Name | Category | Info |
---|---|---|
DNS Query Response With Conditional Request | Distributed Computing | This is a simple DNS query and response for an A record with a conditional request. The \x01\x00 is essentially looking for the DNS Query message from the client. |
HTTP Single GET with Standard Response Size 512K | Testing and Measurement | Simulates a scenario where the client sends a single GET request to the server and the server sends a 200 OK response with a standard 512 KB file. |
Netflix Client Get 15secs Movie | Voice/Video/Media | This simulates Netflix video streaming, where the client requests a 15-second movie from the server. |
WhatsApp 512KB | Chat/IM | This simulates the WhatsApp messaging application. The user signs in and sends a message of 512 KB in size. |
Youtube MP4 720p | Voice/Video/Media | This plays a 30-second YouTube MP4 video with 720p resolution at 2508 kbit/s. |
Name | Info |
---|---|
RIG EK GandCrab Oct 2020 Campaign | This strikelist contains 5 strikes simulating the 'RIG EK GandCrab Oct 2020 Campaign'. 1. The first strike simulates the visit to the RIG exploit kit page; the server replies with an HTTP redirect to the further exploit page. 2. The second strike simulates the download of the CVE-2016-0189 file used by the RIG exploit kit. 3. The third strike simulates the download of the CVE-2018-4878 file used by the RIG exploit kit. 4. The fourth strike simulates the download of the encrypted GandCrab malware. 5. The fifth strike simulates the traffic that occurs after the execution of the GandCrab malware: the victim issues an HTTP GET request to the C2 server without any information being exfiltrated. This request is not malicious. It contains the following sequence of strikes: 1) /strikes/botnets/apt/rig_ek_gandcrab_oct_2020_campaign/rig_ek_gandcrab_oct_2020_campaign_gate.xml 2) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_df0fc71b70cc21caec43f4f7f495bb4a1e610249.xml 3) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_d11f6dd0338946828c238e62dba3b79d8e0b8692.xml 4) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_36164eee39cbb47247c5fff3e1788f7e80993943.xml 5) /strikes/botnets/apt/rig_ek_gandcrab_oct_2020_campaign/rig_ek_gandcrab_oct_2020_campaign_command_control.xml |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
9.8 | E20-13h11 | CVE-2020-6549, CVSS, CVSSv3, CWE-416, GOOGLE-2063 | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, a Use-After-Free condition occurs when the MediaElementEventListener::UpdateSources function is invoked in a specific manner. When this happens, a denial of service condition, or potentially remote code execution, may occur. |
9.3 | E20-0zk02 | CVE-2020-1472, CVSS, CVSSv3, CWE-269, URL | Exploits | This strike exploits the vulnerability known as 'Zerologon'. This privilege escalation vulnerability is due to the insecure usage of AES-CFB8 encryption for Netlogon sessions in the Microsoft Netlogon Remote Protocol (MS-NRPC). This is the SMB version of the Zerologon strike. A remote (same LAN) unauthenticated attacker can exploit this vulnerability to impersonate the identity of any machine on the network when authenticating to the Domain Controller, which may result in the complete takeover of a Windows domain. |
9.0 | E20-11ny1 | CVE-2020-4206, CVSS, CVSSv3, CWE-20 | Exploits | This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a lack of input sanitization for injection or invalid characters in the timezone parameter. When an attacker sends an HTTP POST request to the "/emi/api/changetimezone" URI, command execution can occur. |
7.8 | D20-a4p31 | CVE-2020-26567, CVSS, CVSSv3, CWE-284 | Denial | This strike exploits a vulnerability in D-Link Wireless N Unified Service Routers (DSR-250N) 3.12 that can cause a denial of service. The device allows an attacker on the same local network to execute a CGI script that reboots the device; the attack can be triggered without authentication. |
5.0 | E20-5nyw1 | CVE-2018-18264, CVSS, CVSSv3, CWE-306 | Exploits | This strike exploits an information disclosure vulnerability in Kubernetes Dashboard. The vulnerability allows unauthorized access to the kubernetes-dashboard-certs secret object. When an HTTP GET request is sent to /api/v1/secret/kube-system/kubernetes-dashboard-certs, access to the kubernetes-dashboard-certs object is not restricted and the server responds with the TLS certificate and private key. |
4.3 | E20-9w031 | CVE-2020-15299, CVSS, CVSSv3, CWE-79, URL | Exploits | This strike exploits a reflected cross-site scripting vulnerability in the KingComposer plugin through 2.9.4 for WordPress. The vulnerability takes advantage of the kc-online-preset-data parameter to send base64-encoded JavaScript. A remote, unauthenticated attacker can exploit this vulnerability by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. As such, if an attacker base64-encoded a malicious payload and tricked a victim into sending a request containing the payload in the kc-online-preset-data parameter, that payload would be decoded and executed in the victim's browser. |
ID | Info |
---|---|
E20-0zk01 | The CVE-2020-1472 or 'ZeroLogon' strike, which sets the DC password to all zeros, is now a verified strike. Running this strike in one-arm mode against a real DC will set the password to all zeros. Note: The DC name needs to be HYDRA-DC. |
Ticket | Info |
---|---|
ATIBPS-10140 | Fixed the issue where the alert messages of simulated HTTPS were not properly encrypted. |
ATIBPS-16865 | Fixed the SMB protocol prepending three 0x00 bytes before the data when sending a file. |
ATIBPS-16868 | Fixed the miscalculation of Credential Length when the RPC protocol runs through NAT (from 0x2f to 0x30). |