyncrat. Communication observed on TCP:6060. 
Last observed on Dec 21, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-28T19:20:46.639Z\", \"Name\": \"intermediateActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Dec 24, 2021.\", \"Sources\": [\"b5tNVA\", \"h_iZX8\"], \"Timestamp\": \"2021-12-24T08:07:09.925Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "185.19.85.136", "Risk": "99", "RiskString": "6/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"12 sightings on 2 sources: C2IntelFeeds IPC2s, @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978\", \"Sources\": [\"k_7zaW\", \"jqWX2B\"], \"Timestamp\": \"2021-11-26T15:01:53.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Linked to Cyber Attack\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: C2IntelFeeds IPC2s. 
Most recent link (Aug 15, 2021): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=45.112.206.18_20210815\", \"Sources\": [\"k_7zaW\"], \"Timestamp\": \"2021-08-15T00:00:00.000Z\", \"Name\": \"linkedToCyberAttack\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged IP\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"10 sightings on 1 source: @drb_ra. Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978\", \"Sources\": [\"jqWX2B\"], \"Timestamp\": \"2021-11-26T15:01:53.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 2 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, Recorded Future Analyst Community Trending Indicators. Observed between Jul 8, 2021, and Dec 9, 2021.\", \"Sources\": [\"report:aD1qtM\", \"report:Tluf00\"], \"Timestamp\": \"2021-12-28T18:45:41.877Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"2 sightings on 1 source: Recorded Future Command & Control List. Command & Control host identified on Jul 5, 2021.\", \"Sources\": [\"b5tNVA\"], \"Timestamp\": \"2021-07-05T08:04:23.139Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}, {\"Rule\": \"Actively Communicating C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. 
Identified as C&C server for 1 malware family: Cobalt Strike Team Servers. Communication observed on TCP:443, TCP:8443. Last observed on Dec 26, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-28T18:45:41.875Z\", \"Name\": \"recentActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "45.112.206.18", "Risk": "99", "RiskString": "6/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"239 sightings on 5 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks, PasteBin, Cryptolaemus Pastedump. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Mar 14, 2021): https://unit42.paloaltonetworks.jp/attack-chain-overview-emotet-in-december-2020-and-january-2021/\", \"Sources\": [\"idn:paloaltonetworks.jp\", \"JwO7jp\", \"jjf3_B\", \"Jv_xrR\", \"Z7kln2\"], \"Timestamp\": \"2021-03-14T00:00:00.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/\", \"Sources\": [\"jjf3_B\"], \"Timestamp\": \"2021-04-09T12:00:00.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Multicategory Blocklist\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"5 sightings on 1 source: AbuseIP Database. 
Most recent link (Aug 25, 2020): https://www.abuseipdb.com/check/190.55.186.229\", \"Sources\": [\"UneVVu\"], \"Timestamp\": \"2020-08-25T20:01:29.075Z\", \"Name\": \"multiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged IP\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"6 sightings on 3 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/\", \"Sources\": [\"idn:paloaltonetworks.jp\", \"JwO7jp\", \"jjf3_B\"], \"Timestamp\": \"2021-04-09T12:00:00.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Positive Malware Verdict\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"87 sightings on 1 source: Cryptolaemus Pastedump. Most recent link (Jan 25, 2021): https://paste.cryptolaemus.com/emotet/2021/01/25/emotet-malware-IoCs_01-25-21.html\", \"Sources\": [\"Z7kln2\"], \"Timestamp\": \"2021-01-25T23:59:00.000Z\", \"Name\": \"positiveMalwareVerdict\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Spam Source\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: External Sensor Spam. 190.55.186.229 was historically observed as spam. No longer observed as of Nov 16, 2021.\", \"Sources\": [\"kBCI-b\"], \"Timestamp\": \"2021-11-16T01:06:21.965Z\", \"Name\": \"spam\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 2 sources: University of Science and Technology of China Black IP List, Abuse.ch: Feodo IP Blocklist. 
Observed between Feb 26, 2021, and Dec 27, 2021.\", \"Sources\": [\"report:Q1ghC0\", \"report:OtiCOp\"], \"Timestamp\": \"2021-12-28T19:33:55.849Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"31 sightings on 3 sources: Palo Alto Networks, Polyswarm Sandbox Analysis - Malware C2 Extractions, Unit 42 Palo Alto Networks. Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample a88734cd5c38211a4168bc7701516a50e6aef5ef20d2b1a915edae23c1b345db\", \"Sources\": [\"JwO7jp\", \"hyihHO\", \"jjf3_B\"], \"Timestamp\": \"2021-10-19T12:21:34.268Z\", \"Name\": \"intermediateCncServer\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recent Multicategory Blocklist\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Talos IP Blacklist.\", \"Sources\": [\"report:VW6jeN\"], \"Timestamp\": \"2021-12-28T19:33:55.846Z\", \"Name\": \"recentMultiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"5 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. 
Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample c9709d56b92047cd55fb097feb6cb7a8de6f3edc5ea79a429363938a69aae580\", \"Sources\": [\"hyihHO\", \"h_iZX8\"], \"Timestamp\": \"2021-12-27T19:00:49.975Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "190.55.186.229", "Risk": "99", "RiskString": "10/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: PasteBin. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 2, 2021): https://pastebin.com/SusxCK2b\", \"Sources\": [\"Jv_xrR\"], \"Timestamp\": \"2021-12-02T15:58:10.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Dec 1, 2021.\", \"Sources\": [\"b5tNVA\", \"report:OtiCOp\"], \"Timestamp\": \"2021-12-01T08:06:11.827Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}, {\"Rule\": \"Actively Communicating C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Emotet. Communication observed on TCP:443. Exfiltration behavior observed. 
Last observed on Dec 26, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-28T22:05:35.688Z\", \"Name\": \"recentActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "62.210.82.223", "Risk": "99", "RiskString": "3/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historical Honeypot Sighting\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 2 sources: Project Honey Pot, @HoneyFog. Most recent tweet: Fog44: 87.120.254.96->22. Most recent link (Dec 14, 2016): https://twitter.com/HoneyFog/statuses/809032869792378880\", \"Sources\": [\"P_izv4\", \"OSz1F0\"], \"Timestamp\": \"2016-12-14T13:50:41.000Z\", \"Name\": \"honeypot\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged IP\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: GitHub. Most recent link (Nov 8, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-05-TA551-IOCs.txt\", \"Sources\": [\"MIKjae\"], \"Timestamp\": \"2021-11-08T00:00:00.000Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Spam Source\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: External Sensor Spam. 87.120.254.96 was historically observed as spam. No longer observed as of Nov 16, 2021.\", \"Sources\": [\"kBCI-b\"], \"Timestamp\": \"2021-11-16T03:19:58.721Z\", \"Name\": \"spam\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Linked to Intrusion Method\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: CloudSEK. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. 
Most recent link (Dec 22, 2021): https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/\", \"Sources\": [\"k837l0\"], \"Timestamp\": \"2021-12-22T09:45:33.000Z\", \"Name\": \"recentLinkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recent Multicategory Blocklist\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: University of Science and Technology of China Black IP List.\", \"Sources\": [\"report:Q1ghC0\"], \"Timestamp\": \"2021-12-29T06:21:27.693Z\", \"Name\": \"recentMultiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Nov 25, 2021.\", \"Sources\": [\"b5tNVA\", \"report:OtiCOp\"], \"Timestamp\": \"2021-11-25T08:06:42.384Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}, {\"Rule\": \"Actively Communicating C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Bazarloader. Communication observed on TCP:443. Exfiltration behavior observed. Last observed on Dec 25, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-29T06:21:27.731Z\", \"Name\": \"recentActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "87.120.254.96", "Risk": "99", "RiskString": "7/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 3 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, CINS: CI Army List, Recorded Future Analyst Community Trending Indicators. 
Observed between Jan 22, 2021, and Sep 25, 2021.\", \"Sources\": [\"report:aD1qtM\", \"report:OchJ-t\", \"report:Tluf00\"], \"Timestamp\": \"2021-12-28T18:42:08.925Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent Multicategory Blocklist\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: DShield: Recommended Block List.\", \"Sources\": [\"report:OchJ-o\"], \"Timestamp\": \"2021-12-28T18:42:08.917Z\", \"Name\": \"recentMultiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"19 sightings on 2 sources: Recorded Future Command & Control List, @TheDFIRReport. Most recent tweet: Here's some newer C2 servers we're tracking: #BazarLoader 64.227.73.80 64.225.71.198 #Covenant 167.71.67.196 45.146.165.76 #PoshC2 193.36.15.192 #Empire 64.227.21.255 #Metasploit 91.221.70.143 Full list available @ https://t.co/QT6o626hsR #ThreatFeed. Most recent link (Sep 1, 2021): https://twitter.com/TheDFIRReport/statuses/1433055791964049412\", \"Sources\": [\"b5tNVA\", \"dZgcRz\"], \"Timestamp\": \"2021-09-01T13:15:00.000Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}, {\"Rule\": \"Actively Communicating C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Covenant. Communication observed on TCP:7443. Exfiltration behavior observed. 
Last observed on Dec 27, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-28T18:42:08.923Z\", \"Name\": \"recentActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "45.146.165.76", "Risk": "99", "RiskString": "4/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historical Open Proxies\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2339 sightings on 9 sources including: TBN, BlackHatWorld Forum, Carding Mafia Forum, Inforge Forum Hacker Trucchi Giochi Informatica, ProxyFire - The Best Proxy Software and Forum. Most recent link (Jun 29, 2019): https://Black%20Hat%20World%20Forum%20(Obfuscated)/seo/ssl-proxies-occasional-update.927669/page-44#post-12210196\", \"Sources\": [\"RqhhJr\", \"KjGS3i\", \"VU4Qnc\", \"P7sZbk\", \"OQ_oQH\", \"Qk8WdX\", \"Qk8Wdg\", \"QqgtXJ\", \"KhvyCV\"], \"Timestamp\": \"2019-06-29T01:18:00.000Z\", \"Name\": \"openProxies\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Honeypot Sighting\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: @HoneyFog. Most recent tweet: Fog44: 181.112.52.26->22. I've never seen this IP before. Most recent link (Oct 6, 2017): https://twitter.com/HoneyFog/statuses/916371734928019456\", \"Sources\": [\"P_izv4\"], \"Timestamp\": \"2017-10-06T18:37:01.000Z\", \"Name\": \"honeypot\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"10 sightings on 3 sources: Manato Kumagai Hatena Blog, sentinelone.com, PasteBin. 6 related intrusion methods including TrickLoader, Trojan, Emotet, Banking Trojan, Trickbot. 
Most recent link (Feb 26, 2020): https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/\", \"Sources\": [\"TiY1wa\", \"idn:sentinelone.com\", \"Jv_xrR\"], \"Timestamp\": \"2020-02-26T15:00:17.035Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Multicategory Blocklist\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26\", \"Sources\": [\"UneVVu\"], \"Timestamp\": \"2018-08-17T00:30:42.194Z\", \"Name\": \"multiBlacklist\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical SSH/Dictionary Attacker\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26\", \"Sources\": [\"UneVVu\"], \"Timestamp\": \"2018-08-17T00:30:42.194Z\", \"Name\": \"sshDictAttacker\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 3 sources: BlockList.de: Fail2ban Reporting Service, Abuse.ch: Feodo IP Blocklist, Proxies: SOCKS Open Proxies. Observed between Jun 15, 2019, and Oct 3, 2020.\", \"Sources\": [\"report:OhgwUx\", \"report:OtiCOp\", \"report:SYQe08\"], \"Timestamp\": \"2021-12-28T22:05:41.272Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"3 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. 
Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample dcc42c0bd075f283c71ac327c845498454dcd9528386df5b296fdf89ba105bfa\", \"Sources\": [\"hyihHO\"], \"Timestamp\": \"2021-07-15T12:42:04.656Z\", \"Name\": \"intermediateCncServer\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"5 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample b827a4587bc6162715693c71e432769ec6272c130bb87e14bc683f5bd7caf834\", \"Sources\": [\"hyihHO\"], \"Timestamp\": \"2021-12-22T04:10:08.558Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "181.112.52.26", "Risk": "99", "RiskString": "8/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"4 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Nov 7, 2021): https://pastebin.com/u8neEVnz\", \"Sources\": [\"Jv_xrR\"], \"Timestamp\": \"2021-11-07T09:05:40.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Abuse.ch: Feodo IP Blocklist. Observed between Nov 29, 2021, and Dec 10, 2021.\", \"Sources\": [\"report:OtiCOp\"], \"Timestamp\": \"2021-12-29T02:11:39.014Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent Honeypot Sighting\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Project Honey Pot. 
Most recent link (Dec 19, 2021): https://www.projecthoneypot.org/ip_77.79.56.210\", \"Sources\": [\"OSz1F0\"], \"Timestamp\": \"2021-12-19T11:30:02.000Z\", \"Name\": \"recentHoneypot\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recent C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 77.79.56.210:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651\", \"Sources\": [\"b5tNVA\", \"h_iZX8\"], \"Timestamp\": \"2021-11-03T16:57:54.000Z\", \"Name\": \"intermediateCncServer\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recently Active C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443. Last observed on Dec 23, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-29T02:11:39.012Z\", \"Name\": \"intermediateActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"10 sightings on 2 sources: Recorded Future Command & Control List, Polyswarm Sandbox Analysis - Malware C2 Extractions. 
Polyswarm malware sandbox identified 77.79.56.210:443 as TA0011 (Command and Control) for QakBot using configuration extraction on sample 77b34084de82afac57fbe2c6442dbe7d07c53da5ec87eaf2210b852f0d943cd5\", \"Sources\": [\"b5tNVA\", \"hyihHO\"], \"Timestamp\": \"2021-12-29T02:00:05.439Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "77.79.56.210", "Risk": "99", "RiskString": "6/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Linked to Intrusion Method\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"34 sightings on 5 sources: Malware News - Malware Analysis, News and Indicators, PasteBin, Segurana Informtica, The Cyber Feed, Kaspersky Securelist and Lab. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Dec 3, 2021): https://pastebin.com/xJ0kmeYQ\", \"Sources\": [\"gBDK5G\", \"Jv_xrR\", \"VW7VQs\", \"g162EU\", \"4n\"], \"Timestamp\": \"2021-12-03T16:51:53.000Z\", \"Name\": \"linkedIntrusion\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historical Threat Researcher\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"4 sightings on 1 source: Kaspersky Securelist and Lab. Most recent link (Sep 2, 2021): https://securelist.com/qakbot-technical-analysis/103931/\", \"Sources\": [\"4n\"], \"Timestamp\": \"2021-09-02T10:00:32.000Z\", \"Name\": \"threatResearcher\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported as a Defanged IP\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"6 sightings on 3 sources: Malware News - Malware Analysis, News and Indicators, urlscan.io, Kaspersky Securelist and Lab. 
Most recent link (Dec 1, 2021): https://urlscan.io/result/c5b4e2d5-acf0-4fc5-b7bd-e8afac3e5f5a/\", \"Sources\": [\"gBDK5G\", \"WNRa7q\", \"4n\"], \"Timestamp\": \"2021-12-01T10:54:33.863Z\", \"Name\": \"defanged\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Reported in Threat List\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Previous sightings on 1 source: Abuse.ch: Feodo IP Blocklist. Observed between Nov 19, 2021, and Nov 21, 2021.\", \"Sources\": [\"report:OtiCOp\"], \"Timestamp\": \"2021-12-29T07:17:33.217Z\", \"Name\": \"historicalThreatListMembership\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recent C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"234 sightings on 4 sources: Recorded Future Command & Control List, Polyswarm Sandbox Analysis - Malware C2 Extractions, PasteBin, Joe Security Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 24.139.72.117:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651\", \"Sources\": [\"b5tNVA\", \"hyihHO\", \"Jv_xrR\", \"h_iZX8\"], \"Timestamp\": \"2021-11-03T16:57:54.000Z\", \"Name\": \"intermediateCncServer\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Recently Active C&C Server\", \"CriticalityLabel\": \"Suspicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443. 
Last observed on Dec 23, 2021.\", \"Sources\": [\"report:aEft3k\"], \"Timestamp\": \"2021-12-29T07:17:33.215Z\", \"Name\": \"intermediateActiveCnc\", \"MitigationString\": \"\", \"Criticality\": 2.0}, {\"Rule\": \"Current C&C Server\", \"CriticalityLabel\": \"Very Malicious\", \"EvidenceString\": \"87 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 24.139.72.117:443 as TA0011 (Command and Control) for QakBot using configuration extraction on sample 7ea5720ac7efeb49873f95870d546632d6c8c187ee6e2fc515acfe974483ee0e\", \"Sources\": [\"hyihHO\", \"h_iZX8\"], \"Timestamp\": \"2021-12-29T07:00:21.416Z\", \"Name\": \"recentCncServer\", \"MitigationString\": \"\", \"Criticality\": 4.0}]}", "Name": "24.139.72.117", "Risk": "99", "RiskString": "7/64"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/\", \"Sources\": [\"Ctq\", \"idn:fook.news\", \"idn:urdupresss.com\", \"POs2u-\", \"idn:apple.news\", \"idn:cryptoinfoos.com.ng\", \"g9rk5F\", \"idn:thewindowsupdate.com\", \"idn:nationalcybersecuritynews.today\", \"gBDK5G\", \"idn:microsoft.com\", \"idn:techsecuritenews.com\", \"idn:mblogs.info\", \"J6UzbO\", \"idn:viralamo.com\", \"idn:sellorbuyhomefast.com\", \"idn:crazyboy.tech\", \"idn:times24h.com\", \"idn:buzzfeeg.com\", \"idn:dsmenders.com\", \"WroSbs\", \"idn:vzonetvgh.com\"], \"Timestamp\": \"2021-07-20T00:00:00.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-07-10T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://144.34.179.162/a", "Risk": "87", "RiskString": "2/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"41 sightings on 19 sources including: Stock market news Company News MarketScreenercom, GlobeNewswire | Software, Yahoo!, globenewswirecom, otcdynamics.com. 
Most recent link (Oct 3, 2021): https://telecomkh.info/?p=4004\", \"Sources\": [\"XBl0xf\", \"c2unu0\", \"DVW\", \"NPgRlV\", \"idn:otcdynamics.com\", \"idn:norteenlinea.com\", \"N4OmGX\", \"idn:snewsonline.com\", \"idn:nationalcybersecuritynews.today\", \"dCod5e\", \"hZ14Az\", \"idn:securityopenlab.it\", \"idn:clevertechmx.blogspot.com\", \"cJzvLR\", \"eNeV39\", \"dCotni\", \"dCo6X1\", \"jB6Hnn\", \"idn:telecomkh.info\"], \"Timestamp\": \"2021-10-03T12:53:49.605Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Phishing Techniques\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-11-14T00:00:00.000Z\", \"Name\": \"phishingSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Distribution\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-11-14T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Active URL on Weaponized Domain\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: No-IP. Behavior observed: Malware Distribution, Phishing Techniques. 
Last observed on Dec 20, 2021.\", \"Sources\": [\"report:aRJ1CU\"], \"Timestamp\": \"2021-12-29T07:08:29.105Z\", \"Name\": \"recentWeaponizedURL\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623", "Risk": "85", "RiskString": "4/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"17 sightings on 14 sources including: Security Affairs, sensorstechforum.com, Heimdal Security Blog, securitynewspaper, BBS Kafan Card Forum. Most recent link (Dec 22, 2021): https://d335luupugsy2.cloudfront.net/cms%2Ffiles%2F183750%2F1640120040Log4j_-_Explorao_por_grupos_APT.pdf\", \"Sources\": [\"JNe6Hu\", \"TQnwKJ\", \"OfMf0W\", \"TefIEN\", \"VyuDZP\", \"Z7kln5\", \"bd-Dtt\", \"kKLjNc\", \"Y7TWfI\", \"idn:redpacketsecurity.com\", \"idn:eccouncil.org\", \"idn:comparaland.com\", \"idn:d335luupugsy2.cloudfront.net\", \"KVRURg\"], \"Timestamp\": \"2021-12-22T16:01:42.134Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Khonsari Ransomware and Orcus RAT Exploit Log4Shell (CVE-2021-44228), Samples Uploaded on MalwareBazaar. 
Most recent link (Dec 17, 2021): https://app.recordedfuture.com/live/sc/4SWiMAS816Gj\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-12-17T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://3.145.115.94/zambo/groenhuyzen.exe", "Risk": "79", "RiskString": "2/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"53 sightings on 14 sources including: HackDig Posts, Anquanke News, mrhacker.co, Sesin at, Check Point Research. Most recent link (Feb 6, 2021): https://cdn.www.gob.pe/uploads/document/file/1580907/Alerta%20integrada%20de%20seguridad%20digital%20N%C2%B0%xxx-xx-xxxx-PECERT%20.pdf\", \"Sources\": [\"POs2u-\", \"U13S_U\", \"idn:mrhacker.co\", \"Z3TZAQ\", \"N4OmGX\", \"UqKvRr\", \"gBDK5G\", \"JExgHv\", \"QxXv_c\", \"J6UzbO\", \"eTNyK6\", \"idn:privacy.com.sg\", \"e6Ewt_\", \"idn:reportcybercrime.com\"], \"Timestamp\": \"2021-02-06T12:52:09.042Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Detected Malware Distribution\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-12-28T00:00:00.000Z\", \"Name\": \"recentMalwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://gxbrowser.net", "Risk": "79", "RiskString": "2/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"33 sightings on 12 sources including: Palo Alto Networks, tistory.com, HackDig Posts, Anquanke News, airmagnet.technology. Most recent tweet: Continued MR.Dropper's attack. 
(Targething korean cryptocurrency exchange) #hcapital #ioc MD5 : eb459b47be479b61375d7b3c7c568425 URL : hxxps://881[.]000webhostapp[.]com/1.txt PDB : D:\\\\Attack\\\\DropperBuild\\\\x64\\\\Release\\\\Dropper.pdb https://t.co/FpsinliQqx [Beyond The Binary]. Most recent link (Sep 3, 2018): https://twitter.com/wugeej/statuses/1036413512732426240\", \"Sources\": [\"JwO7jp\", \"idn:tistory.com\", \"POs2u-\", \"U13S_U\", \"ThoB0I\", \"idn:airmagnet.technology\", \"LErKlN\", \"WuLz1r\", \"KdwTwF\", \"VfsacJ\", \"jjf3_B\", \"idn:brica.de\"], \"Timestamp\": \"2018-09-03T00:40:11.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Referenced by Insikt Group\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"2 sightings on 1 source: Insikt Group. 2 reports including \\\"Fractured Block\u201d Campaign Targets Korean Users. Most recent link (Dec 09, 2018): https://app.recordedfuture.com/live/sc/1RuTxKrDf8Qt\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2018-12-09T00:00:00.000Z\", \"Name\": \"relatedNote\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Active URL on Weaponized Domain\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: 000Webhost. Behavior observed: Malware Distribution. Last observed on Oct 16, 2021.\", \"Sources\": [\"report:aRJ1CU\"], \"Timestamp\": \"2021-12-29T07:07:42.477Z\", \"Name\": \"recentWeaponizedURL\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "https://881.000webhostapp.com/1.txt", "Risk": "78", "RiskString": "3/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"38 sightings on 7 sources including: cybersecdn.com, WeLiveSecurity Spain, deepcheck.one, hackeridiot.com, PasteBin. 
Most recent link (May 27, 2021): https://cybersecdn.com/index.php/2021/05/27/janeleiro-the-time-traveler-a-new-old-banking-trojan-in-brazil/\", \"Sources\": [\"idn:cybersecdn.com\", \"fWD1r9\", \"idn:deepcheck.one\", \"idn:hackeridiot.com\", \"Jv_xrR\", \"ONMgMx\", \"idn:nationalcybersecuritynews.today\"], \"Timestamp\": \"2021-05-27T22:48:00.256Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Distribution\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-06-15T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: New Janeleiro Banking Trojan Targets Corporate Users in Brazil. Most recent link (Apr 06, 2021): https://app.recordedfuture.com/live/sc/4wolQHrxLiwd\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-04-06T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Recently Active URL on Weaponized Domain\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: DuckDNS. Behavior observed: Malware Distribution. 
Last observed on Oct 15, 2021.\", \"Sources\": [\"report:aRJ1CU\"], \"Timestamp\": \"2021-12-29T06:34:00.698Z\", \"Name\": \"recentWeaponizedURL\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://comunicador.duckdns.org/catalista/lixo/index.php", "Risk": "78", "RiskString": "4/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Recently Active URL on Weaponized Domain\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: Afraid.org. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Dec 28, 2021.\", \"Sources\": [\"report:aRJ1CU\"], \"Timestamp\": \"2021-12-28T22:15:49.631Z\", \"Name\": \"recentWeaponizedURL\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Recently Detected Phishing Techniques\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"2 sightings on 2 sources: Bitdefender, Urlscan.io. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.\", \"Sources\": [\"d3Awkm\", \"eKv4Jm\"], \"Timestamp\": \"2021-12-28T00:00:00.000Z\", \"Name\": \"recentPhishingSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}, {\"Rule\": \"Recently Detected Malware Distribution\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Dec 28, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-12-28T00:00:00.000Z\", \"Name\": \"recentMalwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow", "Risk": "75", "RiskString": "3/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813\", \"Sources\": [\"gBDK5G\", \"idn:microsoft.com\", \"idn:sociabble.com\", \"KBTQ2e\", \"dCotni\", \"g9rk5F\", \"Z7kln5\", \"idn:cda.ms\", \"idn:thewindowsupdate.com\"], \"Timestamp\": \"2021-08-13T17:03:19.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Distribution\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Aug 13, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-08-13T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. 
Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-08-12T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://coollab.jp/dir/root/p/09908.js", "Risk": "75", "RiskString": "3/24"} -{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539\", \"Sources\": [\"Gzt\", \"idn:eccouncil.org\", \"idn:frsecure.com\", \"J-8-Nr\", \"Jv_xrR\", \"g9rk5F\", \"cUg0pv\", \"K5LKj8\", \"fVAueu\"], \"Timestamp\": \"2021-01-27T05:14:38.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Phishing Techniques\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-05-30T00:00:00.000Z\", \"Name\": \"phishingSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. 
Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-01-25T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "https://blog.br0vvnn.io", "Risk": "75", "RiskString": "3/24"}
-{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"24 sightings on 10 sources including: lnkd.in, digitalforensicsmagazineblog PH, mediosdemexico.com, Palo Alto Networks, Security Art Work. Most recent link (Mar 4, 2016): https://lnkd.in/egi-nMa\", \"Sources\": [\"idn:lnkd.in\", \"JNe6Gc\", \"idn:mediosdemexico.com\", \"JwO7jp\", \"LCN_6T\", \"KA0p6S\", \"LErKlN\", \"jjf3_B\", \"KE9Xit\", \"J4bouj\"], \"Timestamp\": \"2016-03-04T14:33:36.543Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Detected Malware Distribution\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 27, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-12-27T00:00:00.000Z\", \"Name\": \"recentMalwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://init.icloud-analysis.com", "Risk": "75", "RiskString": "2/24"}
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log-expected.json
deleted file mode 100644
index bf98453990f..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_assorted.json.log-expected.json
+++ /dev/null
@@ -1,4125 +0,0 @@ -[ - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 96.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 0, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "18 sightings on 2 sources: Proofpoint, The Daily Advance. Most recent link (Nov 12, 2018): https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy#.W-nmxyGcuiY.twitter", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "QQA438", - "KvPSaU" - ], - "Timestamp": "2018-11-12T20:48:08.675Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Mar 23, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-03-23T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Proofpoint Researchers Observe sLoad and Ramnit in Campaigns Against The U.K. and Italy. Most recent link (Oct 23, 2018): https://app.recordedfuture.com/live/sc/4KSWum2M6Lx7", - "MitigationString": "", - "Name": "relatedNote", - "Rule": "Historically Referenced by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2018-10-23T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "21 sightings on 4 sources: Proofpoint, PasteBin, The Daily Advance, @DGAFeedAlerts. 
Most recent tweet: New ramnit Dom: xohrikvjhiu[.]eu IP: 13[.]90[.]196[.]81 NS: https://t.co/nTqEOuAW2E https://t.co/QdrtFSplyz. Most recent link (Nov 16, 2019): https://twitter.com/DGAFeedAlerts/statuses/1195824847915491329", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "QQA438", - "Jv_xrR", - "SlNfa3", - "KvPSaU" - ], - "Timestamp": "2019-11-16T22:03:55.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:12:02.455Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "xohrikvjhiu.eu" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 95.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 2445, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-07-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "ST7rfx" - ], - "Timestamp": "2017-05-17T19:31:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 9, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-07-09T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-216d34d4-67bd-4add-ae6e-4ddec27dcb0e (Jul 25, 2019).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Historically Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2019-07-25T00:46:19.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 19, 2021, and Jul 21, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-29T07:21:52.311Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:21:52.303Z" - } - ], - "recordedfuture.risk_string": "6/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "wgwuhauaqcrx.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 95.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 5039, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: wbmpvebw[.]com IP: 209[.]99[.]40[.]220 NS: https://t.co/bH4I7LoMNf https://t.co/KTCPYU87bT. Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551578264821760", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2020-01-04T20:03:37.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Feb 18, 2021, and Feb 24, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-29T07:16:05.008Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:16:05.007Z" - } - ], - "recordedfuture.risk_string": "6/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "wbmpvebw.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 7641, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2016-04-11T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: ckgryagcibbcf[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333576053207040", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:18.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:40:44.358Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "ckgryagcibbcf.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - 
"event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 9829, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 17, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-17T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jpuityvakjgg[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. 
Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333600627683330", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:24.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:46:28.155Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "jpuityvakjgg.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 12014, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jexgpprgph[.]com IP: 209[.]99[.]40[.]222 NS: https://t.co/IGcQwMvzjy https://t.co/J2gdsVMl8U. Most recent link (Dec 13, 2018): https://twitter.com/DGAFeedAlerts/statuses/1073277207919947778", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2018-12-13T18:03:21.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:40:30.778Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "jexgpprgph.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": 
"enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 14197, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2016-04-11T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 27, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-07-27T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: cascotqhij[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/czXUwYeuxf https://t.co/nKWfZguQSF. 
Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333566758682629", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:16.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:34:06.062Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "cascotqhij.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 16379, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-07-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "ST7rfx" - ], - "Timestamp": "2017-05-17T19:31:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Apr 1, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-04-01T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-e26bfe3a-8f67-4f57-9449-3f183fe94c07 (Jul 25, 2019).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Historically Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2019-07-25T01:51:04.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:45:21.381Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "npcvnorvyhelagx.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - 
"event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 18551, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 6, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-05-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: uxlyihgvfnqcrfcf[.]com IP: 209[.]99[.]40[.]224 NS: https://t.co/03Dbt4N72t https://t.co/l29AcRDSvE. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551575332982790", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2020-01-04T20:03:36.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:35:26.677Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "uxlyihgvfnqcrfcf.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 20744, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "3 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZDQ0ODcwOTZiN2FmNDExNmExYzA3YjUwOTcxYmRlMjE/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-07-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on May 6, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-05-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: bjfwfqviu[.]com IP: 23[.]96[.]57[.]36 NS: https://t.co/nTqEOuAW2E https://t.co/NnqzXB3b3P. Most recent link (Jul 3, 2019): https://twitter.com/DGAFeedAlerts/statuses/1146524855602429953", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2019-07-03T21:03:21.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-fd72a0d2-bcbd-43b4-910b-9898e979a562 (Jul 24, 2019).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Historically Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2019-07-24T23:40:35.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:48:58.905Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "bjfwfqviu.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - 
"event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 22981, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "32 sightings on 27 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @neonprimetime, @rpsanch. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "T1bwMv", - "LC-zVm", - "QFvaUy", - "P_upBR", - "T2OA5Q", - "K20lXV", - "TGgDPZ", - "hkIDTa", - "LqRZCN", - "Vd51cf", - "ha2FFj", - "UmsU31", - "K7wUX2", - "P_ivKa", - "Qj3TQr", - "idn:wordpress.com", - "J-mrOR", - "QPbAan", - "VeioBt", - "WlbRkJ", - "K7sErA", - "TvfQzk", - "TP1vbk", - "SrKvJ0", - "SqCj4s", - "VXaDYo", - "bk2VX4" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: Messaging Platforms - Uncategorized, @_mr_touch. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. 
Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "XV7DoD", - "Ym7dzt", - "LKKAV1", - "VeioBt", - "Y7TWfI", - "KGS-xC" - ], - "Timestamp": "2019-05-28T14:17:41.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "119 sightings on 42 sources including: Malware-Traffic-Analysis.net - Blog Entries, Doc Player, GhostBin, Data Breach Today.eu | Updates, Codex - Recent changes en. 43 related malware families including Dardesh, AZORult, Emotet, Ryuk Ransomware, GandCrab. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TvGJYk", - "LErKlJ", - "QWOrKl", - "LKKAV1", - "W4ygGi", - "PATKM7", - "T1bwMv", - "TY6igj", - "LjkJhE", - "kuKt0c", - "QAy9GA", - "LbYmLr", - "K20lXV", - "QZe7TG", - "idn:droppdf.com", - "QAmbRP", - "V_o1DL", - "TbciDE", - "XV7DoD", - "P_j5Dw", - "QNmgPm", - "TGXqeD", - "KGS-xC", - "L3kVdM", - "QMfGAr", - "h6VVAH", - "doLlw5", - "UrsUKT", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "RfVd0T", - "J6UzbO", - "Ql9O5c", - "USKpXp", - "TP1vbk", - "SrKvJ0", - "Tq2nAb", - "P_ov9o", - "VXaDYo", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Malware-Traffic-Analysis.net - Blog Entries, ReversingLabs, PolySwarm. 
Most recent link (Dec 15, 2018): https://www.malware-traffic-analysis.net/2018/12/14/index.html", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "LErKlJ", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2020-07-11T09:55:23.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-12195723-7c56-4c63-b828-fc340dd4050a (Dec 20, 2018).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2018-12-20T21:13:36.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "50 sightings on 10 sources including: Security Bloggers Network, TechTarget Search Security, Bleeping Computer, Guided Collection, Bleepingcomputer Forums. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "NSAcUx", - "KCdHcb", - "J6UzbO", - "Rlso4a", - "hkE5DK", - "cJMUDF", - "TZRwk8", - "QMTzEI", - "LUhTGd", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "6/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "38e992eb852ab0c4ac03955fb0dc9bb38e64010fdf9c05331d2b02b6e05689c2", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": 
"indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 28220, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "69 sightings on 18 sources including: Stock market news Company News MarketScreenercom, HackDig Posts, Sesin at, US CERT CISA Alerts, citizensudo.com. 6 related attack vectors including Powershell Attack, Supply Chain Attack, Target Destination Manipulation, Reconnaissance, C&C Server. Most recent link (Apr 15, 2021): https://www.cisa.gov/uscert/ncas/alerts/aa20-352a", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "XBl0xf", - "POs2u-", - "Z3TZAQ", - "hhY_oz", - "idn:citizensudo.com", - "VKz42X", - "PA-rR4", - "POs2tz", - "idn:firsthackersnews.com", - "KcjdRW", - "dCotni", - "idn:comodo.com", - "gI8s5W", - "hibUwt", - "rN", - "idn:reportcybercrime.com", - "idn:eshielder.com", - "idn:edsitrend.com" - ], - "Timestamp": "2021-04-15T00:00:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "175 sightings on 31 sources including: 4-traders.com, SentinelLabs, Sesin at, Cisco Japan Blog, McAfee. 8 related malware families including WebShell, Ransomware, Backdoor, Backdoor Shell, SUNBURST. Most recent tweet: Malcode highlighted in 'App_Web_logoimagehandler.ashx.b6031896.dll' (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71) #SolarWinds #SUNBURST https://t.co/lyvnVHuTb2. 
Most recent link (Dec 16, 2020): https://twitter.com/_mynameisgeff/statuses/1339070792705830913", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TuWseX", - "KBTQ2e", - "eP3CYX", - "Z3TZAQ", - "clDYM8", - "rN", - "VKz42X", - "idn:elemendar.com", - "idn:securitysummitperu.com", - "PA-rR4", - "idn:terabitweb.com", - "eTNyK6", - "gBQB48", - "bMZlEg", - "idn:edsitrend.com", - "idn:infoblox.com", - "UZNze8", - "Z2mQh2", - "XBl0xf", - "dCpZqs", - "jmpFm1", - "T5", - "doLlw5", - "gBDK5G", - "MIKjae", - "idn:firsthackersnews.com", - "jjf3_B", - "Jv_xrR", - "dCotni", - "idn:comodo.com", - "hibUwt" - ], - "Timestamp": "2020-12-16T04:52:10.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "11 sightings on 2 sources: GitHub, Insikt Group. 5 related cyber vulnerabilities: CWE-20, CWE-287, CVE-2020-10148, CVE-2020-1938, CWE-269. Most recent link (Dec 27, 2021): https://github.com/teamt5-it/official-website-v2/blob/master/_site/_next/data/64e2c6f134e73517d6ff737822e83cd75cf633c6/tw/posts/ithome-ghostcat-apache-tomcat-ajp-vulnerability.json", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "MIKjae", - "VKz42X" - ], - "Timestamp": "2021-12-27T07:36:54.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "6 sightings on 2 sources: Sophos Virus and Spyware Threats, PolySwarm. Most recent link (Dec 17, 2020): https://news.sophos.com/fr-fr/2020/12/15/cyberattaque-contre-solarwinds-comment-savoir-si-vous-etes-concerne/", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "K16tAG", - "doLlw5" - ], - "Timestamp": "2020-12-20T15:18:53.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "3 sightings on 1 source: DHS Automated Indicator Sharing. 
3 reports including AA20-352A APT Compromise of Govt Agencies, Critical Infrastructure, and Private Sector Organizations, from CISA, Government Facilities Sector, CISA, Government Facilities Sector, NCCIC:STIX_Package-673aacd1-1852-4d44-bd93-0c44940a6358 (Feb 3, 2021).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2021-02-03T21:32:08.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "13 sightings on 1 source: Insikt Group. 4 reports including Researchers Linked Supernova Malware to Spiral Group. Most recent link (Mar 08, 2021): https://app.recordedfuture.com/live/sc/5DIp4RIUiJz6", - "MitigationString": "", - "Name": "analystNote", - "Rule": "Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-03-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "28 sightings on 8 sources including: Dancho Danchev's Blog, SecureWorks, Talos Intel, Unit 42 Palo Alto Networks, Cisco Japan Blog. 
Most recent link (Mar 12, 2021): https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group?es_p=13420131", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "JfqIbv", - "Z2mQh2", - "PA-rR4", - "jjf3_B", - "clDYM8", - "T5", - "rN", - "J5NRun" - ], - "Timestamp": "2021-03-12T20:30:37.672Z" - } - ], - "recordedfuture.risk_string": "7/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 33228, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 5 sources: GitHub, SANS Internet Storm Center, Messaging Platforms - Uncategorized, @decalage2, @simonwargniez. 3 related attack vectors: Remote Code Execution, Zero Day Exploit, Cyberattack. Most recent tweet: Great lists of software affected by #Log4Shell / CVE-2021-44228 / Log4J RCE: https://t.co/TpEQXKgMGW by @ncsc_nl https://t.co/FA5i8zR5Z1 by @CISAgov https://t.co/0xVZJvMcpU by @SwitHak https://t.co/788knvztWV https://t.co/WMkXslhgWS #log4j #log4j2. 
Most recent link (Dec 15, 2021): https://twitter.com/decalage2/statuses/1471121875816353800", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "LUf99I", - "MIKjae", - "JYxY8X", - "Y7TWfI", - "KIRe_w" - ], - "Timestamp": "2021-12-15T14:16:01.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "11 sightings on 3 sources: bund.de, SANS Internet Storm Center, Sesin at. 2 related malware families: Ransomware, Botnet. Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:bund.de", - "JYxY8X", - "Z3TZAQ" - ], - "Timestamp": "2021-12-20T04:54:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "108 sightings on 78 sources including: bund.de, tistory.com, PasteBin, Sesin at, Messaging Platforms - Uncategorized. 24 related cyber vulnerabilities including CWE-22, CWE-611, CVE-2019-19781, CVE-2020-16898, CWE-20. Most recent tweet: Security advisories, bulletins, and vendor responses related to Log4Shell #Log4Shell #Log4j #cybersecurity #infosec #vendorsecurity https://t.co/Vpwrhdppm7. 
Most recent link (Dec 22, 2021): https://twitter.com/arrgibbs/statuses/1473733864459841538", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "VQpQDR", - "KFu3Rc", - "LUf99I", - "SGCsBG", - "U94lUG", - "KFcv42", - "QT0CFv", - "UHvtcg", - "KFUbjU", - "KHwUI5", - "KKSt8d", - "idn:bund.de", - "VmIbAC", - "QGT0Vy", - "ejfM20", - "KGlTEd", - "QCoXJo", - "RXSwU8", - "idn:tistory.com", - "LpdVul", - "K-eKsL", - "TKYCSz", - "SkABVK", - "SdGk_x", - "LI6d7O", - "LQIfBf", - "U6B2hC", - "f7_CfD", - "LKt0HB", - "RHS4v8", - "KKmN5m", - "YfJqp2", - "Jv_xrR", - "RJ2_NX", - "VZXzSv", - "k0QC11", - "KFWBRs", - "LRk_pt", - "Qn2VRQ", - "kGHFKP", - "ShBO5M", - "T-GSBp", - "KNdyHF", - "QLCTXP", - "Z3TZAQ", - "Khf99v", - "KHZhjO", - "SHH61D", - "Knx_su", - "LL8-pr", - "QpmWTf", - "KIRe_w", - "QIea7F", - "SlhG3F", - "KIdj8R", - "SQqKS8", - "Lq6DNq", - "QpYsBa", - "d-ZMP2", - "LOoye8", - "QEUmiJ", - "ewfPjC", - "LBNFpV", - "QTpbKE", - "Y7TWfI", - "KGS-xC", - "eifkGz", - "au2SGr", - "SKw4tT", - "KGW5kn", - "Q9y5Ki", - "KGxw1d", - "MIKjae", - "LO5p1C", - "JYxY8X", - "KJsMEF", - "QBLBHH", - "k7WJ2k" - ], - "Timestamp": "2021-12-22T19:15:08.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Naked Security. Most recent link (Dec 18, 2021): https://news.sophos.com/en-us/2021/12/17/log4shell-response-and-mitigation-recommendations/", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "J2_htN" - ], - "Timestamp": "2021-12-18T00:20:04.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 7 sources including: ISC Sans Diary Archive, SecureWorks, InfoCON: green, ISC | Latest Headlines, SANS Internet Storm Center. 
Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "TCw6v6", - "Z2mQh2", - "2d", - "cJuZvt", - "JYxY8X", - "J2_htN", - "jXNbON" - ], - "Timestamp": "2021-12-20T04:54:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.md5": "b66db3a06c2955a9cb71a8718970c592", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 37390, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jul 6, 2017, and Jul 17, 2017.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-24T20:03:09.087Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "14 sightings on 5 sources including: Assiste.Forum, @arturodicorinto. 2 related attack vectors: ShellCode, Cyberattack. Most recent tweet: They're getting quicker at updating.. #petya #cyberattack https://t.co/px0g9BSpod. 
Most recent link (Jun 27, 2017): https://twitter.com/SupersizedSam/statuses/879764638845587461", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "LP7dc7", - "LRlngp", - "Sl8XTb", - "QMfGAr", - "J-y3tn" - ], - "Timestamp": "2017-06-27T18:13:29.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "10 sightings on 9 sources including: BitcoinTalk.org, @Noemi_hcke. Most recent tweet: #petya related hashes in #virustotal https://t.co/Cv7Pltjhia https://t.co/P3otYPoxBj #ransomware #malware #sha256. Most recent link (Jun 28, 2017): https://twitter.com/Menardconnect/statuses/879885997831368705", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "ThowaF", - "KUtKjP", - "K84j7t", - "MghdWI", - "K8rrfe", - "QlWPRW", - "KFsPRz", - "S-Anbb", - "KE9dMF" - ], - "Timestamp": "2017-06-28T02:15:44.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "834 sightings on 201 sources including: New Jersey Cybersecurity & Communications Integration Cell, lnkd.in, avtech24h.com, Malwr.com, Talos Intel. 21 related malware families including ICS Malware, PetrWrap, Emotet, Trojan, NotPetya. Most recent tweet: #ransomware 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 f65a7dadff844f2dc44a3bd43e1c0d600b1a6c66f6d02734d8f385872ccab0bc b6e8dc95ec939a1f3b184da559c8010ab3dc773e426e63e5aa7ffc44174d8a9d 9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08. 
Most recent link (Apr 9, 2021): https://twitter.com/RedBeardIOCs/statuses/1380600677249003521", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "jbVMcB", - "idn:lnkd.in", - "idn:avtech24h.com", - "K84j7t", - "Sl8XTb", - "KGRhOC", - "NKaUXl", - "KIoGAG", - "PA-rR4", - "LRlngp", - "rN", - "Jxh46H", - "KFL44X", - "TbciDE", - "KFNVB9", - "OJpx5g", - "K-CGye", - "KK6oqV", - "WR_Ohh", - "idn:twitter.com", - "fgwEcq", - "QYsx0D", - "KIFtR_", - "Lp_esG", - "TSFWTw", - "KGHzAY", - "P_oEH3", - "KBTQ2e", - "QCGHCy", - "JYxY5G", - "UQsrUj", - "idn:cert.ro", - "idn:bluvector.io", - "KFUJTL", - "TFUkSW", - "P0Gs9I", - "K8ofB1", - "KVnnHP", - "TpaXxw", - "U5qdTI", - "idn:zscaler.com", - "L3kVdM", - "QMfGAr", - "KIk8aS", - "Kzw0Pm", - "hcELIE", - "POs2tz", - "KD6Na4", - "idn:globalsecuritymag.com", - "LDd0sl", - "KVP0jz", - "Lj8CsQ", - "K8rrfe", - "LDejRI", - "J-y3tn", - "WXutod", - "idn:infosecurityfactory.nl", - "LBlc7C", - "idn:bg.org.tr", - "QS89Bd", - "K9SiDc", - "Qe89bv", - "TiY1wu", - "idn:undernews.fr", - "idn:iteefactory.nl", - "KFRGd_", - "KFVuR_", - "4n", - "S-Anbb", - "KFNZEC", - "TSazOG", - "K9Skh1", - "MghdWI", - "idn:securityiscoming.com", - "QS89BG", - "LVg9nH", - "KFiGli", - "K9Vq9B", - "KLbNtt", - "VyWQM7", - "NTakwX", - "KGoarP", - "idn:gelsene.net", - "LwURWv", - "KGX8VB", - "ThoB0I", - "TAIz7D", - "QBHQ61", - "TiY1w7", - "idn:kompasiana.com", - "idn:t.co", - "KfDTG0", - "idn:ictsecuritymagazine.com", - "Liz5-u", - "MIKjae", - "JYxY8X", - "KUtKjP", - "idn:cert.pl", - "Lpm4nc", - "idn:boozallen.com", - "RVFHk_", - "KGmazP", - "M_7iBk", - "TStw1W", - "LFcJLk", - "K0TN7r", - "KVRURg", - "UNe62M", - "iL8bPu", - "K76BjK", - "VRixQe", - "idn:dfir.pro", - "KF-l77", - "idn:gixtools.net", - "P_oIyV", - "KGzicb", - "LGryD9", - "idn:fb.me", - "K5nCn5", - "ThKuX0", - "SYrUYn", - "KFKbZE", - "MAe5tQ", - "KGm6gS", - "W4ygGi", - "g9rk5F", - "idn:menshaway.blogspot.com", - "KFsPRz", - "LDm9iS", - "RV8KWp", - "KTuH6e", - 
"P_uJi3", - "KG_Bgt", - "QAmbRP", - "idn:csirt.cz", - "LZYvHh", - "L0HtmN", - "KWLqO-", - "LtUj1D", - "QMTzDr", - "idn:dy.si", - "Lo8Box", - "K-4reD", - "KFTeBZ", - "KKzFno", - "QMTzEI", - "KFYLd8", - "KGABt4", - "LIizBt", - "idn:herjavecgroup.com", - "QAAZRn", - "K66Zgw", - "KWz-My", - "Lb0b3F", - "idn:emsisoft.vn", - "LodOTm", - "KE9dMF", - "O-Wf5x", - "LG2dQX", - "P_-RZy", - "LK7o9D", - "K60PUk", - "KKUqfz", - "idn:logrhythm.com", - "Jv_xrR", - "LP7dc7", - "MFNOaz", - "TefIES", - "KGdGg3", - "KHNdvY", - "QBTxvB", - "idn:swordshield.com", - "ThowaF", - "idn:binarydefense.com", - "idn:indusface.com", - "QBtnC2", - "QlWPRW", - "KHZhjO", - "idn:idcloudhost.com", - "LRFVsB", - "KG2JTH", - "KIm1im", - "LAfpKN", - "BaV", - "KGW3VP", - "KFcp5q", - "LCN_6T", - "idn:avastvn.com", - "KFTnbG", - "TiCWjw", - "Lmhpq3", - "KGS-xC", - "KFVthB", - "idn:finyear.com", - "KFji4N", - "P_7M19", - "K-b0DI", - "LV1UMS", - "idn:safe-cyberdefense.com", - "Kjk3fx", - "Q1wlJN" - ], - "Timestamp": "2021-04-09T19:17:06.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: GitHub. 2 related cyber vulnerabilities: CWE-20, CVE-2017-0143. Most recent link (Oct 10, 2021): https://github.com/demisto/content/blob/master/Packs/RecordedFuture/Integrations/RecordedFuture/example_commands.txt", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-10-10T08:21:25.825Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. 
Most recent link (Jun 27, 2017): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2020-12-17T22:59:03.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-21cebba6-46ed-464e-ad5a-32a8063e1400 (Jun 27, 2017).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2017-06-27T17:18:01.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "91 sightings on 19 sources including: Security News Concentrator, Fortinet, Trend Micro, CrowdStrike, FireEye Threat Research Blog. Most recent link (Dec 20, 2019): https://threatvector.cylance.com/en_us/home/threat-spotlight-petya-like-ransomware-is-nasty-wiper.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "QS89Bd", - "KVP0jz", - "T5", - "JYxY5G", - "WR_Ohh", - "Jt4ExJ", - "Kzw0Pm", - "JQH96m", - "2d", - "JYxY8X", - "rN", - "PA-rR4", - "VyWQM7", - "Lp_esG", - "ONMgMx", - "4n", - "QMTzEI", - "83", - "K0TN7r" - ], - "Timestamp": "2019-12-20T01:04:11.602Z" - } - ], - "recordedfuture.risk_string": "8/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - 
"event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 45000, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "WlbRkJ", - "ha2FFj", - "K7wUX2", - "P_ivKa", - "J-mrOR", - "P_upBR" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-10-18T12:09:43.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "47 sightings on 16 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 18 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. 
T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TGXqeD", - "W4ygGi", - "L3kVdM", - "QMfGAr", - "kuKt0c", - "QAy9GA", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "idn:droppdf.com", - "Ql9O5c", - "QAmbRP", - "Tq2nAb", - "TbciDE", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: ReversingLabs. Most recent link (Jul 1, 2019): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TbciDE" - ], - "Timestamp": "2019-07-01T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Rlso4a", - "hkE5DK", - "TZRwk8", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "ad2ad0249fafe85877bc79a01e1afd1a44d983c064ad8cb5bc694d29d166217b", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 48393, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "31 sightings on 4 sources: @m0rb, @bad_packets, @InfoSex11, @luc4m. 2 related attack vectors: DDOS, Command Injection. Most recent tweet: 2021-06-17T23:29:30 - Commented: https://t.co/j2a05iXOiI #malware #commandinjection. Most recent link (Jun 17, 2021): https://twitter.com/m0rb/statuses/1405668962462011401", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "KFwzec", - "TGgDPZ", - "cgGiXI", - "LMcjZ7" - ], - "Timestamp": "2021-06-17T23:29:31.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "3 sightings on 2 sources: @bad_packets, @swarmdotmarket. 
Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "TGgDPZ", - "UBjcy3" - ], - "Timestamp": "2020-04-20T21:22:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "87 sightings on 15 sources including: lumen.com, HackDig Posts, Anquanke News, Daily Dot, centurylink.com. 7 related malware families including Mozi Botnet, Trojan, Qbot, Mirai, DDOS Toolkit. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec. Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:lumen.com", - "POs2u-", - "U13S_U", - "Jzl3yj", - "idn:centurylink.com", - "doLlw5", - "POs2t2", - "idn:cyberswachhtakendra.gov.in", - "idn:hackxsecurity.com", - "TGgDPZ", - "Jv_xrR", - "TSFWTv", - "LMcjZ7", - "UBjcy3", - "TbciDE" - ], - "Timestamp": "2020-04-20T21:22:47.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. 
Most recent link (Nov 28, 2019): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2021-04-04T07:46:20.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Trend Micro. Most recent link (Mar 11, 2021): https://documents.trendmicro.com/assets/pdf/Technical_Brief_Uncleanable_and_Unkillable_The_Evolution_of_IoT_Botnets_Through_P2P_Networking.pdf", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "T5" - ], - "Timestamp": "2021-03-11T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 51700, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "29 sightings on 24 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @rpsanch, @rce_coder. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. 
Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "T1bwMv", - "LC-zVm", - "P_upBR", - "T2OA5Q", - "K20lXV", - "TGgDPZ", - "hkIDTa", - "LqRZCN", - "Vd51cf", - "ha2FFj", - "UmsU31", - "ddafo3", - "K7wUX2", - "P_ivKa", - "idn:wordpress.com", - "J-mrOR", - "QPbAan", - "VeioBt", - "WlbRkJ", - "TvfQzk", - "TP1vbk", - "SrKvJ0", - "SqCj4s", - "VXaDYo" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "10 sightings on 7 sources including: SANS Institute Course Selector Results, Messaging Platforms - Uncategorized, @ecstatic_nobel, @Artilllerie. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Ym7dzt", - "LKKAV1", - "OuKV3V", - "VeioBt", - "Y7TWfI", - "KGS-xC", - "KFSXln" - ], - "Timestamp": "2019-05-28T14:17:41.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "114 sightings on 42 sources including: Doc Player, GhostBin, Codex - Recent changes en, droppdf.com, ReversingLabs. 41 related malware families including Dardesh, AZORult, Emotet, GandCrab, Offensive Security Tools (OST). 
Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "QWOrKl", - "LKKAV1", - "W4ygGi", - "PATKM7", - "T1bwMv", - "LjkJhE", - "kuKt0c", - "QAy9GA", - "LbYmLr", - "K20lXV", - "QZe7TG", - "idn:droppdf.com", - "QAmbRP", - "TbciDE", - "P_j5Dw", - "QNmgPm", - "TGXqeD", - "POs2u-", - "KGS-xC", - "L3kVdM", - "QMfGAr", - "h6VVAH", - "doLlw5", - "UrsUKT", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "RfVd0T", - "J6UzbO", - "POs2tz", - "VfsacJ", - "Jv_xrR", - "Ql9O5c", - "USKpXp", - "TP1vbk", - "SrKvJ0", - "Tq2nAb", - "KFSXln", - "P_ov9o", - "VXaDYo", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. 2 related cyber vulnerabilities: CVE-2016-6663, CWE-362.", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-12-29T07:27:12.565Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 19, 2018): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TbciDE", - "doLlw5" - ], - "Timestamp": "2021-02-10T09:10:10.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "45 sightings on 9 sources including: Security Bloggers Network, Bleeping Computer, Guided Collection, Bleepingcomputer Forums, TheServerSide.com | Updates. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "NSAcUx", - "J6UzbO", - "Rlso4a", - "hkE5DK", - "cJMUDF", - "TZRwk8", - "QMTzEI", - "LUhTGd", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "6/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 56767, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1688 sightings on 26 sources including: lnkd.in, Doc Player, Cyber4Sight, voicebox.pt, VKontakte. 2 related malware families: Wcry, Ransomware. 
Most recent link (Sep 13, 2017): https://malwr.com/analysis/ZmIzN2E3MzQyM2I0NDYwODllOWRhMmQxODg3YzMxZDA/", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:lnkd.in", - "W4ygGi", - "S2tpaX", - "idn:voicebox.pt", - "SIjHV9", - "PJHGaq", - "PA-rR4", - "Z2mQh2", - "e_", - "idn:gofastbuy.com", - "idn:ziftsolutions.com", - "POs2u-", - "KHpcuE", - "QccsRc", - "idn:dfir.pro", - "idn:nksc.lt", - "idn:dy.si", - "KZFCph", - "rN", - "QYsx0D", - "idn:logrhythm.com", - "Jv_xrR", - "idn:safe-cyberdefense.com", - "4n", - "QS89Bx", - "NKaUXl" - ], - "Timestamp": "2017-09-13T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 1 source: Recorded Future Malware Detonation.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D" - ], - "Timestamp": "2020-10-13T10:46:31.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "58 sightings on 5 sources: SecureWorks, InfoCON: green, McAfee, Talos Intel, Kaspersky Securelist and Lab. 
Most recent link (Jun 28, 2018): https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US/McAfee_Labs_WannaCry_June24_2018.pdf", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Z2mQh2", - "2d", - "rN", - "PA-rR4", - "4n" - ], - "Timestamp": "2018-06-28T08:11:36.570Z" - } - ], - "recordedfuture.risk_string": "3/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 58710, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. 
Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "WlbRkJ", - "ha2FFj", - "K7wUX2", - "P_ivKa", - "J-mrOR", - "P_upBR" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-10-18T12:09:43.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "43 sightings on 14 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 19 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: RT @demonslay335: #STOP #Djvu #Ransomware extension \".mogera\" (v090): https://t.co/wlMcSE2EHj | https://t.co/XAYkOoOReU. Most recent link (May 27, 2019): https://twitter.com/DrolSecurity/statuses/1133117241388621825", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TGXqeD", - "W4ygGi", - "L3kVdM", - "QMfGAr", - "QAy9GA", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "idn:droppdf.com", - "Ql9O5c", - "QAmbRP", - "Tq2nAb", - "idn:index-of.es" - ], - "Timestamp": "2019-05-27T21:06:17.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Mar 8, 2021): https://polyswarm.network/scan/results/file/85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "doLlw5" - ], - "Timestamp": "2021-03-08T13:00:15.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Rlso4a", - "hkE5DK", - "TZRwk8", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 62010, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "7 sightings on 7 sources including: malwareresearch, Malwr.com, AAPKS.com, @Shouvik95232310, @santGM, @aa419. 4 related attack vectors: Phishing, Click Fraud, Typosquatting, Keylogger. 
Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "WlbRkJ", - "ha2FFj", - "K7wUX2", - "NKaUXl", - "P_ivKa", - "J-mrOR", - "P_upBR" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-10-18T12:09:43.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "54 sightings on 17 sources including: Ichunqiu Forum, Doc Player, Malwr.com, ArXiv, GitHub. 19 related malware families including Fakespy, Dardesh, Djvu Ransomware, SAVEfiles, Trojan. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TGXqeD", - "W4ygGi", - "L3kVdM", - "QMfGAr", - "NKaUXl", - "kuKt0c", - "QAy9GA", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "idn:droppdf.com", - "Ql9O5c", - "QAmbRP", - "Tq2nAb", - "TbciDE", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: ReversingLabs. Most recent link (Aug 13, 2017): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TbciDE" - ], - "Timestamp": "2017-08-13T00:33:27.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Rlso4a", - "hkE5DK", - "TZRwk8", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "7531fcea7002c8b52a8d023d0f3bb938efb2cbfec91d2433694930b426d84865", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 65443, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443, TCP:6881, TCP:995. Exfiltration behavior observed. Last observed on Dec 27, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T02:11:16.663Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "164 sightings on 4 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions, Abuse.ch: Feodo IP Blocklist, Polyswarm Sandbox Analysis - Malware C2 Extractions. 
Joe Security malware sandbox identified 103.143.8.71:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8", - "report:OtiCOp", - "hyihHO" - ], - "Timestamp": "2021-12-29T02:11:16.658Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "7 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Nov 8, 2021): https://pastebin.com/G1Jvm5T0", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "Jv_xrR" - ], - "Timestamp": "2021-11-08T16:27:15.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: GitHub. Most recent link (Nov 16, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-11-16T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "4/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "103.143.8.71", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 67656, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - 
"CriticalityLabel": "Very Malicious", - "EvidenceString": "12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Dec 24, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8" - ], - "Timestamp": "2021-12-24T08:07:09.925Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 2 sources: Bitdefender IP Reputation, hpHosts Latest Additions. Bitdefender detected suspicious traffic involving 185.19.85.136 associated with Bitdefender threat name Trojan.GenericKD.34300483 on Apr 30, 2021", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "iFMVSl", - "Ol_aRZ" - ], - "Timestamp": "2021-04-30T04:50:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: GitHub. 2 related intrusion methods: Nanocore, Remote Access Trojan. Most recent link (Jan 1, 2021): https://github.com/GlacierSheep/DomainBlockList/blob/master/trail/static_nanocore_(malware).domainset", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-01-01T16:56:57.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. 
Observed between Feb 13, 2021, and Feb 13, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:SW8xpk" - ], - "Timestamp": "2021-12-28T19:20:46.641Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "9 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Oct 29, 2021.", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8" - ], - "Timestamp": "2021-10-29T08:07:54.495Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Asyncrat. Communication observed on TCP:6060. Last observed on Dec 21, 2021.", - "MitigationString": "", - "Name": "intermediateActiveCnc", - "Rule": "Recently Active C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T19:20:46.639Z" - } - ], - "recordedfuture.risk_string": "6/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "185.19.85.136", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 70518, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. 
Identified as C&C server for 1 malware family: Cobalt Strike Team Servers. Communication observed on TCP:443, TCP:8443. Last observed on Dec 26, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T18:45:41.875Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 1 source: Recorded Future Command & Control List. Command & Control host identified on Jul 5, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA" - ], - "Timestamp": "2021-07-05T08:04:23.139Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: C2IntelFeeds IPC2s. Most recent link (Aug 15, 2021): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=45.112.206.18_20210815", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Historically Linked to Cyber Attack", - "Sources": [ - "k_7zaW" - ], - "Timestamp": "2021-08-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "12 sightings on 2 sources: C2IntelFeeds IPC2s, @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "k_7zaW", - "jqWX2B" - ], - "Timestamp": "2021-11-26T15:01:53.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 1 source: @drb_ra. 
Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "jqWX2B" - ], - "Timestamp": "2021-11-26T15:01:53.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 2 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, Recorded Future Analyst Community Trending Indicators. Observed between Jul 8, 2021, and Dec 9, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:aD1qtM", - "report:Tluf00" - ], - "Timestamp": "2021-12-28T18:45:41.877Z" - } - ], - "recordedfuture.risk_string": "6/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "45.112.206.18", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 73755, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "5 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. 
Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample c9709d56b92047cd55fb097feb6cb7a8de6f3edc5ea79a429363938a69aae580", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "hyihHO", - "h_iZX8" - ], - "Timestamp": "2021-12-27T19:00:49.975Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "5 sightings on 1 source: AbuseIP Database. Most recent link (Aug 25, 2020): https://www.abuseipdb.com/check/190.55.186.229", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2020-08-25T20:01:29.075Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "87 sightings on 1 source: Cryptolaemus Pastedump. Most recent link (Jan 25, 2021): https://paste.cryptolaemus.com/emotet/2021/01/25/emotet-malware-IoCs_01-25-21.html", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Historical Positive Malware Verdict", - "Sources": [ - "Z7kln2" - ], - "Timestamp": "2021-01-25T23:59:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: External Sensor Spam. 190.55.186.229 was historically observed as spam. No longer observed as of Nov 16, 2021.", - "MitigationString": "", - "Name": "spam", - "Rule": "Historical Spam Source", - "Sources": [ - "kBCI-b" - ], - "Timestamp": "2021-11-16T01:06:21.965Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Unit 42 Palo Alto Networks. 
Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "jjf3_B" - ], - "Timestamp": "2021-04-09T12:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "239 sightings on 5 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks, PasteBin, Cryptolaemus Pastedump. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Mar 14, 2021): https://unit42.paloaltonetworks.jp/attack-chain-overview-emotet-in-december-2020-and-january-2021/", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "idn:paloaltonetworks.jp", - "JwO7jp", - "jjf3_B", - "Jv_xrR", - "Z7kln2" - ], - "Timestamp": "2021-03-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "6 sightings on 3 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "idn:paloaltonetworks.jp", - "JwO7jp", - "jjf3_B" - ], - "Timestamp": "2021-04-09T12:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 2 sources: University of Science and Technology of China Black IP List, Abuse.ch: Feodo IP Blocklist. 
Observed between Feb 26, 2021, and Dec 27, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Q1ghC0", - "report:OtiCOp" - ], - "Timestamp": "2021-12-28T19:33:55.849Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "31 sightings on 3 sources: Palo Alto Networks, Polyswarm Sandbox Analysis - Malware C2 Extractions, Unit 42 Palo Alto Networks. Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample a88734cd5c38211a4168bc7701516a50e6aef5ef20d2b1a915edae23c1b345db", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "JwO7jp", - "hyihHO", - "jjf3_B" - ], - "Timestamp": "2021-10-19T12:21:34.268Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Talos IP Blacklist.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:VW6jeN" - ], - "Timestamp": "2021-12-28T19:33:55.846Z" - } - ], - "recordedfuture.risk_string": "10/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "190.55.186.229", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 78659, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded 
Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Emotet. Communication observed on TCP:443. Exfiltration behavior observed. Last observed on Dec 26, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T22:05:35.688Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Dec 1, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "report:OtiCOp" - ], - "Timestamp": "2021-12-01T08:06:11.827Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: PasteBin. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 2, 2021): https://pastebin.com/SusxCK2b", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "Jv_xrR" - ], - "Timestamp": "2021-12-02T15:58:10.000Z" - } - ], - "recordedfuture.risk_string": "3/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "62.210.82.223", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 80121, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 
1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Bazarloader. Communication observed on TCP:443. Exfiltration behavior observed. Last observed on Dec 25, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T06:21:27.731Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Nov 25, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "report:OtiCOp" - ], - "Timestamp": "2021-11-25T08:06:42.384Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 2 sources: Project Honey Pot, @HoneyFog. Most recent tweet: Fog44: 87.120.254.96->22. Most recent link (Dec 14, 2016): https://twitter.com/HoneyFog/statuses/809032869792378880", - "MitigationString": "", - "Name": "honeypot", - "Rule": "Historical Honeypot Sighting", - "Sources": [ - "P_izv4", - "OSz1F0" - ], - "Timestamp": "2016-12-14T13:50:41.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: External Sensor Spam. 87.120.254.96 was historically observed as spam. No longer observed as of Nov 16, 2021.", - "MitigationString": "", - "Name": "spam", - "Rule": "Historical Spam Source", - "Sources": [ - "kBCI-b" - ], - "Timestamp": "2021-11-16T03:19:58.721Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: GitHub. 
Most recent link (Nov 8, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-05-TA551-IOCs.txt", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-11-08T00:00:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: University of Science and Technology of China Black IP List.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:Q1ghC0" - ], - "Timestamp": "2021-12-29T06:21:27.693Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: CloudSEK. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 22, 2021): https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/", - "MitigationString": "", - "Name": "recentLinkedIntrusion", - "Rule": "Recently Linked to Intrusion Method", - "Sources": [ - "k837l0" - ], - "Timestamp": "2021-12-22T09:45:33.000Z" - } - ], - "recordedfuture.risk_string": "7/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "87.120.254.96", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 83263, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. 
Identified as C&C server for 1 malware family: Covenant. Communication observed on TCP:7443. Exfiltration behavior observed. Last observed on Dec 27, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T18:42:08.923Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "19 sightings on 2 sources: Recorded Future Command & Control List, @TheDFIRReport. Most recent tweet: Here's some newer C2 servers we're tracking: #BazarLoader 64.227.73.80 64.225.71.198 #Covenant 167.71.67.196 45.146.165.76 #PoshC2 193.36.15.192 #Empire 64.227.21.255 #Metasploit 91.221.70.143 Full list available @ https://t.co/QT6o626hsR #ThreatFeed. Most recent link (Sep 1, 2021): https://twitter.com/TheDFIRReport/statuses/1433055791964049412", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "dZgcRz" - ], - "Timestamp": "2021-09-01T13:15:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 3 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, CINS: CI Army List, Recorded Future Analyst Community Trending Indicators. 
Observed between Jan 22, 2021, and Sep 25, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:aD1qtM", - "report:OchJ-t", - "report:Tluf00" - ], - "Timestamp": "2021-12-28T18:42:08.925Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: DShield: Recommended Block List.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:OchJ-o" - ], - "Timestamp": "2021-12-28T18:42:08.917Z" - } - ], - "recordedfuture.risk_string": "4/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "45.146.165.76", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 85476, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "5 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample b827a4587bc6162715693c71e432769ec6272c130bb87e14bc683f5bd7caf834", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "hyihHO" - ], - "Timestamp": "2021-12-22T04:10:08.558Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @HoneyFog. Most recent tweet: Fog44: 181.112.52.26->22. 
I've never seen this IP before. Most recent link (Oct 6, 2017): https://twitter.com/HoneyFog/statuses/916371734928019456", - "MitigationString": "", - "Name": "honeypot", - "Rule": "Historical Honeypot Sighting", - "Sources": [ - "P_izv4" - ], - "Timestamp": "2017-10-06T18:37:01.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2018-08-17T00:30:42.194Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2339 sightings on 9 sources including: TBN, BlackHatWorld Forum, Carding Mafia Forum, Inforge Forum Hacker Trucchi Giochi Informatica, ProxyFire - The Best Proxy Software and Forum. Most recent link (Jun 29, 2019): https://Black%20Hat%20World%20Forum%20(Obfuscated)/seo/ssl-proxies-occasional-update.927669/page-44#post-12210196", - "MitigationString": "", - "Name": "openProxies", - "Rule": "Historical Open Proxies", - "Sources": [ - "RqhhJr", - "KjGS3i", - "VU4Qnc", - "P7sZbk", - "OQ_oQH", - "Qk8WdX", - "Qk8Wdg", - "QqgtXJ", - "KhvyCV" - ], - "Timestamp": "2019-06-29T01:18:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26", - "MitigationString": "", - "Name": "sshDictAttacker", - "Rule": "Historical SSH/Dictionary Attacker", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2018-08-17T00:30:42.194Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 3 sources: Manato Kumagai Hatena Blog, sentinelone.com, PasteBin. 6 related intrusion methods including TrickLoader, Trojan, Emotet, Banking Trojan, Trickbot. 
Most recent link (Feb 26, 2020): https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "TiY1wa", - "idn:sentinelone.com", - "Jv_xrR" - ], - "Timestamp": "2020-02-26T15:00:17.035Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 3 sources: BlockList.de: Fail2ban Reporting Service, Abuse.ch: Feodo IP Blocklist, Proxies: SOCKS Open Proxies. Observed between Jun 15, 2019, and Oct 3, 2020.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:OhgwUx", - "report:OtiCOp", - "report:SYQe08" - ], - "Timestamp": "2021-12-28T22:05:41.272Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "3 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. 
Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample dcc42c0bd075f283c71ac327c845498454dcd9528386df5b296fdf89ba105bfa", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "hyihHO" - ], - "Timestamp": "2021-07-15T12:42:04.656Z" - } - ], - "recordedfuture.risk_string": "8/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "181.112.52.26", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 89684, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "10 sightings on 2 sources: Recorded Future Command & Control List, Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 77.79.56.210:443 as TA0011 (Command and Control) for QakBot using configuration extraction on sample 77b34084de82afac57fbe2c6442dbe7d07c53da5ec87eaf2210b852f0d943cd5", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "hyihHO" - ], - "Timestamp": "2021-12-29T02:00:05.439Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. 
Most recent link (Nov 7, 2021): https://pastebin.com/u8neEVnz", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "Jv_xrR" - ], - "Timestamp": "2021-11-07T09:05:40.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Abuse.ch: Feodo IP Blocklist. Observed between Nov 29, 2021, and Dec 10, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:OtiCOp" - ], - "Timestamp": "2021-12-29T02:11:39.014Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 77.79.56.210:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8" - ], - "Timestamp": "2021-11-03T16:57:54.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Project Honey Pot. Most recent link (Dec 19, 2021): https://www.projecthoneypot.org/ip_77.79.56.210", - "MitigationString": "", - "Name": "recentHoneypot", - "Rule": "Recent Honeypot Sighting", - "Sources": [ - "OSz1F0" - ], - "Timestamp": "2021-12-19T11:30:02.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443. 
Last observed on Dec 23, 2021.", - "MitigationString": "", - "Name": "intermediateActiveCnc", - "Rule": "Recently Active C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T02:11:39.012Z" - } - ], - "recordedfuture.risk_string": "6/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "77.79.56.210", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 92645, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "87 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 24.139.72.117:443 as TA0011 (Command and Control) for QakBot using configuration extraction on sample 7ea5720ac7efeb49873f95870d546632d6c8c187ee6e2fc515acfe974483ee0e", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "hyihHO", - "h_iZX8" - ], - "Timestamp": "2021-12-29T07:00:21.416Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: Kaspersky Securelist and Lab. 
Most recent link (Sep 2, 2021): https://securelist.com/qakbot-technical-analysis/103931/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "4n" - ], - "Timestamp": "2021-09-02T10:00:32.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "34 sightings on 5 sources: Malware News - Malware Analysis, News and Indicators, PasteBin, Segurana Informtica, The Cyber Feed, Kaspersky Securelist and Lab. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Dec 3, 2021): https://pastebin.com/xJ0kmeYQ", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "gBDK5G", - "Jv_xrR", - "VW7VQs", - "g162EU", - "4n" - ], - "Timestamp": "2021-12-03T16:51:53.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "6 sightings on 3 sources: Malware News - Malware Analysis, News and Indicators, urlscan.io, Kaspersky Securelist and Lab. Most recent link (Dec 1, 2021): https://urlscan.io/result/c5b4e2d5-acf0-4fc5-b7bd-e8afac3e5f5a/", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "gBDK5G", - "WNRa7q", - "4n" - ], - "Timestamp": "2021-12-01T10:54:33.863Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Abuse.ch: Feodo IP Blocklist. 
Observed between Nov 19, 2021, and Nov 21, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:OtiCOp" - ], - "Timestamp": "2021-12-29T07:17:33.217Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "234 sightings on 4 sources: Recorded Future Command & Control List, Polyswarm Sandbox Analysis - Malware C2 Extractions, PasteBin, Joe Security Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 24.139.72.117:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "b5tNVA", - "hyihHO", - "Jv_xrR", - "h_iZX8" - ], - "Timestamp": "2021-11-03T16:57:54.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443. 
Last observed on Dec 23, 2021.", - "MitigationString": "", - "Name": "intermediateActiveCnc", - "Rule": "Recently Active C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T07:17:33.215Z" - } - ], - "recordedfuture.risk_string": "7/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "24.139.72.117", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 87.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 96399, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" - ], - "Timestamp": "2021-07-20T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 
1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-07-10T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "144.34.179.162", - "threat.indicator.url.original": "http://144.34.179.162/a", - "threat.indicator.url.path": "/a", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 85.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 97973, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-11-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Nov 14, 2021.", - "MitigationString": "", - "Name": "phishingSiteDetected", - "Rule": "Historically Detected Phishing Techniques", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-11-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "41 sightings on 19 sources including: Stock market news Company News MarketScreenercom, GlobeNewswire | Software, Yahoo!, globenewswirecom, otcdynamics.com. Most recent link (Oct 3, 2021): https://telecomkh.info/?p=4004", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "XBl0xf", - "c2unu0", - "DVW", - "NPgRlV", - "idn:otcdynamics.com", - "idn:norteenlinea.com", - "N4OmGX", - "idn:snewsonline.com", - "idn:nationalcybersecuritynews.today", - "dCod5e", - "hZ14Az", - "idn:securityopenlab.it", - "idn:clevertechmx.blogspot.com", - "cJzvLR", - "eNeV39", - "dCotni", - "dCo6X1", - "jB6Hnn", - "idn:telecomkh.info" - ], - "Timestamp": "2021-10-03T12:53:49.605Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: No-IP. Behavior observed: Malware Distribution, Phishing Techniques. 
Last observed on Dec 20, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T07:08:29.105Z" - } - ], - "recordedfuture.risk_string": "4/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "adminsys.serveftp.com", - "threat.indicator.url.original": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623", - "threat.indicator.url.path": "/nensa/fabio/ex/478632215/zer7855/nuns566623", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 79.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 100260, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "17 sightings on 14 sources including: Security Affairs, sensorstechforum.com, Heimdal Security Blog, securitynewspaper, BBS Kafan Card Forum. 
Most recent link (Dec 22, 2021): https://d335luupugsy2.cloudfront.net/cms%2Ffiles%2F183750%2F1640120040Log4j_-_Explorao_por_grupos_APT.pdf", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "JNe6Hu", - "TQnwKJ", - "OfMf0W", - "TefIEN", - "VyuDZP", - "Z7kln5", - "bd-Dtt", - "kKLjNc", - "Y7TWfI", - "idn:redpacketsecurity.com", - "idn:eccouncil.org", - "idn:comparaland.com", - "idn:d335luupugsy2.cloudfront.net", - "KVRURg" - ], - "Timestamp": "2021-12-22T16:01:42.134Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Khonsari Ransomware and Orcus RAT Exploit Log4Shell (CVE-2021-44228), Samples Uploaded on MalwareBazaar. Most recent link (Dec 17, 2021): https://app.recordedfuture.com/live/sc/4SWiMAS816Gj", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-12-17T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "3.145.115.94", - "threat.indicator.url.extension": "exe", - "threat.indicator.url.original": "http://3.145.115.94/zambo/groenhuyzen.exe", - "threat.indicator.url.path": "/zambo/groenhuyzen.exe", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 79.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 101674, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": 
"Unusual", - "EvidenceString": "53 sightings on 14 sources including: HackDig Posts, Anquanke News, mrhacker.co, Sesin at, Check Point Research. Most recent link (Feb 6, 2021): https://cdn.www.gob.pe/uploads/document/file/1580907/Alerta%20integrada%20de%20seguridad%20digital%20N%C2%B0%xxx-xx-xxxx-PECERT%20.pdf", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "POs2u-", - "U13S_U", - "idn:mrhacker.co", - "Z3TZAQ", - "N4OmGX", - "UqKvRr", - "gBDK5G", - "JExgHv", - "QxXv_c", - "J6UzbO", - "eTNyK6", - "idn:privacy.com.sg", - "e6Ewt_", - "idn:reportcybercrime.com" - ], - "Timestamp": "2021-02-06T12:52:09.042Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentMalwareSiteDetected", - "Rule": "Recently Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "gxbrowser.net", - "threat.indicator.url.original": "http://gxbrowser.net", - "threat.indicator.url.path": "", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 78.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 102952, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": 
"2 sightings on 1 source: Insikt Group. 2 reports including \"Fractured Block\u201d Campaign Targets Korean Users. Most recent link (Dec 09, 2018): https://app.recordedfuture.com/live/sc/1RuTxKrDf8Qt", - "MitigationString": "", - "Name": "relatedNote", - "Rule": "Historically Referenced by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2018-12-09T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "33 sightings on 12 sources including: Palo Alto Networks, tistory.com, HackDig Posts, Anquanke News, airmagnet.technology. Most recent tweet: Continued MR.Dropper's attack. (Targething korean cryptocurrency exchange) #hcapital #ioc MD5 : eb459b47be479b61375d7b3c7c568425 URL : hxxps://881[.]000webhostapp[.]com/1.txt PDB : D:\\Attack\\DropperBuild\\x64\\Release\\Dropper.pdb https://t.co/FpsinliQqx [Beyond The Binary]. Most recent link (Sep 3, 2018): https://twitter.com/wugeej/statuses/1036413512732426240", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "JwO7jp", - "idn:tistory.com", - "POs2u-", - "U13S_U", - "ThoB0I", - "idn:airmagnet.technology", - "LErKlN", - "WuLz1r", - "KdwTwF", - "VfsacJ", - "jjf3_B", - "idn:brica.de" - ], - "Timestamp": "2018-09-03T00:40:11.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: 000Webhost. Behavior observed: Malware Distribution. 
Last observed on Oct 16, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T07:07:42.477Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "881.000webhostapp.com", - "threat.indicator.url.extension": "txt", - "threat.indicator.url.original": "https://881.000webhostapp.com/1.txt", - "threat.indicator.url.path": "/1.txt", - "threat.indicator.url.scheme": "https" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 78.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 104946, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "38 sightings on 7 sources including: cybersecdn.com, WeLiveSecurity Spain, deepcheck.one, hackeridiot.com, PasteBin. 
Most recent link (May 27, 2021): https://cybersecdn.com/index.php/2021/05/27/janeleiro-the-time-traveler-a-new-old-banking-trojan-in-brazil/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "idn:cybersecdn.com", - "fWD1r9", - "idn:deepcheck.one", - "idn:hackeridiot.com", - "Jv_xrR", - "ONMgMx", - "idn:nationalcybersecuritynews.today" - ], - "Timestamp": "2021-05-27T22:48:00.256Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: DuckDNS. Behavior observed: Malware Distribution. Last observed on Oct 15, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T06:34:00.698Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: New Janeleiro Banking Trojan Targets Corporate Users in Brazil. 
Most recent link (Apr 06, 2021): https://app.recordedfuture.com/live/sc/4wolQHrxLiwd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-04-06T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "4/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "comunicador.duckdns.org", - "threat.indicator.url.extension": "php", - "threat.indicator.url.original": "http://comunicador.duckdns.org/catalista/lixo/index.php", - "threat.indicator.url.path": "/catalista/lixo/index.php", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 107085, - "recordedfuture.evidence_details": [ - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: Afraid.org. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-28T22:15:49.631Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentMalwareSiteDetected", - "Rule": "Recently Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 2 sources: Bitdefender, Urlscan.io. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentPhishingSiteDetected", - "Rule": "Recently Detected Phishing Techniques", - "Sources": [ - "d3Awkm", - "eKv4Jm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "www.jeanninecatddns.chickenkiller.com", - "threat.indicator.url.original": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow", - "threat.indicator.url.path": "/signin-authflow", - "threat.indicator.url.scheme": "https" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 108580, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Aug 13, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-08-13T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "gBDK5G", - "idn:microsoft.com", - "idn:sociabble.com", - "KBTQ2e", - "dCotni", - "g9rk5F", - "Z7kln5", - "idn:cda.ms", - "idn:thewindowsupdate.com" - ], - "Timestamp": "2021-08-13T17:03:19.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. 
Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-08-12T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "coollab.jp", - "threat.indicator.url.extension": "js", - "threat.indicator.url.original": "http://coollab.jp/dir/root/p/09908.js", - "threat.indicator.url.path": "/dir/root/p/09908.js", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 110421, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021.", - "MitigationString": "", - "Name": "phishingSiteDetected", - "Rule": "Historically Detected Phishing Techniques", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-05-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. 
Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Gzt", - "idn:eccouncil.org", - "idn:frsecure.com", - "J-8-Nr", - "Jv_xrR", - "g9rk5F", - "cUg0pv", - "K5LKj8", - "fVAueu" - ], - "Timestamp": "2021-01-27T05:14:38.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-01-25T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "blog.br0vvnn.io", - "threat.indicator.url.original": "https://blog.br0vvnn.io", - "threat.indicator.url.path": "", - "threat.indicator.url.scheme": "https" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 112107, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "24 sightings on 10 sources including: lnkd.in, digitalforensicsmagazineblog PH, mediosdemexico.com, Palo Alto Networks, Security Art Work. 
Most recent link (Mar 4, 2016): https://lnkd.in/egi-nMa", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "idn:lnkd.in", - "JNe6Gc", - "idn:mediosdemexico.com", - "JwO7jp", - "LCN_6T", - "KA0p6S", - "LErKlN", - "jjf3_B", - "KE9Xit", - "J4bouj" - ], - "Timestamp": "2016-03-04T14:33:36.543Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 27, 2021.", - "MitigationString": "", - "Name": "recentMalwareSiteDetected", - "Rule": "Recently Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-12-27T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "init.icloud-analysis.com", - "threat.indicator.url.original": "http://init.icloud-analysis.com", - "threat.indicator.url.path": "", - "threat.indicator.url.scheme": "http" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log deleted file mode 100644 index f904e04374b..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log +++ /dev/null 
@@ -1,10 +0,0 @@ -"Name","Risk","RiskString","EvidenceDetails" -"xohrikvjhiu.eu","96","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""21 sightings on 4 sources: Proofpoint, PasteBin, The Daily Advance, @DGAFeedAlerts. Most recent tweet: New ramnit Dom: xohrikvjhiu[.]eu IP: 13[.]90[.]196[.]81 NS: https://t.co/nTqEOuAW2E https://t.co/QdrtFSplyz. Most recent link (Nov 16, 2019): https://twitter.com/DGAFeedAlerts/statuses/1195824847915491329"", ""Sources"": [""QQA438"", ""Jv_xrR"", ""SlNfa3"", ""KvPSaU""], ""Timestamp"": ""2019-11-16T22:03:55.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""18 sightings on 2 sources: Proofpoint, The Daily Advance. Most recent link (Nov 12, 2018): https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy#.W-nmxyGcuiY.twitter"", ""Sources"": [""QQA438"", ""KvPSaU""], ""Timestamp"": ""2018-11-12T20:48:08.675Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Referenced by Insikt Group"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Proofpoint Researchers Observe sLoad and Ramnit in Campaigns Against The U.K. and Italy. Most recent link (Oct 23, 2018): https://app.recordedfuture.com/live/sc/4KSWum2M6Lx7"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2018-10-23T00:00:00.000Z"", ""Name"": ""relatedNote"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Mar 23, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-03-23T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T07:12:02.455Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"wgwuhauaqcrx.com","95","6/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported by DHS AIS"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-216d34d4-67bd-4add-ae6e-4ddec27dcb0e (Jul 25, 2019)."", ""Sources"": [""UZNze8""], ""Timestamp"": ""2019-07-25T00:46:19.000Z"", ""Name"": ""dhsAis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: MALWARE BREAKDOWN. Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/"", ""Sources"": [""ST7rfx""], ""Timestamp"": ""2017-05-17T19:31:06.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 19, 2021, and Jul 21, 2021."", ""Sources"": [""report:Tluf00""], ""Timestamp"": ""2021-12-29T07:21:52.311Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 9, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-07-09T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-07-06T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T07:21:52.303Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"wbmpvebw.com","95","6/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: wbmpvebw[.]com IP: 209[.]99[.]40[.]220 NS: https://t.co/bH4I7LoMNf https://t.co/KTCPYU87bT. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551578264821760"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2020-01-04T20:03:37.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Feb 18, 2021, and Feb 24, 2021."", ""Sources"": [""report:Tluf00""], ""Timestamp"": ""2021-12-29T07:16:05.008Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-06-30T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Malwr.com. 
Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-05-08T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T07:16:05.007Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"ckgryagcibbcf.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: ckgryagcibbcf[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333576053207040"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2021-02-01T20:08:18.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Jun 15, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-06-15T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2016-04-11T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:40:44.358Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"jpuityvakjgg.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jpuityvakjgg[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333600627683330"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2021-02-01T20:08:24.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 17, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-06-17T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-05-08T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:46:28.155Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"jexgpprgph.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jexgpprgph[.]com IP: 209[.]99[.]40[.]222 NS: https://t.co/IGcQwMvzjy https://t.co/J2gdsVMl8U. 
Most recent link (Dec 13, 2018): https://twitter.com/DGAFeedAlerts/statuses/1073277207919947778"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2018-12-13T18:03:21.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-06-30T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Malwr.com. 
Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-05-08T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:40:30.778Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"cascotqhij.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: cascotqhij[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/czXUwYeuxf https://t.co/nKWfZguQSF. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333566758682629"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2021-02-01T20:08:16.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Jul 27, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-07-27T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2016-04-11T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:34:06.062Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"npcvnorvyhelagx.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported by DHS AIS"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-e26bfe3a-8f67-4f57-9449-3f183fe94c07 (Jul 25, 2019)."", ""Sources"": [""UZNze8""], ""Timestamp"": ""2019-07-25T01:51:04.000Z"", ""Name"": ""dhsAis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/"", ""Sources"": [""ST7rfx""], ""Timestamp"": ""2017-05-17T19:31:06.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Apr 1, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-04-01T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-07-06T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:45:21.381Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"uxlyihgvfnqcrfcf.com","94","5/45","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: uxlyihgvfnqcrfcf[.]com IP: 209[.]99[.]40[.]224 NS: https://t.co/03Dbt4N72t https://t.co/l29AcRDSvE. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551575332982790"", ""Sources"": [""SlNfa3""], ""Timestamp"": ""2020-01-04T20:03:36.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html"", ""Sources"": [""KVQ2PB""], ""Timestamp"": ""2017-03-08T01:18:17.569Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Operation"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 6, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-05-06T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Malware Analysis DNS Name"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/"", ""Sources"": [""NKaUXl""], ""Timestamp"": ""2017-05-08T00:00:00.000Z"", ""Name"": ""malwareAnalysis"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C DNS Name"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bambenek Consulting C&C Blocklist."", ""Sources"": [""report:QhR8Qs""], ""Timestamp"": ""2021-12-29T06:35:26.677Z"", ""Name"": ""recentCncSite"", ""MitigationString"": """", ""Criticality"": 4.0}]}" 
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log-expected.json
deleted file mode 100644
index a07a14a023c..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_domain_default.csv.log-expected.json
+++ /dev/null
@@ -1,777 +0,0 @@ -[ - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 96.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 45, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "18 sightings on 2 sources: Proofpoint, The Daily Advance. Most recent link (Nov 12, 2018): https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy#.W-nmxyGcuiY.twitter", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "QQA438", - "KvPSaU" - ], - "Timestamp": "2018-11-12T20:48:08.675Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Mar 23, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-03-23T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Proofpoint Researchers Observe sLoad and Ramnit in Campaigns Against The U.K. and Italy. Most recent link (Oct 23, 2018): https://app.recordedfuture.com/live/sc/4KSWum2M6Lx7", - "MitigationString": "", - "Name": "relatedNote", - "Rule": "Historically Referenced by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2018-10-23T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "21 sightings on 4 sources: Proofpoint, PasteBin, The Daily Advance, @DGAFeedAlerts. 
Most recent tweet: New ramnit Dom: xohrikvjhiu[.]eu IP: 13[.]90[.]196[.]81 NS: https://t.co/nTqEOuAW2E https://t.co/QdrtFSplyz. Most recent link (Nov 16, 2019): https://twitter.com/DGAFeedAlerts/statuses/1195824847915491329", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "QQA438", - "Jv_xrR", - "SlNfa3", - "KvPSaU" - ], - "Timestamp": "2019-11-16T22:03:55.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:12:02.455Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "xohrikvjhiu.eu" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 95.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 2436, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-07-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "ST7rfx" - ], - "Timestamp": "2017-05-17T19:31:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 9, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-07-09T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-216d34d4-67bd-4add-ae6e-4ddec27dcb0e (Jul 25, 2019).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Historically Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2019-07-25T00:46:19.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 19, 2021, and Jul 21, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-29T07:21:52.311Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:21:52.303Z" - } - ], - "recordedfuture.risk_string": "6/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "wgwuhauaqcrx.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 95.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 4976, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: wbmpvebw[.]com IP: 209[.]99[.]40[.]220 NS: https://t.co/bH4I7LoMNf https://t.co/KTCPYU87bT. Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551578264821760", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2020-01-04T20:03:37.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Feb 18, 2021, and Feb 24, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-29T07:16:05.008Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T07:16:05.007Z" - } - ], - "recordedfuture.risk_string": "6/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "wbmpvebw.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 7524, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2016-04-11T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: ckgryagcibbcf[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333576053207040", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:18.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:40:44.358Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "ckgryagcibbcf.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - 
"event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 9658, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/NzhlZjJmMDA1MTMyNGM5NDg3YTQwMzI5YzAzMzY1NTg/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 17, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-17T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jpuityvakjgg[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/nKWfZguQSF https://t.co/czXUwYeuxf. 
Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333600627683330", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:24.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:46:28.155Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "jpuityvakjgg.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 11789, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. 
Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 30, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: jexgpprgph[.]com IP: 209[.]99[.]40[.]222 NS: https://t.co/IGcQwMvzjy https://t.co/J2gdsVMl8U. Most recent link (Dec 13, 2018): https://twitter.com/DGAFeedAlerts/statuses/1073277207919947778", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2018-12-13T18:03:21.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:40:30.778Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "jexgpprgph.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": 
"enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 13918, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Malwr.com. Most recent link (Apr 11, 2016): https://malwr.com/analysis/YjVjNzlmNjdhMDMyNDY2MjkzY2FkMjQzOWJiNmUyOWI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2016-04-11T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jul 27, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-07-27T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: cascotqhij[.]com IP: 18[.]235[.]92[.]123 NS: https://t.co/czXUwYeuxf https://t.co/nKWfZguQSF. 
Most recent link (Feb 1, 2021): https://twitter.com/DGAFeedAlerts/statuses/1356333566758682629", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2021-02-01T20:08:16.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:34:06.062Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "cascotqhij.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 16046, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (Jul 6, 2017): https://malwr.com/analysis/ZmMxNWJlYWU1NTI4NDA1Nzg3YTc5MWViNTA0YTNhYmQ/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-07-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: MALWARE BREAKDOWN. 
Most recent link (May 17, 2017): https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "ST7rfx" - ], - "Timestamp": "2017-05-17T19:31:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Apr 1, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-04-01T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-e26bfe3a-8f67-4f57-9449-3f183fe94c07 (Jul 25, 2019).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Historically Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2019-07-25T01:51:04.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:45:21.381Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "npcvnorvyhelagx.com" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - 
"event.module": "threatintel", - "event.risk_score": 94.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 18164, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Malwr.com. Most recent link (May 8, 2017): https://malwr.com/analysis/MDcwMzAxMzhkZGIwNGI5Y2I0ZGMyMDY1NzhlZmUzNGI/", - "MitigationString": "", - "Name": "malwareAnalysis", - "Rule": "Historical Malware Analysis DNS Name", - "Sources": [ - "NKaUXl" - ], - "Timestamp": "2017-05-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Dynamoos Blog. Most recent link (Mar 8, 2017): http://blog.dynamoo.com/2013/05/something-evil-on-xxx-xx-xxxx.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "KVQ2PB" - ], - "Timestamp": "2017-03-08T01:18:17.569Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 6, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Operation", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-05-06T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New ramnit Dom: uxlyihgvfnqcrfcf[.]com IP: 209[.]99[.]40[.]224 NS: https://t.co/03Dbt4N72t https://t.co/l29AcRDSvE. 
Most recent link (Jan 4, 2020): https://twitter.com/DGAFeedAlerts/statuses/1213551575332982790", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged DNS Name", - "Sources": [ - "SlNfa3" - ], - "Timestamp": "2020-01-04T20:03:36.000Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Bambenek Consulting C&C Blocklist.", - "MitigationString": "", - "Name": "recentCncSite", - "Rule": "Recent C&C DNS Name", - "Sources": [ - "report:QhR8Qs" - ], - "Timestamp": "2021-12-29T06:35:26.677Z" - } - ], - "recordedfuture.risk_string": "5/45", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "domain-name", - "threat.indicator.url.domain": "uxlyihgvfnqcrfcf.com" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log deleted file mode 100644 index 58d47795d10..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log +++ /dev/null 
@@ -1,10 +0,0 @@ -"Name","Algorithm","Risk","RiskString","EvidenceDetails" -"38e992eb852ab0c4ac03955fb0dc9bb38e64010fdf9c05331d2b02b6e05689c2","SHA-256","89","6/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""50 sightings on 10 sources including: Security Bloggers Network, TechTarget Search Security, Bleeping Computer, Guided Collection, Bleepingcomputer Forums. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561"", ""Sources"": [""NSAcUx"", ""KCdHcb"", ""J6UzbO"", ""Rlso4a"", ""hkE5DK"", ""cJMUDF"", ""TZRwk8"", ""QMTzEI"", ""LUhTGd"", ""J5NRun""], ""Timestamp"": ""2021-12-21T08:40:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""32 sightings on 27 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @neonprimetime, @rpsanch. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. 
Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752"", ""Sources"": [""T1bwMv"", ""LC-zVm"", ""QFvaUy"", ""P_upBR"", ""T2OA5Q"", ""K20lXV"", ""TGgDPZ"", ""hkIDTa"", ""LqRZCN"", ""Vd51cf"", ""ha2FFj"", ""UmsU31"", ""K7wUX2"", ""P_ivKa"", ""Qj3TQr"", ""idn:wordpress.com"", ""J-mrOR"", ""QPbAan"", ""VeioBt"", ""WlbRkJ"", ""K7sErA"", ""TvfQzk"", ""TP1vbk"", ""SrKvJ0"", ""SqCj4s"", ""VXaDYo"", ""bk2VX4""], ""Timestamp"": ""2021-12-25T03:23:47.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""6 sightings on 6 sources including: Messaging Platforms - Uncategorized, @_mr_touch. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289"", ""Sources"": [""XV7DoD"", ""Ym7dzt"", ""LKKAV1"", ""VeioBt"", ""Y7TWfI"", ""KGS-xC""], ""Timestamp"": ""2019-05-28T14:17:41.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""119 sightings on 42 sources including: Malware-Traffic-Analysis.net - Blog Entries, Doc Player, GhostBin, Data Breach Today.eu | Updates, Codex - Recent changes en. 43 related malware families including Dardesh, AZORult, Emotet, Ryuk Ransomware, GandCrab. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se vocĆŖ jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. 
TĆ“ rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321"", ""Sources"": [""TvGJYk"", ""LErKlJ"", ""QWOrKl"", ""LKKAV1"", ""W4ygGi"", ""PATKM7"", ""T1bwMv"", ""TY6igj"", ""LjkJhE"", ""kuKt0c"", ""QAy9GA"", ""LbYmLr"", ""K20lXV"", ""QZe7TG"", ""idn:droppdf.com"", ""QAmbRP"", ""V_o1DL"", ""TbciDE"", ""XV7DoD"", ""P_j5Dw"", ""QNmgPm"", ""TGXqeD"", ""KGS-xC"", ""L3kVdM"", ""QMfGAr"", ""h6VVAH"", ""doLlw5"", ""UrsUKT"", ""JOU"", ""MIKjae"", ""P_oIyV"", ""QJ6TQK"", ""RfVd0T"", ""J6UzbO"", ""Ql9O5c"", ""USKpXp"", ""TP1vbk"", ""SrKvJ0"", ""Tq2nAb"", ""P_ov9o"", ""VXaDYo"", ""idn:index-of.es""], ""Timestamp"": ""2021-11-27T23:07:37.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Reported by DHS AIS"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-12195723-7c56-4c63-b828-fc340dd4050a (Dec 20, 2018)."", ""Sources"": [""UZNze8""], ""Timestamp"": ""2018-12-20T21:13:36.000Z"", ""Name"": ""dhsAis"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""5 sightings on 3 sources: Malware-Traffic-Analysis.net - Blog Entries, ReversingLabs, PolySwarm. 
Most recent link (Dec 15, 2018): https://www.malware-traffic-analysis.net/2018/12/14/index.html"", ""Sources"": [""LErKlJ"", ""TbciDE"", ""doLlw5""], ""Timestamp"": ""2020-07-11T09:55:23.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71","SHA-256","89","7/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""28 sightings on 8 sources including: Dancho Danchev's Blog, SecureWorks, Talos Intel, Unit 42 Palo Alto Networks, Cisco Japan Blog. Most recent link (Mar 12, 2021): https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group?es_p=13420131"", ""Sources"": [""JfqIbv"", ""Z2mQh2"", ""PA-rR4"", ""jjf3_B"", ""clDYM8"", ""T5"", ""rN"", ""J5NRun""], ""Timestamp"": ""2021-03-12T20:30:37.672Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""69 sightings on 18 sources including: Stock market news Company News MarketScreenercom, HackDig Posts, Sesin at, US CERT CISA Alerts, citizensudo.com. 6 related attack vectors including Powershell Attack, Supply Chain Attack, Target Destination Manipulation, Reconnaissance, C&C Server. 
Most recent link (Apr 15, 2021): https://www.cisa.gov/uscert/ncas/alerts/aa20-352a"", ""Sources"": [""XBl0xf"", ""POs2u-"", ""Z3TZAQ"", ""hhY_oz"", ""idn:citizensudo.com"", ""VKz42X"", ""PA-rR4"", ""POs2tz"", ""idn:firsthackersnews.com"", ""KcjdRW"", ""dCotni"", ""idn:comodo.com"", ""gI8s5W"", ""hibUwt"", ""rN"", ""idn:reportcybercrime.com"", ""idn:eshielder.com"", ""idn:edsitrend.com""], ""Timestamp"": ""2021-04-15T00:00:00.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Vulnerability"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""11 sightings on 2 sources: GitHub, Insikt Group. 5 related cyber vulnerabilities: CWE-20, CWE-287, CVE-2020-10148, CVE-2020-1938, CWE-269. Most recent link (Dec 27, 2021): https://github.com/teamt5-it/official-website-v2/blob/master/_site/_next/data/64e2c6f134e73517d6ff737822e83cd75cf633c6/tw/posts/ithome-ghostcat-apache-tomcat-ajp-vulnerability.json"", ""Sources"": [""MIKjae"", ""VKz42X""], ""Timestamp"": ""2021-12-27T07:36:54.000Z"", ""Name"": ""linkedToVuln"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""175 sightings on 31 sources including: 4-traders.com, SentinelLabs, Sesin at, Cisco Japan Blog, McAfee. 8 related malware families including WebShell, Ransomware, Backdoor, Backdoor Shell, SUNBURST. Most recent tweet: Malcode highlighted in 'App_Web_logoimagehandler.ashx.b6031896.dll' (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71) #SolarWinds #SUNBURST https://t.co/lyvnVHuTb2. 
Most recent link (Dec 16, 2020): https://twitter.com/_mynameisgeff/statuses/1339070792705830913"", ""Sources"": [""TuWseX"", ""KBTQ2e"", ""eP3CYX"", ""Z3TZAQ"", ""clDYM8"", ""rN"", ""VKz42X"", ""idn:elemendar.com"", ""idn:securitysummitperu.com"", ""PA-rR4"", ""idn:terabitweb.com"", ""eTNyK6"", ""gBQB48"", ""bMZlEg"", ""idn:edsitrend.com"", ""idn:infoblox.com"", ""UZNze8"", ""Z2mQh2"", ""XBl0xf"", ""dCpZqs"", ""jmpFm1"", ""T5"", ""doLlw5"", ""gBDK5G"", ""MIKjae"", ""idn:firsthackersnews.com"", ""jjf3_B"", ""Jv_xrR"", ""dCotni"", ""idn:comodo.com"", ""hibUwt""], ""Timestamp"": ""2020-12-16T04:52:10.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Reported by DHS AIS"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA20-352A APT Compromise of Govt Agencies, Critical Infrastructure, and Private Sector Organizations, from CISA, Government Facilities Sector, CISA, Government Facilities Sector, NCCIC:STIX_Package-673aacd1-1852-4d44-bd93-0c44940a6358 (Feb 3, 2021)."", ""Sources"": [""UZNze8""], ""Timestamp"": ""2021-02-03T21:32:08.000Z"", ""Name"": ""dhsAis"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""6 sightings on 2 sources: Sophos Virus and Spyware Threats, PolySwarm. Most recent link (Dec 17, 2020): https://news.sophos.com/fr-fr/2020/12/15/cyberattaque-contre-solarwinds-comment-savoir-si-vous-etes-concerne/"", ""Sources"": [""K16tAG"", ""doLlw5""], ""Timestamp"": ""2020-12-20T15:18:53.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""13 sightings on 1 source: Insikt Group. 4 reports including Researchers Linked Supernova Malware to Spiral Group. 
Most recent link (Mar 08, 2021): https://app.recordedfuture.com/live/sc/5DIp4RIUiJz6"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-03-08T00:00:00.000Z"", ""Name"": ""analystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"b66db3a06c2955a9cb71a8718970c592","MD5","89","5/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""10 sightings on 7 sources including: ISC Sans Diary Archive, SecureWorks, InfoCON: green, ISC | Latest Headlines, SANS Internet Storm Center. Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html"", ""Sources"": [""TCw6v6"", ""Z2mQh2"", ""2d"", ""cJuZvt"", ""JYxY8X"", ""J2_htN"", ""jXNbON""], ""Timestamp"": ""2021-12-20T04:54:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""6 sightings on 5 sources: GitHub, SANS Internet Storm Center, Messaging Platforms - Uncategorized, @decalage2, @simonwargniez. 3 related attack vectors: Remote Code Execution, Zero Day Exploit, Cyberattack. Most recent tweet: Great lists of software affected by #Log4Shell / CVE-2021-44228 / Log4J RCE: https://t.co/TpEQXKgMGW by @ncsc_nl https://t.co/FA5i8zR5Z1 by @CISAgov https://t.co/0xVZJvMcpU by @SwitHak https://t.co/788knvztWV https://t.co/WMkXslhgWS #log4j #log4j2. Most recent link (Dec 15, 2021): https://twitter.com/decalage2/statuses/1471121875816353800"", ""Sources"": [""LUf99I"", ""MIKjae"", ""JYxY8X"", ""Y7TWfI"", ""KIRe_w""], ""Timestamp"": ""2021-12-15T14:16:01.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Vulnerability"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""108 sightings on 78 sources including: bund.de, tistory.com, PasteBin, Sesin at, Messaging Platforms - Uncategorized. 
24 related cyber vulnerabilities including CWE-22, CWE-611, CVE-2019-19781, CVE-2020-16898, CWE-20. Most recent tweet: Security advisories, bulletins, and vendor responses related to Log4Shell #Log4Shell #Log4j #cybersecurity #infosec #vendorsecurity https://t.co/Vpwrhdppm7. Most recent link (Dec 22, 2021): https://twitter.com/arrgibbs/statuses/1473733864459841538"", ""Sources"": [""VQpQDR"", ""KFu3Rc"", ""LUf99I"", ""SGCsBG"", ""U94lUG"", ""KFcv42"", ""QT0CFv"", ""UHvtcg"", ""KFUbjU"", ""KHwUI5"", ""KKSt8d"", ""idn:bund.de"", ""VmIbAC"", ""QGT0Vy"", ""ejfM20"", ""KGlTEd"", ""QCoXJo"", ""RXSwU8"", ""idn:tistory.com"", ""LpdVul"", ""K-eKsL"", ""TKYCSz"", ""SkABVK"", ""SdGk_x"", ""LI6d7O"", ""LQIfBf"", ""U6B2hC"", ""f7_CfD"", ""LKt0HB"", ""RHS4v8"", ""KKmN5m"", ""YfJqp2"", ""Jv_xrR"", ""RJ2_NX"", ""VZXzSv"", ""k0QC11"", ""KFWBRs"", ""LRk_pt"", ""Qn2VRQ"", ""kGHFKP"", ""ShBO5M"", ""T-GSBp"", ""KNdyHF"", ""QLCTXP"", ""Z3TZAQ"", ""Khf99v"", ""KHZhjO"", ""SHH61D"", ""Knx_su"", ""LL8-pr"", ""QpmWTf"", ""KIRe_w"", ""QIea7F"", ""SlhG3F"", ""KIdj8R"", ""SQqKS8"", ""Lq6DNq"", ""QpYsBa"", ""d-ZMP2"", ""LOoye8"", ""QEUmiJ"", ""ewfPjC"", ""LBNFpV"", ""QTpbKE"", ""Y7TWfI"", ""KGS-xC"", ""eifkGz"", ""au2SGr"", ""SKw4tT"", ""KGW5kn"", ""Q9y5Ki"", ""KGxw1d"", ""MIKjae"", ""LO5p1C"", ""JYxY8X"", ""KJsMEF"", ""QBLBHH"", ""k7WJ2k""], ""Timestamp"": ""2021-12-22T19:15:08.000Z"", ""Name"": ""linkedToVuln"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""11 sightings on 3 sources: bund.de, SANS Internet Storm Center, Sesin at. 2 related malware families: Ransomware, Botnet. 
Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html"", ""Sources"": [""idn:bund.de"", ""JYxY8X"", ""Z3TZAQ""], ""Timestamp"": ""2021-12-20T04:54:00.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Naked Security. Most recent link (Dec 18, 2021): https://news.sophos.com/en-us/2021/12/17/log4shell-response-and-mitigation-recommendations/"", ""Sources"": [""J2_htN""], ""Timestamp"": ""2021-12-18T00:20:04.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","SHA-256","89","8/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""91 sightings on 19 sources including: Security News Concentrator, Fortinet, Trend Micro, CrowdStrike, FireEye Threat Research Blog. Most recent link (Dec 20, 2019): https://threatvector.cylance.com/en_us/home/threat-spotlight-petya-like-ransomware-is-nasty-wiper.html"", ""Sources"": [""QS89Bd"", ""KVP0jz"", ""T5"", ""JYxY5G"", ""WR_Ohh"", ""Jt4ExJ"", ""Kzw0Pm"", ""JQH96m"", ""2d"", ""JYxY8X"", ""rN"", ""PA-rR4"", ""VyWQM7"", ""Lp_esG"", ""ONMgMx"", ""4n"", ""QMTzEI"", ""83"", ""K0TN7r""], ""Timestamp"": ""2019-12-20T01:04:11.602Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 6, 2017, and Jul 17, 2017."", ""Sources"": [""report:Tluf00""], ""Timestamp"": ""2021-12-24T20:03:09.087Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""14 sightings on 5 sources including: Assiste.Forum, @arturodicorinto. 2 related attack vectors: ShellCode, Cyberattack. Most recent tweet: They're getting quicker at updating.. #petya #cyberattack https://t.co/px0g9BSpod. Most recent link (Jun 27, 2017): https://twitter.com/SupersizedSam/statuses/879764638845587461"", ""Sources"": [""LP7dc7"", ""LRlngp"", ""Sl8XTb"", ""QMfGAr"", ""J-y3tn""], ""Timestamp"": ""2017-06-27T18:13:29.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Vulnerability"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: GitHub. 2 related cyber vulnerabilities: CWE-20, CVE-2017-0143. Most recent link (Oct 10, 2021): https://github.com/demisto/content/blob/master/Packs/RecordedFuture/Integrations/RecordedFuture/example_commands.txt"", ""Sources"": [""MIKjae""], ""Timestamp"": ""2021-10-10T08:21:25.825Z"", ""Name"": ""linkedToVuln"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""10 sightings on 9 sources including: BitcoinTalk.org, @Noemi_hcke. Most recent tweet: #petya related hashes in #virustotal https://t.co/Cv7Pltjhia https://t.co/P3otYPoxBj #ransomware #malware #sha256. 
Most recent link (Jun 28, 2017): https://twitter.com/Menardconnect/statuses/879885997831368705"", ""Sources"": [""ThowaF"", ""KUtKjP"", ""K84j7t"", ""MghdWI"", ""K8rrfe"", ""QlWPRW"", ""KFsPRz"", ""S-Anbb"", ""KE9dMF""], ""Timestamp"": ""2017-06-28T02:15:44.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""834 sightings on 201 sources including: New Jersey Cybersecurity & Communications Integration Cell, lnkd.in, avtech24h.com, Malwr.com, Talos Intel. 21 related malware families including ICS Malware, PetrWrap, Emotet, Trojan, NotPetya. Most recent tweet: #ransomware 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 f65a7dadff844f2dc44a3bd43e1c0d600b1a6c66f6d02734d8f385872ccab0bc b6e8dc95ec939a1f3b184da559c8010ab3dc773e426e63e5aa7ffc44174d8a9d 9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08. Most recent link (Apr 9, 2021): https://twitter.com/RedBeardIOCs/statuses/1380600677249003521"", ""Sources"": [""jbVMcB"", ""idn:lnkd.in"", ""idn:avtech24h.com"", ""K84j7t"", ""Sl8XTb"", ""KGRhOC"", ""NKaUXl"", ""KIoGAG"", ""PA-rR4"", ""LRlngp"", ""rN"", ""Jxh46H"", ""KFL44X"", ""TbciDE"", ""KFNVB9"", ""OJpx5g"", ""K-CGye"", ""KK6oqV"", ""WR_Ohh"", ""idn:twitter.com"", ""fgwEcq"", ""QYsx0D"", ""KIFtR_"", ""Lp_esG"", ""TSFWTw"", ""KGHzAY"", ""P_oEH3"", ""KBTQ2e"", ""QCGHCy"", ""JYxY5G"", ""UQsrUj"", ""idn:cert.ro"", ""idn:bluvector.io"", ""KFUJTL"", ""TFUkSW"", ""P0Gs9I"", ""K8ofB1"", ""KVnnHP"", ""TpaXxw"", ""U5qdTI"", ""idn:zscaler.com"", ""L3kVdM"", ""QMfGAr"", ""KIk8aS"", ""Kzw0Pm"", ""hcELIE"", ""POs2tz"", ""KD6Na4"", ""idn:globalsecuritymag.com"", ""LDd0sl"", ""KVP0jz"", ""Lj8CsQ"", ""K8rrfe"", ""LDejRI"", ""J-y3tn"", ""WXutod"", ""idn:infosecurityfactory.nl"", ""LBlc7C"", ""idn:bg.org.tr"", ""QS89Bd"", ""K9SiDc"", ""Qe89bv"", ""TiY1wu"", ""idn:undernews.fr"", ""idn:iteefactory.nl"", ""KFRGd_"", 
""KFVuR_"", ""4n"", ""S-Anbb"", ""KFNZEC"", ""TSazOG"", ""K9Skh1"", ""MghdWI"", ""idn:securityiscoming.com"", ""QS89BG"", ""LVg9nH"", ""KFiGli"", ""K9Vq9B"", ""KLbNtt"", ""VyWQM7"", ""NTakwX"", ""KGoarP"", ""idn:gelsene.net"", ""LwURWv"", ""KGX8VB"", ""ThoB0I"", ""TAIz7D"", ""QBHQ61"", ""TiY1w7"", ""idn:kompasiana.com"", ""idn:t.co"", ""KfDTG0"", ""idn:ictsecuritymagazine.com"", ""Liz5-u"", ""MIKjae"", ""JYxY8X"", ""KUtKjP"", ""idn:cert.pl"", ""Lpm4nc"", ""idn:boozallen.com"", ""RVFHk_"", ""KGmazP"", ""M_7iBk"", ""TStw1W"", ""LFcJLk"", ""K0TN7r"", ""KVRURg"", ""UNe62M"", ""iL8bPu"", ""K76BjK"", ""VRixQe"", ""idn:dfir.pro"", ""KF-l77"", ""idn:gixtools.net"", ""P_oIyV"", ""KGzicb"", ""LGryD9"", ""idn:fb.me"", ""K5nCn5"", ""ThKuX0"", ""SYrUYn"", ""KFKbZE"", ""MAe5tQ"", ""KGm6gS"", ""W4ygGi"", ""g9rk5F"", ""idn:menshaway.blogspot.com"", ""KFsPRz"", ""LDm9iS"", ""RV8KWp"", ""KTuH6e"", ""P_uJi3"", ""KG_Bgt"", ""QAmbRP"", ""idn:csirt.cz"", ""LZYvHh"", ""L0HtmN"", ""KWLqO-"", ""LtUj1D"", ""QMTzDr"", ""idn:dy.si"", ""Lo8Box"", ""K-4reD"", ""KFTeBZ"", ""KKzFno"", ""QMTzEI"", ""KFYLd8"", ""KGABt4"", ""LIizBt"", ""idn:herjavecgroup.com"", ""QAAZRn"", ""K66Zgw"", ""KWz-My"", ""Lb0b3F"", ""idn:emsisoft.vn"", ""LodOTm"", ""KE9dMF"", ""O-Wf5x"", ""LG2dQX"", ""P_-RZy"", ""LK7o9D"", ""K60PUk"", ""KKUqfz"", ""idn:logrhythm.com"", ""Jv_xrR"", ""LP7dc7"", ""MFNOaz"", ""TefIES"", ""KGdGg3"", ""KHNdvY"", ""QBTxvB"", ""idn:swordshield.com"", ""ThowaF"", ""idn:binarydefense.com"", ""idn:indusface.com"", ""QBtnC2"", ""QlWPRW"", ""KHZhjO"", ""idn:idcloudhost.com"", ""LRFVsB"", ""KG2JTH"", ""KIm1im"", ""LAfpKN"", ""BaV"", ""KGW3VP"", ""KFcp5q"", ""LCN_6T"", ""idn:avastvn.com"", ""KFTnbG"", ""TiCWjw"", ""Lmhpq3"", ""KGS-xC"", ""KFVthB"", ""idn:finyear.com"", ""KFji4N"", ""P_7M19"", ""K-b0DI"", ""LV1UMS"", ""idn:safe-cyberdefense.com"", ""Kjk3fx"", ""Q1wlJN""], ""Timestamp"": ""2021-04-09T19:17:06.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, 
{""Rule"": ""Reported by DHS AIS"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-21cebba6-46ed-464e-ad5a-32a8063e1400 (Jun 27, 2017)."", ""Sources"": [""UZNze8""], ""Timestamp"": ""2017-06-27T17:18:01.000Z"", ""Name"": ""dhsAis"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. Most recent link (Jun 27, 2017): ReversingLabs malware file analysis."", ""Sources"": [""TAIz7D"", ""TbciDE"", ""doLlw5""], ""Timestamp"": ""2020-12-17T22:59:03.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"ad2ad0249fafe85877bc79a01e1afd1a44d983c064ad8cb5bc694d29d166217b","SHA-256","89","5/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561"", ""Sources"": [""Rlso4a"", ""hkE5DK"", ""TZRwk8"", ""J5NRun""], ""Timestamp"": ""2021-12-21T08:40:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. 
Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752"", ""Sources"": [""WlbRkJ"", ""ha2FFj"", ""K7wUX2"", ""P_ivKa"", ""J-mrOR"", ""P_upBR""], ""Timestamp"": ""2021-12-25T03:23:47.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429"", ""Sources"": [""Y7TWfI""], ""Timestamp"": ""2021-10-18T12:09:43.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""47 sightings on 16 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 18 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se vocĆŖ jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. TĆ“ rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321"", ""Sources"": [""TGXqeD"", ""W4ygGi"", ""L3kVdM"", ""QMfGAr"", ""kuKt0c"", ""QAy9GA"", ""JOU"", ""MIKjae"", ""P_oIyV"", ""QJ6TQK"", ""idn:droppdf.com"", ""Ql9O5c"", ""QAmbRP"", ""Tq2nAb"", ""TbciDE"", ""idn:index-of.es""], ""Timestamp"": ""2021-11-27T23:07:37.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: ReversingLabs. Most recent link (Jul 1, 2019): ReversingLabs malware file analysis."", ""Sources"": [""TbciDE""], ""Timestamp"": ""2019-07-01T00:00:00.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a","SHA-256","89","5/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Trend Micro. Most recent link (Mar 11, 2021): https://documents.trendmicro.com/assets/pdf/Technical_Brief_Uncleanable_and_Unkillable_The_Evolution_of_IoT_Botnets_Through_P2P_Networking.pdf"", ""Sources"": [""T5""], ""Timestamp"": ""2021-03-11T00:00:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""31 sightings on 4 sources: @m0rb, @bad_packets, @InfoSex11, @luc4m. 2 related attack vectors: DDOS, Command Injection. Most recent tweet: 2021-06-17T23:29:30 - Commented: https://t.co/j2a05iXOiI #malware #commandinjection. 
Most recent link (Jun 17, 2021): https://twitter.com/m0rb/statuses/1405668962462011401"", ""Sources"": [""KFwzec"", ""TGgDPZ"", ""cgGiXI"", ""LMcjZ7""], ""Timestamp"": ""2021-06-17T23:29:31.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""3 sightings on 2 sources: @bad_packets, @swarmdotmarket. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155"", ""Sources"": [""TGgDPZ"", ""UBjcy3""], ""Timestamp"": ""2020-04-20T21:22:47.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""87 sightings on 15 sources including: lumen.com, HackDig Posts, Anquanke News, Daily Dot, centurylink.com. 7 related malware families including Mozi Botnet, Trojan, Qbot, Mirai, DDOS Toolkit. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec. 
Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155"", ""Sources"": [""idn:lumen.com"", ""POs2u-"", ""U13S_U"", ""Jzl3yj"", ""idn:centurylink.com"", ""doLlw5"", ""POs2t2"", ""idn:cyberswachhtakendra.gov.in"", ""idn:hackxsecurity.com"", ""TGgDPZ"", ""Jv_xrR"", ""TSFWTv"", ""LMcjZ7"", ""UBjcy3"", ""TbciDE""], ""Timestamp"": ""2020-04-20T21:22:47.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. Most recent link (Nov 28, 2019): ReversingLabs malware file analysis."", ""Sources"": [""TAIz7D"", ""TbciDE"", ""doLlw5""], ""Timestamp"": ""2021-04-04T07:46:20.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e","SHA-256","89","6/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""45 sightings on 9 sources including: Security Bloggers Network, Bleeping Computer, Guided Collection, Bleepingcomputer Forums, TheServerSide.com | Updates. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561"", ""Sources"": [""NSAcUx"", ""J6UzbO"", ""Rlso4a"", ""hkE5DK"", ""cJMUDF"", ""TZRwk8"", ""QMTzEI"", ""LUhTGd"", ""J5NRun""], ""Timestamp"": ""2021-12-21T08:40:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""29 sightings on 24 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @rpsanch, @rce_coder. 
7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752"", ""Sources"": [""T1bwMv"", ""LC-zVm"", ""P_upBR"", ""T2OA5Q"", ""K20lXV"", ""TGgDPZ"", ""hkIDTa"", ""LqRZCN"", ""Vd51cf"", ""ha2FFj"", ""UmsU31"", ""ddafo3"", ""K7wUX2"", ""P_ivKa"", ""idn:wordpress.com"", ""J-mrOR"", ""QPbAan"", ""VeioBt"", ""WlbRkJ"", ""TvfQzk"", ""TP1vbk"", ""SrKvJ0"", ""SqCj4s"", ""VXaDYo""], ""Timestamp"": ""2021-12-25T03:23:47.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Vulnerability"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: Messaging Platforms - Uncategorized. 2 related cyber vulnerabilities: CVE-2016-6663, CWE-362."", ""Sources"": [""Y7TWfI""], ""Timestamp"": ""2021-12-29T07:27:12.565Z"", ""Name"": ""linkedToVuln"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""10 sightings on 7 sources including: SANS Institute Course Selector Results, Messaging Platforms - Uncategorized, @ecstatic_nobel, @Artilllerie. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. 
Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289"", ""Sources"": [""Ym7dzt"", ""LKKAV1"", ""OuKV3V"", ""VeioBt"", ""Y7TWfI"", ""KGS-xC"", ""KFSXln""], ""Timestamp"": ""2019-05-28T14:17:41.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""114 sightings on 42 sources including: Doc Player, GhostBin, Codex - Recent changes en, droppdf.com, ReversingLabs. 41 related malware families including Dardesh, AZORult, Emotet, GandCrab, Offensive Security Tools (OST). Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se vocĆŖ jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. TĆ“ rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321"", ""Sources"": [""QWOrKl"", ""LKKAV1"", ""W4ygGi"", ""PATKM7"", ""T1bwMv"", ""LjkJhE"", ""kuKt0c"", ""QAy9GA"", ""LbYmLr"", ""K20lXV"", ""QZe7TG"", ""idn:droppdf.com"", ""QAmbRP"", ""TbciDE"", ""P_j5Dw"", ""QNmgPm"", ""TGXqeD"", ""POs2u-"", ""KGS-xC"", ""L3kVdM"", ""QMfGAr"", ""h6VVAH"", ""doLlw5"", ""UrsUKT"", ""JOU"", ""MIKjae"", ""P_oIyV"", ""QJ6TQK"", ""RfVd0T"", ""J6UzbO"", ""POs2tz"", ""VfsacJ"", ""Jv_xrR"", ""Ql9O5c"", ""USKpXp"", ""TP1vbk"", ""SrKvJ0"", ""Tq2nAb"", ""KFSXln"", ""P_ov9o"", ""VXaDYo"", ""idn:index-of.es""], ""Timestamp"": ""2021-11-27T23:07:37.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 19, 2018): ReversingLabs malware file analysis."", ""Sources"": [""TbciDE"", ""doLlw5""], ""Timestamp"": ""2021-02-10T09:10:10.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b","SHA-256","89","3/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""58 sightings on 5 sources: SecureWorks, InfoCON: green, McAfee, Talos Intel, Kaspersky Securelist and Lab. Most recent link (Jun 28, 2018): https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US/McAfee_Labs_WannaCry_June24_2018.pdf"", ""Sources"": [""Z2mQh2"", ""2d"", ""rN"", ""PA-rR4"", ""4n""], ""Timestamp"": ""2018-06-28T08:11:36.570Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1688 sightings on 26 sources including: lnkd.in, Doc Player, Cyber4Sight, voicebox.pt, VKontakte. 2 related malware families: Wcry, Ransomware. 
Most recent link (Sep 13, 2017): https://malwr.com/analysis/ZmIzN2E3MzQyM2I0NDYwODllOWRhMmQxODg3YzMxZDA/"", ""Sources"": [""idn:lnkd.in"", ""W4ygGi"", ""S2tpaX"", ""idn:voicebox.pt"", ""SIjHV9"", ""PJHGaq"", ""PA-rR4"", ""Z2mQh2"", ""e_"", ""idn:gofastbuy.com"", ""idn:ziftsolutions.com"", ""POs2u-"", ""KHpcuE"", ""QccsRc"", ""idn:dfir.pro"", ""idn:nksc.lt"", ""idn:dy.si"", ""KZFCph"", ""rN"", ""QYsx0D"", ""idn:logrhythm.com"", ""Jv_xrR"", ""idn:safe-cyberdefense.com"", ""4n"", ""QS89Bx"", ""NKaUXl""], ""Timestamp"": ""2017-09-13T00:00:00.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""2 sightings on 1 source: Recorded Future Malware Detonation."", ""Sources"": [""TAIz7D""], ""Timestamp"": ""2020-10-13T10:46:31.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce","SHA-256","89","5/14","{""EvidenceDetails"": [{""Rule"": ""Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561"", ""Sources"": [""Rlso4a"", ""hkE5DK"", ""TZRwk8"", ""J5NRun""], ""Timestamp"": ""2021-12-21T08:40:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Linked to Attack Vector"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. 
Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752"", ""Sources"": [""WlbRkJ"", ""ha2FFj"", ""K7wUX2"", ""P_ivKa"", ""J-mrOR"", ""P_upBR""], ""Timestamp"": ""2021-12-25T03:23:47.000Z"", ""Name"": ""linkedToVector"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Cyber Attack"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429"", ""Sources"": [""Y7TWfI""], ""Timestamp"": ""2021-10-18T12:09:43.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Linked to Malware"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""43 sightings on 14 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 19 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: RT @demonslay335: #STOP #Djvu #Ransomware extension \"".mogera\"" (v090): https://t.co/wlMcSE2EHj | https://t.co/XAYkOoOReU. 
Most recent link (May 27, 2019): https://twitter.com/DrolSecurity/statuses/1133117241388621825"", ""Sources"": [""TGXqeD"", ""W4ygGi"", ""L3kVdM"", ""QMfGAr"", ""QAy9GA"", ""JOU"", ""MIKjae"", ""P_oIyV"", ""QJ6TQK"", ""idn:droppdf.com"", ""Ql9O5c"", ""QAmbRP"", ""Tq2nAb"", ""idn:index-of.es""], ""Timestamp"": ""2019-05-27T21:06:17.000Z"", ""Name"": ""linkedToMalware"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Positive Malware Verdict"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: PolySwarm. Most recent link (Mar 8, 2021): https://polyswarm.network/scan/results/file/85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce"", ""Sources"": [""doLlw5""], ""Timestamp"": ""2021-03-08T13:00:15.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 3.0}]}" diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log-expected.json deleted file mode 100644 index 29d9aea5210..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_hash_default.csv.log-expected.json +++ /dev/null 
@@ -1,1441 +0,0 @@ -[ - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 57, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "32 sightings on 27 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @neonprimetime, @rpsanch. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "T1bwMv", - "LC-zVm", - "QFvaUy", - "P_upBR", - "T2OA5Q", - "K20lXV", - "TGgDPZ", - "hkIDTa", - "LqRZCN", - "Vd51cf", - "ha2FFj", - "UmsU31", - "K7wUX2", - "P_ivKa", - "Qj3TQr", - "idn:wordpress.com", - "J-mrOR", - "QPbAan", - "VeioBt", - "WlbRkJ", - "K7sErA", - "TvfQzk", - "TP1vbk", - "SrKvJ0", - "SqCj4s", - "VXaDYo", - "bk2VX4" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: Messaging Platforms - Uncategorized, @_mr_touch. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. 
Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "XV7DoD", - "Ym7dzt", - "LKKAV1", - "VeioBt", - "Y7TWfI", - "KGS-xC" - ], - "Timestamp": "2019-05-28T14:17:41.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "119 sightings on 42 sources including: Malware-Traffic-Analysis.net - Blog Entries, Doc Player, GhostBin, Data Breach Today.eu | Updates, Codex - Recent changes en. 43 related malware families including Dardesh, AZORult, Emotet, Ryuk Ransomware, GandCrab. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. 
Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TvGJYk", - "LErKlJ", - "QWOrKl", - "LKKAV1", - "W4ygGi", - "PATKM7", - "T1bwMv", - "TY6igj", - "LjkJhE", - "kuKt0c", - "QAy9GA", - "LbYmLr", - "K20lXV", - "QZe7TG", - "idn:droppdf.com", - "QAmbRP", - "V_o1DL", - "TbciDE", - "XV7DoD", - "P_j5Dw", - "QNmgPm", - "TGXqeD", - "KGS-xC", - "L3kVdM", - "QMfGAr", - "h6VVAH", - "doLlw5", - "UrsUKT", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "RfVd0T", - "J6UzbO", - "Ql9O5c", - "USKpXp", - "TP1vbk", - "SrKvJ0", - "Tq2nAb", - "P_ov9o", - "VXaDYo", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Malware-Traffic-Analysis.net - Blog Entries, ReversingLabs, PolySwarm. Most recent link (Dec 15, 2018): https://www.malware-traffic-analysis.net/2018/12/14/index.html", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "LErKlJ", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2020-07-11T09:55:23.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-12195723-7c56-4c63-b828-fc340dd4050a (Dec 20, 2018).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2018-12-20T21:13:36.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "50 sightings on 10 sources including: Security Bloggers Network, TechTarget Search Security, Bleeping Computer, Guided Collection, Bleepingcomputer Forums. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "NSAcUx", - "KCdHcb", - "J6UzbO", - "Rlso4a", - "hkE5DK", - "cJMUDF", - "TZRwk8", - "QMTzEI", - "LUhTGd", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "6/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "38e992eb852ab0c4ac03955fb0dc9bb38e64010fdf9c05331d2b02b6e05689c2", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 5220, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "69 sightings on 18 sources including: Stock market news Company News MarketScreenercom, HackDig Posts, Sesin at, US CERT CISA Alerts, citizensudo.com. 6 related attack vectors including Powershell Attack, Supply Chain Attack, Target Destination Manipulation, Reconnaissance, C&C Server. 
Most recent link (Apr 15, 2021): https://www.cisa.gov/uscert/ncas/alerts/aa20-352a", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "XBl0xf", - "POs2u-", - "Z3TZAQ", - "hhY_oz", - "idn:citizensudo.com", - "VKz42X", - "PA-rR4", - "POs2tz", - "idn:firsthackersnews.com", - "KcjdRW", - "dCotni", - "idn:comodo.com", - "gI8s5W", - "hibUwt", - "rN", - "idn:reportcybercrime.com", - "idn:eshielder.com", - "idn:edsitrend.com" - ], - "Timestamp": "2021-04-15T00:00:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "175 sightings on 31 sources including: 4-traders.com, SentinelLabs, Sesin at, Cisco Japan Blog, McAfee. 8 related malware families including WebShell, Ransomware, Backdoor, Backdoor Shell, SUNBURST. Most recent tweet: Malcode highlighted in 'App_Web_logoimagehandler.ashx.b6031896.dll' (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71) #SolarWinds #SUNBURST https://t.co/lyvnVHuTb2. Most recent link (Dec 16, 2020): https://twitter.com/_mynameisgeff/statuses/1339070792705830913", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TuWseX", - "KBTQ2e", - "eP3CYX", - "Z3TZAQ", - "clDYM8", - "rN", - "VKz42X", - "idn:elemendar.com", - "idn:securitysummitperu.com", - "PA-rR4", - "idn:terabitweb.com", - "eTNyK6", - "gBQB48", - "bMZlEg", - "idn:edsitrend.com", - "idn:infoblox.com", - "UZNze8", - "Z2mQh2", - "XBl0xf", - "dCpZqs", - "jmpFm1", - "T5", - "doLlw5", - "gBDK5G", - "MIKjae", - "idn:firsthackersnews.com", - "jjf3_B", - "Jv_xrR", - "dCotni", - "idn:comodo.com", - "hibUwt" - ], - "Timestamp": "2020-12-16T04:52:10.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "11 sightings on 2 sources: GitHub, Insikt Group. 5 related cyber vulnerabilities: CWE-20, CWE-287, CVE-2020-10148, CVE-2020-1938, CWE-269. 
Most recent link (Dec 27, 2021): https://github.com/teamt5-it/official-website-v2/blob/master/_site/_next/data/64e2c6f134e73517d6ff737822e83cd75cf633c6/tw/posts/ithome-ghostcat-apache-tomcat-ajp-vulnerability.json", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "MIKjae", - "VKz42X" - ], - "Timestamp": "2021-12-27T07:36:54.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "6 sightings on 2 sources: Sophos Virus and Spyware Threats, PolySwarm. Most recent link (Dec 17, 2020): https://news.sophos.com/fr-fr/2020/12/15/cyberattaque-contre-solarwinds-comment-savoir-si-vous-etes-concerne/", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "K16tAG", - "doLlw5" - ], - "Timestamp": "2020-12-20T15:18:53.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA20-352A APT Compromise of Govt Agencies, Critical Infrastructure, and Private Sector Organizations, from CISA, Government Facilities Sector, CISA, Government Facilities Sector, NCCIC:STIX_Package-673aacd1-1852-4d44-bd93-0c44940a6358 (Feb 3, 2021).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2021-02-03T21:32:08.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "13 sightings on 1 source: Insikt Group. 4 reports including Researchers Linked Supernova Malware to Spiral Group. 
Most recent link (Mar 08, 2021): https://app.recordedfuture.com/live/sc/5DIp4RIUiJz6", - "MitigationString": "", - "Name": "analystNote", - "Rule": "Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-03-08T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "28 sightings on 8 sources including: Dancho Danchev's Blog, SecureWorks, Talos Intel, Unit 42 Palo Alto Networks, Cisco Japan Blog. Most recent link (Mar 12, 2021): https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group?es_p=13420131", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "JfqIbv", - "Z2mQh2", - "PA-rR4", - "jjf3_B", - "clDYM8", - "T5", - "rN", - "J5NRun" - ], - "Timestamp": "2021-03-12T20:30:37.672Z" - } - ], - "recordedfuture.risk_string": "7/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 10160, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 5 sources: GitHub, SANS Internet Storm Center, Messaging Platforms - Uncategorized, @decalage2, @simonwargniez. 3 related attack vectors: Remote Code Execution, Zero Day Exploit, Cyberattack. 
Most recent tweet: Great lists of software affected by #Log4Shell / CVE-2021-44228 / Log4J RCE: https://t.co/TpEQXKgMGW by @ncsc_nl https://t.co/FA5i8zR5Z1 by @CISAgov https://t.co/0xVZJvMcpU by @SwitHak https://t.co/788knvztWV https://t.co/WMkXslhgWS #log4j #log4j2. Most recent link (Dec 15, 2021): https://twitter.com/decalage2/statuses/1471121875816353800", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "LUf99I", - "MIKjae", - "JYxY8X", - "Y7TWfI", - "KIRe_w" - ], - "Timestamp": "2021-12-15T14:16:01.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "11 sightings on 3 sources: bund.de, SANS Internet Storm Center, Sesin at. 2 related malware families: Ransomware, Botnet. Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:bund.de", - "JYxY8X", - "Z3TZAQ" - ], - "Timestamp": "2021-12-20T04:54:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "108 sightings on 78 sources including: bund.de, tistory.com, PasteBin, Sesin at, Messaging Platforms - Uncategorized. 24 related cyber vulnerabilities including CWE-22, CWE-611, CVE-2019-19781, CVE-2020-16898, CWE-20. Most recent tweet: Security advisories, bulletins, and vendor responses related to Log4Shell #Log4Shell #Log4j #cybersecurity #infosec #vendorsecurity https://t.co/Vpwrhdppm7. 
Most recent link (Dec 22, 2021): https://twitter.com/arrgibbs/statuses/1473733864459841538", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "VQpQDR", - "KFu3Rc", - "LUf99I", - "SGCsBG", - "U94lUG", - "KFcv42", - "QT0CFv", - "UHvtcg", - "KFUbjU", - "KHwUI5", - "KKSt8d", - "idn:bund.de", - "VmIbAC", - "QGT0Vy", - "ejfM20", - "KGlTEd", - "QCoXJo", - "RXSwU8", - "idn:tistory.com", - "LpdVul", - "K-eKsL", - "TKYCSz", - "SkABVK", - "SdGk_x", - "LI6d7O", - "LQIfBf", - "U6B2hC", - "f7_CfD", - "LKt0HB", - "RHS4v8", - "KKmN5m", - "YfJqp2", - "Jv_xrR", - "RJ2_NX", - "VZXzSv", - "k0QC11", - "KFWBRs", - "LRk_pt", - "Qn2VRQ", - "kGHFKP", - "ShBO5M", - "T-GSBp", - "KNdyHF", - "QLCTXP", - "Z3TZAQ", - "Khf99v", - "KHZhjO", - "SHH61D", - "Knx_su", - "LL8-pr", - "QpmWTf", - "KIRe_w", - "QIea7F", - "SlhG3F", - "KIdj8R", - "SQqKS8", - "Lq6DNq", - "QpYsBa", - "d-ZMP2", - "LOoye8", - "QEUmiJ", - "ewfPjC", - "LBNFpV", - "QTpbKE", - "Y7TWfI", - "KGS-xC", - "eifkGz", - "au2SGr", - "SKw4tT", - "KGW5kn", - "Q9y5Ki", - "KGxw1d", - "MIKjae", - "LO5p1C", - "JYxY8X", - "KJsMEF", - "QBLBHH", - "k7WJ2k" - ], - "Timestamp": "2021-12-22T19:15:08.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Naked Security. Most recent link (Dec 18, 2021): https://news.sophos.com/en-us/2021/12/17/log4shell-response-and-mitigation-recommendations/", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "J2_htN" - ], - "Timestamp": "2021-12-18T00:20:04.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 7 sources including: ISC Sans Diary Archive, SecureWorks, InfoCON: green, ISC | Latest Headlines, SANS Internet Storm Center. 
Most recent link (Dec 20, 2021): https://www.jpcert.or.jp/english/at/2021/at210050.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "TCw6v6", - "Z2mQh2", - "2d", - "cJuZvt", - "JYxY8X", - "J2_htN", - "jXNbON" - ], - "Timestamp": "2021-12-20T04:54:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.md5": "b66db3a06c2955a9cb71a8718970c592", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 14254, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jul 6, 2017, and Jul 17, 2017.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Tluf00" - ], - "Timestamp": "2021-12-24T20:03:09.087Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "14 sightings on 5 sources including: Assiste.Forum, @arturodicorinto. 2 related attack vectors: ShellCode, Cyberattack. Most recent tweet: They're getting quicker at updating.. #petya #cyberattack https://t.co/px0g9BSpod. 
Most recent link (Jun 27, 2017): https://twitter.com/SupersizedSam/statuses/879764638845587461", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "LP7dc7", - "LRlngp", - "Sl8XTb", - "QMfGAr", - "J-y3tn" - ], - "Timestamp": "2017-06-27T18:13:29.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "10 sightings on 9 sources including: BitcoinTalk.org, @Noemi_hcke. Most recent tweet: #petya related hashes in #virustotal https://t.co/Cv7Pltjhia https://t.co/P3otYPoxBj #ransomware #malware #sha256. Most recent link (Jun 28, 2017): https://twitter.com/Menardconnect/statuses/879885997831368705", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "ThowaF", - "KUtKjP", - "K84j7t", - "MghdWI", - "K8rrfe", - "QlWPRW", - "KFsPRz", - "S-Anbb", - "KE9dMF" - ], - "Timestamp": "2017-06-28T02:15:44.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "834 sightings on 201 sources including: New Jersey Cybersecurity & Communications Integration Cell, lnkd.in, avtech24h.com, Malwr.com, Talos Intel. 21 related malware families including ICS Malware, PetrWrap, Emotet, Trojan, NotPetya. Most recent tweet: #ransomware 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 f65a7dadff844f2dc44a3bd43e1c0d600b1a6c66f6d02734d8f385872ccab0bc b6e8dc95ec939a1f3b184da559c8010ab3dc773e426e63e5aa7ffc44174d8a9d 9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08. 
Most recent link (Apr 9, 2021): https://twitter.com/RedBeardIOCs/statuses/1380600677249003521", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "jbVMcB", - "idn:lnkd.in", - "idn:avtech24h.com", - "K84j7t", - "Sl8XTb", - "KGRhOC", - "NKaUXl", - "KIoGAG", - "PA-rR4", - "LRlngp", - "rN", - "Jxh46H", - "KFL44X", - "TbciDE", - "KFNVB9", - "OJpx5g", - "K-CGye", - "KK6oqV", - "WR_Ohh", - "idn:twitter.com", - "fgwEcq", - "QYsx0D", - "KIFtR_", - "Lp_esG", - "TSFWTw", - "KGHzAY", - "P_oEH3", - "KBTQ2e", - "QCGHCy", - "JYxY5G", - "UQsrUj", - "idn:cert.ro", - "idn:bluvector.io", - "KFUJTL", - "TFUkSW", - "P0Gs9I", - "K8ofB1", - "KVnnHP", - "TpaXxw", - "U5qdTI", - "idn:zscaler.com", - "L3kVdM", - "QMfGAr", - "KIk8aS", - "Kzw0Pm", - "hcELIE", - "POs2tz", - "KD6Na4", - "idn:globalsecuritymag.com", - "LDd0sl", - "KVP0jz", - "Lj8CsQ", - "K8rrfe", - "LDejRI", - "J-y3tn", - "WXutod", - "idn:infosecurityfactory.nl", - "LBlc7C", - "idn:bg.org.tr", - "QS89Bd", - "K9SiDc", - "Qe89bv", - "TiY1wu", - "idn:undernews.fr", - "idn:iteefactory.nl", - "KFRGd_", - "KFVuR_", - "4n", - "S-Anbb", - "KFNZEC", - "TSazOG", - "K9Skh1", - "MghdWI", - "idn:securityiscoming.com", - "QS89BG", - "LVg9nH", - "KFiGli", - "K9Vq9B", - "KLbNtt", - "VyWQM7", - "NTakwX", - "KGoarP", - "idn:gelsene.net", - "LwURWv", - "KGX8VB", - "ThoB0I", - "TAIz7D", - "QBHQ61", - "TiY1w7", - "idn:kompasiana.com", - "idn:t.co", - "KfDTG0", - "idn:ictsecuritymagazine.com", - "Liz5-u", - "MIKjae", - "JYxY8X", - "KUtKjP", - "idn:cert.pl", - "Lpm4nc", - "idn:boozallen.com", - "RVFHk_", - "KGmazP", - "M_7iBk", - "TStw1W", - "LFcJLk", - "K0TN7r", - "KVRURg", - "UNe62M", - "iL8bPu", - "K76BjK", - "VRixQe", - "idn:dfir.pro", - "KF-l77", - "idn:gixtools.net", - "P_oIyV", - "KGzicb", - "LGryD9", - "idn:fb.me", - "K5nCn5", - "ThKuX0", - "SYrUYn", - "KFKbZE", - "MAe5tQ", - "KGm6gS", - "W4ygGi", - "g9rk5F", - "idn:menshaway.blogspot.com", - "KFsPRz", - "LDm9iS", - "RV8KWp", - "KTuH6e", - 
"P_uJi3", - "KG_Bgt", - "QAmbRP", - "idn:csirt.cz", - "LZYvHh", - "L0HtmN", - "KWLqO-", - "LtUj1D", - "QMTzDr", - "idn:dy.si", - "Lo8Box", - "K-4reD", - "KFTeBZ", - "KKzFno", - "QMTzEI", - "KFYLd8", - "KGABt4", - "LIizBt", - "idn:herjavecgroup.com", - "QAAZRn", - "K66Zgw", - "KWz-My", - "Lb0b3F", - "idn:emsisoft.vn", - "LodOTm", - "KE9dMF", - "O-Wf5x", - "LG2dQX", - "P_-RZy", - "LK7o9D", - "K60PUk", - "KKUqfz", - "idn:logrhythm.com", - "Jv_xrR", - "LP7dc7", - "MFNOaz", - "TefIES", - "KGdGg3", - "KHNdvY", - "QBTxvB", - "idn:swordshield.com", - "ThowaF", - "idn:binarydefense.com", - "idn:indusface.com", - "QBtnC2", - "QlWPRW", - "KHZhjO", - "idn:idcloudhost.com", - "LRFVsB", - "KG2JTH", - "KIm1im", - "LAfpKN", - "BaV", - "KGW3VP", - "KFcp5q", - "LCN_6T", - "idn:avastvn.com", - "KFTnbG", - "TiCWjw", - "Lmhpq3", - "KGS-xC", - "KFVthB", - "idn:finyear.com", - "KFji4N", - "P_7M19", - "K-b0DI", - "LV1UMS", - "idn:safe-cyberdefense.com", - "Kjk3fx", - "Q1wlJN" - ], - "Timestamp": "2021-04-09T19:17:06.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: GitHub. 2 related cyber vulnerabilities: CWE-20, CVE-2017-0143. Most recent link (Oct 10, 2021): https://github.com/demisto/content/blob/master/Packs/RecordedFuture/Integrations/RecordedFuture/example_commands.txt", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-10-10T08:21:25.825Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. 
Most recent link (Jun 27, 2017): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2020-12-17T22:59:03.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: STIX Package, from Anomali, Inc., Information Technology Sector, NCCIC:STIX_Package-21cebba6-46ed-464e-ad5a-32a8063e1400 (Jun 27, 2017).", - "MitigationString": "", - "Name": "dhsAis", - "Rule": "Reported by DHS AIS", - "Sources": [ - "UZNze8" - ], - "Timestamp": "2017-06-27T17:18:01.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "91 sightings on 19 sources including: Security News Concentrator, Fortinet, Trend Micro, CrowdStrike, FireEye Threat Research Blog. Most recent link (Dec 20, 2019): https://threatvector.cylance.com/en_us/home/threat-spotlight-petya-like-ransomware-is-nasty-wiper.html", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "QS89Bd", - "KVP0jz", - "T5", - "JYxY5G", - "WR_Ohh", - "Jt4ExJ", - "Kzw0Pm", - "JQH96m", - "2d", - "JYxY8X", - "rN", - "PA-rR4", - "VyWQM7", - "Lp_esG", - "ONMgMx", - "4n", - "QMTzEI", - "83", - "K0TN7r" - ], - "Timestamp": "2019-12-20T01:04:11.602Z" - } - ], - "recordedfuture.risk_string": "8/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - 
"event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 21796, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "WlbRkJ", - "ha2FFj", - "K7wUX2", - "P_ivKa", - "J-mrOR", - "P_upBR" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-10-18T12:09:43.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "47 sightings on 16 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 18 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. 
T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TGXqeD", - "W4ygGi", - "L3kVdM", - "QMfGAr", - "kuKt0c", - "QAy9GA", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "idn:droppdf.com", - "Ql9O5c", - "QAmbRP", - "Tq2nAb", - "TbciDE", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: ReversingLabs. Most recent link (Jul 1, 2019): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TbciDE" - ], - "Timestamp": "2019-07-01T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. 
Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Rlso4a", - "hkE5DK", - "TZRwk8", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "ad2ad0249fafe85877bc79a01e1afd1a44d983c064ad8cb5bc694d29d166217b", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 25113, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "31 sightings on 4 sources: @m0rb, @bad_packets, @InfoSex11, @luc4m. 2 related attack vectors: DDOS, Command Injection. Most recent tweet: 2021-06-17T23:29:30 - Commented: https://t.co/j2a05iXOiI #malware #commandinjection. Most recent link (Jun 17, 2021): https://twitter.com/m0rb/statuses/1405668962462011401", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "KFwzec", - "TGgDPZ", - "cgGiXI", - "LMcjZ7" - ], - "Timestamp": "2021-06-17T23:29:31.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "3 sightings on 2 sources: @bad_packets, @swarmdotmarket. 
Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "TGgDPZ", - "UBjcy3" - ], - "Timestamp": "2020-04-20T21:22:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "87 sightings on 15 sources including: lumen.com, HackDig Posts, Anquanke News, Daily Dot, centurylink.com. 7 related malware families including Mozi Botnet, Trojan, Qbot, Mirai, DDOS Toolkit. Most recent tweet: New #Mozi #malware targets #IoT devices -- research via @BlackLotusLabs -- Samples here in PolySwarm, free to download: https://t.co/JYkyEPPWmH https://t.co/jioPHPnJj9 #threatintel #botnet #infosec. Most recent link (Apr 20, 2020): https://twitter.com/PolySwarm/statuses/1252347003457073155", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:lumen.com", - "POs2u-", - "U13S_U", - "Jzl3yj", - "idn:centurylink.com", - "doLlw5", - "POs2t2", - "idn:cyberswachhtakendra.gov.in", - "idn:hackxsecurity.com", - "TGgDPZ", - "Jv_xrR", - "TSFWTv", - "LMcjZ7", - "UBjcy3", - "TbciDE" - ], - "Timestamp": "2020-04-20T21:22:47.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "5 sightings on 3 sources: Recorded Future Malware Detonation, ReversingLabs, PolySwarm. 
Most recent link (Nov 28, 2019): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D", - "TbciDE", - "doLlw5" - ], - "Timestamp": "2021-04-04T07:46:20.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Trend Micro. Most recent link (Mar 11, 2021): https://documents.trendmicro.com/assets/pdf/Technical_Brief_Uncleanable_and_Unkillable_The_Evolution_of_IoT_Botnets_Through_P2P_Networking.pdf", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "T5" - ], - "Timestamp": "2021-03-11T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "5/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 28352, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "29 sightings on 24 sources including: Carder Forum (carder.uk), wordpress.com, AAPKS.com, malwareresearch, @phishingalert, @GelosSnake, @rpsanch, @rce_coder. 7 related attack vectors including Crimeware, Phishing, Remote Code Execution, Malvertising, Click Fraud. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. 
Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "T1bwMv", - "LC-zVm", - "P_upBR", - "T2OA5Q", - "K20lXV", - "TGgDPZ", - "hkIDTa", - "LqRZCN", - "Vd51cf", - "ha2FFj", - "UmsU31", - "ddafo3", - "K7wUX2", - "P_ivKa", - "idn:wordpress.com", - "J-mrOR", - "QPbAan", - "VeioBt", - "WlbRkJ", - "TvfQzk", - "TP1vbk", - "SrKvJ0", - "SqCj4s", - "VXaDYo" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "10 sightings on 7 sources including: SANS Institute Course Selector Results, Messaging Platforms - Uncategorized, @ecstatic_nobel, @Artilllerie. Most recent tweet: Active cred #phishing/malware distribution campaign on 185.186.245.101 with kits targeting @Office365 and @WeTransfer brands. Windows malware submitted to VT here: https://t.co/edCd4sOnAI domains: https://t.co/4GdqctLwkY cc: @malwrhunterteam @JayTHL @SteveD3 @thepacketrat https://t.co/e9d3R7fzIq. Most recent link (May 28, 2019): https://twitter.com/PhishingAi/statuses/1133376801831436289", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Ym7dzt", - "LKKAV1", - "OuKV3V", - "VeioBt", - "Y7TWfI", - "KGS-xC", - "KFSXln" - ], - "Timestamp": "2019-05-28T14:17:41.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "114 sightings on 42 sources including: Doc Player, GhostBin, Codex - Recent changes en, droppdf.com, ReversingLabs. 41 related malware families including Dardesh, AZORult, Emotet, GandCrab, Offensive Security Tools (OST). 
Most recent tweet: @Enfenogo @ThetanArena @KardiaChain @wolffungame Se voc\u00ea jogar o .exe do instalador no site https://t.co/yxgkgU58Hr, vai encontrar um trojan minerador. Estou sem acreditar. T\u00f4 rodando o Malware Byte no meu PC pra tentar limpar a merda que eles fizeram. Most recent link (Nov 27, 2021): https://twitter.com/Ronan30451924/statuses/1464732674891960321", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "QWOrKl", - "LKKAV1", - "W4ygGi", - "PATKM7", - "T1bwMv", - "LjkJhE", - "kuKt0c", - "QAy9GA", - "LbYmLr", - "K20lXV", - "QZe7TG", - "idn:droppdf.com", - "QAmbRP", - "TbciDE", - "P_j5Dw", - "QNmgPm", - "TGXqeD", - "POs2u-", - "KGS-xC", - "L3kVdM", - "QMfGAr", - "h6VVAH", - "doLlw5", - "UrsUKT", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "RfVd0T", - "J6UzbO", - "POs2tz", - "VfsacJ", - "Jv_xrR", - "Ql9O5c", - "USKpXp", - "TP1vbk", - "SrKvJ0", - "Tq2nAb", - "KFSXln", - "P_ov9o", - "VXaDYo", - "idn:index-of.es" - ], - "Timestamp": "2021-11-27T23:07:37.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. 2 related cyber vulnerabilities: CVE-2016-6663, CWE-362.", - "MitigationString": "", - "Name": "linkedToVuln", - "Rule": "Linked to Vulnerability", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-12-29T07:27:12.565Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 19, 2018): ReversingLabs malware file analysis.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TbciDE", - "doLlw5" - ], - "Timestamp": "2021-02-10T09:10:10.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "45 sightings on 9 sources including: Security Bloggers Network, Bleeping Computer, Guided Collection, Bleepingcomputer Forums, TheServerSide.com | Updates. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "NSAcUx", - "J6UzbO", - "Rlso4a", - "hkE5DK", - "cJMUDF", - "TZRwk8", - "QMTzEI", - "LUhTGd", - "J5NRun" - ], - "Timestamp": "2021-12-21T08:40:00.000Z" - } - ], - "recordedfuture.risk_string": "6/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 33343, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1688 sightings on 26 sources including: lnkd.in, Doc Player, Cyber4Sight, voicebox.pt, VKontakte. 2 related malware families: Wcry, Ransomware. 
Most recent link (Sep 13, 2017): https://malwr.com/analysis/ZmIzN2E3MzQyM2I0NDYwODllOWRhMmQxODg3YzMxZDA/", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "idn:lnkd.in", - "W4ygGi", - "S2tpaX", - "idn:voicebox.pt", - "SIjHV9", - "PJHGaq", - "PA-rR4", - "Z2mQh2", - "e_", - "idn:gofastbuy.com", - "idn:ziftsolutions.com", - "POs2u-", - "KHpcuE", - "QccsRc", - "idn:dfir.pro", - "idn:nksc.lt", - "idn:dy.si", - "KZFCph", - "rN", - "QYsx0D", - "idn:logrhythm.com", - "Jv_xrR", - "idn:safe-cyberdefense.com", - "4n", - "QS89Bx", - "NKaUXl" - ], - "Timestamp": "2017-09-13T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 1 source: Recorded Future Malware Detonation.", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Positive Malware Verdict", - "Sources": [ - "TAIz7D" - ], - "Timestamp": "2020-10-13T10:46:31.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "58 sightings on 5 sources: SecureWorks, InfoCON: green, McAfee, Talos Intel, Kaspersky Securelist and Lab. 
Most recent link (Jun 28, 2018): https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US/McAfee_Labs_WannaCry_June24_2018.pdf", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Threat Researcher", - "Sources": [ - "Z2mQh2", - "2d", - "rN", - "PA-rR4", - "4n" - ], - "Timestamp": "2018-06-28T08:11:36.570Z" - } - ], - "recordedfuture.risk_string": "3/14", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.file.hash.sha256": "a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b", - "threat.indicator.type": "file" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 89.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 35218, - "recordedfuture.evidence_details": [ - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "6 sightings on 6 sources including: malwareresearch, AAPKS.com, @Shouvik95232310, @santGM. 3 related attack vectors: Phishing, Click Fraud, Typosquatting. Most recent tweet: Many People sending me this type of link and it's a phishing link @stufflistings @trolling_isart @yabhishekhd Thanks @virustotal for checking. Website where I Checked it https://t.co/q0pzRgZFuW If you clicked you should reset your phone. Am I RIGHT @trolling_isart @stufflistings https://t.co/yINsBtAJhr. 
Most recent link (Dec 25, 2021): https://twitter.com/galaxyshouvik/statuses/1474581610959818752", - "MitigationString": "", - "Name": "linkedToVector", - "Rule": "Linked to Attack Vector", - "Sources": [ - "WlbRkJ", - "ha2FFj", - "K7wUX2", - "P_ivKa", - "J-mrOR", - "P_upBR" - ], - "Timestamp": "2021-12-25T03:23:47.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Messaging Platforms - Uncategorized. Most recent link (Oct 18, 2021): https://t.me/An0nymousTeam/1429", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Linked to Cyber Attack", - "Sources": [ - "Y7TWfI" - ], - "Timestamp": "2021-10-18T12:09:43.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "43 sightings on 14 sources including: Ichunqiu Forum, Doc Player, ArXiv, GitHub, droppdf.com. 19 related malware families including Fakespy, Trojan, Offensive Security Tools (OST), Spyware, Dardesh. Most recent tweet: RT @demonslay335: #STOP #Djvu #Ransomware extension \".mogera\" (v090): https://t.co/wlMcSE2EHj | https://t.co/XAYkOoOReU. Most recent link (May 27, 2019): https://twitter.com/DrolSecurity/statuses/1133117241388621825", - "MitigationString": "", - "Name": "linkedToMalware", - "Rule": "Linked to Malware", - "Sources": [ - "TGXqeD", - "W4ygGi", - "L3kVdM", - "QMfGAr", - "QAy9GA", - "JOU", - "MIKjae", - "P_oIyV", - "QJ6TQK", - "idn:droppdf.com", - "Ql9O5c", - "QAmbRP", - "Tq2nAb", - "idn:index-of.es" - ], - "Timestamp": "2019-05-27T21:06:17.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Mar 8, 2021): https://polyswarm.network/scan/results/file/85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce",
- "MitigationString": "",
- "Name": "positiveMalwareVerdict",
- "Rule": "Positive Malware Verdict",
- "Sources": [
- "doLlw5"
- ],
- "Timestamp": "2021-03-08T13:00:15.000Z"
- },
- {
- "Criticality": 1.0,
- "CriticalityLabel": "Unusual",
- "EvidenceString": "16 sightings on 4 sources: Guided Collection, Bleepingcomputer Forums, ISC | All Updates, Malwarebytes Unpacked. Most recent link (Dec 21, 2021): https://www.bleepingcomputer.com/forums/t/765398/gmer-scan-reveals-chinese-letter-characters/#entry5298561",
- "MitigationString": "",
- "Name": "threatResearcher",
- "Rule": "Threat Researcher",
- "Sources": [
- "Rlso4a",
- "hkE5DK",
- "TZRwk8",
- "J5NRun"
- ],
- "Timestamp": "2021-12-21T08:40:00.000Z"
- }
- ],
- "recordedfuture.risk_string": "5/14",
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
- "threat.feed.name": "[Filebeat] RecordedFuture",
- "threat.indicator.file.hash.sha256": "85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce",
- "threat.indicator.type": "file"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log
deleted file mode 100644
index 1704f899a28..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log
+++ /dev/null
@@ -1,10 +0,0 @@
-"Name","Risk","RiskString","EvidenceDetails"
-"103.143.8.71","99","4/64","{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""7 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. Most recent link (Nov 8, 2021): https://pastebin.com/G1Jvm5T0"", ""Sources"": [""Jv_xrR""], ""Timestamp"": ""2021-11-08T16:27:15.000Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported as a Defanged IP"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: GitHub. Most recent link (Nov 16, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt"", ""Sources"": [""MIKjae""], ""Timestamp"": ""2021-11-16T00:00:00.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""164 sightings on 4 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions, Abuse.ch: Feodo IP Blocklist, Polyswarm Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 103.143.8.71:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651"", ""Sources"": [""b5tNVA"", ""h_iZX8"", ""report:OtiCOp"", ""hyihHO""], ""Timestamp"": ""2021-12-29T02:11:16.658Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}, {""Rule"": ""Actively Communicating C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443, TCP:6881, TCP:995. 
Exfiltration behavior observed. Last observed on Dec 27, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-29T02:11:16.663Z"", ""Name"": ""recentActiveCnc"", ""MitigationString"": """", ""Criticality"": 4.0}]}"
-"2001:470:1:c84:0:0:0:17","68","5/64","{""EvidenceDetails"": [{""Rule"": ""Historical Brute Force"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: AbuseIPDB Community Submissions. 2001:470:1:c84::17 was identified as Brute-Force by multiple unique community member submissions. Reported to Recorded Future on Nov 23, 2021."", ""Sources"": [""kAh9jV""], ""Timestamp"": ""2021-11-24T10:21:58.872Z"", ""Name"": ""bruteForce"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent Spam Source"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: AbuseIPDB Spam. 2001:470:1:c84::17 was identified as Web Spam by multiple unique community member submissions. Reported to Recorded Future on Dec 21, 2021."", ""Sources"": [""kAiRKZ""], ""Timestamp"": ""2021-12-23T10:18:14.025Z"", ""Name"": ""recentSpam"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recent SSH/Dictionary Attacker"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: DataPlane SSH Client Connection List."", ""Sources"": [""report:U8nmOf""], ""Timestamp"": ""2021-12-29T07:19:53.133Z"", ""Name"": ""recentSshDictAttacker"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recent Multicategory Blocklist"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: BlockList.de: Fail2ban Reporting Service."", ""Sources"": [""report:OhgwUx""], ""Timestamp"": ""2021-12-29T07:19:53.133Z"", ""Name"": ""recentMultiBlacklist"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recent DDoS"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: AbuseIPDB Community Submissions. 
2001:470:1:c84::17 was identified as DDoS Attack by multiple unique community member submissions. Reported to Recorded Future on Dec 21, 2021."", ""Sources"": [""kAh9jV""], ""Timestamp"": ""2021-12-23T10:18:13.994Z"", ""Name"": ""recentDdos"", ""MitigationString"": """", ""Criticality"": 3.0}]}"
-"185.19.85.136","99","6/64","{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: GitHub. 2 related intrusion methods: Nanocore, Remote Access Trojan. Most recent link (Jan 1, 2021): https://github.com/GlacierSheep/DomainBlockList/blob/master/trail/static_nanocore_(malware).domainset"", ""Sources"": [""MIKjae""], ""Timestamp"": ""2021-01-01T16:56:57.000Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Multicategory Blocklist"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 2 sources: Bitdefender IP Reputation, hpHosts Latest Additions. Bitdefender detected suspicious traffic involving 185.19.85.136 associated with Bitdefender threat name Trojan.GenericKD.34300483 on Apr 30, 2021"", ""Sources"": [""iFMVSl"", ""Ol_aRZ""], ""Timestamp"": ""2021-04-30T04:50:06.000Z"", ""Name"": ""multiBlacklist"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between Feb 13, 2021, and Feb 13, 2021."", ""Sources"": [""report:SW8xpk""], ""Timestamp"": ""2021-12-28T19:20:46.641Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C Server"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""9 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. 
Command & Control host identified on Oct 29, 2021."", ""Sources"": [""b5tNVA"", ""h_iZX8""], ""Timestamp"": ""2021-10-29T08:07:54.495Z"", ""Name"": ""intermediateCncServer"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recently Active C&C Server"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Asyncrat. Communication observed on TCP:6060. Last observed on Dec 21, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-28T19:20:46.639Z"", ""Name"": ""intermediateActiveCnc"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Dec 24, 2021."", ""Sources"": [""b5tNVA"", ""h_iZX8""], ""Timestamp"": ""2021-12-24T08:07:09.925Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}]}"
-"45.112.206.18","99","6/64","{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""12 sightings on 2 sources: C2IntelFeeds IPC2s, @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. 
Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978"", ""Sources"": [""k_7zaW"", ""jqWX2B""], ""Timestamp"": ""2021-11-26T15:01:53.000Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Linked to Cyber Attack"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: C2IntelFeeds IPC2s. Most recent link (Aug 15, 2021): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=45.112.206.18_20210815"", ""Sources"": [""k_7zaW""], ""Timestamp"": ""2021-08-15T00:00:00.000Z"", ""Name"": ""linkedToCyberAttack"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported as a Defanged IP"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""10 sightings on 1 source: @drb_ra. Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978"", ""Sources"": [""jqWX2B""], ""Timestamp"": ""2021-11-26T15:01:53.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 2 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, Recorded Future Analyst Community Trending Indicators. Observed between Jul 8, 2021, and Dec 9, 2021."", ""Sources"": [""report:aD1qtM"", ""report:Tluf00""], ""Timestamp"": ""2021-12-28T18:45:41.877Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""2 sightings on 1 source: Recorded Future Command & Control List. 
Command & Control host identified on Jul 5, 2021."", ""Sources"": [""b5tNVA""], ""Timestamp"": ""2021-07-05T08:04:23.139Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}, {""Rule"": ""Actively Communicating C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike Team Servers. Communication observed on TCP:443, TCP:8443. Last observed on Dec 26, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-28T18:45:41.875Z"", ""Name"": ""recentActiveCnc"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"190.55.186.229","99","10/64","{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""239 sightings on 5 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks, PasteBin, Cryptolaemus Pastedump. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Mar 14, 2021): https://unit42.paloaltonetworks.jp/attack-chain-overview-emotet-in-december-2020-and-january-2021/"", ""Sources"": [""idn:paloaltonetworks.jp"", ""JwO7jp"", ""jjf3_B"", ""Jv_xrR"", ""Z7kln2""], ""Timestamp"": ""2021-03-14T00:00:00.000Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Threat Researcher"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/"", ""Sources"": [""jjf3_B""], ""Timestamp"": ""2021-04-09T12:00:00.000Z"", ""Name"": ""threatResearcher"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Multicategory Blocklist"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""5 sightings on 1 source: AbuseIP Database. 
Most recent link (Aug 25, 2020): https://www.abuseipdb.com/check/190.55.186.229"", ""Sources"": [""UneVVu""], ""Timestamp"": ""2020-08-25T20:01:29.075Z"", ""Name"": ""multiBlacklist"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported as a Defanged IP"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""6 sightings on 3 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/"", ""Sources"": [""idn:paloaltonetworks.jp"", ""JwO7jp"", ""jjf3_B""], ""Timestamp"": ""2021-04-09T12:00:00.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Positive Malware Verdict"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""87 sightings on 1 source: Cryptolaemus Pastedump. Most recent link (Jan 25, 2021): https://paste.cryptolaemus.com/emotet/2021/01/25/emotet-malware-IoCs_01-25-21.html"", ""Sources"": [""Z7kln2""], ""Timestamp"": ""2021-01-25T23:59:00.000Z"", ""Name"": ""positiveMalwareVerdict"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Spam Source"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: External Sensor Spam. 190.55.186.229 was historically observed as spam. No longer observed as of Nov 16, 2021."", ""Sources"": [""kBCI-b""], ""Timestamp"": ""2021-11-16T01:06:21.965Z"", ""Name"": ""spam"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 2 sources: University of Science and Technology of China Black IP List, Abuse.ch: Feodo IP Blocklist. 
Observed between Feb 26, 2021, and Dec 27, 2021."", ""Sources"": [""report:Q1ghC0"", ""report:OtiCOp""], ""Timestamp"": ""2021-12-28T19:33:55.849Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C Server"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""31 sightings on 3 sources: Palo Alto Networks, Polyswarm Sandbox Analysis - Malware C2 Extractions, Unit 42 Palo Alto Networks. Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample a88734cd5c38211a4168bc7701516a50e6aef5ef20d2b1a915edae23c1b345db"", ""Sources"": [""JwO7jp"", ""hyihHO"", ""jjf3_B""], ""Timestamp"": ""2021-10-19T12:21:34.268Z"", ""Name"": ""intermediateCncServer"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recent Multicategory Blocklist"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: Talos IP Blacklist."", ""Sources"": [""report:VW6jeN""], ""Timestamp"": ""2021-12-28T19:33:55.846Z"", ""Name"": ""recentMultiBlacklist"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""5 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample c9709d56b92047cd55fb097feb6cb7a8de6f3edc5ea79a429363938a69aae580"", ""Sources"": [""hyihHO"", ""h_iZX8""], ""Timestamp"": ""2021-12-27T19:00:49.975Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"62.210.82.223","99","3/64","{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: PasteBin. 
4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 2, 2021): https://pastebin.com/SusxCK2b"", ""Sources"": [""Jv_xrR""], ""Timestamp"": ""2021-12-02T15:58:10.000Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Dec 1, 2021."", ""Sources"": [""b5tNVA"", ""report:OtiCOp""], ""Timestamp"": ""2021-12-01T08:06:11.827Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}, {""Rule"": ""Actively Communicating C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Emotet. Communication observed on TCP:443. Exfiltration behavior observed. Last observed on Dec 26, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-28T22:05:35.688Z"", ""Name"": ""recentActiveCnc"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"87.120.254.96","99","7/64","{""EvidenceDetails"": [{""Rule"": ""Historical Honeypot Sighting"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 2 sources: Project Honey Pot, @HoneyFog. Most recent tweet: Fog44: 87.120.254.96->22. Most recent link (Dec 14, 2016): https://twitter.com/HoneyFog/statuses/809032869792378880"", ""Sources"": [""P_izv4"", ""OSz1F0""], ""Timestamp"": ""2016-12-14T13:50:41.000Z"", ""Name"": ""honeypot"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported as a Defanged IP"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: GitHub. 
Most recent link (Nov 8, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-05-TA551-IOCs.txt"", ""Sources"": [""MIKjae""], ""Timestamp"": ""2021-11-08T00:00:00.000Z"", ""Name"": ""defanged"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Spam Source"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: External Sensor Spam. 87.120.254.96 was historically observed as spam. No longer observed as of Nov 16, 2021."", ""Sources"": [""kBCI-b""], ""Timestamp"": ""2021-11-16T03:19:58.721Z"", ""Name"": ""spam"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Linked to Intrusion Method"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: CloudSEK. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 22, 2021): https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/"", ""Sources"": [""k837l0""], ""Timestamp"": ""2021-12-22T09:45:33.000Z"", ""Name"": ""recentLinkedIntrusion"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Recent Multicategory Blocklist"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: University of Science and Technology of China Black IP List."", ""Sources"": [""report:Q1ghC0""], ""Timestamp"": ""2021-12-29T06:21:27.693Z"", ""Name"": ""recentMultiBlacklist"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. 
Command & Control host identified on Nov 25, 2021."", ""Sources"": [""b5tNVA"", ""report:OtiCOp""], ""Timestamp"": ""2021-11-25T08:06:42.384Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}, {""Rule"": ""Actively Communicating C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Bazarloader. Communication observed on TCP:443. Exfiltration behavior observed. Last observed on Dec 25, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-29T06:21:27.731Z"", ""Name"": ""recentActiveCnc"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"45.146.165.76","99","4/64","{""EvidenceDetails"": [{""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 3 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, CINS: CI Army List, Recorded Future Analyst Community Trending Indicators. Observed between Jan 22, 2021, and Sep 25, 2021."", ""Sources"": [""report:aD1qtM"", ""report:OchJ-t"", ""report:Tluf00""], ""Timestamp"": ""2021-12-28T18:42:08.925Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent Multicategory Blocklist"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""1 sighting on 1 source: DShield: Recommended Block List."", ""Sources"": [""report:OchJ-o""], ""Timestamp"": ""2021-12-28T18:42:08.917Z"", ""Name"": ""recentMultiBlacklist"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""19 sightings on 2 sources: Recorded Future Command & Control List, @TheDFIRReport. 
Most recent tweet: Here's some newer C2 servers we're tracking: #BazarLoader 64.227.73.80 64.225.71.198 #Covenant 167.71.67.196 45.146.165.76 #PoshC2 193.36.15.192 #Empire 64.227.21.255 #Metasploit 91.221.70.143 Full list available @ https://t.co/QT6o626hsR #ThreatFeed. Most recent link (Sep 1, 2021): https://twitter.com/TheDFIRReport/statuses/1433055791964049412"", ""Sources"": [""b5tNVA"", ""dZgcRz""], ""Timestamp"": ""2021-09-01T13:15:00.000Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}, {""Rule"": ""Actively Communicating C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Covenant. Communication observed on TCP:7443. Exfiltration behavior observed. Last observed on Dec 27, 2021."", ""Sources"": [""report:aEft3k""], ""Timestamp"": ""2021-12-28T18:42:08.923Z"", ""Name"": ""recentActiveCnc"", ""MitigationString"": """", ""Criticality"": 4.0}]}" -"181.112.52.26","99","8/64","{""EvidenceDetails"": [{""Rule"": ""Historical Open Proxies"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2339 sightings on 9 sources including: TBN, BlackHatWorld Forum, Carding Mafia Forum, Inforge Forum Hacker Trucchi Giochi Informatica, ProxyFire - The Best Proxy Software and Forum. Most recent link (Jun 29, 2019): https://Black%20Hat%20World%20Forum%20(Obfuscated)/seo/ssl-proxies-occasional-update.927669/page-44#post-12210196"", ""Sources"": [""RqhhJr"", ""KjGS3i"", ""VU4Qnc"", ""P7sZbk"", ""OQ_oQH"", ""Qk8WdX"", ""Qk8Wdg"", ""QqgtXJ"", ""KhvyCV""], ""Timestamp"": ""2019-06-29T01:18:00.000Z"", ""Name"": ""openProxies"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Honeypot Sighting"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: @HoneyFog. Most recent tweet: Fog44: 181.112.52.26->22. I've never seen this IP before. 
Most recent link (Oct 6, 2017): https://twitter.com/HoneyFog/statuses/916371734928019456"", ""Sources"": [""P_izv4""], ""Timestamp"": ""2017-10-06T18:37:01.000Z"", ""Name"": ""honeypot"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Linked to Intrusion Method"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""10 sightings on 3 sources: Manato Kumagai Hatena Blog, sentinelone.com, PasteBin. 6 related intrusion methods including TrickLoader, Trojan, Emotet, Banking Trojan, Trickbot. Most recent link (Feb 26, 2020): https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/"", ""Sources"": [""TiY1wa"", ""idn:sentinelone.com"", ""Jv_xrR""], ""Timestamp"": ""2020-02-26T15:00:17.035Z"", ""Name"": ""linkedIntrusion"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical Multicategory Blocklist"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26"", ""Sources"": [""UneVVu""], ""Timestamp"": ""2018-08-17T00:30:42.194Z"", ""Name"": ""multiBlacklist"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historical SSH/Dictionary Attacker"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26"", ""Sources"": [""UneVVu""], ""Timestamp"": ""2018-08-17T00:30:42.194Z"", ""Name"": ""sshDictAttacker"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Reported in Threat List"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""Previous sightings on 3 sources: BlockList.de: Fail2ban Reporting Service, Abuse.ch: Feodo IP Blocklist, Proxies: SOCKS Open Proxies. 
Observed between Jun 15, 2019, and Oct 3, 2020."", ""Sources"": [""report:OhgwUx"", ""report:OtiCOp"", ""report:SYQe08""], ""Timestamp"": ""2021-12-28T22:05:41.272Z"", ""Name"": ""historicalThreatListMembership"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recent C&C Server"", ""CriticalityLabel"": ""Suspicious"", ""EvidenceString"": ""3 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample dcc42c0bd075f283c71ac327c845498454dcd9528386df5b296fdf89ba105bfa"", ""Sources"": [""hyihHO""], ""Timestamp"": ""2021-07-15T12:42:04.656Z"", ""Name"": ""intermediateCncServer"", ""MitigationString"": """", ""Criticality"": 2.0}, {""Rule"": ""Current C&C Server"", ""CriticalityLabel"": ""Very Malicious"", ""EvidenceString"": ""5 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample b827a4587bc6162715693c71e432769ec6272c130bb87e14bc683f5bd7caf834"", ""Sources"": [""hyihHO""], ""Timestamp"": ""2021-12-22T04:10:08.558Z"", ""Name"": ""recentCncServer"", ""MitigationString"": """", ""Criticality"": 4.0}]}" diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log-expected.json deleted file mode 100644 index b2d3e7f3f8f..00000000000 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_ip_default.csv.log-expected.json +++ /dev/null 
@@ -1,881 +0,0 @@ -[ - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 45, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Qakbot. Communication observed on TCP:443, TCP:6881, TCP:995. Exfiltration behavior observed. Last observed on Dec 27, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T02:11:16.663Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "164 sightings on 4 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions, Abuse.ch: Feodo IP Blocklist, Polyswarm Sandbox Analysis - Malware C2 Extractions. Joe Security malware sandbox identified 103.143.8.71:443 as TA0011 (Command and Control) QakBot using configuration extraction on sample 8f97195fc90ce520e75db6785204da0adbda9be5464bb27cd4dcc5b23b547651", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8", - "report:OtiCOp", - "hyihHO" - ], - "Timestamp": "2021-12-29T02:11:16.658Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "7 sightings on 1 source: PasteBin. 3 related intrusion methods: Trojan, Banking Trojan, QakBot. 
Most recent link (Nov 8, 2021): https://pastebin.com/G1Jvm5T0", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "Jv_xrR" - ], - "Timestamp": "2021-11-08T16:27:15.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: GitHub. Most recent link (Nov 16, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-11-16T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "4/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "103.143.8.71", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 68.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 2204, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: AbuseIPDB Community Submissions. 2001:470:1:c84::17 was identified as Brute-Force by multiple unique community member submissions. Reported to Recorded Future on Nov 23, 2021.", - "MitigationString": "", - "Name": "bruteForce", - "Rule": "Historical Brute Force", - "Sources": [ - "kAh9jV" - ], - "Timestamp": "2021-11-24T10:21:58.872Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: AbuseIPDB Community Submissions. 
2001:470:1:c84::17 was identified as DDoS Attack by multiple unique community member submissions. Reported to Recorded Future on Dec 21, 2021.", - "MitigationString": "", - "Name": "recentDdos", - "Rule": "Recent DDoS", - "Sources": [ - "kAh9jV" - ], - "Timestamp": "2021-12-23T10:18:13.994Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: BlockList.de: Fail2ban Reporting Service.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:OhgwUx" - ], - "Timestamp": "2021-12-29T07:19:53.133Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: DataPlane SSH Client Connection List.", - "MitigationString": "", - "Name": "recentSshDictAttacker", - "Rule": "Recent SSH/Dictionary Attacker", - "Sources": [ - "report:U8nmOf" - ], - "Timestamp": "2021-12-29T07:19:53.133Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: AbuseIPDB Spam. 2001:470:1:c84::17 was identified as Web Spam by multiple unique community member submissions. 
Reported to Recorded Future on Dec 21, 2021.", - "MitigationString": "", - "Name": "recentSpam", - "Rule": "Recent Spam Source", - "Sources": [ - "kAiRKZ" - ], - "Timestamp": "2021-12-23T10:18:14.025Z" - } - ], - "recordedfuture.risk_string": "5/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "2001:470:1:c84:0:0:0:17", - "threat.indicator.type": "ipv6-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 4263, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "12 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Dec 24, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8" - ], - "Timestamp": "2021-12-24T08:07:09.925Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 2 sources: Bitdefender IP Reputation, hpHosts Latest Additions. Bitdefender detected suspicious traffic involving 185.19.85.136 associated with Bitdefender threat name Trojan.GenericKD.34300483 on Apr 30, 2021", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "iFMVSl", - "Ol_aRZ" - ], - "Timestamp": "2021-04-30T04:50:06.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: GitHub. 2 related intrusion methods: Nanocore, Remote Access Trojan. 
Most recent link (Jan 1, 2021): https://github.com/GlacierSheep/DomainBlockList/blob/master/trail/static_nanocore_(malware).domainset", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-01-01T16:56:57.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between Feb 13, 2021, and Feb 13, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:SW8xpk" - ], - "Timestamp": "2021-12-28T19:20:46.641Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "9 sightings on 2 sources: Recorded Future Command & Control List, Joe Security Sandbox Analysis - Malware C2 Extractions. Command & Control host identified on Oct 29, 2021.", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "b5tNVA", - "h_iZX8" - ], - "Timestamp": "2021-10-29T08:07:54.495Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Asyncrat. Communication observed on TCP:6060. 
Last observed on Dec 21, 2021.", - "MitigationString": "", - "Name": "intermediateActiveCnc", - "Rule": "Recently Active C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T19:20:46.639Z" - } - ], - "recordedfuture.risk_string": "6/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "185.19.85.136", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 7071, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike Team Servers. Communication observed on TCP:443, TCP:8443. Last observed on Dec 26, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T18:45:41.875Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 1 source: Recorded Future Command & Control List. Command & Control host identified on Jul 5, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA" - ], - "Timestamp": "2021-07-05T08:04:23.139Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: C2IntelFeeds IPC2s. 
Most recent link (Aug 15, 2021): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=45.112.206.18_20210815", - "MitigationString": "", - "Name": "linkedToCyberAttack", - "Rule": "Historically Linked to Cyber Attack", - "Sources": [ - "k_7zaW" - ], - "Timestamp": "2021-08-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "12 sightings on 2 sources: C2IntelFeeds IPC2s, @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "k_7zaW", - "jqWX2B" - ], - "Timestamp": "2021-11-26T15:01:53.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 1 source: @drb_ra. Most recent tweet: Cobalt Strike server found C2: HTTPS @ 45[.]112[.]206[.]18:443 C2 Server: 45[.]112[.]206[.]13,/IE9CompatViewList[.]xml Country: Hong Kong ASN: HK kwaifong group limited #C2 #cobaltstrike. Most recent link (Nov 26, 2021): https://twitter.com/drb_ra/statuses/1464248045118590978", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "jqWX2B" - ], - "Timestamp": "2021-11-26T15:01:53.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 2 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, Recorded Future Analyst Community Trending Indicators. 
Observed between Jul 8, 2021, and Dec 9, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:aD1qtM", - "report:Tluf00" - ], - "Timestamp": "2021-12-28T18:45:41.877Z" - } - ], - "recordedfuture.risk_string": "6/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "45.112.206.18", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 10254, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "5 sightings on 2 sources: Polyswarm Sandbox Analysis - Malware C2 Extractions, Joe Security Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample c9709d56b92047cd55fb097feb6cb7a8de6f3edc5ea79a429363938a69aae580", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "hyihHO", - "h_iZX8" - ], - "Timestamp": "2021-12-27T19:00:49.975Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "5 sightings on 1 source: AbuseIP Database. 
Most recent link (Aug 25, 2020): https://www.abuseipdb.com/check/190.55.186.229", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2020-08-25T20:01:29.075Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "87 sightings on 1 source: Cryptolaemus Pastedump. Most recent link (Jan 25, 2021): https://paste.cryptolaemus.com/emotet/2021/01/25/emotet-malware-IoCs_01-25-21.html", - "MitigationString": "", - "Name": "positiveMalwareVerdict", - "Rule": "Historical Positive Malware Verdict", - "Sources": [ - "Z7kln2" - ], - "Timestamp": "2021-01-25T23:59:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: External Sensor Spam. 190.55.186.229 was historically observed as spam. No longer observed as of Nov 16, 2021.", - "MitigationString": "", - "Name": "spam", - "Rule": "Historical Spam Source", - "Sources": [ - "kBCI-b" - ], - "Timestamp": "2021-11-16T01:06:21.965Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/", - "MitigationString": "", - "Name": "threatResearcher", - "Rule": "Historical Threat Researcher", - "Sources": [ - "jjf3_B" - ], - "Timestamp": "2021-04-09T12:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "239 sightings on 5 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks, PasteBin, Cryptolaemus Pastedump. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. 
Most recent link (Mar 14, 2021): https://unit42.paloaltonetworks.jp/attack-chain-overview-emotet-in-december-2020-and-january-2021/", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "idn:paloaltonetworks.jp", - "JwO7jp", - "jjf3_B", - "Jv_xrR", - "Z7kln2" - ], - "Timestamp": "2021-03-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "6 sightings on 3 sources: paloaltonetworks.jp, Palo Alto Networks, Unit 42 Palo Alto Networks. Most recent link (Apr 9, 2021): https://unit42.paloaltonetworks.com/emotet-command-and-control/", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "idn:paloaltonetworks.jp", - "JwO7jp", - "jjf3_B" - ], - "Timestamp": "2021-04-09T12:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 2 sources: University of Science and Technology of China Black IP List, Abuse.ch: Feodo IP Blocklist. Observed between Feb 26, 2021, and Dec 27, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:Q1ghC0", - "report:OtiCOp" - ], - "Timestamp": "2021-12-28T19:33:55.849Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "31 sightings on 3 sources: Palo Alto Networks, Polyswarm Sandbox Analysis - Malware C2 Extractions, Unit 42 Palo Alto Networks. 
Polyswarm malware sandbox identified 190.55.186.229:80 as TA0011 (Command and Control) for Emotet using configuration extraction on sample a88734cd5c38211a4168bc7701516a50e6aef5ef20d2b1a915edae23c1b345db", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "JwO7jp", - "hyihHO", - "jjf3_B" - ], - "Timestamp": "2021-10-19T12:21:34.268Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: Talos IP Blacklist.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:VW6jeN" - ], - "Timestamp": "2021-12-28T19:33:55.846Z" - } - ], - "recordedfuture.risk_string": "10/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "190.55.186.229", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 15104, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Emotet. Communication observed on TCP:443. Exfiltration behavior observed. 
Last observed on Dec 26, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T22:05:35.688Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Dec 1, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "report:OtiCOp" - ], - "Timestamp": "2021-12-01T08:06:11.827Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 1 source: PasteBin. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 2, 2021): https://pastebin.com/SusxCK2b", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "Jv_xrR" - ], - "Timestamp": "2021-12-02T15:58:10.000Z" - } - ], - "recordedfuture.risk_string": "3/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "62.210.82.223", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 16512, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Bazarloader. Communication observed on TCP:443. 
Exfiltration behavior observed. Last observed on Dec 25, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-29T06:21:27.731Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "2 sightings on 2 sources: Recorded Future Command & Control List, Abuse.ch: Feodo IP Blocklist. Command & Control host identified on Nov 25, 2021.", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "report:OtiCOp" - ], - "Timestamp": "2021-11-25T08:06:42.384Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 sightings on 2 sources: Project Honey Pot, @HoneyFog. Most recent tweet: Fog44: 87.120.254.96->22. Most recent link (Dec 14, 2016): https://twitter.com/HoneyFog/statuses/809032869792378880", - "MitigationString": "", - "Name": "honeypot", - "Rule": "Historical Honeypot Sighting", - "Sources": [ - "P_izv4", - "OSz1F0" - ], - "Timestamp": "2016-12-14T13:50:41.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: External Sensor Spam. 87.120.254.96 was historically observed as spam. No longer observed as of Nov 16, 2021.", - "MitigationString": "", - "Name": "spam", - "Rule": "Historical Spam Source", - "Sources": [ - "kBCI-b" - ], - "Timestamp": "2021-11-16T03:19:58.721Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: GitHub. 
Most recent link (Nov 8, 2021): https://github.com/pan-unit42/tweets/blob/master/2021-11-05-TA551-IOCs.txt", - "MitigationString": "", - "Name": "defanged", - "Rule": "Historically Reported as a Defanged IP", - "Sources": [ - "MIKjae" - ], - "Timestamp": "2021-11-08T00:00:00.000Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: University of Science and Technology of China Black IP List.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:Q1ghC0" - ], - "Timestamp": "2021-12-29T06:21:27.693Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: CloudSEK. 4 related intrusion methods: Trojan, Emotet, Banking Trojan, Botnet. Most recent link (Dec 22, 2021): https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/", - "MitigationString": "", - "Name": "recentLinkedIntrusion", - "Rule": "Recently Linked to Intrusion Method", - "Sources": [ - "k837l0" - ], - "Timestamp": "2021-12-22T09:45:33.000Z" - } - ], - "recordedfuture.risk_string": "7/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "87.120.254.96", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 19600, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. 
Identified as C&C server for 1 malware family: Covenant. Communication observed on TCP:7443. Exfiltration behavior observed. Last observed on Dec 27, 2021.", - "MitigationString": "", - "Name": "recentActiveCnc", - "Rule": "Actively Communicating C&C Server", - "Sources": [ - "report:aEft3k" - ], - "Timestamp": "2021-12-28T18:42:08.923Z" - }, - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "19 sightings on 2 sources: Recorded Future Command & Control List, @TheDFIRReport. Most recent tweet: Here's some newer C2 servers we're tracking: #BazarLoader 64.227.73.80 64.225.71.198 #Covenant 167.71.67.196 45.146.165.76 #PoshC2 193.36.15.192 #Empire 64.227.21.255 #Metasploit 91.221.70.143 Full list available @ https://t.co/QT6o626hsR #ThreatFeed. Most recent link (Sep 1, 2021): https://twitter.com/TheDFIRReport/statuses/1433055791964049412", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "b5tNVA", - "dZgcRz" - ], - "Timestamp": "2021-09-01T13:15:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 3 sources: Cobalt Strike Default Certificate Detected - Shodan / Recorded Future, CINS: CI Army List, Recorded Future Analyst Community Trending Indicators. 
Observed between Jan 22, 2021, and Sep 25, 2021.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:aD1qtM", - "report:OchJ-t", - "report:Tluf00" - ], - "Timestamp": "2021-12-28T18:42:08.925Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "1 sighting on 1 source: DShield: Recommended Block List.", - "MitigationString": "", - "Name": "recentMultiBlacklist", - "Rule": "Recent Multicategory Blocklist", - "Sources": [ - "report:OchJ-o" - ], - "Timestamp": "2021-12-28T18:42:08.917Z" - } - ], - "recordedfuture.risk_string": "4/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "45.146.165.76", - "threat.indicator.type": "ipv4-addr" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 99.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 21759, - "recordedfuture.evidence_details": [ - { - "Criticality": 4.0, - "CriticalityLabel": "Very Malicious", - "EvidenceString": "5 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample b827a4587bc6162715693c71e432769ec6272c130bb87e14bc683f5bd7caf834", - "MitigationString": "", - "Name": "recentCncServer", - "Rule": "Current C&C Server", - "Sources": [ - "hyihHO" - ], - "Timestamp": "2021-12-22T04:10:08.558Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: @HoneyFog. Most recent tweet: Fog44: 181.112.52.26->22. 
I've never seen this IP before. Most recent link (Oct 6, 2017): https://twitter.com/HoneyFog/statuses/916371734928019456", - "MitigationString": "", - "Name": "honeypot", - "Rule": "Historical Honeypot Sighting", - "Sources": [ - "P_izv4" - ], - "Timestamp": "2017-10-06T18:37:01.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26", - "MitigationString": "", - "Name": "multiBlacklist", - "Rule": "Historical Multicategory Blocklist", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2018-08-17T00:30:42.194Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2339 sightings on 9 sources including: TBN, BlackHatWorld Forum, Carding Mafia Forum, Inforge Forum Hacker Trucchi Giochi Informatica, ProxyFire - The Best Proxy Software and Forum. Most recent link (Jun 29, 2019): https://Black%20Hat%20World%20Forum%20(Obfuscated)/seo/ssl-proxies-occasional-update.927669/page-44#post-12210196", - "MitigationString": "", - "Name": "openProxies", - "Rule": "Historical Open Proxies", - "Sources": [ - "RqhhJr", - "KjGS3i", - "VU4Qnc", - "P7sZbk", - "OQ_oQH", - "Qk8WdX", - "Qk8Wdg", - "QqgtXJ", - "KhvyCV" - ], - "Timestamp": "2019-06-29T01:18:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Aug 17, 2018): https://www.abuseipdb.com/check/181.112.52.26", - "MitigationString": "", - "Name": "sshDictAttacker", - "Rule": "Historical SSH/Dictionary Attacker", - "Sources": [ - "UneVVu" - ], - "Timestamp": "2018-08-17T00:30:42.194Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "10 sightings on 3 sources: Manato Kumagai Hatena Blog, sentinelone.com, PasteBin. 6 related intrusion methods including TrickLoader, Trojan, Emotet, Banking Trojan, Trickbot. 
Most recent link (Feb 26, 2020): https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", - "MitigationString": "", - "Name": "linkedIntrusion", - "Rule": "Historically Linked to Intrusion Method", - "Sources": [ - "TiY1wa", - "idn:sentinelone.com", - "Jv_xrR" - ], - "Timestamp": "2020-02-26T15:00:17.035Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "Previous sightings on 3 sources: BlockList.de: Fail2ban Reporting Service, Abuse.ch: Feodo IP Blocklist, Proxies: SOCKS Open Proxies. Observed between Jun 15, 2019, and Oct 3, 2020.", - "MitigationString": "", - "Name": "historicalThreatListMembership", - "Rule": "Historically Reported in Threat List", - "Sources": [ - "report:OhgwUx", - "report:OtiCOp", - "report:SYQe08" - ], - "Timestamp": "2021-12-28T22:05:41.272Z" - }, - { - "Criticality": 2.0, - "CriticalityLabel": "Suspicious", - "EvidenceString": "3 sightings on 1 source: Polyswarm Sandbox Analysis - Malware C2 Extractions. Polyswarm malware sandbox identified 181.112.52.26:449 as TA0011 (Command and Control) for Trickbot using configuration extraction on sample dcc42c0bd075f283c71ac327c845498454dcd9528386df5b296fdf89ba105bfa", - "MitigationString": "", - "Name": "intermediateCncServer", - "Rule": "Recent C&C Server", - "Sources": [ - "hyihHO" - ], - "Timestamp": "2021-07-15T12:42:04.656Z" - } - ], - "recordedfuture.risk_string": "8/64", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.ip": "181.112.52.26", - "threat.indicator.type": "ipv4-addr" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log deleted file mode 100644 index 1327a0d94f1..00000000000 
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log
+++ /dev/null
@@ -1,10 +0,0 @@ -"Name","Risk","RiskString","EvidenceDetails" -"http://144.34.179.162/a","87","2/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/"", ""Sources"": [""Ctq"", ""idn:fook.news"", ""idn:urdupresss.com"", ""POs2u-"", ""idn:apple.news"", ""idn:cryptoinfoos.com.ng"", ""g9rk5F"", ""idn:thewindowsupdate.com"", ""idn:nationalcybersecuritynews.today"", ""gBDK5G"", ""idn:microsoft.com"", ""idn:techsecuritenews.com"", ""idn:mblogs.info"", ""J6UzbO"", ""idn:viralamo.com"", ""idn:sellorbuyhomefast.com"", ""idn:crazyboy.tech"", ""idn:times24h.com"", ""idn:buzzfeeg.com"", ""idn:dsmenders.com"", ""WroSbs"", ""idn:vzonetvgh.com""], ""Timestamp"": ""2021-07-20T00:00:00.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-07-10T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623","85","4/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""41 sightings on 19 sources including: Stock market news Company News MarketScreenercom, GlobeNewswire | Software, Yahoo!, globenewswirecom, otcdynamics.com. 
Most recent link (Oct 3, 2021): https://telecomkh.info/?p=4004"", ""Sources"": [""XBl0xf"", ""c2unu0"", ""DVW"", ""NPgRlV"", ""idn:otcdynamics.com"", ""idn:norteenlinea.com"", ""N4OmGX"", ""idn:snewsonline.com"", ""idn:nationalcybersecuritynews.today"", ""dCod5e"", ""hZ14Az"", ""idn:securityopenlab.it"", ""idn:clevertechmx.blogspot.com"", ""cJzvLR"", ""eNeV39"", ""dCotni"", ""dCo6X1"", ""jB6Hnn"", ""idn:telecomkh.info""], ""Timestamp"": ""2021-10-03T12:53:49.605Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Phishing Techniques"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-11-14T00:00:00.000Z"", ""Name"": ""phishingSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Distribution"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-11-14T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Active URL on Weaponized Domain"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: No-IP. Behavior observed: Malware Distribution, Phishing Techniques. 
Last observed on Dec 20, 2021."", ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2021-12-29T07:08:29.105Z"", ""Name"": ""recentWeaponizedURL"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"http://3.145.115.94/zambo/groenhuyzen.exe","79","2/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""17 sightings on 14 sources including: Security Affairs, sensorstechforum.com, Heimdal Security Blog, securitynewspaper, BBS Kafan Card Forum. Most recent link (Dec 22, 2021): https://d335luupugsy2.cloudfront.net/cms%2Ffiles%2F183750%2F1640120040Log4j_-_Explorao_por_grupos_APT.pdf"", ""Sources"": [""JNe6Hu"", ""TQnwKJ"", ""OfMf0W"", ""TefIEN"", ""VyuDZP"", ""Z7kln5"", ""bd-Dtt"", ""kKLjNc"", ""Y7TWfI"", ""idn:redpacketsecurity.com"", ""idn:eccouncil.org"", ""idn:comparaland.com"", ""idn:d335luupugsy2.cloudfront.net"", ""KVRURg""], ""Timestamp"": ""2021-12-22T16:01:42.134Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Khonsari Ransomware and Orcus RAT Exploit Log4Shell (CVE-2021-44228), Samples Uploaded on MalwareBazaar. Most recent link (Dec 17, 2021): https://app.recordedfuture.com/live/sc/4SWiMAS816Gj"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-12-17T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"http://gxbrowser.net","79","2/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""53 sightings on 14 sources including: HackDig Posts, Anquanke News, mrhacker.co, Sesin at, Check Point Research. 
Most recent link (Feb 6, 2021): https://cdn.www.gob.pe/uploads/document/file/1580907/Alerta%20integrada%20de%20seguridad%20digital%20N%C2%B0%xxx-xx-xxxx-PECERT%20.pdf"", ""Sources"": [""POs2u-"", ""U13S_U"", ""idn:mrhacker.co"", ""Z3TZAQ"", ""N4OmGX"", ""UqKvRr"", ""gBDK5G"", ""JExgHv"", ""QxXv_c"", ""J6UzbO"", ""eTNyK6"", ""idn:privacy.com.sg"", ""e6Ewt_"", ""idn:reportcybercrime.com""], ""Timestamp"": ""2021-02-06T12:52:09.042Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Detected Malware Distribution"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-12-28T00:00:00.000Z"", ""Name"": ""recentMalwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"https://881.000webhostapp.com/1.txt","78","3/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""33 sightings on 12 sources including: Palo Alto Networks, tistory.com, HackDig Posts, Anquanke News, airmagnet.technology. Most recent tweet: Continued MR.Dropper's attack. (Targething korean cryptocurrency exchange) #hcapital #ioc MD5 : eb459b47be479b61375d7b3c7c568425 URL : hxxps://881[.]000webhostapp[.]com/1.txt PDB : D:\\Attack\\DropperBuild\\x64\\Release\\Dropper.pdb https://t.co/FpsinliQqx [Beyond The Binary]. 
Most recent link (Sep 3, 2018): https://twitter.com/wugeej/statuses/1036413512732426240"", ""Sources"": [""JwO7jp"", ""idn:tistory.com"", ""POs2u-"", ""U13S_U"", ""ThoB0I"", ""idn:airmagnet.technology"", ""LErKlN"", ""WuLz1r"", ""KdwTwF"", ""VfsacJ"", ""jjf3_B"", ""idn:brica.de""], ""Timestamp"": ""2018-09-03T00:40:11.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Referenced by Insikt Group"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""2 sightings on 1 source: Insikt Group. 2 reports including \""Fractured Blockā€ Campaign Targets Korean Users. Most recent link (Dec 09, 2018): https://app.recordedfuture.com/live/sc/1RuTxKrDf8Qt"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2018-12-09T00:00:00.000Z"", ""Name"": ""relatedNote"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Active URL on Weaponized Domain"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: 000Webhost. Behavior observed: Malware Distribution. Last observed on Oct 16, 2021."", ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2021-12-29T07:07:42.477Z"", ""Name"": ""recentWeaponizedURL"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"http://comunicador.duckdns.org/catalista/lixo/index.php","78","4/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""38 sightings on 7 sources including: cybersecdn.com, WeLiveSecurity Spain, deepcheck.one, hackeridiot.com, PasteBin. 
Most recent link (May 27, 2021): https://cybersecdn.com/index.php/2021/05/27/janeleiro-the-time-traveler-a-new-old-banking-trojan-in-brazil/"", ""Sources"": [""idn:cybersecdn.com"", ""fWD1r9"", ""idn:deepcheck.one"", ""idn:hackeridiot.com"", ""Jv_xrR"", ""ONMgMx"", ""idn:nationalcybersecuritynews.today""], ""Timestamp"": ""2021-05-27T22:48:00.256Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Distribution"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-06-15T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: New Janeleiro Banking Trojan Targets Corporate Users in Brazil. Most recent link (Apr 06, 2021): https://app.recordedfuture.com/live/sc/4wolQHrxLiwd"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-04-06T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Recently Active URL on Weaponized Domain"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: DuckDNS. Behavior observed: Malware Distribution. 
Last observed on Oct 15, 2021."", ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2021-12-29T06:34:00.698Z"", ""Name"": ""recentWeaponizedURL"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"https://www.jeanninecatddns.chickenkiller.com/signin-authflow","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Recently Active URL on Weaponized Domain"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: Afraid.org. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Dec 28, 2021."", ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2021-12-28T22:15:49.631Z"", ""Name"": ""recentWeaponizedURL"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Recently Detected Phishing Techniques"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""2 sightings on 2 sources: Bitdefender, Urlscan.io. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021."", ""Sources"": [""d3Awkm"", ""eKv4Jm""], ""Timestamp"": ""2021-12-28T00:00:00.000Z"", ""Name"": ""recentPhishingSiteDetected"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Recently Detected Malware Distribution"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Dec 28, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-12-28T00:00:00.000Z"", ""Name"": ""recentMalwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"http://coollab.jp/dir/root/p/09908.js","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813"", ""Sources"": [""gBDK5G"", ""idn:microsoft.com"", ""idn:sociabble.com"", ""KBTQ2e"", ""dCotni"", ""g9rk5F"", ""Z7kln5"", ""idn:cda.ms"", ""idn:thewindowsupdate.com""], ""Timestamp"": ""2021-08-13T17:03:19.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Distribution"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Aug 13, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-08-13T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. 
Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-08-12T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}" -"https://blog.br0vvnn.io","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539"", ""Sources"": [""Gzt"", ""idn:eccouncil.org"", ""idn:frsecure.com"", ""J-8-Nr"", ""Jv_xrR"", ""g9rk5F"", ""cUg0pv"", ""K5LKj8"", ""fVAueu""], ""Timestamp"": ""2021-01-27T05:14:38.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Phishing Techniques"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-05-30T00:00:00.000Z"", ""Name"": ""phishingSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-01-25T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}" 
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log-expected.json
deleted file mode 100644
index df135ded0e3..00000000000
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/rf_url_default.csv.log-expected.json
+++ /dev/null
@@ -1,651 +0,0 @@ -[ - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 87.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 45, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" - ], - "Timestamp": "2021-07-20T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. 
Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-07-10T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "144.34.179.162", - "threat.indicator.url.original": "http://144.34.179.162/a", - "threat.indicator.url.path": "/a", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 85.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 1565, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Nov 14, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-11-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Nov 14, 2021.", - "MitigationString": "", - "Name": "phishingSiteDetected", - "Rule": "Historically Detected Phishing Techniques", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-11-14T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "41 sightings on 19 sources including: Stock market news Company News MarketScreenercom, GlobeNewswire | Software, Yahoo!, globenewswirecom, otcdynamics.com. Most recent link (Oct 3, 2021): https://telecomkh.info/?p=4004", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "XBl0xf", - "c2unu0", - "DVW", - "NPgRlV", - "idn:otcdynamics.com", - "idn:norteenlinea.com", - "N4OmGX", - "idn:snewsonline.com", - "idn:nationalcybersecuritynews.today", - "dCod5e", - "hZ14Az", - "idn:securityopenlab.it", - "idn:clevertechmx.blogspot.com", - "cJzvLR", - "eNeV39", - "dCotni", - "dCo6X1", - "jB6Hnn", - "idn:telecomkh.info" - ], - "Timestamp": "2021-10-03T12:53:49.605Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: No-IP. Behavior observed: Malware Distribution, Phishing Techniques. 
Last observed on Dec 20, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T07:08:29.105Z" - } - ], - "recordedfuture.risk_string": "4/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "adminsys.serveftp.com", - "threat.indicator.url.original": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623", - "threat.indicator.url.path": "/nensa/fabio/ex/478632215/zer7855/nuns566623", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 79.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 3798, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "17 sightings on 14 sources including: Security Affairs, sensorstechforum.com, Heimdal Security Blog, securitynewspaper, BBS Kafan Card Forum. 
Most recent link (Dec 22, 2021): https://d335luupugsy2.cloudfront.net/cms%2Ffiles%2F183750%2F1640120040Log4j_-_Explorao_por_grupos_APT.pdf", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "JNe6Hu", - "TQnwKJ", - "OfMf0W", - "TefIEN", - "VyuDZP", - "Z7kln5", - "bd-Dtt", - "kKLjNc", - "Y7TWfI", - "idn:redpacketsecurity.com", - "idn:eccouncil.org", - "idn:comparaland.com", - "idn:d335luupugsy2.cloudfront.net", - "KVRURg" - ], - "Timestamp": "2021-12-22T16:01:42.134Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Khonsari Ransomware and Orcus RAT Exploit Log4Shell (CVE-2021-44228), Samples Uploaded on MalwareBazaar. Most recent link (Dec 17, 2021): https://app.recordedfuture.com/live/sc/4SWiMAS816Gj", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-12-17T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "3.145.115.94", - "threat.indicator.url.extension": "exe", - "threat.indicator.url.original": "http://3.145.115.94/zambo/groenhuyzen.exe", - "threat.indicator.url.path": "/zambo/groenhuyzen.exe", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 79.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 5158, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": 
"Unusual", - "EvidenceString": "53 sightings on 14 sources including: HackDig Posts, Anquanke News, mrhacker.co, Sesin at, Check Point Research. Most recent link (Feb 6, 2021): https://cdn.www.gob.pe/uploads/document/file/1580907/Alerta%20integrada%20de%20seguridad%20digital%20N%C2%B0%xxx-xx-xxxx-PECERT%20.pdf", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "POs2u-", - "U13S_U", - "idn:mrhacker.co", - "Z3TZAQ", - "N4OmGX", - "UqKvRr", - "gBDK5G", - "JExgHv", - "QxXv_c", - "J6UzbO", - "eTNyK6", - "idn:privacy.com.sg", - "e6Ewt_", - "idn:reportcybercrime.com" - ], - "Timestamp": "2021-02-06T12:52:09.042Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentMalwareSiteDetected", - "Rule": "Recently Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "2/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "gxbrowser.net", - "threat.indicator.url.original": "http://gxbrowser.net", - "threat.indicator.url.path": "", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 78.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 6382, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "2 
sightings on 1 source: Insikt Group. 2 reports including \"Fractured Block\u201d Campaign Targets Korean Users. Most recent link (Dec 09, 2018): https://app.recordedfuture.com/live/sc/1RuTxKrDf8Qt", - "MitigationString": "", - "Name": "relatedNote", - "Rule": "Historically Referenced by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2018-12-09T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "33 sightings on 12 sources including: Palo Alto Networks, tistory.com, HackDig Posts, Anquanke News, airmagnet.technology. Most recent tweet: Continued MR.Dropper's attack. (Targething korean cryptocurrency exchange) #hcapital #ioc MD5 : eb459b47be479b61375d7b3c7c568425 URL : hxxps://881[.]000webhostapp[.]com/1.txt PDB : D:\\Attack\\DropperBuild\\x64\\Release\\Dropper.pdb https://t.co/FpsinliQqx [Beyond The Binary]. Most recent link (Sep 3, 2018): https://twitter.com/wugeej/statuses/1036413512732426240", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "JwO7jp", - "idn:tistory.com", - "POs2u-", - "U13S_U", - "ThoB0I", - "idn:airmagnet.technology", - "LErKlN", - "WuLz1r", - "KdwTwF", - "VfsacJ", - "jjf3_B", - "idn:brica.de" - ], - "Timestamp": "2018-09-03T00:40:11.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: 000Webhost. Behavior observed: Malware Distribution. 
Last observed on Oct 16, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T07:07:42.477Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "881.000webhostapp.com", - "threat.indicator.url.extension": "txt", - "threat.indicator.url.original": "https://881.000webhostapp.com/1.txt", - "threat.indicator.url.path": "/1.txt", - "threat.indicator.url.scheme": "https" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 78.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 8308, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jun 15, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-06-15T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "38 sightings on 7 sources including: cybersecdn.com, WeLiveSecurity Spain, deepcheck.one, hackeridiot.com, PasteBin. 
Most recent link (May 27, 2021): https://cybersecdn.com/index.php/2021/05/27/janeleiro-the-time-traveler-a-new-old-banking-trojan-in-brazil/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "idn:cybersecdn.com", - "fWD1r9", - "idn:deepcheck.one", - "idn:hackeridiot.com", - "Jv_xrR", - "ONMgMx", - "idn:nationalcybersecuritynews.today" - ], - "Timestamp": "2021-05-27T22:48:00.256Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: DuckDNS. Behavior observed: Malware Distribution. Last observed on Oct 15, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-29T06:34:00.698Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: New Janeleiro Banking Trojan Targets Corporate Users in Brazil. 
Most recent link (Apr 06, 2021): https://app.recordedfuture.com/live/sc/4wolQHrxLiwd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-04-06T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "4/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "comunicador.duckdns.org", - "threat.indicator.url.extension": "php", - "threat.indicator.url.original": "http://comunicador.duckdns.org/catalista/lixo/index.php", - "threat.indicator.url.path": "/catalista/lixo/index.php", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 10393, - "recordedfuture.evidence_details": [ - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: Afraid.org. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentWeaponizedURL", - "Rule": "Recently Active URL on Weaponized Domain", - "Sources": [ - "report:aRJ1CU" - ], - "Timestamp": "2021-12-28T22:15:49.631Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentMalwareSiteDetected", - "Rule": "Recently Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "2 sightings on 2 sources: Bitdefender, Urlscan.io. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021.", - "MitigationString": "", - "Name": "recentPhishingSiteDetected", - "Rule": "Recently Detected Phishing Techniques", - "Sources": [ - "d3Awkm", - "eKv4Jm" - ], - "Timestamp": "2021-12-28T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "www.jeanninecatddns.chickenkiller.com", - "threat.indicator.url.original": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow", - "threat.indicator.url.path": "/signin-authflow", - "threat.indicator.url.scheme": "https" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 11834, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Aug 13, 2021.", - "MitigationString": "", - "Name": "malwareSiteDetected", - "Rule": "Historically Detected Malware Distribution", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-08-13T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "gBDK5G", - "idn:microsoft.com", - "idn:sociabble.com", - "KBTQ2e", - "dCotni", - "g9rk5F", - "Z7kln5", - "idn:cda.ms", - "idn:thewindowsupdate.com" - ], - "Timestamp": "2021-08-13T17:03:19.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. 
Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-08-12T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "coollab.jp", - "threat.indicator.url.extension": "js", - "threat.indicator.url.original": "http://coollab.jp/dir/root/p/09908.js", - "threat.indicator.url.path": "/dir/root/p/09908.js", - "threat.indicator.url.scheme": "http" - }, - { - "event.category": "threat", - "event.dataset": "threatintel.recordedfuture", - "event.kind": "enrichment", - "event.module": "threatintel", - "event.risk_score": 75.0, - "event.type": "indicator", - "fileset.name": "recordedfuture", - "input.type": "log", - "log.offset": 13621, - "recordedfuture.evidence_details": [ - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021.", - "MitigationString": "", - "Name": "phishingSiteDetected", - "Rule": "Historically Detected Phishing Techniques", - "Sources": [ - "d3Awkm" - ], - "Timestamp": "2021-05-30T00:00:00.000Z" - }, - { - "Criticality": 1.0, - "CriticalityLabel": "Unusual", - "EvidenceString": "23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. 
Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Gzt", - "idn:eccouncil.org", - "idn:frsecure.com", - "J-8-Nr", - "Jv_xrR", - "g9rk5F", - "cUg0pv", - "K5LKj8", - "fVAueu" - ], - "Timestamp": "2021-01-27T05:14:38.000Z" - }, - { - "Criticality": 3.0, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-01-25T00:00:00.000Z" - } - ], - "recordedfuture.risk_string": "3/24", - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", - "threat.feed.name": "[Filebeat] RecordedFuture", - "threat.indicator.type": "url", - "threat.indicator.url.domain": "blog.br0vvnn.io", - "threat.indicator.url.original": "https://blog.br0vvnn.io", - "threat.indicator.url.path": "", - "threat.indicator.url.scheme": "https" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index dbb88d5d1f6..717de295f33 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled 
@@ -141,32 +141,6 @@
 # var.ssl_certificate: path/to/server_ssl_cert.pem
 # var.ssl_key: path/to/ssl_key.pem
- recordedfuture:
- enabled: false
-
- # Input used for ingesting threat intel data
- var.input: httpjson
-
- # Set your API Token.
- var.api_token: ""
-
- # The interval to poll the API for updates
- var.interval: 1h
-
- # The kind of entity to fetch. One of domain, hash, ip or url.
- var.entity: domain
-
- # The list to fetch. See the Recorded Future API Explorer for
- # valid lists for each kind of entity.
- var.list: default
-
- # Uncomment to use a different API endpoint.
- # The API endpoint used for Recorded Future API calls.
- # var.endpoint: "https://api.recordedfuture.com/v2"
-
- # Uncomment to fetch a custom CSV file via URL. Useful for custom Fusion Files.
- # var.custom_url: "https://api.recordedfuture.com/v2/fusion/files/?path=%2Fhome"
-
 threatq:
 enabled: false