

Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant


The file has been deleted from the CISCP feed.

There was no record on the AIS/FEDGOV feed.

-Marlon

-----Original Message-----
From: Gloria, David [mailto:david.gloria@hq.dhs.gov] 
Sent: Friday, March 31, 2017 10:46 AM
To: Ferguson, Megan C. (CTR); Taylor, Marlon; Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins; Wisener, Katherine
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Thanks Megan! 

Marlon - Can you tell us when the file was removed from the CISCP feed? 


 
________________________________

From: publications-team-bounces@us-cert.gov on behalf of Ferguson, Megan C. (CTR)
Sent: Friday, March 31, 2017 10:35:53 AM
To: Taylor, Marlon; Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant


Good morning Marlon,

CTIS will be able to provide you a copy of the AIS-IB-17-20083.stix.xml. They are also the people to talk to regarding the AIS feed. Pubs definitely uploaded the file to Katniss, but has no visibility on the AIS feed.

Please let us know if you have any questions. V/r,

Megan Ferguson
Supporting NCCIC/US-CERT
MOE: megan.ferguson.ctr@us-cert.gov
A-LAN: megan.ferguson@associates.hq.dhs.gov
703-235-8839



-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Taylor, Marlon
Sent: Friday, March 31, 2017 9:45 AM
To: Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Pubs,

"IB-17-20083" only showed up in the CISCP Feed. Was it sent to AIS?

-Marlon

-----Original Message-----
From: Taylor, Marlon [mailto:Marlon.Taylor@us-cert.gov] 
Sent: Friday, March 31, 2017 8:36 AM
To: Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>; Moody, Herbert (CTR) <herbert.l.moody@associates.hq.dhs.gov>; Werntz, Preston <Preston.Werntz@HQ.DHS.GOV>
Cc: Masterson, Sharon (CTR) <sharon.masterson@associates.hq.dhs.gov>; Tumbarello, Stephen <Steve.Tumbarello@hq.dhs.gov>; Taxiiadmins <taxiiadmins@us-cert.gov>; Publications-Team@us-cert.gov
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Pubs,

Lamont provided the attached file. Do you have the AIS file mentioned at the bottom of this thread (AIS-IB-17-20083.stix.xml)?


-Marlon

-----Original Message-----
From: Taylor, Marlon [mailto:Marlon.Taylor@hq.dhs.gov] 
Sent: Thursday, March 30, 2017 5:42 PM
To: Moody, Herbert (CTR); Werntz, Preston
Cc: Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins; Taylor, Marlon; Publications-Team@us-cert.gov
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Lamont,

Would you provide a copy of the XML file?

-Marlon

-----Original Message-----
From: Moody, Herbert (CTR) 
Sent: Thursday, March 30, 2017 5:39 PM
To: Werntz, Preston <Preston.Werntz@HQ.DHS.GOV>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>
Cc: Masterson, Sharon (CTR) <sharon.masterson@associates.hq.dhs.gov>; Tumbarello, Stephen <Steve.Tumbarello@hq.dhs.gov>; taxiiadmins@us-cert.gov; marlon.taylor@us-cert.gov; Publications-Team@us-cert.gov
Subject: FW: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Good afternoon, 

The below Indicator Bulletin was recalled/canceled. We have taken the steps to remove the content from the HSIN Portal, but have concerns about possible propagation via AIS. Can you please ensure it is removed from sharing within AIS?

We understand this is a hot tasker and greatly appreciate your assistance.
Thanks!

Best regards, 
Herbert Lamont Moody
Supporting NCCIC/US-CERT
Herbert.moody.ctr@us-cert.gov 
Herbert.l.moody@associates.hq.dhs.gov
703.634.9419 - Mobile

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Gloria, David
Sent: Thursday, March 30, 2017 4:35 PM
To: Pubs
Cc: US-CERT Senior Watch Officer
Subject: FW: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Please delete this IB from the Portal ASAP. Thanks!

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Ferguson, Megan C. (CTR)
Sent: Thursday, March 30, 2017 10:42 AM
To: Lord, Kayla G.
Cc: Ward, Sean (CTR); Glover, Lance (CTR); Fontanez, Martin (CTR); Dang, Truong (CTR); 'publications-team@us-cert.gov'
Subject: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Kayla,

IB-17-20083 (TLP:AMBER) FOUO has been posted to the HSIN Portal.

V/r,

Megan Ferguson
Supporting NCCIC/US-CERT
MOE: megan.ferguson.ctr@us-cert.gov
A-LAN: megan.ferguson@associates.hq.dhs.gov 
703-235-8839



-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Lord, Kayla G.
Sent: Thursday, March 30, 2017 6:49 AM
To: 'publications-team@us-cert.gov'
Cc: Ward, Sean (CTR); Glover, Lance (CTR); Fontanez, Martin (CTR); Dang, Truong (CTR)
Subject: FW: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Good morning,

The attached IB is approved for publishing.  Please publish the attached IB to the appropriate portal compartments. Thank you.

V/r,

Kayla Lord

-----Original Message-----
From: Fontanez, Martin (CTR) 
Sent: Wednesday, March 29, 2017 9:05 PM
To: Lord, Kayla G.; Kimroman, Jennifer; Burgee, Kwadwo O.
Cc: Glover, Lance (CTR); Baker, Jeffrey (CTR); Murphy, Corey (CTR); Taylor, Aaron (CTR); Peal, Alexander (CTR); York, David (CTR); Thompson, Tony A; Ward, Sean (CTR); Hansen, Gary (CTR); Johnson, Bryan (CTR); Dang, Truong (CTR)
Subject: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Kayla et al.,

IB-17-20083 has been peer reviewed, validated with XML-SPY, and is ready for your final review and approval.

The IOCs have been vetted using the abbreviated indicator vetting process. 

The STIX file was submitted through the bandaid script and the output is below.

============================

Attempting to fix the file:
O:/Analysis/STIX GUI (US-CERT)/BandAid/IB-17-20083.stix.xml
        Performing XPATH fix...
                Total <marking:Marking> tags: 1
                Total invalid tags before fix: 0
        Incorrect XPATH not present!
        Adding AIS headers...
                Complete! AIS version saved at:
                        O:/Analysis/STIX GUI (US-CERT)/BandAid/AIS-IB-17-20083.stix.xml
Done!

============================


Martin M Fontanez
CTIS Cyber Threat Analyst
Supporting NCCIC/US-CERT
Martin.fontanez.ctr@us-cert.gov
Martin.fontanez@hq.dhs.gov
703-235-8560
