Name | Category | Info |
---|---|---|
Gettr Oct21 | Social Networking/Search | Gettr is a social media platform targeted at North America. |
Ikea Oct 2021 | Enterprise Applications | Ikea is a multinational conglomerate that designs and sells ready-to-assemble furniture, kitchen appliances and home accessories, among other goods and home services. |
Railway 12306 Mobile Oct 2021 | Enterprise Applications | Railway 12306 is the official Chinese train ticket purchasing application. |
Robinhood Mobile Oct 2021 | Financial | Robinhood is a popular trading application. |
Tridium Niagara Fox | SCADA | Tridium Niagara Fox is a proprietary protocol used for all network communication between stations as well as between workbench and stations in Niagara Framework. |
Name | Category | Tags | Info |
---|---|---|---|
Gettr Oct 21 | Social Networking/Search | Social Networking | Simulates the use of the Gettr website as of October 2021. All of the available actions for this flow are exercised. |
Gettr Oct 21 Browse | Social Networking/Search | Social Networking | Simulates the scenario in which the user opens the Gettr website, logs in, browses through posts and logs out. |
Ikea Oct 2021 | Enterprise Applications | Financial SimulatedTLS | Ikea is a multinational conglomerate that designs and sells ready-to-assemble furniture, kitchen appliances and home accessories, among other goods and home services. |
Railway 12306 Mobile Oct 2021 | Enterprise Applications | ChinaApp Financial MobileApp SimulatedTLS | Railway 12306 is the official Chinese train ticket purchasing application. This is a simulation of Railway 12306 version 5.4.0.12 in which the user checks the train timetable and buys a ticket. |
Robinhood Mobile Oct 2021 | Financial | Financial MobileApp SimulatedTLS | Robinhood is a popular trading application. This is a simulation of Robinhood in which the user logs in to the application, checks news and performs two trades. |
Tridium Niagara Fox | SCADA | ChinaApp ICS | Simulates a scenario in which a Tridium Niagara client starts a connection with a server. The server responds to the connection with system parameters, sends a challenge message and rejects the connection. |
Tridium Niagara Fox Bandwidth | SCADA | ChinaApp ICS | Simulates a scenario in which a Tridium Niagara client starts a connection with a server. The server responds to the connection with system parameters. |
Name | Info |
---|---|
Sandvine 2021 Global Mobile Social Media Downstream | It simulates the downstream traffic generated by the mix of global social media mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021. |
Sandvine 2021 Global Mobile Social Media Upstream | It simulates the upstream traffic generated by the mix of global social media mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021. |
Name | Info |
---|---|
SquirrelWaffle Oct 2021 Campaign | SquirrelWaffle is a piece of malicious software designed to cause chain infections, i.e. to download and install additional malware. At the time of research, SquirrelWaffle was used to infect systems with the Cobalt Strike malicious program, which is infamous for being used to deploy ransomware on devices. Reference: https://www.pcrisk.com/removal-guides/21881-squirrelwaffle-malware. This strikelist contains 5 strikes simulating the 'SquirrelWaffle Oct 2021 Campaign'. 1. The first strike simulates the download of a zip file. This is the initial infection vector for this campaign: the zip file contains a malicious macro-embedded Word document, and after macro execution it downloads the next-stage SquirrelWaffle malware. 2. The second strike simulates the download of the SquirrelWaffle malware. 3. The third strike simulates the command and control traffic that occurs after the SquirrelWaffle malware executes. The victim sends an HTTP message to the attacker, and the attacker replies with an HTTP 200 response carrying customized HTTP body data over port 80. 4. The fourth strike simulates the download of the Cobalt Strike binary. 5. The fifth strike simulates the traffic that occurs after the Cobalt Strike binary executes. The victim and the attacker exchange encrypted payloads over HTTPS on port 8080. It contains the following sequence of strikes: 1) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_50db7914bc6c4e4d0b8e8e69a604221fe2d74716.xml 2) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_55d3d2226a8af0b6cfcfbe8d590cd880954ca419.xml 3) /strikes/botnets/apt/squirrelwaffle_oct_2021_campaign/squirrelwaffle_oct_2021_campaign_squirrelwaffle_command_control.xml 4) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_65b43bfe8a5f2481d70b76ebd543b9f5b4baa0f6.xml 5) /strikes/botnets/apt/squirrelwaffle_oct_2021_campaign/squirrelwaffle_oct_2021_campaign_cobalt_strike_command_control.xml |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
10.0 | E21-c8uy1 | CVE-2021-25274, CVSS, CVSSv3, CWE-502, URL | Exploits | This strike exploits an insecure deserialization vulnerability that has been reported in SolarWinds Orion, the core platform for multiple SolarWinds products. The vulnerability is due to insufficient validation of messages sent to the MSMQ message queue. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution in the security context of SYSTEM. |
9.0 | E21-17rh2 | CVE-2020-27871, CVSS, CVSSv3, CWE-22, URL | Exploits | This strike exploits an arbitrary file write vulnerability that has been reported in SolarWinds Network Configuration Manager. The vulnerability is due to insufficient validation of file types for vulnerability announcement data files in VulnerabilitySettings.aspx, combined with a lack of restriction on destination paths. A remote, authenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation results in the writing of an arbitrary file to a location chosen by the attacker, potentially leading to execution of arbitrary code as SYSTEM. |
7.5 | E21-ci6e1 | CVE-2021-37350, CVSS, CVSSv3, CWE-89, URL | Exploits | This strike exploits a SQL injection vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the field_value parameter in the bulkmodifications component. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could allow an attacker to execute SQL commands on the target server. |
7.5 | E21-ci6a1 | CVE-2021-37346, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a command injection vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the ip_address parameter in the watchguard wizard component. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could allow an attacker to execute arbitrary commands on the target server. |
6.5 | E21-ci671 | CVE-2021-37343, CVSS, CVSSv3, CWE-22, URL | Exploits | This strike exploits a path traversal vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the job parameter in the autodiscovery feature. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could result in arbitrary file creation and, furthermore, in arbitrary code being executed in the context of the web server. Note: This strike contains just the authentication and the request required to create a backdoor in the web server. |
Component | Info |
---|---|
Security | Added variation for RTF file for Strike E21-ckkc1. |