add the stuff floating from other machines

Forensics/IOCs/README.md

@@ -0,0 +1,2 @@
+# IoCs
+

Forensics/IOCs/kaspersky_careto_C2.txt

@@ -0,0 +1,17 @@
+190.10.9.209
+190.105.232.46
+196.40.84.94
+200.122.160.25
+202.150.211.102
+202.150.214.50
+202.75.56.123
+202.75.56.231
+202.75.58.153
+210.48.153.236
+223.25.232.161
+37.235.63.127
+75.126.146.114
+81.0.233.15
+82.208.40.11
+62.149.227.3
+75.126.146.114

Forensics/IOCs/kaspersky_careto_domains.txt

@@ -0,0 +1,26 @@
+nthost.shacknet.nu
+tunga.homedns.org
+prosoccer1.dyndns.info
+prosoccer2.dyndns.info
+nav1002.ath.cx
+pininfarina.dynalias.com
+wqq.dyndns.org
+pl400.dyndns.org
+services.serveftp.org
+sv.serveftp.org
+cherry1962.dyndns.org
+carrus.gotdns.com
+ricush.ath.cx
+takami.podzone.net
+dfup.selfip.org
+wwnav.selfip.net
+fast8.homeftp.org
+ctronlinenews.dyndns.tv
+mango66.dyndns.org
+gx5639.dyndns.tv
+services.serveftp.org
+*.redirserver.net
+*.swupdt.com
+*.msupdt.com
+*.appleupdt.com
+*.linkconf.net

Forensics/IOCs/kaspersky_careto_files.txt

@@ -0,0 +1,48 @@
+%system%\objframe.dll
+%system%\shlink32.dll
+%system%\shlink64.dll
+cdllait32.dll
+cdllait64.dll
+cdlluninstallws32.dll
+cdlluninstallws64.dll
+cdlluninstallsgh32.dll
+cdlluninstallsgh64.dll
+%system%\c_50225.nls
+%system%\c_50227.nls
+%system%\c_50229.nls
+%system%\c_51932.nls
+%system%\c_51936.nls
+%system%\c_51949.nls
+%system%\c_51950.nls
+%system%\c_57002.nls
+%system%\c_57006.nls
+%system%\c_57008.nls
+%system%\c_57010.nls
+%system%\cdgext32.dll
+%system%\cfgbkmgrs.dll
+%system%\cfgmgr64.dll
+%system%\comsvrpcs.dll
+%system%\d3dx8_20.dll
+%system%\dllcomm.dll
+%system%\drivers\wmimgr.sys
+%system%\drvinfo.bin
+%system%\FCache.bin
+%system%\FFExtendedCommand.dll
+%system%\gpktcsp32.dll
+%system%\HPQueue.bin
+%system%\LPQueue.bin
+%system%\mdwmnsp.dll
+%system%\rpcdist.dll
+%system%\scsvrft.dll
+%system%\sdptbw.dll
+%system%\slbkbw.dll
+%system%\skypeie6plugin.dll
+%system%\wmspdmgr.dll
+%temp%\~DF01AC74D8BE15EE01.tmp
+%temp%\~DF23BF45A473C42B56.tmp
+%temp%\~DFA0528CD81300F372.tmp
+%temp%\~DF8471938479DA49221.tmp
+%appdata%\microsoft\c_27803.nls
+%appdata%\microsoft\objframe.dll
+%appdata%\microsoft\shmgr.dll
+%systemdrive%\boot.ini

Forensics/IOCs/kaspersky_careto_files_no-env-vars.txt

@@ -0,0 +1,48 @@
+windows\objframe.dll
+windows\shlink32.dll
+windows\shlink64.dll
+cdllait32.dll
+cdllait64.dll
+cdlluninstallws32.dll
+cdlluninstallws64.dll
+cdlluninstallsgh32.dll
+cdlluninstallsgh64.dll
+windows\c_50225.nls
+windows\c_50227.nls
+windows\c_50229.nls
+windows\c_51932.nls
+windows\c_51936.nls
+windows\c_51949.nls
+windows\c_51950.nls
+windows\c_57002.nls
+windows\c_57006.nls
+windows\c_57008.nls
+windows\c_57010.nls
+windows\cdgext32.dll
+windows\cfgbkmgrs.dll
+windows\cfgmgr64.dll
+windows\comsvrpcs.dll
+windows\d3dx8_20.dll
+windows\dllcomm.dll
+windows\drivers\wmimgr.sys
+windows\drvinfo.bin
+windows\FCache.bin
+windows\FFExtendedCommand.dll
+windows\gpktcsp32.dll
+windows\HPQueue.bin
+windows\LPQueue.bin
+windows\mdwmnsp.dll
+windows\rpcdist.dll
+windows\scsvrft.dll
+windows\sdptbw.dll
+windows\slbkbw.dll
+windows\skypeie6plugin.dll
+windows\wmspdmgr.dll
+%temp%\~DF01AC74D8BE15EE01.tmp
+%temp%\~DF23BF45A473C42B56.tmp
+%temp%\~DFA0528CD81300F372.tmp
+%temp%\~DF8471938479DA49221.tmp
+%appdata%\microsoft\c_27803.nls
+%appdata%\microsoft\objframe.dll
+%appdata%\microsoft\shmgr.dll
+%systemdrive%\boot.ini

Forensics/IOCs/kaspersky_careto_registry.txt

@@ -0,0 +1 @@
+[HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]

Forensics/README.md

@@ -1,5 +1,6 @@
 # Forensics
 
+
 ## Disk Forensics
 
 ### Basic useful CLI tools:
@@ -88,10 +89,9 @@ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic
 
 * [Lots of material on Volatility and Memory Forensics here](volatility.md)
 * [On OSX Memory Forensics](osx_memory_forensics.md)
-* I highly recommend their training.
 
 
----------------
+
 ## Scripts
 
 #### PDFs
@@ -101,7 +101,7 @@ Tools to test a PDF file:
 - pdf-parser
 
 
------------
+
 ## References
 
 * [File system analysis](http://wiki.sleuthkit.org/index.php?title=FS_Analysis)