Killing The Bear - v1



What's this?

Killing the Bear aims to centralize, compile and classify, in the simplest and most up-to-date way possible, all information concerning APTs and organized groups in general.
Using information from external sources and reports from researchers around the world, it extracts IOCs and other data of interest to help keep emerging threats in the spotlight.
All extracted IOCs are stored by target and date in AlienVault.
In parallel with this GitBook, I also publish a newsletter on my LinkedIn for my entire network of contacts, with the most up-to-date news and IOCs from my targets.
You can reach Killing The Bear from GitHub too.

What useful information is there?

A classification, as atomized and relational as possible, of various actors, including but not limited to:
  • Actors
  • Countries
  • TTPs
  • Campaigns
  • Malware
  • Tools
  • Timeline (actions taken by and against them)
  • Relations between them
  • Library
  • And much more...

What kind of IOCs?

  • Hashes (MD5, SHA1, SHA256)
  • CIDR
  • IPs (v4 and v6)
  • URLs
  • Domains
  • Hostnames
  • SSL fingerprints
  • YARA
  • CVEs
  • Etc...

How should I use this?

Whenever you see a link in this GitBook, it will take you to an AlienVault Pulse. There you can extract the IOCs or implement them directly in your SOC.
Either way, this is ammunition for your SOC, your Blue Team and your CTI.
Use the information listed here to prevent attacks before you become prey.
And if the day comes when you have a shot at any of the groups listed here, make them pay.

How can I search for something?

Almost everything has been set up so that you can search by tags.
If you are interested in vulnerabilities, just search for "cve" in the search field and it will take you to all the IOCs that have associated CVEs.
If you are looking for a particular malware family associated with several IOCs or groups, proceed in the same way by entering the name of the malware you want to search for.
The same goes for dates (months are abbreviated to three letters, e.g. Apr).
For a more in-depth and API-enabled search, go to my AlienVault and search for "Killing The Bear".

Who manages all this?

Myself. Right now I'm just running the project in my spare time, but all help is welcome.
And who am I? Just another guy in this sector who has a couple of unfinished matters with the bad guys and a promise to keep.
The project was born from the idea of one day giving the community a centralized point from which to hunt the devil, away from all the discrepancies and commercial bullshit where everyone calls things whatever they want. That doesn't help.
Evil is Evil, and it should be called the same, whether it comes from CrowdStrike or from the other side of the world.

How can I collaborate?

Any source of information, or raw information that you can pass to me, is more than welcome.
Any analysis report, GitHub repo, findings, suspected campaigns: everything is welcome.
In the header of this page you have a link to "Allmylinks", where you can see several sites through which you can contact me.
However, the easiest way for this project is to send me an email at [email protected]. Please send it to me in encrypted form. You can find my public key on any key server, and you will also find it in the header.
I will add a "Contributors" section and add the ID of your choice to that list.
I always give credit to the source, but the amount of information I have to manage is immense, so if you see IOCs of yours and you are not referenced correctly in AlienVault, please let me know and I will fix it ASAP.

Why are there so many empty entries?

Good question.
The project is at a really early stage. I can't pick and choose the most relevant information that is going to come to me day by day, so on many occasions I get something interesting about a group or campaign whose entry I haven't been able to fill in yet, but I add it anyway so I can complete it little by little.
The whole Gitbook will be filled in and populated over time.


Copyright © Killing The Bear - Jorge Testa 2022.
Unless otherwise specified, information from external sources and third parties added to this book belongs to its original authors. The book "Killing The Bear" and its references are authored by Jorge Jiménez (aka Jorge Testa) and licensed under the Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
For any questions, suggestions, collaborations or commercial proposals, please visit All My Links and get in touch with me.