{ "type": "URL", "indicator": "https://github.com/dafthack/DomainPasswordSpray", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/dafthack/DomainPasswordSpray", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3904012559, "indicator": "https://github.com/dafthack/DomainPasswordSpray", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Unknown" ], "malware_families": [], "industries": [ "Technology", "Telecommunications", "Government", "Healthcare", "Education" ], "unique_indicators": 4463 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/dafthack/DomainPasswordSpray", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/dafthack/DomainPasswordSpray", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776591669.0909173 }