misp-circl-feed/feeds/circl/misp/5894f12f-709c-4502-a896-7dbf02de0b81.json


{
"Event": {
"analysis": "0",
"date": "2017-02-03",
"extends_uuid": "",
"info": "OSINT - Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)",
"publish_timestamp": "1486156232",
"published": true,
"threat_level_id": "3",
"timestamp": "1486156219",
"uuid": "5894f12f-709c-4502-a896-7dbf02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in \"works for me\" state:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156118",
"to_ids": false,
"type": "snort",
"uuid": "5894f14c-b000-4526-88c4-874d02de0b81",
"value": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (sid: 10001515; msg: \"SMB Excessive Large Tree Connect Response\"; byte_test: 3,>,1000,1; content: \"|fe 53 4d 42 40 00|\"; offset: 4; depth: 6; content: \"|03 00|\"; offset: 16; depth:2 ;)"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156165",
"to_ids": false,
"type": "link",
"uuid": "5894f176-4fe8-4611-91d5-46d602de0b81",
"value": "https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect",
"Tag": [
{
"colour": "#360044",
"local": "0",
"name": "ms-caro-malware:malware-type=\"Exploit\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1486156219",
"to_ids": false,
"type": "link",
"uuid": "5894f1a8-fda4-499e-ba27-8cd702de0b81",
"value": "https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": "0",
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
]
}
]
}
}