. Further TTPs associated with SVR cyber actors
Common Information
Type Value
UUID f8dcf063-7a41-44b4-8fad-7b818eb80141
Fingerprint f6f5a47c56e6fefb5f3d12e30343b0874436eb9ecfba672d06efa14db9eb5e79
Analysis status DONE
Considered CTI value 2
Text language
Published May 7, 2021, 11:19 a.m.
Added to db March 10, 2024, 6:15 a.m.
Last updated Aug. 31, 2024, 7:26 a.m.
Headline . Further TTPs associated with SVR cyber actors
Title . Further TTPs associated with SVR cyber actors
Detected Hints/Tags/Attributes 113/3/49
Attributes
Details Type #Events CTI Value
Details CVE 150
cve-2018-13379
Details CVE 18
cve-2019-1653
Details CVE 66
cve-2019-2725
Details CVE 22
cve-2019-9670
Details CVE 128
cve-2019-11510
Details CVE 161
cve-2019-19781
Details CVE 10
cve-2019-7609
Details CVE 17
cve-2020-4006
Details CVE 77
cve-2020-5902
Details CVE 68
cve-2020-14882
Details CVE 52
cve-2021-21972
Details CVE 184
cve-2021-26855
Details CVE 90
cve-2021-26857
Details CVE 92
cve-2021-26858
Details CVE 126
cve-2021-27065
Details Domain 12
user.read
Details Domain 98
www.ncsc.gov.uk
Details File 258
robots.txt
Details File 11
sample.txt
Details File 65
info.txt
Details File 17
example.txt
Details File 207
login.php
Details File 2
signin.php
Details File 47
api.php
Details File 1
samples.php
Details File 218
min.js
Details MITRE ATT&CK Techniques 56
T1595.002
Details MITRE ATT&CK Techniques 542
T1190
Details MITRE ATT&CK Techniques 104
T1505.003
Details MITRE ATT&CK Techniques 36
T1195.002
Details MITRE ATT&CK Techniques 137
T1059.005
Details MITRE ATT&CK Techniques 74
T1573.002
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 52
T1071.004
Details MITRE ATT&CK Techniques 113
T1552
Details MITRE ATT&CK Techniques 26
T1552.004
Details MITRE ATT&CK Techniques 52
T1199
Details MITRE ATT&CK Techniques 21
T1114.002
Details MITRE ATT&CK Techniques 306
T1078
Details Threat Actor Identifier - APT 665
APT29
Details Url 4
https://www.ncsc.gov.uk/guidance/mitigating-malware.
Details Url 4
https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-
Details Url 3
https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-
Details Url 5
https://www.ncsc.gov.uk/phishing
Details Url 4
https://www.ncsc.gov.uk/guidance/introduction-logging-security-
Details Url 4
https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
Details Yara rule 1
rule sliver_github_file_paths_function_names {
	meta:
		author = "NCSC UK"
		description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
	strings:
		$p1 = "/sliver/"
		$p2 = "sliverpb."
		$fn1 = "RevToSelfReq"
		$fn2 = "ScreenshotReq"
		$fn3 = "IfconfigReq"
		$fn4 = "SideloadReq"
		$fn5 = "InvokeMigrateReq"
		$fn6 = "KillSessionReq"
		$fn7 = "ImpersonateReq"
		$fn8 = "NamedPipesReq"
	condition:
		(uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*))
}
Details Yara rule 1
rule sliver_proxy_isNotFound_retn_cmp_uniq {
	meta:
		author = "NCSC UK"
		description = "Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur"
	strings:
		$ = { C6 44 24 18 00 C3 81 F9 B3 B5 E9 B2 }
		$ = { 8B 48 10 81 F9 0C AE D6 82 }
	condition:
		(uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
}
Details Yara rule 1
rule sliver_nextCCServer_calcs {
	meta:
		author = "NCSC UK"
		description = "Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur"
	strings:
		$ = { 48 89 D3 48 99 48 F7 F9 48 39 CA ?? ?? 48 C1 E2 04 48 8B 04 13 48 8B 4C 13 08 }
	condition:
		(uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
}