6 - Sample Attack Analyses
See also Tab 1 - Blogs by major Cybersecurity Research Groups
Cyber attack success is a function of the attacker's goals, sophistication, planning, motivation, personnel experience, techniques, tools, time available, as well as the victim's vulnerabilities and defenses.
LINKS
Campaigns
Malware Lists, Packaged Exploits, RATs
Malware Available for Analysis (use MITRE ATT&CK to view Groups, Techniques and Malware)
Indicators of Compromise (use ThreatMiner, https://www.threatminer.org/, to locate articles on specific attack characteristics)
 
Campaign Reports and Significant Examples (see also https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents)
Name URL for Report Perpetrators? Target(s) Date(s)
1 Airports https://icitech.org/hacking-our-nations-airports/     5/1/2019
2 APT 1 In Depth https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html      
3 Capital One https://web.mit.edu/smadnick/www/wp/2020-07.pdf    Credit Cards 7/1/2020
4 Carbanak (4 parts) Financial Sector Attacks 1 - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html FIN7 Banking 4/1/2019
5 Carbanak (4 parts) Financial Sector Attacks 2 - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html FIN7 Banking 4/1/2019
6 Carbanak (4 parts) Financial Sector Attacks 3 - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html FIN7 Banking 4/1/2019
7 Carbanak (4 parts) Financial Sector Attacks 4 - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html FIN7 Banking 4/1/2019
8 Chinese Naikon PLA Unit https://www.forbes.com/sites/zakdoffman/2020/05/07/chinese-military-cyber-spies-just-caught-crossing-a-very-dangerous-new-line/      
9 Cobalt Kitty https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf      
10 Cyber Jihad https://krypt3ia.files.wordpress.com/2016/06/icit-brief-the-anatomy-of-cyber-jihad1.pdf     6/1/2016
11 Detecting Lateral Movement https://www.toshellandback.com/2017/02/11/psexec/  https://www.crowdstrike.com/epp-101/lateral-movement/ Electronic Freight Management US DOT 2/1/2017
12 Equifax        
13 FakeUpdates https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks   FakeUpdates. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport  
14 Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html     7/25/2019
15 GameOver Zeus https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends-wp.pdf Evgeniy Bogachev    
16 Google in the Wild Series https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html     2020
17 Grizzly Steppe - Russian Hacking https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf    Rowhammering  
18 Hammertoss https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf      
19 Hard Pass: Declining APT34’s Invite to Join Their Professional Network https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html     7/18/2019
20 Havex Energy Sector Attack https://www.f-secure.com/weblog/archives/00002718.html ; https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml Russia,     
21 Heartbleed https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/      
22 Hot Pot, a Persistent Browser Hijacking Rootkit https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/       
23 Hunting COM Objects (Part Two) https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html     6/11/2019
24 Insider Threat (Company Man) https://www.fbi.gov/news/stories/economic-espionage      
25 Iran https://www.ironnet.com/blog/iranian-cyber-attack-updates   9/1/2021
26 Iranian Cyber Offensive Capability HP Security Briefing 11 https://krypt3ia.files.wordpress.com/2014/03/companion-to-hpsr-threat-intelligence-briefing-episode-11-final.pdf      
27 Iranian Cyber Operations https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions     2/1/2020
28 Israeli Soldier Android Phones https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/      
29 JP Morgan http://money.cnn.com/2015/11/10/technology/jpmorgan-hack-charges/index.html Gery Shalon, Israeli; Ziv Orenstein, Israeli;     
30 Leafminer espionage Middle East https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/leafminer-espionage-middle-east   7/1/2018
31 Malware A Case Study of WannaCry Ransomware https://arxiv.org/pdf/1709.08753.pdf Chen Q. & Bridges, R.  16th IEEE International Conference on Machine Learning and Applications (ICMLA). 2017   2017
32 Mandiant_APT1_Chinese Cyber Espionage Report https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf   Democratic National Committee  
33 Maroochy Shire (2 case studies) Sewage System Attack https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=teaching:seceng:2014:grc-boden-sewage_spillover-fisma-study.pdf Insider Attack - Vitek Boden Sewage Processing 2/1/2000
34 Maroochy Shire (2 case studies) Sewage System Attack https://cams.mit.edu/wp-content/uploads/2017-09.pdf Insider Attack - Vitek Boden   2/1/2000
35 Mimikatz & Zerologon Authentication Vulnerabilities https://www.tenable.com/blog/cve-2020-1472-microsoft-finalizes-patch-for-zerologon-to-enable-enforcement-mode-by-default      2/1/2021
36 MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages https://www.fireeye.com/blog/threat-research/2013/12/misosms.html   12/16/2013  | by Blaine Stancill, Sebastian Vogl, Omar Sardar
37 Muddy Waters - Iranian APT https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/   4/1/2019  | by Matt Bromiley, Noah Klapprodt, Nick Schroeder, Jessica Rocchio
38 North Korean Cyber Offensive Capability HP Security Briefing 16 https://cryptome.org/2014/12/hp-nk-cyber-threat.pdf    | by Brett Hawkins
39 Operation North Star https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/#Target%20of%20Interest%20%E2%80%93%20Defense%20&%20Aerospace%20Campaign     Jul 29 2020
40 Ramsay 2 tool for air gapped nets https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks      | by Vinay Pidathala, Zheng Bu, Hitesh Dharmdasani, Jinjian Zhai
41 Ransomware Analysis and Defense https://pdfs.semanticscholar.org/c989/e243e8c09bac5d4644a4af99e573b64f205c.pdf Jones, J. and Shashidhar, N. International Journal of Information Security Science Vol 6 No. 4 SpyEye  
42 Ransomware Attacks https://d3bq4d0pqn52ro.cloudfront.net/   Jing An Telescope Factory  
43 RSA        
44 Russia arrests Malware Author https://www.zdnet.com/google-amp/article/russian-authorities-make-rare-arrest-of-malware-author/     11/1/2020
45 Sednit (3 parts) https://www.eset.com/afr/about/newsroom/press-releases-afr/research/dissection-of-sednit-espionage-group-1/ APT28 / Fancy Bear / Sofacy    
46 Shamoon 3 Variant https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/     7/10/2005
47 Shamoon Saudi ARAMCO https://malwareindepth.com/shamoon-2012/       series of Zero Day vulnerabilities from
48 Showing Vulnerability to a Machine: Automated Prioritization of Software Vulnerabilities https://www.fireeye.com/blog/threat-research/2019/08/automated-prioritization-of-software-vulnerabilities.html    
49 Sofacy from APT28 https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/    11/1/2018
50 Sofacy from APT28 https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/   2/1/2018
51 Solarwinds https://www.cnet.com/news/solarwinds-hack-officially-blamed-on-russia-what-you-need-to-know/ Microsoft Hack https://www.cnet.com/news/microsoft-says-solarwinds-hackers-viewed-source-code/    
52 Sony      
53 Sophisticated  https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/    
54 Stuxnet https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf  Equation Group Uranium Refinement Centrifuges  
55 Stuxnet addl https://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/    
56 Supply Chain Attack using Cluster Analysis https://www.mandiant.com/sites/default/files/2021-09/rpt-malware-supply-chain.pdf   9/1/2021 (good in-depth linking of IOCs to APTs)
57 Target Stores (4 parts) Retail Point of Sale Attack 1 - http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/   https://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf   1/1/2014
58 Target Stores (4 parts) Retail Point of Sale Attack 2 - http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf   1/1/2014
59 Target Stores (4 parts) Retail Point of Sale Attack 3 - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/   2/1/2014
60 Target Stores (4 parts) Retail Point of Sale Attack 4 - https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/   2/1/2014
61 TRITON https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html   
62 Uber Executive Indictment https://www.wired.com/story/uber-exec-joe-sullivan-data-breach-indictment/    
63 Ukraine https://blog.isa.org/lessons-learned-forensic-analysis-ukrainian-power-grid-cyberattack-malware      
64 Ukrainian Electric Grid Attack https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf Russia    
65 Web IN73CTION Attack CVE-2013-5576 http://index-of.co.uk/Hacking-Coleccion/Companion to HPSR Threat Intelligence Briefing Episode 8 final.pdf      
     
Malicious Software & Components - includes: Viruses, Trojans, Spyware, Ransomware, Worms, Adware, Cryptojacking, Downloaders, & other common tools that may be used for hacking
  Large (500+) list of Malicious Software https://attack.mitre.org/software/  
  Cyber Analytics Repository from MITRE https://car.mitre.org/
Threats & Risks See: https://www.broadcom.com/support/security-center/a-z  formerly https://www.symantec.com/security-center/a-z
Threat Hunter Playbook https://threathunterplaybook.com/
Exploit Database https://www.exploit-db.com/ 44,000 + entries as of Sept 2021
  Data Breaches See: https://en.wikipedia.org/wiki/List_of_data_breaches
Malware Source Lists for Researchers https://zeltser.com/malicious-ip-blocklists/
Pen Test Routines by category https://pentestlab.blog/
Malware Descriptions https://securelist.com/tag/malware-descriptions/
Malpedia https://malpedia.caad.fkie.fraunhofer.de/
MITRE Malware descriptors & content https://attack.mitre.org/software/
Packaged Exploits - Major Examples
WannaCry https://attack.mitre.org/software/S0366/
Petya https://en.wikipedia.org/wiki/Petya_(malware)
NotPetya https://attack.mitre.org/software/S0368/
EternalBlue https://en.wikipedia.org/wiki/EternalBlue
PowerStats https://attack.mitre.org/software/S0223/
W32 Exploits on Windows OS 32 bit version & Apps Running on that version 
W64 Exploits on Windows OS 64 bit version "
W95 Exploits on Windows 95 OS "
W97 Exploits on Windows 97 OS "
Remote Access Trojan (RAT) Software
Black Shades https://en.wikipedia.org/wiki/Blackshades
Cybergate  
Dark Comet  
Revenge RAT  
Jspy  
Nanocore  
NJ RAT  
Plasma  
  Poison Ivy https://attack.mitre.org/software/S0012/
Catchamas, Sagerunex, Hannotog  
Ransomware Families
WannaCry  
LockerGoga  
MegaCortex  
Ryuk  
Maze  
SNAKEHOSE  
 
Sites offering malware for analysis
ANY.RUN: Registration required  
Contagio Malware Dump: Password required  
CAPE Sandbox  
Das Malwerk  
FreeTrojanBotnet: Registration required  
Hybrid Analysis: Registration required  
KernelMode.info: Registration required  
MalShare: Registration required  
Malware.lu’s AVCaesar: Registration required  
Malware DB  
Objective-See Collection: Mac malware  
PacketTotal: Malware inside downloadable PCAP files  
SNDBOX: Registration required  
theZoo aka Malware DB  
URLhaus: Links to live sites hosting malware  
VirusBay: Registration required  
VirusShare  
Virusign  
VirusSign: Registration required  
 
Indicators of Compromise - Samples & Sources
MITRE Techniques (IOCs) https://attack.mitre.org/techniques/enterprise/
FireEye/Mandiant IOCs (OpenIOC) https://www.mandiant.com/blog/basics-series-openioc/
IOC Bucket https://www.iocbucket.com/search
AlienVault OTX https://otx.alienvault.com/browse/global/indicators
IBM X-Force Exchange https://exchange.xforce.ibmcloud.com/
Unauthorized Access
Disguised email or URL source, e.g. bitly
Misspellings, grammar, foreign-language indicators, etc.
Session Recordings: session hijacking
Packet Capture: running pcap / WinPcap; https://zeltser.com/automated-malware-analysis/
Network State Monitoring
Suspicious Binaries, e.g. not matching hash, not known to be part of an application
Suspicious Process Code (e.g. PowerShell)
Suspicious Services
Inferring Admin Accounts
Autoruns
Registry Access & Content
Privileged User Account activity: excessive or reduced
Database Read/Write Volume: out of bounds high/low; high activity; impermissible access alerts
Lateral Movement Detection: mimikatz; https://www.splunk.com/en_us/blog/security/spotting-the-signs-of-lateral-movement.html
ThreatMiner site
ThreatCrowd search engine
Geographic Anomalies
Port Scanning
Mismatched Port requests
DDoS attempts
HTML Anomalies: large package sizes, denied GETs & POSTs
Misuse of Patching
Alerts from Memory
Hash Anomalies
IDS/IPS: strings of code identified in known attacks
Firewall alerts
IOC Bucket - malware https://www.iocbucket.com/search
LinkedIn https://www.linkedin.com/pulse/9-great-sites-ioc-searching-ely-kahn/                    
Splunk https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html                    
Bad IPs Blacklists https://www.spamhaus.org/lookup
Malware Domain List http://www.malwaredomainlist.com/mdl.php
Dark Reading - Top 15 Indicators of Compromise https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise
  Unusual Outbound Network Traffic
  Anomalies in Privileged User Account Activity
  Geographical Irregularities
  Log-In Red Flags
  Increases in Database Read Volume
  HTML Response Sizes
  Large Numbers of Requests for the Same File
  Mismatched Port-Application Traffic
  Suspicious Registry or System File Changes
  Unusual DNS Requests
  Unexpected Patching of Systems
  Mobile Device Profile Changes
  Bundles of Data in the Wrong Place
  Web Traffic with Unhuman Behavior
  Signs of DDoS Activity
National Vulnerability Database https://nvd.nist.gov/vuln/search Vulnerabilities  
National Software Reference Library https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl Hashes  
Password Rainbow Tables http://ophcrack.sourceforge.net/tables.php One Way Password Hashes  
National Checklist Repository https://nvd.nist.gov/ncp/repository Checklists  
Malware Check https://www.virustotal.com/gui/home/upload Has all known malware signatures  
Virus Bay https://beta.virusbay.io/    
UNB Cyber Datasets https://www.unb.ca/cic/datasets/index.html Wide array of captured traffic: botnets, dark web,