ATI Update ATI-2021-13

New Protocols & Applications (5)

Name | Category | Info
C2 Empire | Security | Empire is a post-exploitation framework that includes a pure-PowerShell Windows agent. It implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and many more post-exploitation modules, all wrapped up in a usability-focused framework. Empire uses various encryption algorithms for C2 communication and also supports TLS communication.
Google Quic Version 50 | Data Transfer/File Sharing | This is a simulation of Google's proprietary QUIC protocol (GQUIC), version Q050, which is used by default in the Chromium web browser.
IETF QUIC Draft-22 | Data Transfer/File Sharing | This simulates the IETF QUIC protocol, version draft-22. The traffic is encapsulated in UDP packets.
IETF QUIC Draft-27 | Data Transfer/File Sharing | This simulates the IETF QUIC protocol, version draft-27. The traffic is encapsulated in UDP packets.
League of Legends Jun21 | Games | League of Legends is a multiplayer online battle arena video game developed by Riot Games. Players attack rivals on the opposing team with their abilities and advance across the map. This application implements the League of Legends Tencent WeGame version 3.39.1.5260.

New Superflows (14)

Name | Category | Tags | Info
C2 Empire | Security | C2-Framework | Simulates the scenario in Empire communication over HTTP where the server and the victim complete the staging phase of the communication. The victim then sends a beacon to the server asking for a task to perform. The server commands the victim to perform one of the many available post-exploitation commands supported by Empire, and the victim returns the results. The server also commands the victim to exfiltrate a file from the victim machine.
C2 Empire File Exfiltration | Security | C2-Framework | Simulates the scenario in Empire communication over HTTP where the victim sends a beacon to the server asking for any task to perform. The server then commands the victim to exfiltrate a file from the victim machine, and the victim returns the results.
C2 Empire HTTPS | Security | C2-Framework | Simulates the scenario in Empire communication over HTTPS where the server and the victim complete the staging phase of the communication. The victim then sends a beacon to the server asking for a task to perform. The server commands the victim to perform one of the many available post-exploitation commands supported by Empire, and the victim returns the results. The server also commands the victim to exfiltrate a file from the victim machine.
C2 Empire Post Exploitation Modules | Security | C2-Framework | Simulates the scenario in Empire communication over HTTP where the victim sends a beacon to the server asking for any task to perform. The server then commands the victim to perform one of the many available post-exploitation commands supported by Empire, and the victim returns the results.
C2 Empire Staging | Security | C2-Framework | Simulates the staging scenario of Empire communication over HTTP. In the Stage 0 beacon, the victim sends a cookie RC4-encrypted with the staging key, and the server replies with the stage 0 payload, also RC4-encrypted with the staging key. In Stage 1 the victim sends its RSA public key, which the server verifies before sending the nonce and session key RSA-encrypted with that public key. In Stage 2 the victim replies with the host information, RC4+AES encrypted. The server then sends the final payload to the victim, completing the staging phase.
Google QUIC Q050 - 1 RTT | Data Transfer/File Sharing | Security, HTTP/3 | Simulates a generic Google QUIC Q050 handshake and payload session in a 1-RTT scenario.
Google QUIC Q050 - 1 RTT Bandwidth | Data Transfer/File Sharing | Security, HTTP/3 | Simulates a generic Google QUIC Q050 handshake and payload session in a 1-RTT scenario and generates around 10 MB of data.
IETF QUIC Draft-22 | Data Transfer/File Sharing | Security, HTTP/3 | Simulates the generic IETF QUIC draft-22 handshake and payload sessions.
IETF QUIC Draft-22 Bandwidth | Data Transfer/File Sharing | Security, HTTP/3 | Simulates video streaming over generic IETF QUIC draft-22, generating 10 MB of data.
IETF QUIC Draft-27 | Data Transfer/File Sharing | Security, HTTP/3 | Simulates the generic IETF QUIC draft-27 handshake and payload sessions.
IETF QUIC Draft-27 Bandwidth | Data Transfer/File Sharing | Security, HTTP/3 | Simulates video streaming over generic IETF QUIC draft-27, generating 10 MB of data.
League of Legends Jun21 | Games | ChinaApp | Simulates logging in and playing League of Legends on WeGame as of June 2021. The user logs on to the game, loads it and plays.
League of Legends Jun21 Game | Games | ChinaApp | Simulates playing League of Legends on WeGame as of June 2021. The user moves on the map and attacks with skills.
YouTube IETF QUIC Draft-29 | Data Transfer/File Sharing | Security, HTTP/3 | Simulates 5 MB of video streaming over generic IETF QUIC draft-29 when a user accesses the YouTube website with the Google Chrome web browser on Windows.

New Security Tests (1)

Name | Info
Trickbot June 2021 Campaign | This strikelist contains 4 strikes simulating the 'Trickbot June 2021 Campaign'.

TrickBot malware was first identified in 2016 as a Trojan developed by cybercrime actors. TrickBot was initially designed as a banking trojan to steal financial data. Through continued development and new functionality, TrickBot has become a highly modular, multi-stage malware that provides its operators with a full suite of tools to conduct a myriad of illegal cyber activities. Since TrickBot's inception, the cybercrime group has used the malware to attack individuals and businesses globally across a wide range of sectors.
https://us-cert.cisa.gov/sites/default/files/publications/TrickBot_Fact_Sheet_508.pdf

1. The first strike simulates the download of a malicious Excel file. This is the first infection vector for this campaign, in which a malicious macro downloads and executes the next stage.
2. The second strike simulates the download of the 'Trickbot' malware. This is the second infection vector for this campaign, in which a DLL file is downloaded and executed.
3. The third strike simulates the 'Trickbot' command-and-control traffic that occurs after executing the 'Trickbot' executable. The victim sends HTTPS-encrypted traffic to the attacker.
4. The fourth strike simulates the 'Cobalt Strike beacon' command-and-control traffic that occurs after executing the 'Trickbot' executable. The victim sends HTTPS-encrypted traffic to the attacker.

It contains the following sequence of strikes:

1) /strikes/malware/apt/trickbot_june_2021_campaign/malware_a47dd0c0596315ca2a1d3cbb1555ba497a774a17.xml
2) /strikes/malware/apt/trickbot_june_2021_campaign/malware_8c0d352934271350cfe6c00b7587e8dc8d062817.xml
3) /strikes/botnets/apt/trickbot_june_2021_campaign/trickbot_june_2021_campaign_trickbot_command_control.xml
4) /strikes/botnets/apt/trickbot_june_2021_campaign/trickbot_june_2021_campaign_cobaltstrike_command_control.xml

# | Strike ID | Name | Description
1 | M21-3b401 | Trickbot June 2021 Campaign - Excel Document Malware File Transfer | This strike simulates the download of a malicious Excel document via an HTTP GET request. When the malicious macro is executed, it downloads the next-stage malware.
2 | M21-nd601 | Trickbot June 2021 Campaign - Trickbot Malware File Transfer | This strike simulates the download of the TrickBot malware via an HTTP GET request. The malware is an executable file that performs malicious activity on the victim's machine. The attacker may collect personal information from the victim and send it to a server controlled by the attacker.
3 | B21-9uw01 | Trickbot June 2021 Campaign - Trickbot Command and Control | This strike simulates the 'Trickbot June 2021 Campaign - Trickbot Command and Control' traffic that occurs after executing the Trickbot malware.
4 | B21-ung01 | Trickbot June 2021 Campaign - Cobalt Strike Command and Control | This strike simulates the 'Trickbot June 2021 Campaign - Cobalt Strike Command and Control' traffic that occurs after executing the Cobalt Strike malware.

New Strikes (1)

CVSS | ID | References | Category | Info
6.8 | E21-c6ho1 | CVE-2021-22204, CVSS, CVSSv3, CWE-74, URL, URL | Exploits | This strike exploits an improper neutralization of directives in dynamically evaluated code ('eval injection') in ExifTool. A remote, unauthenticated attacker can supply a maliciously crafted DjVu file to be processed by ExifTool. Successful exploitation may lead to execution of arbitrary code in the context of the user running ExifTool. Note: This strike exploits GitLab CE, which runs ExifTool internally. GitLab also identifies this same vulnerability as CVE-2021-22205.

Defects Resolved

Component | Info
Apps | The HTTP2 application has been modified to perform HPACK compression appropriately. With this fix, a header that is reused within the same connection is now referenced from the dynamic table.
Apps | The session information for each of the applications that make up the CISCO EMIX has been corrected so that the sessions are consistent with the applications actually configured.
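The dynamic-table behaviour that the HPACK fix above restores, shown as an added example (not BreakingPoint's code): a minimal RFC 7541 encoder that sends a header field as a literal with incremental indexing on first use and as a one-byte indexed reference when the same field recurs on the connection. It assumes the static table and Huffman coding are omitted, so every field goes through the dynamic table (indices 62 and up); `DynamicTableEncoder` is a name chosen here.

```python
# Added example (not BreakingPoint code): minimal HPACK encoder, RFC 7541.
# Assumption: static table and Huffman coding omitted; dynamic indices start at 62.
STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A defines 61 static entries
ENTRY_OVERHEAD = 32      # RFC 7541 §4.1: entry size = len(name) + len(value) + 32

def encode_int(value, prefix_bits, flags=0):
    """Integer with an N-bit prefix (RFC 7541 §5.1); flags set the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)

def encode_string(text):
    """String literal, no Huffman (H bit clear) with a 7-bit length prefix."""
    data = text.encode("ascii")
    return encode_int(len(data), 7) + data

class DynamicTableEncoder:
    def __init__(self, max_size=4096):
        self.max_size = max_size
        self.entries = []    # newest first, i.e. HPACK index order
        self.size = 0

    def _evict(self):
        # Drop the oldest entries until the table fits (RFC 7541 §4.4).
        while self.size > self.max_size and self.entries:
            name, value = self.entries.pop()
            self.size -= len(name) + len(value) + ENTRY_OVERHEAD

    def encode_header(self, name, value):
        if (name, value) in self.entries:
            # Repeat use on this connection: 1-byte indexed form (1xxxxxxx, §6.1)
            index = STATIC_TABLE_SIZE + 1 + self.entries.index((name, value))
            return encode_int(index, 7, 0x80)
        # First use: literal with incremental indexing (01xxxxxx, §6.2.1), name index 0.
        block = encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)
        self.entries.insert(0, (name, value))
        self.size += len(name) + len(value) + ENTRY_OVERHEAD
        self._evict()
        return block

    def encode_block(self, headers):
        """Encode one HEADERS frame's field list, keeping table state across frames."""
        return b"".join(self.encode_header(n, v) for n, v in headers)
```

Encoding the same field list twice on one encoder shows the defect's symptom in miniature: the first block carries the literal strings, the second collapses to one byte per field. An evicted entry (table too small) is correctly sent as a literal again.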