Name | Category | Info |
---|---|---|
Pastebin | Data Transfer/File Sharing | Pastebin is a website where a user can store any text online for easy sharing. The website is mainly used by programmers to store pieces of source code or configuration information, but anyone can paste any type of text. The idea behind the site is to make it more convenient for people to share large amounts of text online. |
Name | Category | Info |
---|---|---|
Pastebin Create Paste | Data Transfer/File Sharing | This Super Flow simulates the creation of a new paste on the Pastebin website. |
Name | Info |
---|---|
Andariel-2017 Campaign Scenario - 1 | Canned test simulating the Andariel-2017 attack scenario, as described in https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf. It sends 2 strikes in the following sequence: |
Andariel-2019 Infection Procedure - 1 | Canned test simulating Andariel-2019 Infection Procedure - 1. It sends 5 strikes in the following order: |
Andariel-2019 Infection Procedure - 2 | Canned test simulating Andariel-2019 Infection Procedure - 2. It sends 5 strikes in the following order: |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
9.0 | E20-100s1 | CVSS-9.0 (AV:N/AC:L/AU:N/C:P/I:P/A:C) CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EXPLOITDB-46684 URL | Exploits | An OS command injection vulnerability exists in Dell KACE K1000 versions before 6.4.120822, due to lack of sanitization of user-supplied data. By sending a crafted 'kuid' parameter in an HTTP request to '/service/krashrpt.php', a remote unauthenticated attacker may execute arbitrary OS commands as the user 'www'. |
9.0 | E20-10pg1 | CVE-2019-0193 CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C) CVSSV3-7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H URL | Exploits | This strike exploits a script injection vulnerability in Apache Solr via the "dataConfig" parameter of the DataImportHandler module. The DataImportHandler (DIH) module lets the user pull in data from databases and other sources. The "dataConfig" parameter allows the entire DIH config to be specified as a request parameter. Since a DIH config can contain scripts, an attacker can embed a malicious script in the request and have the server run it. Successful exploitation results in code execution in the context of the user running the Apache Solr service. |
7.5 | E20-14zq1 | CVE-2020-8518 CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EXPLOITDB-48215 | Exploits | A PHP code injection vulnerability exists in Horde Groupware Webmail Edition 5.2.22 due to lack of sanitization of user-supplied data. Remote authenticated attackers may send a crafted 'quote' parameter in an HTTP request to 'mnemo/data.php' to achieve PHP code execution. |
7.5 | E20-10e31 | CVE-2020-2555 CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H URL ZDI-20-128 | Exploits | This strike exploits an insecure deserialization vulnerability in the Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The Coherence library is a key component Oracle uses to implement highly reliable and scalable cluster computing. The vulnerability is a result of insufficient validation of T3 requests: the server deserializes classes in objects embedded in T3 protocol messages. Successful exploitation leads to remote code execution in the context of the user running the Oracle WebLogic Server service. |
6.8 | E20-mx8m1 | CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P) CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H URL | Exploits | This strike exploits a virtualenv path loading vulnerability in Microsoft Visual Studio Code. Specifically, the vulnerability is due to how VSCode selects and loads the virtualenv from a project folder. Loading the project folder requires no further user interaction; the user only has to open a Python .py file for the code to execute. By adding a malicious folder to the workspace and opening a Python file inside the project, the code added to the extension's virtualenv runs. The project zip package included in this strike prompts the user to install an extension; once it is installed, opening the Python file launches the Calculator app on macOS. |
4.3 | E20-13de1 | CVE-2020-6418 CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P) CVSSV3-6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H URL | Exploits | A type confusion vulnerability exists in the V8 JavaScript engine in Google Chrome prior to 80.0.3987.122. The vulnerability may be triggered by changing the type of array elements (e.g. from SmallInteger to Double) after optimization has taken place. By successfully exploiting this flaw, an attacker can execute arbitrary code in the context of Chrome's 'renderer' process. |
 | B20-An47a1 | | Botnets | This strike simulates Andariel-2017 Command and Control traffic after installing the 'Rifdoor' module. |
 | B20-An5d31 | | Botnets | This strike simulates Andariel-2019 Command and Control traffic after installing the 'ApolloZeus Loader' module. |
 | B20-An0981 | | Botnets | This strike simulates Andariel-2019 Command and Control traffic after installing the 'Signed Rifdoor' module. |
 | B20-An0c41 | | Botnets | This strike simulates Andariel-2019 Command and Control traffic after installing the 'proto' module. |
 | M20-An1371 | | Malware | This strike simulates the network transfer of the Andariel-2019 'ApolloZeus Loader' module. |
 | M20-An16c1 | | Malware | This strike simulates the network transfer of the Andariel-2019 'Signed Proto Downloader' module. |
 | M20-An7441 | | Malware | This strike simulates the network transfer of the Andariel-2019 'Signed Rifdoor' module. |
 | M20-An3401 | | Malware | This strike simulates the network transfer of the Andariel-2017 'Rifdoor' module. |
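Three of the exploit strikes above (E20-100s1, E20-14zq1 and E20-10pg1) are defined by a request path plus a parameter name, which makes them easy to hunt for in web-server access logs when checking whether an IPS in front of the target actually blocked the strike. The script below is an added example written for this page, not Keysight/Ixia ATI code. The paths and parameter names come from the strike descriptions; the Solr request path (`/solr/<core>/dataimport`, the usual DataImportHandler mount point) and every log line in `SAMPLE_LOG` are assumptions and constructed test data, not taken from the page.

```python
"""Log-based coverage check for the HTTP-parameter strikes listed above.

Added example, not ATI code. Flags access-log entries carrying the
path/parameter pairs named in the strike descriptions:
  E20-100s1  Dell KACE K1000   'kuid'       on /service/krashrpt.php
  E20-14zq1  Horde Webmail     'quote'      on mnemo/data.php
  E20-10pg1  Apache Solr DIH   'dataConfig' on /solr/<core>/dataimport (assumed path)
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# (strike ID, path pattern, parameter). The DataImportHandler mount point is an
# assumption: /solr/<core>/dataimport is the Solr default but is deployment-specific.
RULES = [
    ("E20-100s1", re.compile(r"/service/krashrpt\.php$"), "kuid"),
    ("E20-14zq1", re.compile(r"/mnemo/data\.php$"), "quote"),
    ("E20-10pg1", re.compile(r"/dataimport$"), "dataConfig"),
]

# Common/combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (not real traffic). Lines 2 and 5 are benign requests to
# the same applications; line 6 obfuscates the KACE path with a "./" segment.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2020:12:00:01 +0000] "GET /service/krashrpt.php?kuid=abc HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Mar/2020:12:00:02 +0000] "GET /service/krashrpt.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2020:12:00:03 +0000] "GET /horde/mnemo/data.php?actionID=export&quote=x HTTP/1.1" 200 99',
    '10.0.0.8 - - [10/Mar/2020:12:00:04 +0000] "POST /solr/core1/dataimport?command=full-import&dataConfig=%3CdataConfig%3E HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Mar/2020:12:00:05 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 1024',
    '10.0.0.10 - - [10/Mar/2020:12:00:06 +0000] "GET /service/./krashrpt.php?kuid=%27x HTTP/1.1" 500 0',
    'not a log line',
]


def parse_line(line):
    """Return {client, method, path, params, status} or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    # Percent-decode and collapse "./" and "//" so trivial path obfuscation
    # (/service/./krashrpt.php, /service//krashrpt.php) still matches the rule.
    path = posixpath.normpath(unquote(parts.path))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"client": client, "method": method, "path": path,
            "params": params, "status": int(status)}


def match_rules(req):
    """(strike ID, parameter) pairs whose path pattern and parameter both appear."""
    return [(sid, param) for sid, path_re, param in RULES
            if path_re.search(req["path"]) and param in req["params"]]


def scan(lines):
    """Return (client, strike ID, first parameter value) for every matching line."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for sid, param in match_rules(req):
            alerts.append((req["client"], sid, req["params"][param][0]))
    return alerts


if __name__ == "__main__":
    for client, sid, value in scan(SAMPLE_LOG):
        print(f"{client} {sid} value={value!r}")
```

Two caveats for using this beyond the sample: access logs record only the query string, so a strike that carries the parameter in a POST body (the descriptions say "HTTP request", not GET) is invisible here and needs the IPS or a body-logging proxy to confirm; and the mere presence of 'quote' on mnemo/data.php or 'dataConfig' on the DIH is also how legitimate CSV imports and ad-hoc DIH configs look, so treat a hit as a lead to inspect the payload, not as confirmation of exploitation.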
Ticket | Info |
---|---|
ATIBPS-16560 | Fix the HTTP parameter name in the strike for CVE-2019-16759. |