ATI Update ATI-2022-18

New Protocols & Applications (2)

Name Category Info
Netflix Aug 2022 Voice/Video/Media Netflix is a subscription based provider of streaming media and video-on-demand.
WireGuard Security This flow emulates the WireGuard protocol (as of August 2022), a free and open-source suite for efficient implementation of encrypted virtual private networks (VPNs), designed with the goals of ease of use, high-speed performance, and low attack surface. The protocol uses UDP as its transport layer and can be used as an alternative to other VPN protocols such as OpenVPN and IPsec.

New Superflows (4)

Name Category Tags Info
IETF QUIC Version-1 Bandwidth Data Transfer/File Sharing Streaming, HTTP/3, RFC 9000 Simulates video streaming over IETF QUIC Version 1 (RFC 9000), generating 10 MB of data.
Netflix Aug 2022 Voice/Video/Media Streaming, SimulatedTLS Netflix is a subscription-based provider of streaming media and video-on-demand. This is a TLS traffic simulation of the Netflix web application, including user login, homepage scroll, search for a video, play video, and log out after a short time.
WireGuard VPN Bandwidth Aug 2022 Security Privacy Simulates a basic use of WireGuard VPN as of August 2022 where the client and server exchange transport data.

New Application Profiles (1)

Name Info
Sandvine 2022 Global Downstream Simulates the downstream traffic generated by the top 10 applications reported in the Sandvine Global Internet Phenomena Report, January 2022.

New Security Tests (1)

Name Info
IcedID ISO Aug 2022 Campaign This strike list contains 2 strikes simulating the 'IcedID ISO Aug 2022 Campaign'.

1. The first strike simulates the network transfer of the IcedID malware in an ISO package. When opened, the ISO is mounted as a DVD drive on the machine; it contains a shortcut (.lnk) file and the malicious IcedID DLL. Once the shortcut is executed, the DLL is loaded.
2. The second strike simulates the 'IcedID Command and Control' traffic that occurs after executing the IcedID malware. The malware sends a GET request to the malicious carismorth C2 server and receives a 401 NOT FOUND HTML page in response. This server can then send further commands, such as downloading additional malware.

It contains the following sequence of strikes:
1) /strikes/malware/apt/icedid_iso_aug_2022_campaign/malware_354c059e6f6a7d52046855496e9bbcff.xml
2) /strikes/botnets/apt/icedid_iso_aug_2022_campaign/icedid_iso_aug_2022_campaign_command_control.xml

# Strike ID Name Description
1 M22-Cehf1 IcedID ISO File transfer This strike simulates the network transfer of the IcedID ISO. When opened, the ISO is mounted as a DVD drive on the machine; it contains a shortcut (.lnk) file and the malicious IcedID DLL. Once the shortcut is executed, the DLL is loaded.
2 B22-vp441 IcedID Command and Control This strike simulates the 'IcedID Command and Control' traffic that occurs after executing the IcedID malware. The malware sends a GET request to the malicious carismorth C2 server and receives a 401 NOT FOUND HTML page in response. This server can then send further commands, such as downloading additional malware.

New Strikes (4)

CVSS ID References Category Info
10.0 E22-cfyh1 CVE-2021-34473, CVSS, CVSSv3, CWE-918, URL, ZDI-21-821 Exploits This strike exploits a server-side request forgery (SSRF) vulnerability in the EwsAutodiscoverProxyRequestHandler component of Microsoft Exchange. The vulnerability is due to insufficient handling of explicit logon requests to the Autodiscover component of Exchange. An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the vulnerable Exchange server. Successful exploitation results in requests being made to backend servers with administrative privileges without any need for authentication. *NOTE: In OneArm mode, the strike makes requests for enumerating email addresses, Server ID and Legacy DN, and saves a draft email with a file attachment using SID 'S-1-5-21-1943555408-1405878097-3563671238-500'.
7.5 E22-cfzv1 CVE-2021-34523, CVSS, CVSSv3, CWE-287, URL, URL, ZDI-21-822 Exploits This strike exploits a privilege escalation vulnerability in the PowerShell remoting feature of Microsoft Exchange. The vulnerability is due to improper deserialization of the access token provided in the request. A remote, authenticated attacker can supply the access token of any user (including the Exchange Admin user) in the X-Rps-CAT query parameter of the request, resulting in the ability to run PowerShell commands while impersonating that user.
7.5 E22-eko31 CVE-2022-33891, CVSS, CVSSv3, CWE-77, URL Exploits This strike exploits a command injection vulnerability in Apache Spark. The vulnerability is due to improper validation of user input. A remote, unauthenticated attacker could exploit this vulnerability by submitting a specially crafted HTTP request, which could result in arbitrary command execution in the context of the user running the server.
5.0 E22-c9hh1 CVE-2021-26085, CVSS, CVSSv3, CWE-862, URL Exploits This strike exploits an information disclosure vulnerability in Atlassian Confluence. The vulnerability is due to improper path validation. A remote, unauthenticated attacker could exploit this vulnerability by submitting a specially crafted HTTP request, which could result in arbitrary file read.