
Detections

This repository contains all public indicators identified by 401trg during the course of our investigations. It also includes relevant YARA rules and IDS signatures to detect these indicators.


Our public PGP Key can be found here.

Reports

| Published | Post | IOC : IDS : PCAP : PDF |
|---|---|---|
| May 03, 2018 | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers | 20180503_Burning_Umbrella_Area_1_indicators.csv <br> 20180503_Burning_Umbrella_Area_2_indicators.csv <br> 20180503_Burning_Umbrella_Area_3_indicators.csv <br> 20180503_Burning_Umbrella_Area_5_indicators.csv <br> 20180503_Burning_Umbrella_Area_6_indicators.csv <br> 20180503_Burning_Umbrella_Area_7_indicators.csv <br> 20180503_Burning_Umbrella_Area_8_indicators.csv <br> 20180503_Burning_Umbrella.pdf |
| Apr 02, 2018 | Building a Data Lake for Threat Research | |
| Feb 22, 2018 | Analysis of Active Satori Botnet Infections | 20180222_Analysis_of_Active_Satori_Botnet_Infections_indicators <br> 20180222_Analysis_of_Active_Satori_Botnet_Infections__ids |
| Dec 20, 2017 | An Introduction to SMB for Network Security Analysts | 20171220_Introduction_to_SMB_pcaps <br> 20171220_Introduction_to_SMB_pdf |
| Nov 28, 2017 | Triaging Large Packet Captures - Methods for Extracting & Analyzing Domains | |
| Nov 14, 2017 | Using Emerging Threats Suricata Ruleset to Scan PCAP | |
| Nov 01, 2017 | Exposing a Phishing Kit | 20171101_ExposingPhishing_indicators <br> 20171101_ExposingPhishing_ids |
| Oct 26, 2017 | Large Scale IRCbot Infection Attempts | 20171026_LargeScaleIRC_indicators <br> 20171026_LargeScaleIRC_ids |
| Oct 16, 2017 | An Update on Winnti | 20171016_UpdateWinnti_indicators <br> 20171016_UpdateWinnti_ids |
| Oct 10, 2017 | Turla Watering Hole Campaigns 2016/2017 | 20171010_TurlaWateringHole_indicators <br> 20171010_TurlaWateringHole_ids |
| Oct 02, 2017 | Identifying and Triaging DNS Traffic on Your Network | |
| Sept 28, 2017 | Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation | |
| Jul 11, 2017 | Winnti (LEAD/APT17) Evolution - Going Open Source | 20170711_WinntiEvolution_indicators |

IDS

This directory contains IDS signatures to detect the indicators located in the IOC directory. These signatures are compatible with Suricata v4.0.4.

IOC

This directory contains IOCs from posts at 401trg.com. The CSV files follow the unified format described below. These indicators are not defanged and should be considered malicious.

PCAPS

This directory contains example pcaps from "knowledge" posts at 401trg.com.

PDF

This directory contains PDFs of 401TRG long-form posts.

Unified Format

All IOC files are in CSV and have the following format:

`Indicator,Type,Description,Reference`

There are several types of indicators:

  • COOKIE
  • CERT SHA1
  • CODE SIGN CERT SERIAL
  • DOMAIN
  • EMAIL
  • FILE MD5
  • IP
  • PHONE
  • URL

Example:

```csv
Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist
```

The description field is left blank when there is no context to add to the indicator. The reference field will contain a link to the 401TRG post that disclosed the indicator.
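As an added example that is not part of the 401trg repository, the following Python loader reads files in the unified format above: it checks that the header matches, rejects rows whose Type is not one of the listed kinds (with light syntactic checks for hash and IP types), and matches the DOMAIN indicators against DNS query log lines. The log line layout, the helper names and every sample row other than the README's own are assumptions made for the example.

```python
import csv
import ipaddress
import re

# Indicator types and column order come from the README's "Unified Format" section.
IOC_TYPES = {"COOKIE", "CERT SHA1", "CODE SIGN CERT SERIAL", "DOMAIN", "EMAIL",
             "FILE MD5", "IP", "PHONE", "URL"}
COLUMNS = ["Indicator", "Type", "Description", "Reference"]
HEX_LEN = {"FILE MD5": 32, "CERT SHA1": 40}  # expected digest lengths in hex characters

def check_indicator(value, ioc_type):
    """Return None if the indicator is well-formed for its type, else the reason it is not."""
    if ioc_type not in IOC_TYPES:
        return f"unknown type {ioc_type!r}"
    if ioc_type in HEX_LEN and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[ioc_type], value):
        return f"{ioc_type} must be {HEX_LEN[ioc_type]} hex characters"
    if ioc_type == "IP":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not a valid IP address"
    return None

def load_iocs(text):
    """Parse unified-format CSV into ({type: {indicator: reference}}, [(line, problem)])."""
    reader = csv.DictReader(text.splitlines())
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header {reader.fieldnames}, want {COLUMNS}")
    by_type, errors = {}, []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        problem = check_indicator(row["Indicator"], row["Type"])
        if problem:
            errors.append((lineno, problem))
            continue
        by_type.setdefault(row["Type"], {})[row["Indicator"]] = row["Reference"]
    return by_type, errors

def match_dns_log(by_type, log_lines):
    """Flag queried names equal to, or a subdomain of, any DOMAIN indicator."""
    domains, hits = by_type.get("DOMAIN", {}), []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()  # assumed format: "<ts> <client> <qname>"
        hits += [(qname, d, ref) for d, ref in domains.items() if qname == d or qname.endswith("." + d)]
    return hits

# Constructed sample: the README's example row plus made-up rows, not real indicators.
SAMPLE_CSV = """Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist
203.0.113.7,IP,,https://401trg.com/this-post-does-not-exist
999.1.1.1,IP,deliberately malformed,https://401trg.com/this-post-does-not-exist
"""
```

Rows that fail validation are reported with their line number rather than silently dropped, so a malformed indicator cannot quietly disappear from the set fed to an IDS or SIEM.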

License

All data is provided under Apache License, Version 2.0 which can be found here.
