Name | Category | Info |
---|---|---|
Mail.ru Jun20 | Email/WebMail | Mail.ru Group is a Russian Internet company. It was started in 1998 as an e-mail service provider. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. |
Ok.ru Jun20 | Social Networking/Search | Odnoklassniki, OK.ru is a social network service for classmates and old friends. It is especially used in Russia and former Soviet Republics. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. |
VKontakte Jun20 | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. This protocol can be used to simulate the VKontakte (VK) website, a social media/social networking platform mostly used by Russian speakers, where the user performs actions such as logging in, viewing the feed, posting a message and logging out. |
Zoom Meeting Media | Voice/Video/Media | Zoom is a popular teleconferencing application with rich messaging and multimedia features. This flow is a 2-arm simulation of the multimedia protocols used in Zoom conference meeting. Zoom offers clients for both desktop and mobile users. The clients in this flow conform to versions following 4.6.11 software release. Zoom application uses proprietary RTP technology for audio and video streams over UDP. It uses a proprietary stream control mechanism over TLS. This simulation allows adding an arbitrary number of users with flexible features for various user interaction scenarios in a Zoom meeting. |
Name | Category | Info |
---|---|---|
Mail.ru Jun20 | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, sends a mail, views a mail and logs out. |
Mail.ru Jun20 Send Mail | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, sends a mail and logs out. |
Mail.ru Jun20 View Mail | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, views a mail and logs out. |
OK.ru Jun20 | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, views the feed, posts a message and logs out. |
OK.ru Jun20 Post Message | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, posts a message and logs out. |
OK.ru Jun20 View Feed | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, views the feed and logs out. |
VKontakte Jun20 | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, views the feed, posts a message and logs out. |
VKontakte Jun20 Post Message | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, posts a message and logs out. |
VKontakte Jun20 View Feed | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, views the feed and logs out. |
Zoom Meeting Conference (2 Users) | Voice/Video/Media | This is a simulation of Zoom Conference Meeting (version >= 4.6) application with two users: User-1 with a mobile client, and User-2 with a PC client. User-1 has hosted the meeting and User-2 joins the meeting and performs: exchanging instant messages with User-1, retrieving the message history, streaming audio / video for 15 seconds. |
HTTP Standard Response Size 64K | Testing and Measurement | Simulates a scenario where the client sends a GET request to the server and the server sends a 200 OK response with a standard 64KB (65536) payload. |
HTTP Standard Response Size 1M | Testing and Measurement | Simulates a scenario where the client sends a GET request to the server and the server sends a 200 OK response with a standard 1MB (1048576) payload. |
TLSv1.2 HTTP Standard Response Size 64K | Testing and Measurement | Simulates HTTP client-server communication where the server sends a 200 OK response with a standard 64KB (65536) payload. TLSv1.2 and cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 are used for traffic encryption. |
TLSv1.2 HTTP Standard Response Size 1M | Testing and Measurement | Simulates HTTP client-server communication where the server sends a 200 OK response with a standard 1MB (1048576) payload. TLSv1.2 and cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 are used for traffic encryption. |
Afreeca TV Jan20 Bandwidth | Voice/Video/Media | Added the bandwidth version of the Afreeca TV Jan20 superflow. The parameters here are set for high bandwidth that could be used in Sandvine profiles. |
Name | Info |
---|---|
BreakingPoint Sandvine 2019 EMEA Upstream | It simulates the upstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report September 2019 for EMEA region. |
BreakingPoint Sandvine 2019 EMEA Downstream | It simulates the downstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report September 2019 for EMEA region. |
BreakingPoint Sandvine 2018 APAC Upstream | It simulates the upstream traffic generated by the top 8 applications reported in the Sandvine Global Internet Phenomena Report October 2018 for APAC region. |
BreakingPoint Sandvine 2018 Americas Upstream | It simulates the upstream traffic generated by the top 9 applications reported in the Sandvine Global Internet Phenomena Report September 2018 for America. |
BreakingPoint Sandvine 2018 APAC Downstream | It simulates the downstream traffic generated by the top 10 applications reported in the Sandvine Global Internet Phenomena Report October 2018 for APAC region. |
Name | Info |
---|---|
Dridex May 2020 Malware Campaign | This strikelist contains 3 strikes simulating the 'Dridex May 2020 Malware Campaign'. 1. The first strike sends a phishing email with a malicious link. 2. The second strike simulates the download of the Dridex malware: once a user has opened the link in the phishing email, the Dridex malware is downloaded via an HTTP GET request. 3. In the third strike, the victim issues an HTTP GET request, and the attacker replies with both the base64-encoded CNC IP address and the name of a file to retrieve next. The victim then performs an HTTP GET request to download the file named in the attacker's first base64-encoded reply. Once this request is received, the attacker replies with a zipped VBA file. Finally, the victim performs 2 CNC POST requests, both carrying unknown binary data. It contains the following sequence of strikes: 1) /strikes/phishing/dridex_manager_subject_phishing_email.xml 2) /strikes/malware/apt/dridex_may_2020_malware_campaign/malware_f88f5dfa79a83aae6c3a5e4d417d9e184b4d0c4c.xml 3) /strikes/botnets/apt/dridex_may_2020_malware_campaign/dridex_may_2020_malware_campaign_command_and_control.xml |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
9.3 | E20-0yvx1 | CVE-2020-0605, CVSS, CVSSv3, URL | Exploits | A code execution vulnerability exists in some versions of Microsoft .NET Framework. The vulnerability is due to insecure deserialization of XPS files by the 'XamlReader::Load()' function within 'PresentationFramework.dll'. A remote attacker could exploit this vulnerability by enticing a target user to download and open a crafted XPS file, which may result in the execution of arbitrary code. |
9.0 | E20-0zxg1 | CVE-2020-1956, CVSS, CVSSv3, URL | Exploits | A command injection vulnerability exists in Apache Kylin project versions 2.3.0-2.3.2, 2.4.0-2.4.1, 2.5.0-2.5.2, 2.6.0-2.6.4 and 3.0.0. The vulnerability is due to lack of validation of user-supplied input to the 'migrate' REST API endpoint. A remote authenticated attacker may execute arbitrary commands by sending a crafted POST request. |
7.6 | E20-0yxu1 | CVE-2020-0674, CVSS, CVSSv3, URL | Exploits | This strike exploits a vulnerability in the Microsoft Internet Explorer scripting engine. Specifically, an attacker can craft an HTML page containing a JavaScript script which creates an array of objects; an object is reassigned in a custom sort function which then calls 'CollectGarbage()', resulting in a use-after-free condition due to a dangling pointer. A remote attacker could exploit this vulnerability by enticing the target user to open a specially crafted web page. Successful exploitation could lead to arbitrary code execution in the security context of the target user. |
6.8 | E20-13cm1 | CVE-2020-6390, CVSS, CVSSv3, GOOGLE-2001 | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, an attacker can craft JavaScript in such a way that when read_requests are modified from inside the accessor, the loop's iterator becomes invalid, and continuing to iterate causes out-of-bounds memory to be accessed. This can cause a denial of service condition in the browser or potentially lead to remote code execution. |
6.8 | E20-15ze1 | CVE-2020-9802, CVSS, CVSSv3, GOOGLE-2020 | Exploits | This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript in such a way that Checked and Unchecked ArithNegate operations are incorrectly swapped during Common Subexpression Elimination. This leads to out-of-bounds memory access on an array after it has been JIT compiled. |
5.0 | E20-XZ24L | CVSS, CVSSv3, URL | Phishing | This strike simulates a phishing email that has been seen in the wild pushing Dridex malware. This specific phishing attempt is related to the 'Dridex May 2020 Malware Campaign', and it tries to trick the user into clicking a malicious link by asking the victim a vague question about something received from a manager. |
Ticket | Info |
---|---|
ATIBPS-16791 | When running with an evasion profile that has all variants enabled, the generated variants now respect the evasion profiles defined in the strike. This may result in encrypted traffic for strikes that specify TLS by default. Configuring the evasion profiles manually overrides this behavior. |
ATIBPS-16769 | Fixed the description of the Maze Ransomware Campaign strikes. |