Convert Figma logo to code with AI

blackorbird logoAPT_REPORT

Interesting APT Report Collection And Some Special IOC

2,358
504
2,358
0
View on GitHub

Top Related Projects

mandiant's avatar

red_team_tool_countermeasures

2,642

mitre's avatar

cti

1,711

Cyber Threat Intelligence Repository expressed in STIX 2.0

MISP's avatar

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Quick Overview

The blackorbird/APT_REPORT repository is a collection of reports and analysis on various Advanced Persistent Threat (APT) groups and their activities. The repository provides detailed information on the tactics, techniques, and procedures (TTPs) used by these threat actors, as well as indicators of compromise (IOCs) and other relevant data.

Pros

  • Comprehensive collection of APT reports from various sources
  • Detailed analysis of threat actor TTPs and IOCs
  • Valuable resource for security researchers and analysts

Cons

  • Reports may not be regularly updated
  • Some reports may be in languages other than English
  • Lack of a centralized search or filtering mechanism

Getting Started

Since this repository is a collection of reports and analysis, and not a code library, there are no code examples or quick start instructions to provide. Users can browse the repository and download the reports of interest to learn more about the various APT groups and their activities.

Competitor Comparisons

mandiant logo

red_team_tool_countermeasures

2,642

Pros of red_team_tool_countermeasures

  • Provides a comprehensive list of countermeasures against various red team tools, which can be valuable for security professionals.
  • Includes detailed descriptions and mitigation strategies for each tool, making it a useful reference.
  • Covers a wide range of tools, from initial access to lateral movement and privilege escalation.

Cons of red_team_tool_countermeasures

  • Does not provide the same level of detail on specific APT groups and their tactics, techniques, and procedures (TTPs) as APT_REPORT.
  • May not be as up-to-date as APT_REPORT, as it is a static repository.
  • Focuses more on countermeasures rather than providing in-depth analysis of the tools themselves.

Code Comparison

APT_REPORT:

def get_apt_report(url):
    """
    Fetch the latest APT report from the given URL.
    """
    try:
        response = requests.get(url)
        response.raise_for_status()
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"Error fetching APT report: {e}")
        return None

red_team_tool_countermeasures:

def detect_mimikatz():
    """
    Detect the presence of Mimikatz on the system.
    """
    try:
        # Check for the presence of Mimikatz executable
        if os.path.exists("C:\\Windows\\System32\\mimikatz.exe"):
            return True
        else:
            return False
    except Exception as e:
        print(f"Error detecting Mimikatz: {e}")
        return False
mitre logo

cti

1,711

Cyber Threat Intelligence Repository expressed in STIX 2.0

Pros of mitre/cti

  • Comprehensive collection of threat intelligence data, including threat actor profiles, malware, and attack patterns.
  • Well-structured and organized data, making it easier to navigate and extract relevant information.
  • Active community involvement and contributions, ensuring the repository is regularly updated.

Cons of mitre/cti

  • Less focused on specific APT groups compared to blackorbird/APT_REPORT.
  • May require more effort to extract and analyze data specific to certain APT groups.
  • Larger repository size, which can make it more challenging to navigate for specific use cases.

Code Comparison

mitre/cti (sample):

{
    "type": "threat-actor",
    "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2016-08-01T00:00:00.000Z",
    "modified": "2016-08-01T00:00:00.000Z",
    "name": "Adversary Bravo",
    "description": "Adversary Bravo is a threat actor group that has been observed targeting organizations in the energy sector.",
    "aliases": ["Threat Group 123", "TG-123"],
    "goals": ["Disrupt energy production", "Gather intelligence on energy infrastructure"],
    "sophistication": "advanced",
    "resource_level": "medium",
    "primary_motivation": "ideology"
}

blackorbird/APT_REPORT (sample):

APT Group: APT10
Aliases: Stone Panda, MenuPass, Red Apollo, POTASSIUM
Targeted Sectors: Managed Service Providers (MSPs), Telecommunications, Manufacturing, Aerospace, and more
Suspected Origin: China
Malware Used: PlugX, Derusbi, Backdoor.Pirpi, Backdoor.Havex, Backdoor.Elise, Backdoor.Datper, and more
MISP logo

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • MISP is a well-established and widely-used platform for sharing threat intelligence, with a large and active community.
  • MISP provides a comprehensive set of features for managing and sharing threat data, including support for various data formats and taxonomies.
  • MISP has a strong focus on collaboration and information sharing, making it a valuable tool for security teams and researchers.

Cons of MISP

  • MISP can have a steeper learning curve compared to some other threat intelligence platforms, especially for users who are new to the concept of threat intelligence sharing.
  • MISP may require more resources (e.g., server infrastructure, maintenance) compared to some other threat intelligence platforms, which could be a barrier for smaller organizations.

Code Comparison

MISP:

from pymisp import ExpandedPyMISP, MISPEvent, MISPObject, MISPAttribute
from keys import misp_url, misp_key

misp = ExpandedPyMISP(misp_url, misp_key, debug=True)

event = MISPEvent()
event.info = 'New Threat Event'
event.distribution = 0
event.threat_level_id = 2

attribute = MISPAttribute()
attribute.type = 'ip-src'
attribute.value = '8.8.8.8'
event.add_attribute(attribute)

misp.add_event(event)

blackorbird/APT_REPORT:

import requests
from bs4 import BeautifulSoup

url = 'https://github.com/blackorbird/APT_REPORT'
response = requests.get(url)
soup = BeautifulSoup(response.text, 'html.parser')

for link in soup.find_all('a', href=True):
    if 'blackorbird/APT_REPORT' in link['href']:
        print(link['href'])

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

APT_REPORT collected by @blackorbird https://twitter.com/blackorbird

Interesting apt report & sample & malware & technology & intellegence collection

APT Group for country

Threat Actor Groups Tracked by Palo Alto Networks Unit 42

https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/

Sample

Group123

▶ScarCruft continues to evolve, introduces Bluetooth harvester https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ (May 13, 2019)

▶Group123 Attempts to attack 'printing paper' APT disguised as a guide to organization and conferences https://blog.alyac.co.kr/2287 (May 2 , 2019)

▶Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive https://blog.alyac.co.kr/2268 (April 22 , 2019)

▶ group123 APT organization, 'Operation High Expert' https://blog.alyac.co.kr/2226 (April 2 , 2019)

▶ Rocketman APT Campaign Returned to Operation Holiday Wiper https://blog.alyac.co.kr/2089 (Jan 23, 2019)

▶ 'Operation Blackbird', the mobile invasion of the ' https://blog.alyac.co.kr/2035 (Dec 13, 2018)

▶ group123 'Operation Korean Sword' is underway https://blog.alyac.co.kr/1985 (Nov. 16, 2018)

▶ group123 Group's latest APT campaign - 'Operation Rocket Man' https://blog.alyac.co.kr/1853 (Aug. 22, 2018)

▶ group123, Flash Player Zero-Day (CVE-2018-4878) Attack Attention https://blog.alyac.co.kr/1521 (Feb 02, 2018)

▶ 'group123' group 'survey on the total number of discovery of separated families in North and South' https://blog.alyac.co.kr/1767 (July 28, 2014)

▶ Rocketman APT campaign, 'Operation Golden Bird' https://blog.alyac.co.kr/2205 (March 20, 2013)

▶ Korea In The Crosshairs https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html (Jan 16, 2018)

▶FreeMilk: A Highly Targeted Spear Phishing Campaign https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/ (Oct 5, 2017)

baby related kimsuky

▶BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat (April 26, 2019) https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

▶Operation Giant Baby, a giant threat (March 28, 2019) https://blog.alyac.co.kr/2223

▶ Malicious code installed with coin purse program(Alibaba) (March 15, 2019) https://asec.ahnlab.com/1209

▶ New BabyShark Malware Targets U.S. National Security Think Tanks (Feb. 22, 2019) https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

▶ Korea's latest APT attack, Operation Mystery Baby Attention! (Feb 11, 2018) https://blog.alyac.co.kr/1963

▶ Returned to Korea as Operation Baby Coin, APT attacker, overseas target in 2010 (Apr. 19, 2014) https://blog.alyac.co.kr/1640

kimsuky

▶Kimsuky, Blue House Green Support / Sangchunjae Estimate https://blog.alyac.co.kr/2645

▶Kimsuky, cyber security bureau Cryptographic Cases (May 28 , 2019) https://blog.alyac.co.kr/2338

▶Kimsuky, Korea Cryptographic Exchange Event Impersonation APT Attack (May 28 , 2019) https://blog.alyac.co.kr/2336

▶Kimsuky 'Fake striker' APT campaign aimed at Korea (May 20 , 2019) https://blog.alyac.co.kr/2315

▶ Analysis of "Smoke Screen" in APT campaign aimed at Korea and America (April 17 , 2019) https://blog.alyac.co.kr/2243

▶ Encrypted APT attack, Kimsuky organization's 'smoke screen' PART 2 (May 13 , 2019) https://blog.alyac.co.kr/2299

▶ Kimsuky Organization, Operation Stealth Power Silence Operation (April 3 , 2019) https://blog.alyac.co.kr/2234

▶ Kimsuky Organization, Watering Hole Started "Operation Low Kick"(March 21, 2019) https://blog.alyac.co.kr/2209

Jaku

▶ SiliVaccine: Inside North Korea’s Anti-Virus (May 1, 2018) https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/

Lazarus

▶Lazarus Group Goes 'Fileless',an implant w/ remote download & in-memory execution https://objective-see.com/blog/blog_0x51.html

▶LAZARUS APT TARGETS MAC USERS WITH POISONED WORD DOCUMENT https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/

Konni

▶Konni's APT Group conducts attacks with Russian-North Korean trade and economic investment documents https://blog.alyac.co.kr/2535

▶APT Campaign 'Konni' & 'Kimsuky' find commonality in organizations (June 10, 2019) https://blog.alyac.co.kr/2347

▶Korean Kusa Konni Organization, Blue Sky Utilizing 'Amadey' Russia Botnet (May 16, 2019) https://blog.alyac.co.kr/2308

▶The Konni APT Campaign and 'Operation Hunter Adonis' (Jan 1 ,2019) https://blog.alyac.co.kr/2061

Oceanlotus

▶Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus (July 1, 2019) https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

▶Analysis report on the attack on mobile devices by Oceanlotus (May 24, 2019)

https://mp.weixin.qq.com/s/L-tCvLPOOMhP0ndgdqhkNQ

▶ Oceanlotus in the first quarter of 2019 for the attack technology of China.(April 24, 2019) https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A

▶ Deobfuscating APT32 Flow Graphs with Cutter and Radare2 (April 24, 2019) https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/

▶ OceanLotus Steganography Malware Analysis White Paper (April 2 , 2019) https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html

▶OceanLotus: macOS malware update(April 9 , 2019)

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

APT28

▶ CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders (April 5 , 2019) https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/

Turla

▶ A dive into Turla PowerShell usage (May 29 , 2019) https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

tick

▶ tick group new campaign, attack north korean and japan https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=28186 (April 1 , 2019)

Winnti

▶ bayer-says-has-detected-contained-cyber-attack (April 5 , 2019)

https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN

https://www.tagesschau.de/inland/hackerangriff-bayer-101.html

Middle East Asia

Muddywater

▶ Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques(May 20,2019)

https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

ZooPark

▶ APT-C-38 attack activity revealed (May 27,2019) http://blogs.360.cn/post/analysis-of-APT-C-38.html

APT Group for finance

CARBANAK

▶ CARBANAK Week Part One: A Rare Occurrence (April 22, 2019) https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html

londonblue (Nigeria)

▶ Evolving Tactics: London Blue Starts Spoofing Target Domains (April 4 , 2019) PDF is in the folder https://www.agari.com/email-security-blog/london-blue-evolving-tactics/

Fin6

▶ Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware(April 5 , 2019) https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Fin7

▶ On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation (August 01, 2018) https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html