new: [sample-events] A series of MISP events for training, workshops and exercises.

pull/20/head
Alexandre Dulaunoy 2022-04-25 08:40:41 +02:00
parent 9fc442401c
commit fadeb48ad3
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
8 changed files with 34 additions and 0 deletions


@ -0,0 +1,16 @@
# MISP events used as example for MISP trainings and workshop
MISP events in JSON format which can be used in MISP trainings, workshop and exercises.
## Sample events with real cases
- [ATM Vulnerabilities Allow Deposit Forgery Attacks - Galaxy for finance, eventreport](./atm-vulnerabilities-allow-deposit-forgery-attacks.json).
- [Kobalos - Linux threat to high performance computing infrastructure - EventReport, EventGraph](./kobalos-linux-threat-to-hpc.json).
- [Investigation Syrian Electronic Army Activities - graph, timeline usage](./syrian-electronic-army-domain-take-over.json).
- [Targeted phishing - PDF documents / phishkit - YARA tracking - graph, tracking via YARA rules](./targeted-phishing-pdf-phishkit-yara.json).
## Sample events with synthetic data
- [Decaying example](./sample-decaying-example.json). Synthetic data to show the decaying functionality in MISP.
- [Sample spear phishing](./sample-spear-phishing-attempt-targeting-telco.json) created from [exercise](./sample-spear-phishing-attempt-targeting-telco.text).
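Review bot: the README never states which MISP release these JSON files were exported from, nor that the indicators in the synthetic events are fictitious, and both matter for material that trainees will import into their own instances. The synthetic spear-phishing event carries IPs and domain names that are not in reserved documentation space (137.221.106.104, 118.217.182.36, throwaway-email-provider.com, evilprovider.com), so a workshop instance that syncs to a real sharing group or exports to a blocklist would push them as live IOCs; either switch them to RFC 5737 / RFC 3849 addresses and RFC 2606 names, or add a sentence under "Sample events with synthetic data" saying the values are made up and must not be actioned. For the "real cases" list, a source or TLP marking per event would tell instructors what may be redistributed. Wording fixes: "MISP trainings and workshop" should read "MISP trainings and workshops", "trainings, workshop and exercises" should read "trainings, workshops and exercises", and the feature hints are inconsistent ("eventreport" in the first item, "EventReport" in the second).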



@ -0,0 +1,12 @@
From csirt@telco.lu
Dear xy,
We have had a failed spearphishing attempt targeting our CEO recently with the following details:
Our CEO received an E-mail on 03/02/2021 15:56 containing a personalised message about a report card for their child. The attacker pretended to be working for the school of the CEOs daughter, sending the mail from a spoofed address (john.doe@luxembourg.edu). John Doe is a teacher of the student. The email was received from throwaway-email-provider.com (137.221.106.104).
The e-mail contained a malicious file (find it attached) that would try to download a secondary payload from https://evilprovider.com/this-is-not-malicious.exe (also attached, resolves to 2607:5300:60:cd52:304b:760d:da7:d5). It looks like the sample is trying to exploit CVE-2015-5465. After a brief triage, the secondary payload has a hardcoded C2 at https://another.evil.provider.com:57666 (118.217.182.36) to which it tries to exfiltrate local credentials. This is how far we have gotten so far. Please be mindful that this is an ongoing investigation, we would like to avoid informing the attacker of the detection and kindly ask you to only use the contained information to protect your constituents.
Best regards,
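Review bot: the indicators in this exercise text look real rather than fictitious, so anyone who works through it on a MISP instance connected to real sharing partners or blocklists will distribute live-looking IOCs: 137.221.106.104 and 118.217.182.36 are in ordinary public IPv4 space rather than the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), 2607:5300:60:cd52:304b:760d:da7:d5 is not in 2001:db8::/32, and throwaway-email-provider.com, evilprovider.com, another.evil.provider.com and luxembourg.edu are registrable names rather than RFC 2606 reserved ones. Replace them with documentation values, or open the message with a line stating that all data is made up for training and must not be actioned. Smaller points: "03/02/2021 15:56" is ambiguous between 3 February and 2 March and has no timezone, so an ISO 8601 timestamp (e.g. 2021-02-03T15:56:00+01:00) would be safer given it will feed the event timeline; "CEOs daughter" should be "CEO's daughter"; "E-mail" and "e-mail" should be spelled consistently; the message ends at "Best regards," with no signature line; and confirm that CVE-2015-5465 is the identifier intended for the exploitation described, or mark it as a placeholder, so trainees do not chase an unrelated vulnerability.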
