ATI Update ATI-2022-01

New Protocols & Applications (3)

| Name | Category | Info |
|---|---|---|
| CBS News Dec21 | Voice/Video/Media | CBS News is the news division of the American television and radio service CBS. |
| Pinduoduo Mobile Dec21 | Social Networking/Search | Pinduoduo is a popular Chinese online shopping application. It allows users to browse content, search for products and make purchases. This simulates the mobile version of the Pinduoduo application. |
| TRDP | SCADA | TRDP (Train Real-Time Data Protocol) is a network protocol for communication in the TCN (Train Communication Network). TRDP is defined in IEC 61375-2-3. |

New Superflows (5)

| Name | Category | Tags | Info |
|---|---|---|---|
| CBS News Dec 21 | Voice/Video/Media | News, Culture | Simulates the use of the CBS News website as of October 2021. The user opens the website, searches for news and streams the news video. |
| CBS News Stream Video Dec 21 | Voice/Video/Media | News, Culture | Simulates the use of the CBS News website as of October 2021. The user opens the website and streams a video. |
| Pinduoduo Mobile Dec21 | Social Networking/Search | E-Commerce, ChinaApp, MobileApp | Simulates the Pinduoduo application as of December 2021. The user opens the application, browses the content, searches for a product and purchases it. |
| Pinduoduo Mobile Dec21 Bandwidth | Social Networking/Search | E-Commerce, ChinaApp, MobileApp | Simulates the use of the Pinduoduo application as of December 2021. All of the available actions for this flow are exercised. |
| TRDP ClientSim | SCADA | ICS, ChinaApp | Simulates a scenario where a TRDP client sends a PD request and an MD request to a server. |

New Security Tests (1)

Name: CVE-2021-44228 Log4J Dec 2021 Campaign

Info: In Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an unauthenticated attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.

* https://www.hackingarticles.in/a-detailed-guide-on-log4j-penetration-testing/

This strikelist contains 3 strikes simulating the 'CVE-2021-44228 Log4j Dec 2021 Campaign'.

1. The first strike simulates the exploit of the CVE-2021-44228 vulnerability and the subsequent LDAP lookup request and response, which contains redirection traffic to an HTTP server.
2. The second strike simulates the download of a Java binary.
3. The third strike simulates the download of a shell script after the second strike has run successfully.

It contains the following sequence of strikes:
1) /strikes/botnets/apt/cve_2021_44228_log4j_dec_2021_campaign/cve_2021_44228_log4j_dec_2021_campaign_initial_request.xml
2) /strikes/malware/apt/cve_2021_44228_log4j_dec_2021_campaign/malware_bd97f9eba8b7a879d775714ee1a4a815b73fd210.xml
3) /strikes/malware/apt/cve_2021_44228_log4j_dec_2021_campaign/malware_43ac4c6cfcd8a5a6df94abbb13d2f2c5af8c5d7b.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | B21-5x0p1 | CVE-2021-44228 Log4j Dec 2021 Campaign - Log4j Initial Request | This strike simulates the initial request traffic for the CVE-2021-44228 Log4j Dec 2021 Campaign. The strike sends the exploit traffic for the CVE-2021-44228 vulnerability and the subsequent LDAP lookup request and response, which contains redirection traffic to an HTTP server. |
| 2 | M21-kfpw3 | CVE-2021-44228 Log4j Dec 2021 Campaign - Java File Transfer | This strike simulates the download of a binary file via an HTTP GET request. This file is a malicious Java executable which downloads the next-stage malware of the campaign after execution. |
| 3 | M21-Ct7p1 | CVE-2021-44228 Log4j Dec 2021 Campaign - Payload File Transfer | This strike simulates the download of a text file via an HTTP GET request. This file is a malicious shell script which sends command-and-control traffic after execution. |

New Strikes (5)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 8.3 | E21-a40i1 | CVE-2020-25682, CVSS, CVSSv3, CWE-787, URL | Exploits | This strike exploits an out-of-bounds write vulnerability in DNSmasq, a DNS and DHCP server. The vulnerability occurs while extracting the domain name of an RR record using the extract_name() function while sorting multiple RR records. A remote, unauthenticated, attacker-controlled server can send a specially crafted DNS reply to a target DNSmasq server. Successful exploitation leads to denial-of-service conditions or, in the worst case, arbitrary code execution with administrative privileges. |
| 7.6 | E22-co461 | CVE-2021-45046, CVSS, CVSSv3, CWE-610, URL | Exploits | A JNDI injection vulnerability exists in Apache Log4j versions 2.0-beta9 to 2.15.0, excluding 2.12.2. The vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout. A remote, unauthenticated attacker who can control an item in a MapMessage or StructuredDataMessage can exploit this vulnerability by sending a crafted message to be logged by the target application. Successful exploitation results in denial of service or, in certain configurations, arbitrary code execution on the target system. This vulnerability is due to the incomplete fix for CVE-2021-44228. *NOTE: This strike uses the local hostname check bypass method. |
| 7.5 | E21-c5qz1 | CVE-2021-21243, CVSS, CVSSv3, CWE-502, URL, URL | Exploits | This strike exploits an insecure deserialization vulnerability in the OneDev Platform. The vulnerability occurs because an API exposes two methods that deserialize untrusted data from the request body. These API methods do not enforce any authentication checks, so an unauthenticated attacker can execute arbitrary code on the target system. *NOTE: When running this strike in OneArm mode, the strike sends a DNS request to example.com or creates a new file with random data in the "C://" directory, depending on the variant. |
| 5.1 | E21-c5sk1 | CVE-2021-21300, CVSS, CVSSv3, CWE-59, URL, URL | Exploits | This strike exploits an improper link resolution in the checkout mechanism of Git Source Code Management. An out-of-order checkout triggered by a delayed checkout or checkout-index may result in improper validation of a file system resource type prior to performing a file write operation. A remote attacker can exploit this vulnerability by enticing a user to clone a malicious repository. Successful exploitation can result in remote code execution in the context of the git process. |
| 4.3 | E22-co5t1 | CVE-2021-45105, CVSS, CVSSv3, CWE-674, URL, ZDI-21-1541 | Exploits | An uncontrolled recursion from self-referential lookups exists in Apache Log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1). A remote, unauthenticated attacker who can control an item in the Thread Context Map can exploit this vulnerability by sending a crafted message to be logged by the target application, causing a denial of service. |