Name | Category | Info |
---|---|---|
DuckDuckGo Dec22 | Social Networking/Search | DuckDuckGo (DDG) is an internet search engine that emphasizes protecting searchers' privacy and avoiding personalized search results. |
Mastodon Dec22 | Social Networking/Search | Mastodon is a free and open-source software for running self-hosted social networking services. It has microblogging features similar to the Twitter service, which are offered by a large number of independently run nodes, each with its own code of conduct and moderation policies. |
Name | Category | Tags | Info |
---|---|---|---|
DuckDuckGo Dec22 | Social Networking/Search | HTTP/2 | Simulates the use of the DuckDuckGo application as of December 2022, where a user opens the homepage, initiates a search, and then browses the image and news results. |
DuckDuckGo Dec22 Get Images | Social Networking/Search | HTTP/2 | Simulates the use of the DuckDuckGo application as of December 2022, where a user opens the homepage, initiates a search, and then browses the image results. |
DuckDuckGo Dec22 Bandwidth | Social Networking/Search | HTTP/2 | Simulates the use of the DuckDuckGo application as of December 2022, where a user initiates a search and then browses the image and news results. |
Mastodon Dec22 | Social Networking/Search | HTTP/2 | Simulates the use of the Mastodon instance mastodon.sdf.org, where the user gets the login page, logs in, publishes a post, reposts and favourites another user's post, and then sends a direct message to a user. |
Mastodon Dec22 Login | Social Networking/Search | HTTP/2 | Simulates the use of the Mastodon instance mastodon.sdf.org, where the user gets the login page and logs in. |
Mastodon Dec22 Bandwidth | Social Networking/Search | HTTP/2 | Simulates the use of the Mastodon instance mastodon.sdf.org, where the user publishes a post, reposts and favourites another user's post, and then sends a direct message to a user. |
Mastodon Dec22 Send Direct Message | Social Networking/Search | HTTP/2 | Simulates the use of the Mastodon instance mastodon.sdf.org, where the user gets the login page and logs in before sending a direct message to another user. |
Name | Info |
---|---|
CryptoLocker Ransomware Dec 2022 Campaign | This strike list contains 2 strikes simulating the 'CryptoLocker Dec 2022 Campaign'. 1. The first strike simulates the download and initial infection of the 'CryptoLocker Ransomware Dec 2022 Campaign - Malware File Transfer' malware via a file transfer. 2. The second strike simulates the 'CryptoLocker Ransomware Dec 2022 Campaign - CryptoLocker Command and Control' traffic that occurs after the malware is executed. After the ransomware has established persistence on the host, it begins communicating with the external C2 servers. This strike sends encrypted phone-home HTTP POST requests to the attacker-controlled Command and Control servers. This communication retrieves the RSA public key that is then used throughout the encryption process to encrypt all of the files on the victim's machine. It contains the following sequence of strikes: 1) /strikes/malware/apt/cryptolocker_dec_2022_campaign/malware_04fb36199787f2e3e2135611a38321eb.xml 2) /strikes/botnets/apt/cryptolocker_dec_2022_campaign/cryptolocker_dec_2022_campaign_command_control.xml |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
9.3 | E22-ebgz1 | CVE-2022-21971, CVSS, CVSSv3, CWE-119, URL | Exploits | This strike exploits a remote code execution vulnerability in Microsoft Windows. The vulnerability is due to a memory corruption issue caused by an attempt to deallocate an uninitialized pointer. An attacker can execute code by enticing a user to open a malicious RTF file that leverages this vulnerability. |
9.0 | E22-epws1 | CVE-2022-40684, CVSS, CVSSv3, CWE-288, URL | Exploits | This strike exploits an authentication bypass vulnerability in multiple Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability is due to errors in handling certain HTTP headers in user requests. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in an attacker bypassing authentication and executing commands as an admin user on the target system. |
7.2 | E22-ebeh1 | CVE-2022-21881, CVSS, CVSSv3, CWE-269, URL, URL | Exploits | This strike exploits a privilege escalation vulnerability in the Microsoft Windows Kernel. The vulnerability is due to a use-after-free caused by a race condition. A remote attacker can exploit this vulnerability by enticing a user to open a maliciously crafted PE file. Successful exploitation might result in code execution in the context of another user. Note: The file transferred in this strike crashes the kernel. |
7.2 | E22-ec1n1 | CVE-2022-22715, CVSS, CVSSv3, CWE-269, URL, URL | Exploits | This strike exploits a sandbox escape vulnerability in Windows. The vulnerability is due to improper privilege management. A local attacker confined in a sandbox environment can exploit this vulnerability by executing a malicious program to escape the sandbox and further escalate privileges. |
6.5 | E22-ehu01 | CVE-2022-30216, CVSS, CVSSv3, CWE-434, URL, URL | Exploits | This strike exploits a vulnerability in the Server Service in Microsoft Windows. The vulnerability is due to an off-by-one check. A remote, authenticated attacker can exploit this vulnerability by sending crafted DCERPC packets, which might result in certificate tampering or be used as part of an NTLM replay attack. |
Component | Info |
---|---|
Apps | The number of application transactions in "FW - Small Images" superflow has been fixed. |
Security | Strike E22-eg2c1 has had 3 of its 4 variants removed to more accurately reflect the attack vector described for the vulnerability. |
Component | Info |
---|---|
Security | Campaign-related strikes have had their Strike IDs changed to a new format. From now on, all Campaign-related strikes (except phishing**) will start with the letter 'C' to more easily distinguish them from our other malware content. To function properly, Campaign-related strikes need to be run with the Security Component. To ensure this, all Campaign strikes have been removed from the Live Malware smart strike lists, so that the strikes in those lists may be run with either the Malware or Security components. |

**Phishing strikes (even if tied to a campaign) can be run individually.