ATI Update ATI-2020-23

New Protocols & Applications (3)

Name | Category | Info
Mewe Nov20 | Social | Simulates the use of the Mewe social media platform as of Nov 2020.
Parler Nov20 | Social | Simulates the use of the Parler social media platform as of November 2020.
Youku Nov20 | Voice/Video/Media | Youku is a popular Chinese video website that allows users to view, upload, comment on, rate and share videos.

New Superflows (17)

Name | Category | Info
DNP3 Enable Unsolicited | SCADA | This simulates the DNP3 Enable Spontaneous Messages operation for all classes.
DNP3 Disable Unsolicited | SCADA | This simulates the DNP3 Disable Spontaneous Messages operation for all classes.
DNP3 Cold Restart | SCADA | This simulates the DNP3 message exchange when a Cold Restart is requested by the master. The response from the target device indicates the time when the station will become available again.
DNP3 Stop Application | SCADA | This simulates the DNP3 Stop Application request sent by the master, an error response from the target device (this can happen when DNP3 requires a password login), after which the Stop Application request is repeated and the application is stopped.
DNP3 Unsolicited Response and Confirm | SCADA | This simulates multiple DNP3 Unsolicited Response messages sent by devices to the master indicating their current status, and the Confirm messages sent by the master to confirm that the Unsolicited Response messages have been received and parsed without error.
DNP3 Warm Restart | SCADA | This simulates the DNP3 message exchange when a Warm Restart is requested by the master. The response from the target device indicates the time when the station will become available again.
DNP3 Write Time and Date | SCADA | This simulates the DNP3 message exchange when a Write Time and Date message is sent by the master.
Mewe Nov 20 | Social | Simulates the use of Mewe as of November 2020. The user logs into the Mewe website, browses posts, posts a status, and logs out.
Mewe Nov 20 Browse Feed | Social | Simulates the scenario where the user logs into the Mewe website, browses posts and logs out.
Mewe Nov 20 Post Status | Social | Simulates the scenario where the user logs into the Mewe website, posts something and logs out.
Microsoft Teams Nov20 Full Conference with 6 Users | Chat/IM | Simulates a 3-minute full conference between 6 users. At the beginning of the Super Flow, a user opens a video conference and starts a screen-share session. The second user enters the video call and the 2 users exchange chat messages. After this, the other 4 users join the conference. Users 3 and 4 stay in the conference for 1 minute, leave the conference for 1 minute, then join back. 3 minutes after the beginning of the conference, user 1 stops the screen share and leaves the conference, followed by all the other users.
Parler Nov 20 | Social Networking/Search | Simulates the use of the Parler website as of November 2020. All of the available actions for this flow are exercised.
Parler Nov 20 Browse Feed | Social Networking/Search | Simulates the scenario where the user logs into the Parler website, browses posts and logs out.
Parler Nov 20 Post Status | Social Networking/Search | Simulates the scenario where the user logs into the Parler website, posts something and logs out.
T.38 Fax Protocol NAT support | Data | Simulates the T.38 fax protocol over UDPTL. A call is first established over SIP, where various parameters such as the port for the T.38 protocol are negotiated. The connection then switches to the T.38 protocol, over which the caller and the receiver exchange fax data. This superflow adds NAT support.
Youku Nov20 Authentication | Voice/Video/Media | Simulates Youku authentication as of Nov 20. The user gets the login page, logs in, then logs out.
Youku Video Nov20 | Voice/Video/Media | Simulates Youku video functionality as of Nov 20. The user opens the website, browses through the video lists, searches for and plays videos.

New DDoS (2)

Name | Category | Info
DDoS Fax 1000-Pages | Data | This denial of service attack represents a situation where the attacker sends 1000 fax pages to the victim to waste ink.
DDoS Fax 1000-Pages Blacked Out | Data | This denial of service attack represents a situation where the attacker sends 1000 blacked-out fax pages to the victim to waste ink.

New Security Tests (1)

Name | Info
Operation Quicksand Nov 2020 Campaign | This strikelist contains 5 strikes simulating the 'Operation Quicksand Nov 2020 Campaign'.

1. The first strike simulates the download of the malicious Excel document.
2. The second strike simulates the download of the PowerShell malware after the execution of the malicious Excel document.
3. The third strike simulates the download of the 'CLI.dll' malware after the execution of the malicious PowerShell malware.
4. The fourth strike simulates the traffic that occurs after executing the 'CLI.dll' malicious executable. The victim sends an HTTP GET request to the attacker containing the victim's computer hostname.
5. The fifth strike simulates the download of the 'PowGoop.dll' malware after the successful connection to the attacker.

It contains the following sequence of strikes:
1) /strikes/malware/apt/operation_quicksand_nov_2020_campaign/malware_9804af6865f0ffcc8143761863160b6e8a004ee8.xml.xml
2) /strikes/malware/apt/operation_quicksand_nov_2020_campaign/malware_60b5b41bd598fd844630fdf609539fc854437392.xml.xml
3) /strikes/malware/apt/operation_quicksand_nov_2020_campaign/malware_dc7fca6a34a3a65cf5df6c17435fc5f2f1c62b93.xml.xml
4) /strikes/botnets/apt/operation_quicksand_nov_2020_campaign/operation_quicksand_nov_2020_campaign_command_control.xml
5) /strikes/malware/apt/operation_quicksand_nov_2020_campaign/malware_0984f359c1f8c85da5a0662448a4fedab4c524e5.xml

# | Strike ID | Name | Description
1 | M20-87x01 | Operation Quicksand Nov 2020 Campaign - Excel Malware File Transfer | This strike simulates the download of the Excel malware via an HTTP GET request.
2 | M20-nie01 | Operation Quicksand Nov 2020 Campaign - Powershell Malware File Transfer | This strike simulates the download of the PowerShell malware via an HTTP GET request.
3 | M20-dmk01 | Operation Quicksand Nov 2020 Campaign - CLI.dll Malware File Transfer | This strike simulates the download of the CLI.dll malware via an HTTP GET request.
4 | B20-1t601 | Operation Quicksand Nov 2020 Campaign - CLI.dll Command and Control | This strike simulates the 'Operation Quicksand Nov 2020 Campaign - CLI.dll Command and Control' traffic that occurs after executing the CLI.dll malware.
5 | M20-2ec01 | Operation Quicksand Nov 2020 Campaign - PowGoop Malware File Transfer | This strike simulates the download of the PowGoop malware via an HTTP GET request.

New Strikes (5)

CVSS | ID | References | Category | Info
7.5 | E20-9x721 | CVE-2020-16846, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a command injection vulnerability in the SSH client of the Salt API component of SaltStack Salt. Specifically, when a POST request is made to the rest_cherrypy service, the ssh_port parameter is not properly sanitized. The flaw may be exploited by an authenticated attacker to execute arbitrary code in the context of the root user. This flaw can also be exploited by an unauthenticated attacker when combined with CVE-2020-25592. Note: This strike simulates the unauthenticated attacker behaviour.
7.5 | E20-0ztw1 | CVSS, CVSSv3, CWE-78, EXPLOITDB-46436 | Exploits | This strike exploits a code injection vulnerability in the Belkin Wemo Crock-Pot UPnP API. Specifically, it is possible for an attacker to inject code into the SmartDevURL parameter when sending a POST request to the listening basicevent1 service of the Belkin application. The attacker can perform this attack unauthenticated and execute code remotely on the vulnerable device.
6.5 | E20-0gl01 | CVE-2017-6327, CVSS, CVSSv3, CWE-20, URL | Exploits | This strike exploits a command injection vulnerability in Symantec Messaging Gateway. The vulnerability is due to an authentication bypass in 'LoginAction' and improper validation of input passed to the 'performRestore' method. Specifically, the 'localBackupFileSelection' parameter is not properly sanitized. The flaw may be exploited by an unauthenticated attacker to execute arbitrary code in the context of the root user.
4.3 | E20-wpb71 | CVSS, CVSSv3, CWE-79, URL | Exploits | This strike exploits an XSS code injection vulnerability in the Belkin Wemo application. Specifically, it is possible for an attacker to inject code into the ChangeFriendlyName parameter when sending a POST request to the listening basicevent1 service of the Belkin application. The attacker can potentially use this vulnerability to perform various functions such as exfiltrating images and GPS tracking, because the Wemo application has been granted access to these services.
4.0 | E20-14qr1 | CVE-2020-8195, CVSS, CVSSv3, CWE-20, URL | Exploits | An information disclosure vulnerability exists in Citrix Application Delivery Controller (ADC) and Gateway. This vulnerability can be triggered by calling the function file_download() in the PHP rapi.php script. The flaw may be exploited by an authenticated attacker to access sensitive data. This flaw can also be exploited by an unauthenticated attacker when combined with CVE-2020-8193.

Enhancements

Component | Info
Apps | Modified the SSH handshake packet sequence to send the "New Keys" packet from client to server.
Apps | Introduced 3 new tags (IoT, ICS and Healthcare) and applied them to existing flows and superflows.
StrikeList | New Strike List for the MQTT protocol, "MQTT protocol Strikes". The strikes in this list use the Message Queuing Telemetry Transport (MQTT) protocol. MQTT is mostly associated with IoT, telemetry data and messaging.
StrikeList | New Strike List "All Strikes except Jumbo" that includes all the strikes present in the 'All Strikes' strikelist excluding the ones which have the 'jumbo' keyword. This strikelist should contain all the strikes except the ones that need an MTU higher than 1500.

Defects Resolved

Ticket | Info
ATIBPS-17113 | Fixed the bug where the DSCP tag was not applied to all packets for Skype and Teams flows. Now, if a user sets any IPv4 TOS/DSCP value in the webgen flow parameters, it is applied to all static as well as dynamic webgen-generated flows.
ATIBPS-16980 | Fixed padding in the Option Header for the RFC 7753 Port Control Protocol.
ATIBPS-10839 | The strike cve_2011_3834_nullsoft_winamp_AVI_stream_count_integer_overflow_heap_buffer_overflow.xml has had its stream_count value modified and verified against a vulnerable version of the software. The meta attributes have also been updated.