82 lines
No EOL
2.8 KiB
JSON
82 lines
No EOL
2.8 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2017-02-03",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)",
|
|
"publish_timestamp": "1486156232",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1486156219",
|
|
"uuid": "5894f12f-709c-4502-a896-7dbf02de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in \"works for me\" state:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486156118",
|
|
"to_ids": false,
|
|
"type": "snort",
|
|
"uuid": "5894f14c-b000-4526-88c4-874d02de0b81",
|
|
"value": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (sid: 10001515; msg: \"SMB Excessive Large Tree Connect Response\"; byte_test: 3,>,1000,1; content: \"|fe 53 4d 42 40 00|\"; offset: 4; depth: 6; content: \"|03 00|\"; offset: 16; depth:2 ;)"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486156165",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5894f176-4fe8-4611-91d5-46d602de0b81",
|
|
"value": "https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect",
|
|
"Tag": [
|
|
{
|
|
"colour": "#360044",
|
|
"local": false,
|
|
"name": "ms-caro-malware:malware-type=\"Exploit\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486156219",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5894f1a8-fda4-499e-ba27-8cd702de0b81",
|
|
"value": "https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075200",
|
|
"local": false,
|
|
"name": "admiralty-scale:source-reliability=\"b\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |