ATI Update ATI-2022-15

New Protocols & Applications (2)

Name | Category | Info
Patreon Jul 2022 | Enterprise Applications | Patreon is a membership platform that provides business tools for content creators to run a subscription service.
WordPress Jul22 | Social Networking/Search | WordPress is a free and open-source content management system that includes a plugin architecture and a template system. Users can create their own digital space in WordPress for blogs and articles.

New Superflows (6)

Name | Category | Tags | Info
DNS over HTTP/2 and TLS using JSONAPI | Testing and Measurement | HTTP/2 | The server replies with an HTTP/2 response that contains a DNS message with a single resolved IP address. The communication runs over HTTP/2 and TLS using the JSON API.
Patreon Jul 2022 | Enterprise Applications | SimulatedTLS | Patreon is a membership platform that provides business tools for content creators to run a subscription service. It helps creators and artists earn a monthly income by providing rewards and perks to their subscribers.
Quora WebSocket HAR Replay over TLS1.2 | Social Networking/Search | HARSimulation | Simulates the WebSocket session in the HAR collected from the user chat function of the Quora web page as of June 2022. The WebSocket session is initiated via an HTTP/1.1 connection upgrade over a single TCP connection encrypted with TLS 1.2.
Quora WebSocket HAR Replay over TLS1.3 | Social Networking/Search | HARSimulation | Simulates the WebSocket session in the HAR collected from the user chat function of the Quora web page as of June 2022. The WebSocket session is initiated via an HTTP/1.1 connection upgrade over a single TCP connection encrypted with TLS 1.3.
WordPress Jul22 | Social Networking/Search | HTTP/2 | Simulates the use of the WordPress application as of July 2022 where a user opens the website, gets the sign-in page, signs in, writes a blog post, adds a page to their site, and stars and comments on a post before signing out.
WordPress Bandwidth Jul22 | Social Networking/Search | HTTP/2 | Simulates the use of the WordPress application as of July 2022 where a user opens the website, writes a blog post, adds a page to their site, and stars and comments on a post.

New Security Tests (1)

Name | Info
SVCReady Jun 2022 Campaign | This strike list contains 3 strikes simulating the 'SVCReady Jun 2022 Campaign'.

1. The first strike simulates the download of the SVCReady initial infection document via an HTTP GET request. The document contains a VBA macro and shellcode that drops the SVCReady malware DLL into the tmp directory.
2. The second strike simulates the command and control traffic that occurs when the preceding DLL is executed with rundll32. In the first HTTP request the malware, acting as a downloader, sends an initial status report to the C2 server.
In the second POST request the malware sends the system information it has collected, such as the username, firmware and BIOS details, and installed software, back to the C2 server. In the third HTTP POST SVCReady sends a snapshot to the C2 server. In the fourth request the malware reports the results of the virtual machine detection checks that determine whether it is running inside a virtual machine. After this SVCReady enters a sleep state for 30 minutes and informs the C2 server of this status by sending another HTTP POST as the fifth request.
In the sixth and final request the malware sends a beacon to the C2 server updating its status, and the server responds with a list of domains and commands to execute. After six beacons the malware sends a task request to the C2 server to run a command. These commands include taking a screenshot, running a shell command, and downloading a file.
3. The third strike simulates the follow-on malware file transfer: the download of the Redline Stealer malware.

It contains the following sequence of strikes:
1) /strikes/malware/apt/svcready_jun_2022_campaign/malware_0db094bad3872d9988c8645c14189833.xml
2) /strikes/botnets/apt/svcready_jun_2022_campaign/svcready_jun_2022_campaign_command_control.xml
3) /strikes/botnets/apt/svcready_jun_2022_campaign/svcready_jun_2022_campaign_redline_file_transfer.xml

# | Strike ID | Name | Description
1 | M22-Ceee1 | SVCReady June 2022 Campaign - Infection Document File Transfer | This strike simulates the download of the SVCReady initial infection document via an HTTP GET request. The document contains a VBA macro and shellcode that drops the SVCReady malware DLL into the tmp directory.
2 | B22-fmhj1 | SVCReady Jun 2022 Campaign - SVCReady Command and Control | This strike simulates the 'SVCReady Jun 2022 Campaign - SVCReady Command and Control' traffic that occurs after executing the Trojan malware. After the SVCReady DLL has been copied to the tmp directory and executed with rundll32, it begins communicating with the C2 server. In the first HTTP request the malware, acting as a downloader, sends an initial status report to the C2 server. Next the malware collects information on the system, such as the username, firmware and BIOS details, and installed software, and reports it back. SVCReady then takes a snapshot and sends it to the C2 server. Next the malware reports the results of the virtual machine detection checks that determine whether it is running inside a virtual machine. After this SVCReady enters a sleep state for 30 minutes and informs the C2 server of this status. Every 5 minutes the malware sends a beacon request to the C2 server updating its status, and the server responds with a list of domains and commands to execute. After six beacons the malware sends a task request to the C2 server to run a command. These commands include taking a screenshot, running a shell command, and downloading a file.
3 | B22-fmhj2 | SVCReady Jun 2022 Campaign - Redline Stealer File Transfer | This strike simulates the Redline Stealer malware download via an HTTP GET request.
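The command-and-control description above (the 30-minute sleep followed by a beacon every 5 minutes, then a task request) is the kind of timing pattern a detection engineer can hunt for in proxy logs regardless of the hostnames involved. The following is an added example, not part of the ATI release note and not SVCReady's own code: a small beacon-interval detector run over constructed log lines. The hostnames, paths, client addresses and timestamps are made up for illustration; only the 5-minute cadence and 30-minute gap are taken from the strike description.

```python
"""
Added example (not part of the ATI release note or of the SVCReady malware):
a beacon-interval detector run over constructed web-proxy log lines.
Hostnames, paths, addresses and timestamps are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "<ISO timestamp> <client> <method> <host> <path> <status>".
# Client 10.0.0.12 mimics the sequence the strike describes: a burst of five
# POSTs (status report, system info, snapshot, VM-check results, sleep notice),
# a 30 minute quiet period, check-ins every 5 minutes and a task request after
# the sixth. Client 10.0.0.33 is ordinary browsing, included for contrast.
SAMPLE_LOG = """\
2022-06-14T09:00:00 10.0.0.12 POST c2.example.invalid /status 200
2022-06-14T09:00:02 10.0.0.12 POST c2.example.invalid /sysinfo 200
2022-06-14T09:00:05 10.0.0.12 POST c2.example.invalid /snapshot 200
2022-06-14T09:00:07 10.0.0.12 POST c2.example.invalid /vmcheck 200
2022-06-14T09:00:08 10.0.0.12 POST c2.example.invalid /sleep 200
2022-06-14T09:30:08 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:35:09 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:40:07 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:45:10 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:50:08 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:55:09 10.0.0.12 POST c2.example.invalid /beacon 200
2022-06-14T09:55:10 10.0.0.12 POST c2.example.invalid /task 200
2022-06-14T09:01:00 10.0.0.33 GET www.example.invalid /index.html 200
2022-06-14T09:17:30 10.0.0.33 POST www.example.invalid /api/save 200
2022-06-14T09:42:11 10.0.0.33 POST www.example.invalid /api/save 200
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, method, host, path, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        records.append((datetime.fromisoformat(ts), client, method, host, path, int(status)))
    return records


def longest_periodic_run(deltas, period, tolerance):
    """Return (start_index, length) of the longest run of consecutive intervals
    that all fall within +/- tolerance of `period` seconds."""
    lo, hi = period * (1 - tolerance), period * (1 + tolerance)
    best_start = best_len = start = length = 0
    for i, d in enumerate(deltas):
        if lo <= d <= hi:
            if length == 0:
                start = i
            length += 1
            if length > best_len:
                best_start, best_len = start, length
        else:
            length = 0
    return best_start, best_len


def find_beacons(text, period=300, tolerance=0.05, min_run=4):
    """Flag (client, host) pairs whose POSTs recur at roughly `period` seconds.
    Each hit records the run length, its median interval, the quiet gap that
    preceded it (the sleep state) and the time of the first periodic request."""
    by_pair = defaultdict(list)
    for ts, client, method, host, _path, _status in parse_log(text):
        if method == "POST":
            by_pair[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in sorted(by_pair.items()):
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        start, run = longest_periodic_run(deltas, period, tolerance)
        if run < min_run:
            continue
        hits.append({
            "client": client,
            "host": host,
            "periodic_intervals": run,
            "median_interval": median(deltas[start:start + run]),
            "gap_before_beaconing": deltas[start - 1] if start > 0 else None,
            "first_beacon": stamps[start].isoformat(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample above only 10.0.0.12 is flagged: five consecutive intervals within 5% of 300 seconds, preceded by an 1800-second gap. The tolerance and minimum run length are the knobs to tune against real traffic; legitimate software also polls on fixed timers, so a hit is a lead for the analyst, not a verdict.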

New Strikes (3)

CVSS | ID | References | Category | Info
7.2 | E22-ebei1 | CVE-2022-21882, CWE-269 | Exploits | This strike exploits a privilege escalation vulnerability in the Win32k.sys driver of Windows. The vulnerability is due to a type confusion issue in Win32k window objects. An attacker with low privileges can exploit this vulnerability by using the malicious DLL file transferred in the strike, escalating privileges to NT AUTHORITY\SYSTEM.
6.8 | E22-cinr1 | CVE-2021-37975, CWE-416 | Exploits | This strike exploits a use-after-free vulnerability in Google Chrome browsers and causes the browser to crash. The vulnerability is due to a logic bug in the V8 garbage collector while handling ephemerons. An attacker could exploit this vulnerability by convincing a user to open a malicious HTML page, which could lead to remote code execution.
5.1 | E22-ecd71 | CVE-2022-23131, CWE-290 | Exploits | This strike exploits an authentication bypass vulnerability in the Zabbix Server Frontend when SAML SSO authentication is enabled. The vulnerability is due to the lack of verification of the authenticity of the client-side session information sent to the Zabbix Server. A remote attacker could exploit this vulnerability by sending a crafted request to the target system. Successful exploitation could result in gaining admin access to the Zabbix Frontend.
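The Zabbix strike above turns on one design flaw: session state that lives on the client and is trusted without any proof that the server produced it. The following is an added, illustrative example (not Zabbix's code, and not a reproduction of its cookie format) showing that pattern beside its fix. The cookie layout, field names and the `SERVER_KEY` secret are assumptions made for this example.

```python
"""
Added example (illustrative, not Zabbix's code): a client-side session cookie
that the server trusts without verification, beside a version that binds the
whole payload to a server-held key with HMAC-SHA256. The cookie layout and
field names are assumptions made for this example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Hypothetical server secret; a real deployment generates it once and keeps it out of the web root.
SERVER_KEY = secrets.token_bytes(32)


def encode_session_unsigned(data):
    """Vulnerable pattern: the session is just base64(JSON); nothing proves the server produced it."""
    return base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()


def load_session_unsigned(cookie):
    return json.loads(base64.urlsafe_b64decode(cookie))


def current_user_unsigned(cookie):
    """Whatever 'username' the client put in the cookie becomes the logged-in user."""
    return load_session_unsigned(cookie).get("username")


def forge(cookie, **changes):
    """The attacker's move against the unsigned scheme: decode, edit, re-encode."""
    data = load_session_unsigned(cookie)
    data.update(changes)
    return encode_session_unsigned(data)


def encode_session_signed(data, key=SERVER_KEY):
    """Hardened pattern: canonical JSON plus an HMAC over every byte of it."""
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def load_session_signed(cookie, key=SERVER_KEY):
    """Return the session dict only when the MAC verifies; None for anything malformed or tampered."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def current_user_signed(cookie):
    session = load_session_signed(cookie)
    return session.get("username") if session else None


if __name__ == "__main__":
    legit = encode_session_unsigned({"sessionid": "8f1c2d", "username": "guest"})
    print("unsigned, forged ->", current_user_unsigned(forge(legit, username="Admin")))
    signed = encode_session_signed({"sessionid": "8f1c2d", "username": "guest"})
    tag = signed.split(".", 1)[1]
    tampered = encode_session_unsigned({"sessionid": "8f1c2d", "username": "Admin"}) + "." + tag
    print("signed, tampered ->", current_user_signed(tampered))
```

The point of the hardened version is that the MAC covers the entire serialized payload, so no field the client can see is outside the check; a scheme that signs only some fields leaves the rest forgeable. Verifying the MAC still does not replace checking the session id against server-side state, it only guarantees that the blob came from the server unmodified.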

Enhancements

Component | Info
Apps | WebSocket support was added to HTTP Archive Record (HAR) Simulation.
Apps | Added the HTTP/2 tag to the following superflows: Udemy Jun22, Udemy Jun22 Browse, Udemy Jun22 Search, Udemy Jun22 Enroll and Start Course, Youtube Dec18, Twitter Mobile Apr21 Host Space, Twitter Mobile Apr21 Add Fleet, Twitter Mobile Apr21 View Home Timeline, Twitter Mobile Apr21 Post Tweet, Twitter Mobile Apr21 Show Profile and OperaVPN Jun22.