ATI Update ATI-2022-16

New Protocols & Applications (2)

Name: Apple Podcasts Jul 2022
Category: Voice/Video/Media
Info: Apple Podcasts is an audio streaming service and media player application developed by Apple Inc. for downloading, streaming, discovering, playing, and sharing podcasts.

Name: Wattpad Jul22
Category: Social Networking/Search
Info: Wattpad is an online social reading platform intended for users to read and write original stories. Users can read books or publish their own on the website.

New Superflows (3)

Name: Apple Podcasts Jul 2022
Category: Voice/Video/Media
Tags: Culture, Streaming, Web, SimulatedTLS
Info: Apple Podcasts is an audio streaming service and media player application developed by Apple Inc. for downloading, streaming, discovering, playing, and sharing podcasts. This simulates the scenario in which a user opens the Apple Podcasts app, browses content, plays a podcast, searches for a podcast and logs out.

Name: Wattpad Jul22
Category: Social Networking/Search
Tags: HTTP/2
Info: Simulates the use of the Wattpad application as of July 2022, where a user opens the website, gets the login page, logs in, searches for a writer, reads a book, and writes and publishes their own book before signing out.

Name: Wattpad Bandwidth Jul22
Category: Social Networking/Search
Tags: HTTP/2
Info: Simulates the use of the Wattpad application as of July 2022, where a user opens the website, searches for a writer, reads a book, and writes and publishes their own book.

New Security Tests (1)

Name: Matanbuchus Jun 2022 Campaign
Info: This strike list contains 5 strikes simulating the 'Matanbuchus Jun 2022 Campaign'.

1. The first strike simulates a phishing email that has been linked with the Matanbuchus June 2022 Campaign. It tries to trick the user into downloading a malicious zip archive file. This archive contains an HTML file that when executed decodes embedded base64 content to drop another zip archive on the system. This dropped archive contains an MSI installer that when executed will drop a dll and vbs file.
2. The second strike simulates the 'Matanbuchus Jun 2022 Campaign - Matanbuchus DLL Download' traffic that occurs after executing the Matanbuchus MSI package. The malware is retrieved via a GET request over HTTPS.
3. The third strike simulates the 'Matanbuchus Jun 2022 Campaign - base64 Encoded XOR Encrypted Matanbuchus Binary Download' traffic that occurs after executing the Matanbuchus MSI package. This binary is the actual Matanbuchus malware that gets loaded into memory and executed, so that it is never dropped onto the disk. It is retrieved via HTTPS.
4. The fourth strike simulates the 'Matanbuchus Jun 2022 Campaign - Command and Control' traffic that occurs once the Matanbuchus dll has been executed. This strike sends 3 different HTTP POST requests to the command and control server that each contains various system information. The requests are base64 encoded and RC4 encrypted.
5. The fifth strike simulates the 'Matanbuchus Jun 2022 Campaign - Cobalt Strike Beacons' traffic that occurs once the Matanbuchus command and control traffic has been sent. This strike sends 2 HTTP GET requests to the command and control server to download Cobalt Strike beacons. The first request downloads a hexadecimal binary that gets converted to ASCII characters, and the second request downloads a dll.

It contains the following sequence of strikes:
1) /strikes/phishing/matanbuchus_june_2022_campaign_phishing_email.xml
2) /strikes/botnets/apt/matanbuchus_jun_2022_campaign/matanbuchus_jun_2022_msi_retrieved_matanbuchus_dll.xml
3) /strikes/botnets/apt/matanbuchus_jun_2022_campaign/matanbuchus_jun_2022_b64_xor_matanbuchus.xml
4) /strikes/botnets/apt/matanbuchus_jun_2022_campaign/matanbuchus_jun_2022_command_control.xml
5) /strikes/botnets/apt/matanbuchus_jun_2022_campaign/matanbuchus_jun_2022_cobalt_strike_beacons.xml

#: 1
Strike ID: P22-x1a41
Name: Matanbuchus June 2021 Campaign - Phishing Email
TTP: T1566
Description: This strike simulates a phishing email that has been linked with the Matanbuchus June 2022 Campaign. It tries to trick the user into downloading a malicious zip archive file. This archive contains an HTML file that when executed decodes embedded base64 content to drop another zip archive on the system. This dropped archive contains an MSI installer that when executed will drop a dll and vbs file.

#: 2
Strike ID: B22-lvyl1
Name: Matanbuchus Jun 2022 Campaign - Matanbuchus DLL Download
Description: This strike simulates the 'Matanbuchus Jun 2022 Campaign - Matanbuchus DLL Download' traffic that occurs after executing the Matanbuchus MSI package. The malware is retrieved via a GET request over HTTPS.

#: 3
Strike ID: B22-8vcj1
Name: Matanbuchus Jun 2022 Campaign - base64 Encoded XOR Encrypted Matanbuchus Binary Download
Description: This strike simulates the 'Matanbuchus Jun 2022 Campaign - base64 Encoded XOR Encrypted Matanbuchus Binary Download' traffic that occurs after executing the Matanbuchus MSI package. This binary is the actual Matanbuchus malware that gets loaded into memory and executed, so that it is never dropped onto the disk. It is retrieved via HTTPS.

#: 4
Strike ID: B22-te1b1
Name: Matanbuchus Jun 2022 Campaign - Command and Control
Description: This strike simulates the 'Matanbuchus Jun 2022 Campaign - Command and Control' traffic that occurs once the Matanbuchus dll has been executed. This strike sends 3 different HTTP POST requests to the command and control server, each of which contains various system information. The requests are base64 encoded and RC4 encrypted.

#: 5
Strike ID: B22-7v4r1
Name: Matanbuchus Jun 2022 Campaign - Cobalt Strike Beacons
Description: This strike simulates the 'Matanbuchus Jun 2022 Campaign - Cobalt Strike Beacons' traffic that occurs once the Matanbuchus command and control traffic has been sent. This strike sends 2 HTTP GET requests to the command and control server to download Cobalt Strike beacons. The first request downloads a hexadecimal binary that gets converted to ASCII characters, and the second request downloads a dll.

New Strikes (3)

CVSS: 7.5
ID: E22-1enk2
References: CVE-2022-1040, CVSS, CVSSv3, CWE-287, URL
Category: Exploits
Info: This strike exploits an Authentication Bypass vulnerability in Sophos Firewall. The vulnerability is due to insufficient sanitization of null characters in the "json" parameter sent to the Controller endpoint. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in access control policy bypass and, at worst, remote code execution. *NOTE: When running this strike in OneArm mode, it sends a crafted request to the target server on port 4444 for webadmin or on port 443 for userportal. Due to the Authentication Bypass, the target server responds with a valid session cookie for the username in the request.

CVSS: 7.2
ID: E22-18kk1
References: CVE-2021-3156, CVSS, CVSSv3, CWE-193, URL, URL
Category: Exploits
Info: This strike exploits a heap-based buffer overflow in Sudo. By exploiting this vulnerability, a local attacker with low privileges can gain root access on the targeted Linux machine. An attacker can take advantage of this vulnerability to execute arbitrary code as root.

CVSS: 6.4
ID: E22-0vof1
References: CVE-2019-6447, CVSS, CVSSv3, CWE-306, URL, URL
Category: Exploits
Info: This strike exploits a policy bypass vulnerability in the Android app ES File Explorer File Manager. The vulnerability is due to misconfigured access control of a web server listening for commands. A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to an Android device running a vulnerable version of the product. Successful exploitation of this vulnerability could allow the attacker to download and then launch applications, as well as read arbitrary files. *NOTE: In OneArm mode, the strike will try to perform one of the following actions depending on the variant run: open the Settings app, list files, or download the /system/bin/cp binary present on the victim Android device.

Enhancements

Component: Apps
Info: Added support for multiple new cipher suites in the Replay HTTP1.1 TLS1.2 action of the HTTP Archive Simulation Protocol.