ATI Update ATI-2021-26

New Protocols & Applications (3)

Name | Category | Info
Ctrip Dec21 | Social Networking/Search | Ctrip is a Chinese online travel service website. It allows users to search for a destination, view travel notes, book hotels and purchase transportation tickets.
E*Trade Mobile Dec 2021 | Secure Data Transfer | E*Trade is a popular personal investment and securities trading application in North America.
Taobao Mobile | Voice/Video/Media | Simulates Taobao mobile as of December 2021, where the user watches Taobao live and purchases products.

New Superflows (4)

Name | Category | Tags | Info
Ctrip Dec21 | Social Networking/Search | ChinaApp, E-Commerce | Simulates Ctrip as of December 2021. The user opens the website, searches for a destination, views the travel notes and books a hotel.
Ctrip Dec21 Bandwidth | Social Networking/Search | ChinaApp, E-Commerce | The use of the Ctrip application as of December 2021. All of the available actions for this flow are exercised.
E*Trade Mobile Dec 2021 | Secure Data Transfer | Financial, Mobile, SimulatedTLS | E*Trade is a popular personal investment and securities trading application in North America. This simulates the use of the latest E*Trade mobile application, including user login, viewing the portfolio, trading stocks, reading market insight news, watching an informational video and logging out.
Taobao Mobile | Voice/Video/Media | ChinaApp, E-Commerce, MobileApp, SimulatedTLS | Simulates Taobao mobile as of December 2021, where the user watches Taobao live and purchases products.

New Application Profiles (1)

Name | Info
Top Financial Mobile Apps North America | Simulates the traffic of the top 6 financial mobile applications in North America in 2021.

New Security Tests (1)

Name | Info
Emotet Dec 2021 Campaign | The Emotet banking Trojan was first seen in 2014. It was designed as banking malware that attempted to steal sensitive and private information.

* https://www.malwarebytes.com/emotet

This strikelist contains 3 strikes simulating the 'Emotet Dec 2021 Campaign'.

1. The first strike simulates the download of a Word document. If the Word document is opened, an embedded macro would attempt to download the Emotet malware.
2. The second strike simulates the download of the Emotet malware.
3. The third strike simulates the command and control traffic that occurs after executing the Emotet malware. The victim sends an HTTP message to the attacker containing the base64-encoded SHA256 hash of the hostname. The attacker sends an HTTP reply message containing binary data.


It contains the following sequence of strikes:
1) /strikes/malware/apt/emotet_dec_2021_campaign/malware_4a3d10bfa418811b9a4f3732996954fa37924422.xml
2) /strikes/malware/apt/emotet_dec_2021_campaign/malware_99e30480c9f1d4864d006e1dfea6f2904daf30bf.xml
3) /strikes/botnets/apt/emotet_dec_2021_campaign/emotet_dec_2021_campaign_command_control.xml

# | Strike ID | Name | Description
1 | M21-C1k51 | Emotet Dec 2021 Campaign - Document File Transfer | This strike simulates the download of a malicious Word document via an HTTP GET request.
2 | M21-C1k52 | Emotet Dec 2021 Campaign - Emotet File Transfer | This strike simulates the download of a Windows binary file via an HTTP GET request. The file is a malicious Emotet DLL which sends command and control traffic after execution.
3 | B21-nnlx1 | Emotet Dec 2021 Campaign - Emotet Command and Control | This strike simulates the command and control traffic that occurs after executing the Emotet malware.

New Strikes (4)

CVSS | ID | References | Category | Info
10.0 | E21-cnhg2 | CVE-2021-44228, CVSS, CVSSv3, CWE-20, URL | Exploits | A JNDI Injection vulnerability exists in Apache Log4j versions 2.0 - 2.14. The vulnerability is due to improper handling of logged messages in the JndiManager class. By sending a crafted message to be logged by the target application, a remote unauthenticated attacker may execute arbitrary code on the target system. *NOTE: When running this strike in OneArm mode, the attacker will send a request to make the vulnerable server attempt an LDAP request to a JNDI server running on 192.168.2.7 port 1389 to retrieve the serialized object, which will execute the mktemp command.
7.5 | E21-cnd91 | CVE-2021-44077, CVSS, CVSSv3, CWE-287, URL | Exploits | This strike exploits an arbitrary file write vulnerability that has been reported in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. The vulnerability is due to insufficient validation of input data. An unauthenticated remote attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation results in the writing of an arbitrary file to the target application, potentially leading to execution of arbitrary code as SYSTEM.
4.3 | D21-9xpx1 | CVE-2020-17525, CVSS, CVSSv3, CWE-476, URL | Denial | This strike exploits a NULL Pointer Dereference vulnerability in the mod_authz_svn Apache HTTPD module of Apache Subversion. The vulnerability is due to improper handling of requests for non-existing repository URLs when the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option. A remote, unauthenticated attacker can exploit this vulnerability by sending a request to a non-existing repository, which crashes the HTTPD worker handling the request and leads to denial of service conditions. *NOTE: When running this strike in OneArm mode, the exploit will trigger only if the repository to which the request is sent does not exist on the server. In the false-positive evasion, the strike sends a request to a repository named 'repo1' which is assumed to be pre-existing on the server.
3.5 | E21-caw31 | CVE-2021-27907, CVSS, CVSSv3, CWE-79, URL | Exploits | This strike exploits a stored cross-site scripting vulnerability in the Markdown component of Apache Superset. The vulnerability is due to insufficient validation of Markdown snippets in a dashboard. A remote authenticated attacker can exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary script execution in the target user's browser.

Enhancements

Component | Info
Security | Added a new TCP evasion which allows segments to be of randomised length.
Security | Added a new IP evasion which allows fragments to be of randomised length.

Defects Resolved

Ticket | Info
ATIBPS-17684 | Fixed a typo in the description of strike D11-xik01.
ATIBPS-17821 | Removed deprecated strikes from the canned strike list.
ATIBPS-17883 | Corrected the default behaviour of the SMTP content-type boundary evasion.
ATIBPS-17886 | Fixed the direction to s2c for file transfer strikes E21-a6j81 and E21-ac4h1.
ATIBPS-17889 | Fixed an issue where strikes with the no_nat keyword were not skipped when running over a Network Neighborhood where one or more interfaces were configured with NAT.