401trg / detections

Detections

This repository contains all public indicators identified by 401trg during the course of our investigations. It also includes relevant yara rules and IDS signatures to detect these indicators.

Our public PGP Key can be found here.

Reports

Published	Post	IOC : IDS : PCAP : PDF
May 03, 2018	Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers	20180503_Burning_Umbrella_Area_1_indicators.csv 20180503_Burning_Umbrella_Area_2_indicators.csv 20180503_Burning_Umbrella_Area_3_indicators.csv 20180503_Burning_Umbrella_Area_5_indicators.csv 20180503_Burning_Umbrella_Area_6_indicators.csv 20180503_Burning_Umbrella_Area_7_indicators.csv 20180503_Burning_Umbrella_Area_8_indicators.csv 20180503_Burning_Umbrella.pdf
Apr 02, 2018	Building a Data Lake for Threat Research
Feb 22, 2018	Analysis of Active Satori Botnet Infections	20180222_Analysis_of_Active_Satori_Botnet_Infections_indicators 20180222_Analysis_of_Active_Satori_Botnet_Infections__ids
Dec 20, 2017	An Introduction to SMB for Network Security Analysts	20171220_Introduction_to_SMB_pcaps 20171220_Introduction_to_SMB_pdf
Nov 28, 2017	Triaging Large Packet Captures - Methods for Extracting & Analyzing Domains
Nov 14, 2017	Using Emerging Threats Suricata Ruleset to Scan PCAP
Nov 01, 2017	Exposing a Phishing Kit	20171101_ExposingPhishing_indicators 20171101_ExposingPhishing_ids
Oct 26, 2017	Large Scale IRCbot Infection Attempts	20171026_LargeScaleIRC_indicators 20171026_LargeScaleIRC_ids
Oct 16, 2017	An Update on Winnti	20171016_UpdateWinnti_indicators 20171016_UpdateWinnti_ids
Oct 10, 2017	Turla Watering Hole Campaigns 2016/2017	20171010_TurlaWateringHole_indicators 20171010_TurlaWateringHole_ids
Oct 02, 2017	Identifying and Triaging DNS Traffic on Your Network
Sept 28, 2017	Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation
Jul 11, 2017	Winnti (LEAD/APT17) Evolution - Going Open Source	20170711_WinntiEvolution_indicators

IDS

This directory contains IDS signatures to detect the indicators located in the IOC directory. These signatures are compatible with Suricata v4.0.4.

IOC

This directory contains IOCs from posts at 401trg.com. The csv files follow the unified format described below. These indicators are not defanged and should be considered malicious.

PCAPS

This directory contains example pcaps from "knowledge" posts at 401trg.com.

PDF

This directory contains PDFs of 401TRG long-form posts.

Unified Format

All IOC files are in CSV and have the following format: Indicator,Type,Description,Reference

There are several types of indicators:

COOKIE
CERT SHA1
CODE SIGN CERT SERIAL
DOMAIN
EMAIL
FILE MD5
IP
PHONE
URL

Example:

Indicator,Type,Description,Reference
asdf.asdf.com,DOMAIN,This is a malicious domain,https://401trg.com/this-post-does-not-exist

The description field is left blank when there is no context to add to the indicator. The reference field will contain a link to the 401TRG post that disclosed the indicator.

License

All data is provided under Apache License, Version 2.0 which can be found here.

401trg / detections

README.md

Detections

Reports

IDS

IOC

PCAPS

PDF

Unified Format

License

About

Releases 3

Packages

Contributors 2

Languages

401trg / detections

Join GitHub today

GitHub is where the world builds software

Launching GitHub Desktop

Launching GitHub Desktop

Launching Xcode

Launching Visual Studio

Latest commit

Git stats

Files

README.md

Detections

Reports

IDS

IOC

PCAPS

PDF

Unified Format

License

About

Topics

Resources

License

Releases 3

Packages 0

Contributors 2

Languages

Essential cookies

Always active

Analytics cookies

Packages