{
    "type": "bundle",
    "id": "bundle--b2edc56f-4445-4658-9b64-e46060b3531c",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
            "created": "2023-03-08T12:51:48.041368Z",
            "modified": "2025-01-30T02:20:08.905936Z",
            "name": "Google",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cf5337b1-6136-4a4e-9613-dc8407f53447",
            "created": "2026-06-24T20:59:09.575343Z",
            "modified": "2026-06-24T20:59:09.575343Z",
            "name": "YARA-L rule UC_ttp_BlackMatter__SafeBoot (Chronicle/Google SecOps UDM events syntax; not a standard YARA rule despite pattern_type \"yara\") - BlackMatter safe-boot reconfiguration via bootcfg/bcdedit",
            "pattern": "rule UC_ttp_BlackMatter__SafeBoot {\r\nmeta:\r\nauthor = \"Google Cloud Threat Intelligence\"\r\ndescription = \"Detects a machine's configuration being changed to safe boot\"\r\next_description = \"Known command line for Black Matter's SafeBoot\"\r\nevents:\r\n($e.principal.process.file.full_path = /bootcfg/ nocase and\r\n($e.principal.process.command_line = /\\/raw \\/a \\/safeboot:network \\/id 1/ or\r\n($e.principal.process.command_line = /\\/raw \\/fastdetect \\/id 1/)) or\r\n($e.principal.process.file.full_path = /bcdedit/ nocase and\r\n($e.principal.process.command_line = /\\/raw \\/set \\/{current\\} safeboot network/ or\r\n$e.principal.process.command_line = /\\/raw \\/deletevalue \\{current\\} safeboot/)))\r\ncondition:\r\n$e\r\n}",
            "pattern_type": "yara",
            "valid_from": "2021-11-26T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4117a9c4-82b7-4313-a320-ee8b961d0345",
            "created": "2026-06-24T20:59:09.576148Z",
            "modified": "2026-06-24T20:59:09.576148Z",
            "name": "YARA-L rule UC_ttp_BlackMatter__RegKeys (Chronicle/Google SecOps UDM events syntax; not a standard YARA rule despite pattern_type \"yara\") - BlackMatter registry key and value-name indicators",
            "pattern": "rule UC_ttp_BlackMatter__RegKeys {\r\nmeta:\r\nauthor = \"Google Cloud Threat Intelligence\"\r\ndescription = \"Known registry keys used by Black Matter\"\r\nevents:\r\n// Modifying the privacy settings screen settings\r\n($e.principal.registry.registry_key = /software\\\\policies\\\\microsoft\\\\windows\\\\oobe/ nocase\r\nand\r\n$e.principal.registry.registry_value_name = \"disableprivacyexperience\" nocase) or\r\n// Storing the screen's resolution in the registry\r\n($e.principal.registry.registry_key = /SOFTWARE\\\\[A-Za-z0-9]{8}/ and\r\n($e.principal.registry.registry_value_name = /hScreen/ or\r\n$e.principal.registry.registry_value_name = /vScreen/ )) or\r\n// RunOnce key\r\n($e.principal.registry.registry_key =\r\n/SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce/ nocase and\r\n$e.principal.registry.registry_value_name = /[A-Z]{3}[0-9]{3}[a-z]{3}/ )\r\ncondition:\r\n$e\r\n}",
            "pattern_type": "yara",
            "valid_from": "2021-11-26T00:00:00Z"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--16f749cf-22a2-4cae-a704-e0803eece602",
            "created_by_ref": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
            "created": "2026-06-24T20:59:09.580271Z",
            "modified": "2026-06-24T20:59:09.580271Z",
            "name": "Threat Horizons Report - Cloud Threat Intelligence (Google, November 2021)",
            "published": "2021-11-26T00:00:00Z",
            "object_refs": [
                "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
                "indicator--cf5337b1-6136-4a4e-9613-dc8407f53447",
                "indicator--4117a9c4-82b7-4313-a320-ee8b961d0345"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf"
                }
            ]
        }
    ]
}