diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 217c6c1..e6f4096 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5974,7 +5974,24 @@ ], "uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce", "value": "GreyEnergy" + }, + { + "description": "The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA, including several zero-day exploits.[1] Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/The_Shadow_Brokers", + "https://securelist.com/darkpulsar/88199/" + ], + "synonyms": [ + "The ShadowBrokers", + "TSB", + "Shadow Brokers", + "ShadowBrokers" + ] + }, + "uuid": "d5e90854-d5c9-11e8-98b9-1f98eb80d30a", + "value": "The Shadow Brokers" } ], - "version": 73 + "version": 74 } diff --git a/clusters/tool.json b/clusters/tool.json index 3e30385..71cbd1c 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -4557,146 +4557,292 @@ }, { "description": "RedHat 7.0 - 7.1 Sendmail 8.11.x exploit", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "80c7b1bf-c35f-4831-90ce-0699f6173f1b", "value": "EARLYSHOVEL" }, { "description": "root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "370331a1-2178-4369-afb7-ce2da134a2ba", "value": "EBBISLAND (EBBSHAVE)" }, { "description": "remote Samba 3.0.x Linux exploit", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "0381c40e-81c6-4a18-b5b6-48b7eef211c7", "value": "ECHOWRECKER" }, { "description": "appears to be an MDaemon email server vulnerability", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "7f96b58d-0f41-46cd-8141-c53d2a03fb81", "value": "EASYBEE" }, { "description": "an IBM Lotus Notes exploit that gets detected as Stuxnet", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "4f3df03f-336d-4a2b-a500-47e93a4259e6", "value": "EASYPI" }, { "description": "an exploit for IBM Lotus Domino 6.5.4 & 7.0.2", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "c8fedb97-4f7e-48d1-8f2a-5e0562c1fba0", "value": "EWOKFRENZY" }, { "description": "an IIS 6.0 exploit that creates a remote backdoor", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "f843ef63-9e42-42d0-84a0-40d863985088", "value": "EXPLODINGCAN" }, { "description": "a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "b5c5174e-36a2-4b53-aed7-91b006514c8b", "value": "ETERNALROMANCE" }, { "description": "a SMB exploit (MS09-050)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "342a64db-f130-4ac2-96d2-a773fb2bf86d", "value": "EDUCATEDSCHOLAR" }, { "description": "a SMB exploit for Windows XP and Server 2003 (MS10-061)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "32cd0bfb-9269-43ba-9c43-9fc484a30ad0", "value": "EMERALDTHREAD" }, { "description": "a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "48393a71-3814-48ab-805b-a7914e006814", "value": "EMPHASISMINE" }, { "description": "Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "ce484c02-b538-4351-ba7e-48c7d05c013f", "value": "ENGLISHMANSDENTIST" }, { "description": "0-day exploit (RCE) for Avaya Call Server", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "7120af74-6589-44a4-aee6-0f8fd3808d54", "value": "EPICHERO" }, { "description": "SMBv1 exploit targeting Windows XP and Server 2003", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "a82fa4a0-1904-4c03-9fc4-7cbcd255ce58", "value": "ERRATICGOPHER" }, { "description": "a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "b4547fe9-25c9-40b6-9256-07f1ed7548c4", "value": "ETERNALSYNERGY" }, { "description": "SMBv2 exploit for Windows 7 SP1 (MS17-010)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "e5b14d3e-ae59-495e-bdcb-f9d876db3f87", "value": "ETERNALBLUE" }, { "description": "a SMBv1 exploit", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "4aee9bfe-f01d-44ea-9edd-91ecad88413a", "value": "ETERNALCHAMPION" }, { "description": "Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "4a8db2c4-04fb-49e0-b688-1bc5d8354072", "value": "ESKIMOROLL" }, { "description": "RDP exploit and backdoor for Windows Server 2003", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "5d9131be-c3bb-44ac-9c4d-19fcc97d2efd", "value": "ESTEEMAUDIT" }, { "description": "RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "406ad0a9-b1fc-4edc-aa20-692a69f349a6", "value": "ECLIPSEDWING" }, { "description": "exploit for IMail 8.10 to 8.22", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "3aaef939-132c-4cfb-9243-20918373ccfe", "value": "ETRE" }, { "description": "an exploit framework, similar to MetaSploit", + "meta": { + "refs": [ + "https://securelist.com/darkpulsar/88199/", + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "3de1aa96-24cd-4790-babc-df0b2d657bdb", "value": "FUZZBUNCH" }, { "description": "implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "d20f9a41-db27-4d53-995e-547f86ff3d1e", "value": "ODDJOB" }, { "description": "utility which Bypasses authentication for Oracle servers", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "b68ac0c5-124a-4f22-9c99-0c1cd42bdee3", "value": "PASSFREELY" }, { "description": "check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "48cf4f29-41a2-4244-bb25-377362eaa3ae", "value": "SMBTOUCH" }, { "description": "Check if the target is running some RPC", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "a122b8e0-1249-4c77-8ef7-6b9caf48ab4f", "value": "ERRATICGOPHERTOUCH" }, { "description": "check if the running IIS version is vulnerable", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "7b4bf6dd-d191-429b-a5ee-9305093aa1ec", "value": "IISTOUCH" }, { "description": "get info about windows via RPC", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "2c9e90ea-7421-4101-97a6-ebe095bd29ad", "value": "RPCOUTCH" }, { "description": "used to connect to machines exploited by ETERNALCHAMPIONS", + "meta": { + "refs": [ + "https://github.com/misterch0c/shadowbroker" + ] + }, "uuid": "f1657aac-a6be-4383-8cd6-06b833acf07c", "value": "DOPU" }, @@ -6996,7 +7142,33 @@ }, "uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412", "value": "CoalaBot" + }, + { + "description": "DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims\nDanderSpritz is the framework for controlling infected machines, different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.\nFor DanderSpritz works for a larger range of backdoors, using PeedleCheap in the victim to enable operators launching plugins. PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines. Once a connection is established all DanderSpritz post-exploitation features become available.", + "meta": { + "refs": [ + "https://securelist.com/darkpulsar/88199/" + ], + "synonyms": [ + "Dander Spritz" + ] + }, + "uuid": "7e4898fa-d5d1-11e8-89bc-a36f56275b1e", + "value": "DanderSpritz" + }, + { + "description": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ‘sipauth32.tsp’ that provides remote control.", + "meta": { + "refs": [ + "https://securelist.com/darkpulsar/88199/" + ], + "synonyms": [ + "Dark Pulsar" + ] + }, + "uuid": "7e9f46aa-d5d1-11e8-b782-e71d52d8ac7c", + "value": "DarkPulsar" } ], - "version": 95 + "version": 96 }