/detections

This repository contains all public indicators identified by 401trg during the course of our investigations. It also includes relevant yara rules and ids signatures to detect these indicators.

Primary LanguagePythonOtherNOASSERTION

Detections

This repository contains all public indicators identified by 401trg during the course of our investigations. It also includes relevant yara rules and IDS signatures to detect these indicators.

Our public PGP Key can be found here.

Reports

Published Post IOC : IDS : PCAP : PDF
May 03, 2018 Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers 20180503_Burning_Umbrella_Area_1_indicators.csv
20180503_Burning_Umbrella_Area_2_indicators.csv
20180503_Burning_Umbrella_Area_3_indicators.csv
20180503_Burning_Umbrella_Area_5_indicators.csv
20180503_Burning_Umbrella_Area_6_indicators.csv
20180503_Burning_Umbrella_Area_7_indicators.csv
20180503_Burning_Umbrella_Area_8_indicators.csv
20180503_Burning_Umbrella.pdf
Apr 02, 2018 Building a Data Lake for Threat Research
Feb 22, 2018 Analysis of Active Satori Botnet Infections 20180222_Analysis_of_Active_Satori_Botnet_Infections_indicators
20180222_Analysis_of_Active_Satori_Botnet_Infections__ids
Dec 20, 2017 An Introduction to SMB for Network Security Analysts 20171220_Introduction_to_SMB_pcaps
20171220_Introduction_to_SMB_pdf
Nov 28, 2017 Triaging Large Packet Captures - Methods for Extracting & Analyzing Domains
Nov 14, 2017 Using Emerging Threats Suricata Ruleset to Scan PCAP
Nov 01, 2017 Exposing a Phishing Kit 20171101_ExposingPhishing_indicators
20171101_ExposingPhishing_ids
Oct 26, 2017 Large Scale IRCbot Infection Attempts 20171026_LargeScaleIRC_indicators
20171026_LargeScaleIRC_ids
Oct 16, 2017 An Update on Winnti 20171016_UpdateWinnti_indicators
20171016_UpdateWinnti_ids
Oct 10, 2017 Turla Watering Hole Campaigns 2016/2017 20171010_TurlaWateringHole_indicators
20171010_TurlaWateringHole_ids
Oct 02, 2017 Identifying and Triaging DNS Traffic on Your Network
Sept 28, 2017 Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation
Jul 11, 2017 Winnti (LEAD/APT17) Evolution - Going Open Source 20170711_WinntiEvolution_indicators

IDS

This directory contains IDS signatures to detect the indicators located in the IOC directory. These signatures are compatible with Suricata v4.0.4.

IOC

This directory contains IOCs from posts at 401trg.com. The csv files follow the unified format described below. These indicators are not defanged and should be considered malicious.

PCAPS

This directory contains example pcaps from "knowledge" posts at 401trg.com.

PDF

This directory contains PDFs of 401TRG long-form posts.

Unified Format

All IOC files are in CSV and have the following format: Indicator,Type,Description,Reference

There are several types of indicators:

  • COOKIE
  • CERT SHA1
  • CODE SIGN CERT SERIAL
  • DOMAIN
  • EMAIL
  • FILE MD5
  • IP
  • PHONE
  • URL

Example:

Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist

The description field is left blank when there is no context to add to the indicator. The reference field will contain a link to the 401TRG post that disclosed the indicator.

License

All data is provided under Apache License, Version 2.0 which can be found here.