Detections
This repository contains all public indicators identified by 401trg during the course of our investigations. It also includes relevant yara rules and IDS signatures to detect these indicators.
Our public PGP key can be found here.
Reports
| Published | Post | IOC : IDS : PCAP : PDF |
| --- | --- | --- |
| May 03, 2018 | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers | 20180503_Burning_Umbrella_Area_1_indicators.csv 20180503_Burning_Umbrella_Area_2_indicators.csv 20180503_Burning_Umbrella_Area_3_indicators.csv 20180503_Burning_Umbrella_Area_5_indicators.csv 20180503_Burning_Umbrella_Area_6_indicators.csv 20180503_Burning_Umbrella_Area_7_indicators.csv 20180503_Burning_Umbrella_Area_8_indicators.csv 20180503_Burning_Umbrella.pdf |
| Apr 02, 2018 | Building a Data Lake for Threat Research | |
| Feb 22, 2018 | Analysis of Active Satori Botnet Infections | 20180222_Analysis_of_Active_Satori_Botnet_Infections_indicators 20180222_Analysis_of_Active_Satori_Botnet_Infections__ids |
| Dec 20, 2017 | An Introduction to SMB for Network Security Analysts | 20171220_Introduction_to_SMB_pcaps 20171220_Introduction_to_SMB_pdf |
| Nov 28, 2017 | Triaging Large Packet Captures - Methods for Extracting & Analyzing Domains | |
| Nov 14, 2017 | Using Emerging Threats Suricata Ruleset to Scan PCAP | |
| Nov 01, 2017 | Exposing a Phishing Kit | 20171101_ExposingPhishing_indicators 20171101_ExposingPhishing_ids |
| Oct 26, 2017 | Large Scale IRCbot Infection Attempts | 20171026_LargeScaleIRC_indicators 20171026_LargeScaleIRC_ids |
| Oct 16, 2017 | An Update on Winnti | 20171016_UpdateWinnti_indicators 20171016_UpdateWinnti_ids |
| Oct 10, 2017 | Turla Watering Hole Campaigns 2016/2017 | 20171010_TurlaWateringHole_indicators 20171010_TurlaWateringHole_ids |
| Oct 02, 2017 | Identifying and Triaging DNS Traffic on Your Network | |
| Sept 28, 2017 | Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation | |
| Jul 11, 2017 | Winnti (LEAD/APT17) Evolution - Going Open Source | 20170711_WinntiEvolution_indicators |
IDS
This directory contains IDS signatures to detect the indicators located in the IOC directory. These signatures are compatible with Suricata v4.0.4.
IOC
This directory contains IOCs from posts at 401trg.com. The csv files follow the unified format described below. These indicators are not defanged and should be considered malicious.
PCAPS
This directory contains example pcaps from "knowledge" posts at 401trg.com.
PDF
This directory contains PDFs of 401TRG long-form posts.
Unified Format
All IOC files are in CSV and have the following format:
Indicator,Type,Description,Reference
There are several types of indicators:
- COOKIE
- CERT SHA1
- CODE SIGN CERT SERIAL
- DOMAIN
- EMAIL
- FILE MD5
- IP
- PHONE
- URL
Example:
Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist
The description field is left blank when there is no context to add to the indicator. The reference field contains a link to the 401TRG post that disclosed the indicator.
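As an added example (not code from the 401TRG repository), a small loader for files in this unified format: it rejects a feed whose header or Type values do not match the list above, tolerates the blank description field, and defangs the live network indicators before they are printed, since the repository's files are not defanged. The sample feed is constructed for the example; the `parse_unified_csv`, `defang` and `count_by_type` names are this example's own.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Indicator types enumerated by the repository's unified format.
INDICATOR_TYPES = {
    "COOKIE", "CERT SHA1", "CODE SIGN CERT SERIAL", "DOMAIN",
    "EMAIL", "FILE MD5", "IP", "PHONE", "URL",
}
HEADER = ["Indicator", "Type", "Description", "Reference"]

def parse_unified_csv(text):
    """Parse an IOC file in the Indicator,Type,Description,Reference format.
    Raises ValueError on a bad header, an empty indicator or an unknown Type,
    so a malformed or tampered feed is rejected rather than silently ingested."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADER:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if row["Type"] not in INDICATOR_TYPES:
            raise ValueError(f"line {lineno}: unknown indicator type {row['Type']!r}")
        if not row["Indicator"]:
            raise ValueError(f"line {lineno}: empty indicator")
        rows.append(row)
    return rows

def defang(indicator, itype):
    """Render a live DOMAIN/IP/EMAIL/URL indicator safe to paste into a report."""
    if itype in ("DOMAIN", "IP", "EMAIL"):
        return indicator.replace(".", "[.]").replace("@", "[at]")
    if itype == "URL":  # only the scheme and host are rewritten, the path is kept
        parts = urlsplit(indicator)
        return urlunsplit(parts._replace(scheme=parts.scheme.replace("http", "hxxp"),
                                         netloc=parts.netloc.replace(".", "[.]")))
    return indicator  # hashes, serials, cookies and phone numbers are inert

def count_by_type(rows):
    return Counter(r["Type"] for r in rows)

# Constructed sample feed (not a real 401TRG indicator file); hash is a placeholder.
SAMPLE = """Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist
203.0.113.7,IP,,https://401trg.com/this-post-does-not-exist
http://asdf.asdf.com/kit/login.php,URL,Phishing kit landing page,https://401trg.com/this-post-does-not-exist
0123456789abcdef0123456789abcdef,FILE MD5,,https://401trg.com/this-post-does-not-exist
"""

if __name__ == "__main__":
    rows = parse_unified_csv(SAMPLE)
    for r in rows:
        print(f"{r['Type']:<9} {defang(r['Indicator'], r['Type'])}  ({r['Description'] or 'no context'})")
    print(dict(count_by_type(rows)))
```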
License
All data is provided under the Apache License, Version 2.0, which can be found here.