ATI Update ATI-2022-17

New Protocols & Applications (2)

Name | Category | Info
Apple Software Update Aug 2022 | Secure Data Transfer | The Apple Software Update service searches for iOS updates, downloads them and installs them.
YouTube TLS 1.2 2022 | Secure Data Transfer | Simulates generic YouTube traffic using Simulated TLS flows after a downgrade scenario from HTTP/3 to HTTPS over TLS 1.2.

New Superflows (3)

Name | Category | Tags | Info
Apple Software Update Aug 2022 | Secure Data Transfer | Cloud, SimulatedTLS | The Apple Software Update service searches for iOS updates, downloads them and installs them. This superflow simulates the traffic of a user-triggered Apple Software Update on an iPhone: the user searches for new iOS updates, then downloads and installs them.
YouTube TLS 1.2 2022 | Social Networking/Search | Secure Data Transfer, SimulatedTLS, SimulatedUDP | Simulates generic YouTube traffic using Simulated TLS flows after a downgrade scenario from HTTP/3 to HTTPS over TLS 1.2. The HTTP/3 version of this scenario is the superflow YouTube Aug 2022.
YouTube Aug 2022 | Voice/Video/Media Streaming | HTTP/3 | Simulates watching videos posted on YouTube as of August 2022. The user visits youtube.com from a Windows desktop client and spends 2 minutes streaming videos over QUIC version 1 (RFC 9000) on UDP.

New Security Tests (1)

Name | Info
Amadey Bot July 2022 Campaign | This strike list contains 4 strikes simulating the 'Amadey Bot July 2022 Campaign'.

1. The first strike simulates the download of the SmokeLoader trojan. SmokeLoader is injected into the explorer.exe process and used to download the Amadey Bot binary.
2. The second strike simulates the download of the Amadey Bot malware. Once executed, Amadey copies itself to a temp directory and then establishes persistence on the machine by registering that location as a startup folder.
3. The third strike simulates the 'Amadey Bot July 2022 Campaign - Command and Control' traffic that occurs once the Amadey binary has been downloaded, copied to a temp path, renamed and executed. The malware begins communicating with the command and control server by sending several different HTTP POST requests. The first POST request contains system information such as the Windows version, architecture, administrator privileges, computer name, username and installed antivirus software. The second POST request contains a screenshot of the victim machine, sent back to the attacker's C2 server. Next the malware performs an HTTP GET request for a plugin DLL that lets the malware send additional information to the attacker. The third POST request represents this stolen information being sent to the C2 server. The fourth and final POST request is made to a completely different command and control server and contains the same system information as the original POST request.
4. The fourth strike simulates the 'Amadey Bot July 2022 Campaign - Additional Malware Download' C2 traffic that occurs once the Amadey malware has been executed. The strike sends 3 HTTP GET requests to the attacker to download additional malware to the victim's machine. The first GET request downloads a binary named xyz, a downloader that retrieves the next binary, named bin. The second GET request downloads the bin binary from the same location; this binary makes requests to download both the Redline Stealer malware and another version of Amadey Bot padded with null bytes. The third and final GET request downloads the Redline Stealer malware.

It contains the following sequence of strikes:
1) /strikes/malware/apt/amadey_july_2022_campaign/malware_c3b7cf4c76cc20e56b180b001535696f.xml
2) /strikes/malware/apt/amadey_july_2022_campaign/malware_18bb226e2739a3ed48a96f9f92c91359.xml
3) /strikes/botnets/apt/amadey_july_2022_campaign/amadey_july_2022_command_control.xml
4) /strikes/botnets/apt/amadey_july_2022_campaign/amadey_july_2022_c2_malware_retrieval.xml

# | Strike ID | Name | Description
1 | M22-Cegy1 | Amadey Bot July 2022 Campaign - SmokeLoader File Transfer | This strike simulates the download of the SmokeLoader trojan.
2 | M22-Cegz1 | Amadey Bot July 2022 Campaign - Amadey File Transfer | This strike simulates the download of the Amadey Bot malware.
3 | B22-3qi81 | Amadey Bot July 2022 Campaign - Command and Control | This strike simulates the 'Amadey Bot July 2022 Campaign - Command and Control' traffic that occurs once the Amadey binary has been downloaded, copied to a temp path, renamed and executed. The malware begins communicating with the command and control server by sending several different HTTP POST requests. The first POST request contains system information such as the Windows version, architecture, administrator privileges, computer name, username and installed antivirus software. The second POST request contains a screenshot of the victim machine, sent back to the attacker's C2 server. Next the malware performs an HTTP GET request for a plugin DLL that lets the malware send additional information to the attacker. The third POST request represents this stolen information being sent to the C2 server. The fourth and final POST request is made to a completely different command and control server and contains the same system information as the original POST request.
4 | M22-Cegz2 | Amadey Bot July 2022 Campaign - Additional Malware Download | This strike simulates the 'Amadey Bot July 2022 Campaign - Additional Malware Download' traffic that occurs once the Amadey malware has been executed. The strike sends 3 HTTP GET requests to the attacker to download additional malware to the victim's machine. The first GET request downloads a binary named xyz, a downloader that only retrieves the next binary, named bin. The second GET request downloads the bin binary from the same location; this binary makes requests to download both the Redline Stealer malware and another version of Amadey Bot padded with null bytes. The third and final GET request downloads the Redline Stealer malware.
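The request order described in strikes 3 and 4 (a small check-in POST, a much larger screenshot POST to the same host, a GET for a plugin DLL, a further POST, the same profile POSTed to a second server, then three executable downloads) is something a proxy-log correlation rule can catch without any sample-specific indicator. The following is an added example and is not part of these release notes or of the BreakingPoint strike content: it parses a constructed proxy log (the log format, hostnames, paths, sizes and thresholds are invented for the example and are not Amadey indicators) and flags a client whose requests follow that order, while leaving a client that merely posts forms and fetches a DLL alone.

```python
"""Sequence detection for an Amadey-style HTTP C2 conversation over a proxy log.

Added example: not part of the ATI release notes or the BreakingPoint strike.
The log format, hostnames, paths, sizes and thresholds are constructed for
illustration and are not real Amadey indicators.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Req:
    ts: int          # epoch seconds
    src: str         # internal client address
    method: str
    host: str
    path: str
    req_bytes: int   # request body size
    resp_bytes: int  # response body size
    ctype: str       # response Content-Type


# Constructed log. Fields: ts src method host path req_bytes resp_bytes content_type
SAMPLE_LOG = """\
# infected client: check-in, screenshot, plugin DLL, exfil, second C2, then three payloads
1658400000 10.0.0.21 POST c2-one.example /Login.php 412 17 text/html
1658400005 10.0.0.21 POST c2-one.example /Login.php 88240 17 text/html
1658400010 10.0.0.21 GET c2-one.example /Plugins/cred.dll 0 61440 application/octet-stream
1658400020 10.0.0.21 POST c2-one.example /Login.php 2210 17 text/html
1658400025 10.0.0.21 POST c2-two.example /Login.php 415 17 text/html
1658400040 10.0.0.21 GET c2-one.example /Dl/xyz.exe 0 8192 application/octet-stream
1658400045 10.0.0.21 GET c2-one.example /Dl/bin.exe 0 40960 application/octet-stream
1658400050 10.0.0.21 GET c2-one.example /Dl/rl.exe 0 409600 application/octet-stream
# benign client: form posts and a DLL from a CDN, but no second-host replay
1658400000 10.0.0.35 POST portal.corp.example /login 400 17 text/html
1658400003 10.0.0.35 GET cdn.corp.example /app/libssl.dll 0 52000 application/octet-stream
1658400010 10.0.0.35 POST portal.corp.example /api/report 2300 17 text/html
"""

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Parse the constructed log into Req objects, ordered by client then time."""
    reqs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, method, host, path, rq, rs, ctype = line.split()
        reqs.append(Req(int(ts), src, method.upper(), host, path, int(rq), int(rs), ctype))
    reqs.sort(key=lambda r: (r.src, r.ts))
    return reqs


def similar_size(a, b, tol=0.15):
    """True when two body sizes are within tol of each other (assumed threshold)."""
    return a > 0 and b > 0 and abs(a - b) <= tol * max(a, b)


def find_amadey_sequence(reqs, window=600):
    """Walk each client's requests as a small state machine and return one
    finding per client whose traffic matches the described C2 order.

    Stages: 0 initial POST seen -> 1 screenshot-sized POST to the same host
    -> 2 GET of a DLL from that host -> 3 further POST to that host
    -> 4 POST of similar size to a different host. Executable GETs after
    stage 4 are reported as the payload downloads. The 4x size ratio and
    the 600 s window are assumptions, not measured Amadey behaviour."""
    by_src = defaultdict(list)
    for r in reqs:
        by_src[r.src].append(r)

    findings = []
    for src, rs in by_src.items():
        for i, first in enumerate(rs):
            if first.method != "POST":
                continue
            c2 = first.host
            later = [r for r in rs[i + 1:] if r.ts - first.ts <= window]
            stage, second_c2, t_second = 0, None, None
            for r in later:
                if stage == 0 and r.method == "POST" and r.host == c2 and r.req_bytes > 4 * first.req_bytes:
                    stage = 1
                elif stage == 1 and r.method == "GET" and r.host == c2 and (
                        r.path.lower().endswith(".dll") or r.ctype in EXECUTABLE_TYPES):
                    stage = 2
                elif stage == 2 and r.method == "POST" and r.host == c2:
                    stage = 3
                elif stage == 3 and r.method == "POST" and r.host != c2 and similar_size(r.req_bytes, first.req_bytes):
                    stage, second_c2, t_second = 4, r.host, r.ts
                    break
            if stage < 4:
                continue
            payloads = [(r.host, r.path, r.resp_bytes) for r in later
                        if r.ts > t_second and r.method == "GET" and r.ctype in EXECUTABLE_TYPES]
            findings.append({"src": src, "c2": c2, "second_c2": second_c2, "payloads": payloads})
            break  # one alert per client
    return findings


if __name__ == "__main__":
    for f in find_amadey_sequence(parse_log(SAMPLE_LOG)):
        print(f"{f['src']}: C2 {f['c2']} then {f['second_c2']}, {len(f['payloads'])} payload downloads")
```

The rule keys on the shape of the conversation rather than on hostnames or paths, so it survives infrastructure rotation; the cost is that the size ratio and window need tuning against real proxy data before it is used as an alerting rule rather than a hunting query.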

New Strikes (5)

CVSS | ID | References | Category | Info
10.0 | E22-cgq01 | CVE-2021-35464, CVSS, CVSSv3, CWE-502, URL | Exploits | An insecure deserialization vulnerability exists in ForgeRock Access Management and OpenAM. The vulnerability is due to insufficient validation of user-supplied data. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request. Successful exploitation results in full control of the target server.
9.0 | E22-cdfr1 | CVE-2021-31207, CVSS, CVSSv3, CWE-22, URL, ZDI-21-819 | Exploits | This strike exploits an arbitrary file write vulnerability in Microsoft Exchange. The vulnerability is due to improper handling of MailboxExportRequest commands. An authenticated, remote attacker can exploit this vulnerability by sending a crafted MailboxExportRequest command to the target server. Successful exploitation could result in the writing of an arbitrary file, which may be used to facilitate the execution of arbitrary code.
7.5 | E22-9tfu1 | CVE-2020-11978, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a remote command injection vulnerability in Apache Airflow. The vulnerability was found in one of the example DAGs (Directed Acyclic Graphs) shipped with Airflow, which allows any user to run arbitrary commands as the user running the Airflow worker or scheduler (depending on the executor in use). A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to Apache Airflow. NOTE: When running this strike in OneArm mode, it first searches for example_trigger_target_dag on the target server. If the DAG is found, the strike unpauses it and then triggers a run of it (a DAG is the collection of tasks one wants to run) whose injected command creates the file /tmp/test.
7.5 | E22-eetq1 | CVE-2022-26318, CVSS, CVSSv3, CWE-119, URL, URL | Exploits | This strike exploits a buffer overflow vulnerability in WatchGuard Fireware. The vulnerability is due to improper validation of user input. A remote, unauthenticated attacker could exploit this vulnerability by submitting a specially crafted HTTP request, which could result in arbitrary command execution in the context of the nobody user. Note: in one-arm mode, the strike spawns a reverse shell to 192.168.102.113, port 8888.
7.2 | E22-1ei71 | CVE-2022-0847, CVSS, CVSSv3, CWE-665, URL, URL | Exploits | This strike exploits a privilege escalation vulnerability in the Linux kernel. The vulnerability is due to a combination of flaws that lets a pipe buffer keep stale flags, so that data written to the pipe lands in the page-cache pages backing a file that was only opened for reading. An unprivileged local user can use this flaw to write to pages of read-only files such as /etc/passwd, escalating their privileges on the system.
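The Airflow strike above (CVE-2020-11978) is a command injection through a templated bash command in a shipped example DAG: whatever the caller puts in dag_run.conf is rendered straight into the command line. The following is an added example, not part of these release notes and not Airflow's or BreakingPoint's code. It reproduces the shape of the vulnerable task's bash_command from memory (the exact string is an assumption) next to the pattern Airflow adopted in the fix, which keeps the command constant and passes the value through an environment variable, and executes both with /bin/sh so the difference is visible: the same conf message runs an injected command in one case and is printed literally in the other. Jinja rendering is emulated with a plain string replacement, which is all the injection needs.

```python
"""CVE-2020-11978: command injection through a templated BashOperator command.

Added example, not code from the ATI release notes, BreakingPoint or Apache
Airflow. The vulnerable command string is reproduced from memory and the
fixed form follows the env-variable pattern Airflow used; both are assumptions.
Jinja rendering is emulated with str.replace. Requires /bin/sh.
"""
import os
import subprocess

# What the example DAG interpolated into its shell command (assumed string).
PLACEHOLDER = '{{ dag_run.conf["message"] if dag_run else "" }}'
VULNERABLE_COMMAND = 'echo "Here is the message: \'' + PLACEHOLDER + '\'"'

# Fixed pattern: constant command; the untrusted value arrives as an env var.
FIXED_COMMAND = 'echo "Here is the message: $message"'

# A dag_run.conf value a caller could supply when triggering the DAG (constructed):
# closes the single and double quotes, runs its own command, reopens them.
INJECTED_MESSAGE = "'\"; echo INJECTED; echo \"'"


def render_vulnerable(conf):
    """Paste the conf value into the command line, as the template did."""
    return VULNERABLE_COMMAND.replace(PLACEHOLDER, conf.get("message", ""))


def render_fixed(conf):
    """Keep the command constant and hand the value over in the environment."""
    return FIXED_COMMAND, {"message": conf.get("message", "")}


def run_bash_task(command, extra_env=None):
    """Run a task command the way BashOperator ultimately does: through a shell.
    Returns stdout."""
    env = dict(os.environ, **(extra_env or {}))
    done = subprocess.run(["/bin/sh", "-c", command], env=env,
                          capture_output=True, text=True, check=False)
    return done.stdout


def compare(message):
    """Return (vulnerable stdout lines, fixed stdout lines) for one conf message."""
    conf = {"message": message}
    vuln_lines = run_bash_task(render_vulnerable(conf)).splitlines()
    cmd, env = render_fixed(conf)
    fixed_lines = run_bash_task(cmd, env).splitlines()
    return vuln_lines, fixed_lines


if __name__ == "__main__":
    v, f = compare(INJECTED_MESSAGE)
    print("vulnerable:", v)   # the injected 'echo INJECTED' ran as its own command
    print("fixed:     ", f)   # the whole payload was printed as data
```

The fix works because "$message" inside double quotes is expanded by the shell after the command line has already been parsed, so the value can never introduce a new command; the same reasoning applies to any templated shell string that carries user-controlled input.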

Enhancements

Component | Info
Apps | Added the HTTP/2 tag to 2 superflows: Nextdoor Mar22 and Nextdoor Mar22 Browse.