Overview
Behavioral tasks
- behavioral1 | Sample: AA21-321A-Iranian Government-Sponsored APT Actors Exploiting Vulnerabilities_1.pdf | Resource: win7-20220812-en
- behavioral2 | Sample: AA21-321A-Iranian Government-Sponsored APT Actors Exploiting Vulnerabilities_1.pdf | Resource: win10v2004-20220812-en
- behavioral3 | Sample: APT35 Automates Initial Access Using ProxyShell.pdf | Resource: win7-20220901-en
- behavioral4 | Sample: APT35 Automates Initial Access Using ProxyShell.pdf | Resource: win10v2004-20220812-en
- behavioral5 | Sample: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research.pdf | Resource: win7-20220812-en
- behavioral6 | Sample: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research.pdf | Resource: win10v2004-20220901-en
- behavioral7 | Sample: COBALT MIRAGE conducts ransomware operations in U.S. _ Secureworks.pdf | Resource: win7-20220812-en
- behavioral8 | Sample: COBALT MIRAGE conducts ransomware operations in U.S. _ Secureworks.pdf | Resource: win10v2004-20220812-en
- behavioral9 | Sample: Cobalt Mirage Ransomware Group Steps Up Its Game in 2022 - ATTACK Simulator.pdf | Resource: win7-20220812-en
- behavioral10 | Sample: Cobalt Mirage Ransomware Group Steps Up Its Game in 2022 - ATTACK Simulator.pdf | Resource: win10v2004-20220901-en
- behavioral11 | Sample: Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 - Microsoft Security Blog.pdf | Resource: win7-20220812-en
- behavioral12 | Sample: Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 - Microsoft Security Blog.pdf | Resource: win10v2004-20220812-en
- behavioral13 | Sample: Exchange Exploit Leads to Domain Wide Ransomware.pdf | Resource: win7-20220812-en
- behavioral14 | Sample: Exchange Exploit Leads to Domain Wide Ransomware.pdf | Resource: win10v2004-20220901-en
- behavioral15 | Sample: Iranian APT Group Phosphorus Targets Medical Researchers _ Decipher.pdf | Resource: win7-20220812-en
- behavioral16 | Sample: Iranian APT Group Phosphorus Targets Medical Researchers _ Decipher.pdf | Resource: win10v2004-20220812-en
- behavioral17 | Sample: Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks.pdf | Resource: win7-20220901-en
- behavioral18 | Sample: Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks.pdf | Resource: win10v2004-20220812-en
- behavioral19 | Sample: Log4j2 In The Wild _ Iranian-Aligned Threat Actor _TunnelVision_ Actively Exploiting VMware Horizon - SentinelOne.pdf | Resource: win7-20220812-en
- behavioral20 | Sample: Log4j2 In The Wild _ Iranian-Aligned Threat Actor _TunnelVision_ Actively Exploiting VMware Horizon - SentinelOne.pdf | Resource: win10v2004-20220812-en
- behavioral21 | Sample: PowerLess Trojan_ Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage.pdf | Resource: win7-20220812-en
- behavioral22 | Sample: PowerLess Trojan_ Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage.pdf | Resource: win10v2004-20220812-en
General
- Target: f0805f6040978ce819a0262c6cdc5d7284d673f2934d95f2442e49d94062b96c.zip
- Size: 14.8MB
- MD5: df2892a87294fc3fe4c59dd8d0b8d493
- SHA1: e5877cbcfac0629dab29d785d6b09aa1670f552e
- SHA256: f0805f6040978ce819a0262c6cdc5d7284d673f2934d95f2442e49d94062b96c
- SHA512: b9ee1377b20ce6f00505740a3acd7532c9f22b7f8d00f36a9c1f0da2b479a2c25935ad537aac69bd8e217255e4683baa11b59e8f3335fd08ce086fbe1568670b
- SSDEEP: 393216:1f95eY4G3xL8LtwEk0RwJpuU/2wnkd894DuPgonZRCVIV+8WSdnQOz96P:1VwGhmlQpuU/3+RyPguZRoIVLQS6P
Malware Config
Signatures
Files
- f0805f6040978ce819a0262c6cdc5d7284d673f2934d95f2442e49d94062b96c.zip.zip
  - AA21-321A-Iranian Government-Sponsored APT Actors Exploiting Vulnerabilities_1.pdf.pdf
    - https://attack.mitre.org/versions/v10/tactics/TA0002
    - https://www.ic3.gov/media/news/2021/210402.pdf
    - https://attack.mitre.org/versions/v10/techniques/T1560/001
    - https://attack.mitre.org/versions/v10/tactics/TA0004
    - http://cve.mitre.org/cgi-bin/cvename.cgi
    - https://attack.mitre.org/versions/v10/tactics/TA0010/
    - https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf
    - https://attack.mitre.org/versions/v10/tactics/TA0003
    - https://attack.mitre.org/versions/v10/techniques/T1486
    - https://rewardsforjustice.net/english
    - https://attack.mitre.org/versions/v10/tactics/TA0040
    - https://attack.mitre.org/versions/v10/techniques/T1053/005
    - https://edit.us-cert.gov/sites/default/files/publications/AA21-321A.stix.xml
    - https://www.ic3.gov/media/news/2021/210527.pdf
    - https://attack.mitre.org/versions/v10/tactics/TA0010
    - https://attack.mitre.org/versions/v10/techniques/enterprise/
    - https://attack.mitre.org/versions/v10/tactics/TA0042
    - https://www.us-cert.cisa.gov/iran
    - https://attack.mitre.org/versions/v10/tactics/TA0006
    - https://attack.mitre.org/versions/v10/software/S0002/
    - https://attack.mitre.org/versions/v10/techniques/T1136/001
    - https://attack.mitre.org/versions/v10/tactics/TA0009
    - https://attack.mitre.org/versions/v10/techniques/T1136/002
    - https://attack.mitre.org/versions/v10/techniques/T1588/001
    - https://attack.mitre.org/versions/v10/tactics/TA0001/
    - https://attack.mitre.org/versions/v10/techniques/T1190/
    - https://attack.mitre.org/versions/v10/techniques/T1588/002
    - https://www.cisa.gov/cyber-hygiene-services
    - https://us-cert.cisa.gov/sites/default/files/publications/AA21-321A.stix.xml
    - https://www.cyber.gov.au/
    - https://www.cisa.gov/stopransomware/?name=CVE-2021-34473
    - https://www.us-cert.cisa.gov/iran?name=CVE-2021-34473
    - https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf?name=CVE-2019-5591
    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812
    - https://attack.mitre.org/versions/v10/techniques/T1560/001?name=CVE-2018-13379
    - https://us-cert.gov/sites/default/files/publications/AA21-321A.stix.xml
    - https://us-cert.cisa.gov/ncas/tips/ST04-002
    - https://us-cert.cisa.gov/ncas/tips/ST05-012
    - https://www.fbi.gov/contact-us/field-offices
    - https://usdhs.sharepoint.com/teams/PublicationsTeam/Shared%20Documents/TEST--%20Product%20Tracker/JCSA_Iranian%20Government-Sponsored%20APT%20Cyber%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities/cisa.gov/tlp
    - http://us-cert.cisa.gov/Iran.
    - http://StopRansomware.gov
    - http://cyber.gov.au
    - http://frp_0.34.3_windows_amd64.zip
    - http://frp_0.33.0_windows_amd64.zip
  - APT35 Automates Initial Access Using ProxyShell.pdf.pdf
    - https://thedfirreport.com/category/apt35/
    - https://thedfirreport.com/category/exploit/
    - https://thedfirreport.com/category/fast-reverse-proxy/
    - https://thedfirreport.com/category/proxyshell/
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
    - https://attack.mitre.org/groups/G0059/
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
    - https://github.com/fatedier/frp
    - https://thedfirreport.com/
    - https://thedfirreport.com/services/
    - https://www.patreon.com/thedfirreport
    - https://twitter.com/samaritan_o
    - https://twitter.com/Kostastsale
    - https://twitter.com/svch0st
    - https://twitter.com/RoxpinTeddy
    - https://www.mandiant.com/resources/greater-visibilityt
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-02.png
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-03.png
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-04.png
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-05.png
    - https://www.virustotal.com/gui/file/1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e/community
    - https://valhalla.nextron-systems.com/info/rule/HKTL_PUA_FRP_FastReverseProxy_Oct21_1
    - https://valhalla.nextron-systems.com/info/rule/APT_MAL_Go_FRP_CharmingKitten_Jan22_1
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.png
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.5.png
    - https://lolbas-project.github.io/lolbas/Libraries/comsvcs/
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-07.png
    - https://thedfirreport.com/wp-content/uploads/2022/03/9893-09.png
    - https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/exchange_webshell_creation
    - https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/defaultaccount_usage
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
    - https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
    - https://github.com/SigmaHQ/sigma/blob/777d218adc789b7f1b146701793e78799324d87d/rules/windows/process_creation/win_susp_net_execution.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_net_user_add.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_fw_add.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
    - https://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powershell.yml
    - https://github.com/SigmaHQ/sigma/blob/682e0458a336c3a6e93b18f7e972e1d67ef01598/rules/windows/process_creation/win_powershell_defender_exclusion.yml
    - https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
    - https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_multiple_suspicious_cli.yml
    - https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_service_execution.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_webshell_spawn.yml
    - https://github.com/SigmaHQ/sigma/blob/6f5271275e9ac22be9ded8b9252bce064e524153/rules/windows/process_creation/win_susp_powershell_parent_process.yml
    - https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
    - https://github.com/SigmaHQ/sigma/blob/503df469687fe4d14d2119a95723485d079ec0d9/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
    - https://github.com/SigmaHQ/sigma/blob/1cfca93354d25e458db40f8d48403602b46bbf03/rules/windows/process_creation/win_webshell_detection.yml
    - https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml
    - https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_disabled.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_shell_spawn_susp_program.yml
    - https://github.com/SigmaHQ/sigma/blob/98d7380a40d503ffd225420f7318b79d9f5097b8/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
    - https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/file_event/sysmon_webshell_creation_detect.yml
  - APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research.pdf.pdf
    - https://web.archive.org/web/20211210111026/github.com/feihong-cs/JNDIExploit
    - https://research.checkpoint.com/2021/the-laconic-log4shell-faq/
    - https://research.checkpoint.com/?attachment_id=25735
    - https://www.youtube.com/watch?v=nilzxS9rxEM
    - https://blog.google/threat-analysis-group/countering-threats-iran/
    - https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection
    - https://otx.alienvault.com/pulse/5f2a8a6e42fa8609e26f3cff/related
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
    - https://www.checkpoint.com/infinity-vision/
  - COBALT MIRAGE conducts ransomware operations in U.S. _ Secureworks.pdf.pdf
    - https://www.secureworks.com/blog
    - https://twitter.com/intent/tweet?url=https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us&text=COBALT%20MIRAGE%20Conducts%20Ransomware%20Operations%20in%20U.S.&via=Secureworks
    - https://www.linkedin.com/shareArticle?mini=true&url=https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us&source=Secureworks
    - https://www.facebook.com/sharer/sharer.php?u=https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
    - https://www.secureworks.com/research/threat-profiles/cobalt-mirage
    - https://www.secureworks.com/research/threat-profiles/cobalt-illusion
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
    - https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
    - https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10
    - https://diskcryptor.org/
    - https://www.secureworks.com/products
    - https://www.secureworks.com/services
    - https://www.secureworks.com/about/why-secureworks
    - https://www.secureworks.com/about/partners
    - https://www.secureworks.com/resources
    - https://www.secureworks.com/about
    - https://www.secureworks.com/products/taegis/try-taegis
    - https://www.secureworks.com/
    - https://www.secureworks.com/contact/emergency-response
    - https://www.secureworks.com/contact
    - https://www.secureworks.com/about/events
    - https://www.secureworks.com/customer-support
    - https://portal.secureworks.com/portal/loginIDP
    - https://nvd.nist.gov/vuln/detail/CVE-2018-13379
    - https://nvd.nist.gov/vuln/detail/CVE-2020-12812
    - https://nvd.nist.gov/vuln/detail/CVE-2019-5591
    - https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34473
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34523
    - https://nvd.nist.gov/vuln/detail/CVE-2021-31207
    - https://www.cisa.gov/uscert/ncas/alerts/aa21-321a
    - https://docs.python-requests.org/en/latest/
    - https://github.com/fatedier/frp
    - https://www.secureworks.com/blog/log4j-vulnerability-faqs
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://www.secureworks.com/about/press/secureworks-hands-on-keyboard-detector-identifies-malicious-threat-actors
    - https://www.bleepingcomputer.com/news/security/blackshadow-hackers-breach-israeli-hosting-firm-and-extort-customers/
    - https://www.secureworks.com/blog/log4shell-easy-to-launch-the-attack-but-hard-to-stick-the-landing
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45046
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
    - https://www.secureworks.com/research/threat-profiles/cobalt-foxglove
    - https://www.virustotal.com/gui/file/014e73d083df4a5816bd838d03a1b38e1438914154fe0bb7d988d05df0407b84/relations
    - https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
    - https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear
    - https://www.secureworks.com/research/ransomware-evolution
    - https://www.secureworks.com/resources/wc-ransomware-trends-the-evolution-of-threat
    - https://www.secureworks.com/resources/rp-ransomware-defense-survey-2017
    - https://www.secureworks.com/resources/vd-a-deeper-look-into-how-xdr-powers-rapid-attack-detection-and-response
    - https://www.secureworks.com/resources/wp-rfp-template
    - http://www.linkedin.com/company/secureworks
    - https://twitter.com/secureworks
    - https://www.facebook.com/secureworks
    - https://github.com/secureworks
    - https://www.secureworks.com/careers
    - https://www.secureworks.com/rss-feed
    - https://pages.secureworks.com/email-subscription.html
    - https://www.secureworks.com/sitemap
    - https://www.secureworks.com/privacy-policy
    - https://content.secureworks.com/-/media/Files/Corporate/modernslaverystatement_22_v2.ashx?la=en&modified=20220621140318&hash=3BAB8B573B52F601CBC3AA9A121F649E
    - https://www.secureworks.com/terms-conditions
    - https://www.secureworks.com/accessibility-statement
    - https://www.delltechnologies.com/
    - https://pages.secureworks.com/UnsubscribePage.html?mkt_unsubscribe=1
  - Cobalt Mirage Ransomware Group Steps Up Its Game in 2022 - ATTACK Simulator.pdf.pdf
    - https://attacksimulator.com/blog/ransomware-6-essential-aspects/
    - https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
    - https://attacksimulator.com/blog/patch-these-5-vulnerabilities-now/
    - https://attacksimulator.com/blog/proxy-token-vulnerability-email/
    - https://attacksimulator.com/cybersecurity-awareness-training-plans/
    - https://attacksimulator.com/get-a-quote/
    - https://www.zdnet.com/article/these-ransomware-attackers-sent-their-ransom-note-to-the-victims-printer/
    - https://www.securitymagazine.com/articles/97620-cobalt-mirage-conducts-ransomware-operations-in-us
  - Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 - Microsoft Security Blog.pdf.pdf
    - https://www.microsoft.com/
    - https://www.cyberwarcon.com/
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
    - https://www.fortiguard.com/psirt/FG-IR-18-384
    - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
    - https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
    - https://github.com/0xZDH/o365spray
  - Exchange Exploit Leads to Domain Wide Ransomware.pdf.pdf
    - https://thedfirreport.com/category/apt35/
    - https://thedfirreport.com/category/exploit/
    - https://thedfirreport.com/category/fast-reverse-proxy/
    - https://thedfirreport.com/category/plink/
    - https://thedfirreport.com/category/proxyshell/
    - https://thedfirreport.com/category/ransomware/
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
    - https://attack.mitre.org/groups/G0059/
    - https://github.com/fatedier/frp
    - https://github.com/DavidXanatos/DiskCryptor
    - https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell
    - https://www.ncsc.gov.ie/pdfs/MS_Proxyshell_060921.pdf
    - https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers
    - https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
    - https://thedfirreport.com/
    - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
    - https://thedfirreport.com/services/
    - https://www.patreon.com/thedfirreport
    - https://twitter.com/0xtornado
    - https://twitter.com/v3t0_
    - https://twitter.com/samaritan_o
    - https://twitter.com/svch0st
    - https://twitter.com/orange_8361
    - https://thedfirreport.com/wp-content/uploads/2021/11/5d0eb2f1c8944faf7dfe1063e8abbccc58f38382fea4ecaa01b8e581c76d858b.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/39a3f7cd78ddbeac5e672df04999be461a14ebd7dc5d1726b1e037049849811d.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/2d8fc60bb1f37a14e73f36bcacbc57784c6d816eab4c2f2542c963160279adff.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/4f00effd2d326db8f55c27006aad80ffaf4d25cdda059cc397d9d7ae1538631f.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/698c2ba5d0d4708b5d47fc8d7c5cddde918d526e5a06fc913f120d0a15d635d8.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/875114a0effd7f5fcd1ed099bea36dfef07ddb1060d65dc21446ebfff8cbc4d8.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/88e1bbfafc42458aa8a27efeb95530d5282ceb0af2170db607d20bbf63484b7b.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/06cd805e9bdccced882075d49cfc8e6a51282897d54961934769e47c7515e417.png
    - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#defaultaccount
    - https://car.mitre.org/analytics/CAR-2019-08-001/
    - https://thedfirreport.com/wp-content/uploads/2021/11/91263d06cdcad9625480f8e871da2278d2c4c5c9ca099ca3cc352d07c75676f1.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/b556b01c17c3d37d842bf28069b803b158c7662c1f1ae283804c70b53fbf5f41.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/b96c195d6f4439fa8c7856645e7f9f09f125d19354574f505970a66616f284f6.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/a05c10b5fd69f6339dc74ae3d4c0aa6d829bb0b1b55e31747e50e9985b5b0995.png
    - https://www.virustotal.com/gui/ip-address/148.251.71.182/relations
    - https://thedfirreport.com/wp-content/uploads/2021/11/361b17b00609f43da0447cf3ea3d08098556075e4a0a8d9710a01bb31f3ae9e8.png
    - https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
    - https://thedfirreport.com/wp-content/uploads/2021/11/BitLocker-and-DiskCryptor-Ransom-Execution.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/6898-1.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/6898-2.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/2c43c4d94e2b7375ec689e5963cd8ca6612ff15fa7b81f3cae6c77c18a94ac44.png
    - https://github.com/DavidXanatos/DiskCryptor/releases/tag/v1.2.3
    - https://en.wikipedia.org/wiki/BitLocker
    - https://thedfirreport.com/wp-content/uploads/2021/11/6898-7.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/6898-5.png
    - https://thedfirreport.com/wp-content/uploads/2021/11/6898ransom.png
    - https://github.com/SigmaHQ/sigma/blob/59000b993d6280d9bf063eefdcdf30ea0e83aa5e/rules/windows/process_creation/win_susp_schtask_creation.yml
    - https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_webshell_detection.yml
    - https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_system_exe_anomaly.yml
    - https://github.com/SigmaHQ/sigma/blob/a936f1afb78f14c3ecabc689bd283f58df21f328/rules/windows/file_event/sysmon_creation_system_file.yml
    - https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
    - https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml
    - https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_impacket_lateralization.yml
    - https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
  - Iranian APT Group Phosphorus Targets Medical Researchers _ Decipher.pdf.pdf
    - https://duo.com/decipher/article_author/dfisher
    - https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
    - https://duo.com/decipher
    - https://duo.com/decipher/microsoft-s-got-99-domains-used-to-phish-someone
    - https://duo.com/decipher/microsoft-identifies-targeted-attacks-on-presidential-campaign-government-officials
  - Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks.pdf.pdf
  - Log4j2 In The Wild _ Iranian-Aligned Threat Actor _TunnelVision_ Actively Exploiting VMware Horizon - SentinelOne.pdf.pdf
  - PowerLess Trojan_ Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage.pdf.pdf