misp-circl-feed/feeds/circl/misp/5894f12f-709c-4502-a896-7dbf02de0b81.json

{
  "Event": {
    "analysis": "0",
    "date": "2017-02-03",
    "extends_uuid": "",
    "info": "OSINT - Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)",
    "publish_timestamp": "1486156232",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1486156219",
    "uuid": "5894f12f-709c-4502-a896-7dbf02de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Network activity",
        "comment": "Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in \"works for me\" state:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1486156118",
        "to_ids": false,
        "type": "snort",
        "uuid": "5894f14c-b000-4526-88c4-874d02de0b81",
        "value": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any  (sid: 10001515; msg: \"SMB Excessive Large Tree Connect Response\"; byte_test: 3,>,1000,1; content: \"|fe 53 4d 42 40 00|\"; offset: 4; depth: 6; content: \"|03 00|\"; offset: 16; depth:2 ;)"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1486156165",
        "to_ids": false,
        "type": "link",
        "uuid": "5894f176-4fe8-4611-91d5-46d602de0b81",
        "value": "https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect",
        "Tag": [
          {
            "colour": "#360044",
            "local": false,
            "name": "ms-caro-malware:malware-type=\"Exploit\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1486156219",
        "to_ids": false,
        "type": "link",
        "uuid": "5894f1a8-fda4-499e-ba27-8cd702de0b81",
        "value": "https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029",
        "Tag": [
          {
            "colour": "#00223b",
            "local": false,
            "name": "osint:source-type=\"blog-post\"",
            "relationship_type": ""
          },
          {
            "colour": "#075200",
            "local": false,
            "name": "admiralty-scale:source-reliability=\"b\"",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"Event": {`
			`"analysis": "0",`
			`"date": "2017-02-03",`
			`"extends_uuid": "",`
			`"info": "OSINT - Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)",`
			`"publish_timestamp": "1486156232",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1486156219",`
			`"uuid": "5894f12f-709c-4502-a896-7dbf02de0b81",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#ffffff",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "tlp:white",`
			`"relationship_type": ""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Network activity",`
			`"comment": "Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in \"works for me\" state:",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1486156118",`
			`"to_ids": false,`
			`"type": "snort",`
			`"uuid": "5894f14c-b000-4526-88c4-874d02de0b81",`
			`"value": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (sid: 10001515; msg: \"SMB Excessive Large Tree Connect Response\"; byte_test: 3,>,1000,1; content: \"\|fe 53 4d 42 40 00\|\"; offset: 4; depth: 6; content: \"\|03 00\|\"; offset: 16; depth:2 ;)"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1486156165",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5894f176-4fe8-4611-91d5-46d602de0b81",`
			`"value": "https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect",`
			`"Tag": [`
			`{`
			`"colour": "#360044",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "ms-caro-malware:malware-type=\"Exploit\"",`
			`"relationship_type": ""`
			`}`
			`]`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1486156219",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5894f1a8-fda4-499e-ba27-8cd702de0b81",`
			`"value": "https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029",`
			`"Tag": [`
			`{`
			`"colour": "#00223b",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:source-type=\"blog-post\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#075200",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "admiralty-scale:source-reliability=\"b\"",`
			`"relationship_type": ""`
			`}`
			`]`
			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`]`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`