Report - raw.githubusercontent.com/EmpireProject/Empire/master/data/module

Report Overview

Visitedpublic

2024-02-28 21:51:10

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
raw.githubusercontent.com	35802	2014-02-06	2014-03-01 08:08:08	2024-02-28 10:05:43	552 B	594 kB	185.199.109.133

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component - file Invoke-Mimikatz.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects Invoke-Mimikatz String
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	PowerShell with PE Reflective Injection
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects strings found in Runspace Post Exploitation Toolkit
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Auto-generated rule - file Invoke-Mimikatz.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1
2024-02-28	medium	raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1	Windows.Hacktool.Mimikatz

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1

185.199.109.133

200 OK

593 kB

URL

raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1

IP / ASN

185.199.109.133

#54113 FASTLY

Requested byN/A

Resource Info

File typeASCII text, with CRLF line terminators

First Seen2024-02-21

Last Seen2024-08-20

Times Seen2

Size593 kB (592850 bytes)

MD5bd4aec0252146bc959431a6cac4909a2

SHA109e03d328c7fc16b90d10c9d0cb7312b2381e760

SHA256b2fb364e1a457f258e4e3f628584fd724d959483f076fb0d2711b713d0ef501a

Certificate Info

IssuerDigiCert Inc

Subject*.github.io

FingerprintA1:46:14:C7:2A:1D:52:79:F6:AA:2B:B2:C5:0A:3B:D3:F5:02:06:75

ValidityTue, 21 Feb 2023 00:00:00 GMT - Wed, 20 Mar 2024 23:59:59 GMT

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Detects Empire component - file Invoke-Mimikatz.ps1
Public Nextron YARA rules	malware	Detects Empire component
Public Nextron YARA rules	malware	Detects Empire component
Public Nextron YARA rules	malware	Detects Empire component
Public Nextron YARA rules	malware	Detects Empire component
Public Nextron YARA rules	malware	Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1
Public Nextron YARA rules	malware	Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1
Public Nextron YARA rules	malware	Detects Invoke-Mimikatz String
Public Nextron YARA rules	malware	PowerShell with PE Reflective Injection
Public Nextron YARA rules	malware	Detects strings found in Runspace Post Exploitation Toolkit
Public Nextron YARA rules	malware	Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1
Public Nextron YARA rules	malware	Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode
Public Nextron YARA rules	malware	Auto-generated rule - file Invoke-Mimikatz.ps1
Public Nextron YARA rules	malware	Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1
Elastic Security YARA Rules	malware	Windows.Hacktool.Mimikatz

HTTP Headers

GET /EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1 HTTP/1.1
Host: raw.githubusercontent.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: W/"c155201b8f273fe94536b0fecfa55869745aa85e9e03ded79ee436051a29cc84"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 1210:0EB0:1AB2DB8:1BD19EE:65DFAAB5
content-encoding: gzip
accept-ranges: bytes
date: Wed, 28 Feb 2024 21:50:46 GMT
via: 1.1 varnish
x-served-by: cache-hel1410027-HEL
x-cache: MISS
x-cache-hits: 0
x-timer: S1709157046.884271,VS0,VE232
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: fefe5472f8c7d9999a0de2d77314b0799485f07d
expires: Wed, 28 Feb 2024 21:55:46 GMT
source-age: 0
content-length: 592850
X-Firefox-Spdy: h2