misp-circl-feed/feeds/circl/misp/5894f12f-709c-4502-a896-7dbf02de0b81.json

82 lines
No EOL
2.8 KiB
JSON

{
"Event": {
"analysis": "0",
"date": "2017-02-03",
"extends_uuid": "",
"info": "OSINT - Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)",
"publish_timestamp": "1486156232",
"published": true,
"threat_level_id": "3",
"timestamp": "1486156219",
"uuid": "5894f12f-709c-4502-a896-7dbf02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in \"works for me\" state:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156118",
"to_ids": false,
"type": "snort",
"uuid": "5894f14c-b000-4526-88c4-874d02de0b81",
"value": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (sid: 10001515; msg: \"SMB Excessive Large Tree Connect Response\"; byte_test: 3,>,1000,1; content: \"|fe 53 4d 42 40 00|\"; offset: 4; depth: 6; content: \"|03 00|\"; offset: 16; depth:2 ;)"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156165",
"to_ids": false,
"type": "link",
"uuid": "5894f176-4fe8-4611-91d5-46d602de0b81",
"value": "https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect",
"Tag": [
{
"colour": "#360044",
"local": false,
"name": "ms-caro-malware:malware-type=\"Exploit\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156219",
"to_ids": false,
"type": "link",
"uuid": "5894f1a8-fda4-499e-ba27-8cd702de0b81",
"value": "https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": false,
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
]
}
]
}
}