Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant
The file has been deleted from the CISCP feed. There was no record on the AIS/FEDGOV feed.

-Marlon

-----Original Message-----
From: Gloria, David [mailto:david.gloria@hq.dhs.gov]
Sent: Friday, March 31, 2017 10:46 AM
To: Ferguson, Megan C. (CTR); Taylor, Marlon; Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins; Wisener, Katherine
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Thanks Megan!

Marlon - Can you tell us when the file was removed from the CISCP feed?

________________________________
From: publications-team-bounces@us-cert.gov on behalf of Ferguson, Megan C. (CTR)
Sent: Friday, March 31, 2017 10:35:53 AM
To: Taylor, Marlon; Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Good morning Marlon,

CTIS will be able to provide you a copy of the AIS-IB-17-20083.stix.xml. They are also the people to talk to regarding the AIS feed. Pubs definitely uploaded the file to Katniss, but has no visibility on the AIS feed.

Please let us know if you have any questions,

V/r,
Megan Ferguson
Supporting NCCIC/US-CERT
MOE: megan.ferguson.ctr@us-cert.gov
A-LAN: megan.ferguson@associates.hq.dhs.gov
703-235-8839

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Taylor, Marlon
Sent: Friday, March 31, 2017 9:45 AM
To: Taylor, Marlon; Moody, Herbert (CTR); Werntz, Preston
Cc: Publications-Team@us-cert.gov; Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Pubs,

"IB-17-20083" only showed up in the CISCP Feed. Was it sent to AIS?

-Marlon

-----Original Message-----
From: Taylor, Marlon [mailto:Marlon.Taylor@us-cert.gov]
Sent: Friday, March 31, 2017 8:36 AM
To: Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>; Moody, Herbert (CTR) <herbert.l.moody@associates.hq.dhs.gov>; Werntz, Preston <Preston.Werntz@HQ.DHS.GOV>
Cc: Masterson, Sharon (CTR) <sharon.masterson@associates.hq.dhs.gov>; Tumbarello, Stephen <Steve.Tumbarello@hq.dhs.gov>; Taxiiadmins <taxiiadmins@us-cert.gov>; Publications-Team@us-cert.gov
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Pubs,

Lamont provided the attached file. Do you have the AIS file mentioned at the bottom of this thread (AIS-IB-17-20083.stix.xml)?

-Marlon

-----Original Message-----
From: Taylor, Marlon [mailto:Marlon.Taylor@hq.dhs.gov]
Sent: Thursday, March 30, 2017 5:42 PM
To: Moody, Herbert (CTR); Werntz, Preston
Cc: Masterson, Sharon (CTR); Tumbarello, Stephen; Taxiiadmins; Taylor, Marlon; Publications-Team@us-cert.gov
Subject: RE: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Hi Lamont,

Would you provide a copy of the XML file?

-Marlon

-----Original Message-----
From: Moody, Herbert (CTR)
Sent: Thursday, March 30, 2017 5:39 PM
To: Werntz, Preston <Preston.Werntz@HQ.DHS.GOV>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>
Cc: Masterson, Sharon (CTR) <sharon.masterson@associates.hq.dhs.gov>; Tumbarello, Stephen <Steve.Tumbarello@hq.dhs.gov>; taxiiadmins@us-cert.gov; marlon.taylor@us-cert.gov; Publications-Team@us-cert.gov
Subject: FW: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Good afternoon,

The below Indicator Bulletin was recalled/canceled. We have taken the steps to remove the content from the HSIN Portal, but have concerns about possible propagation via AIS. Can you please ensure it is removed from sharing within AIS? We understand this is a hot tasker and greatly appreciate your assistance.

Thanks!

Best regards,
Herbert Lamont Moody
Supporting NCCIC/US-CERT
Herbert.moody.ctr@us-cert.gov
Herbert.l.moody@associates.hq.dhs.gov
703.634.9419 - Mobile

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Gloria, David
Sent: Thursday, March 30, 2017 4:35 PM
To: Pubs
Cc: US-CERT Senior Watch Officer
Subject: FW: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Please delete this IB from the Portal ASAP. Thanks!

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Ferguson, Megan C. (CTR)
Sent: Thursday, March 30, 2017 10:42 AM
To: Lord, Kayla G.
Cc: Ward, Sean (CTR); Glover, Lance (CTR); Fontanez, Martin (CTR); Dang, Truong (CTR); 'publications-team@us-cert.gov'
Subject: POSTED: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Kayla,

IB-17-20083 (TLP:AMBER) FOUO has been posted to the HSIN Portal.

V/r,
Megan Ferguson
Supporting NCCIC/US-CERT
MOE: megan.ferguson.ctr@us-cert.gov
A-LAN: megan.ferguson@associates.hq.dhs.gov
703-235-8839

-----Original Message-----
From: publications-team-bounces@us-cert.gov [mailto:publications-team-bounces@us-cert.gov] On Behalf Of Lord, Kayla G.
Sent: Thursday, March 30, 2017 6:49 AM
To: 'publications-team@us-cert.gov'
Cc: Ward, Sean (CTR); Glover, Lance (CTR); Fontanez, Martin (CTR); Dang, Truong (CTR)
Subject: FW: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Good morning,

The attached IB is approved for publishing. Please publish the attached IB to the appropriate portal compartments. Thank you.

V/r,
Kayla Lord

-----Original Message-----
From: Fontanez, Martin (CTR)
Sent: Wednesday, March 29, 2017 9:05 PM
To: Lord, Kayla G.; Kimroman, Jennifer; Burgee, Kwadwo O.
Cc: Glover, Lance (CTR); Baker, Jeffrey (CTR); Murphy, Corey (CTR); Taylor, Aaron (CTR); Peal, Alexander (CTR); York, David (CTR); Thompson, Tony A; Ward, Sean (CTR); Hansen, Gary (CTR); Johnson, Bryan (CTR); Dang, Truong (CTR)
Subject: IB-17-20083-Indicator of Compromise Possibly Associated with Suspected Intrusion Set Actors Leveraging REDLEAVES Implant

Kayla et al.,

IB-17-20083 has been peer reviewed, validated with XML-SPY, and is ready for your final review and approval. The IOCs have been vetted using the abbreviated indicator vetting process. The STIX file was submitted through the bandaid script and the output is below.

============================
Attempting to fix the file: O:/Analysis/STIX GUI (US-CERT)/BandAid/IB-17-20083.stix.xml
Performing XPATH fix...
Total <marking:Marking> tags: 1
Total invalid tags before fix: 0
Incorrect XPATH not present!
Adding AIS headers...
Complete!
AIS version saved at: O:/Analysis/STIX GUI (US-CERT)/BandAid/AIS-IB-17-20083.stix.xml
Done!
============================

Martin M Fontanez
CTIS Cyber Threat Analyst
Supporting NCCIC/US-CERT
Martin.fontanez.ctr@us-cert.gov
Martin.fontanez@hq.dhs.gov
703-235-8560