MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

add DarkPulsar and affiliates + update some refs

pull/292/head
Deborah Servili 2018-10-22 10:14:30 +02:00
parent c8cbb609a2
commit 4564c5eb37
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
2 changed files with 191 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
clusters/threat-actor.json
View File

@ -5974,7 +5974,24 @@
],
"uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce",
"value": "GreyEnergy"
},
{
"description": "The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA, including several zero-day exploits.[1] Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/The_Shadow_Brokers",
"https://securelist.com/darkpulsar/88199/"
],
"synonyms": [
"The ShadowBrokers",
"TSB",
"Shadow Brokers",
"ShadowBrokers"
]
},
"uuid": "d5e90854-d5c9-11e8-98b9-1f98eb80d30a",
"value": "The Shadow Brokers"
}
],
"version": 73
"version": 74
}

174
clusters/tool.json
View File

@ -4557,146 +4557,292 @@
},
{
"description": "RedHat 7.0 - 7.1 Sendmail 8.11.x exploit",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "80c7b1bf-c35f-4831-90ce-0699f6173f1b",
"value": "EARLYSHOVEL"
},
{
"description": "root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "370331a1-2178-4369-afb7-ce2da134a2ba",
"value": "EBBISLAND (EBBSHAVE)"
},
{
"description": "remote Samba 3.0.x Linux exploit",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "0381c40e-81c6-4a18-b5b6-48b7eef211c7",
"value": "ECHOWRECKER"
},
{
"description": "appears to be an MDaemon email server vulnerability",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "7f96b58d-0f41-46cd-8141-c53d2a03fb81",
"value": "EASYBEE"
},
{
"description": "an IBM Lotus Notes exploit that gets detected as Stuxnet",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "4f3df03f-336d-4a2b-a500-47e93a4259e6",
"value": "EASYPI"
},
{
"description": "an exploit for IBM Lotus Domino 6.5.4 & 7.0.2",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "c8fedb97-4f7e-48d1-8f2a-5e0562c1fba0",
"value": "EWOKFRENZY"
},
{
"description": "an IIS 6.0 exploit that creates a remote backdoor",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "f843ef63-9e42-42d0-84a0-40d863985088",
"value": "EXPLODINGCAN"
},
{
"description": "a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "b5c5174e-36a2-4b53-aed7-91b006514c8b",
"value": "ETERNALROMANCE"
},
{
"description": "a SMB exploit (MS09-050)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "342a64db-f130-4ac2-96d2-a773fb2bf86d",
"value": "EDUCATEDSCHOLAR"
},
{
"description": "a SMB exploit for Windows XP and Server 2003 (MS10-061)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "32cd0bfb-9269-43ba-9c43-9fc484a30ad0",
"value": "EMERALDTHREAD"
},
{
"description": "a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "48393a71-3814-48ab-805b-a7914e006814",
"value": "EMPHASISMINE"
},
{
"description": "Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "ce484c02-b538-4351-ba7e-48c7d05c013f",
"value": "ENGLISHMANSDENTIST"
},
{
"description": "0-day exploit (RCE) for Avaya Call Server",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "7120af74-6589-44a4-aee6-0f8fd3808d54",
"value": "EPICHERO"
},
{
"description": "SMBv1 exploit targeting Windows XP and Server 2003",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "a82fa4a0-1904-4c03-9fc4-7cbcd255ce58",
"value": "ERRATICGOPHER"
},
{
"description": "a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "b4547fe9-25c9-40b6-9256-07f1ed7548c4",
"value": "ETERNALSYNERGY"
},
{
"description": "SMBv2 exploit for Windows 7 SP1 (MS17-010)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "e5b14d3e-ae59-495e-bdcb-f9d876db3f87",
"value": "ETERNALBLUE"
},
{
"description": "a SMBv1 exploit",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "4aee9bfe-f01d-44ea-9edd-91ecad88413a",
"value": "ETERNALCHAMPION"
},
{
"description": "Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "4a8db2c4-04fb-49e0-b688-1bc5d8354072",
"value": "ESKIMOROLL"
},
{
"description": "RDP exploit and backdoor for Windows Server 2003",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "5d9131be-c3bb-44ac-9c4d-19fcc97d2efd",
"value": "ESTEEMAUDIT"
},
{
"description": "RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "406ad0a9-b1fc-4edc-aa20-692a69f349a6",
"value": "ECLIPSEDWING"
},
{
"description": "exploit for IMail 8.10 to 8.22",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "3aaef939-132c-4cfb-9243-20918373ccfe",
"value": "ETRE"
},
{
"description": "an exploit framework, similar to MetaSploit",
"meta": {
"refs": [
"https://securelist.com/darkpulsar/88199/",
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "3de1aa96-24cd-4790-babc-df0b2d657bdb",
"value": "FUZZBUNCH"
},
{
"description": "implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "d20f9a41-db27-4d53-995e-547f86ff3d1e",
"value": "ODDJOB"
},
{
"description": "utility which Bypasses authentication for Oracle servers",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "b68ac0c5-124a-4f22-9c99-0c1cd42bdee3",
"value": "PASSFREELY"
},
{
"description": "check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "48cf4f29-41a2-4244-bb25-377362eaa3ae",
"value": "SMBTOUCH"
},
{
"description": "Check if the target is running some RPC",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "a122b8e0-1249-4c77-8ef7-6b9caf48ab4f",
"value": "ERRATICGOPHERTOUCH"
},
{
"description": "check if the running IIS version is vulnerable",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "7b4bf6dd-d191-429b-a5ee-9305093aa1ec",
"value": "IISTOUCH"
},
{
"description": "get info about windows via RPC",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "2c9e90ea-7421-4101-97a6-ebe095bd29ad",
"value": "RPCOUTCH"
},
{
"description": "used to connect to machines exploited by ETERNALCHAMPIONS",
"meta": {
"refs": [
"https://github.com/misterch0c/shadowbroker"
]
},
"uuid": "f1657aac-a6be-4383-8cd6-06b833acf07c",
"value": "DOPU"
},
@ -6996,7 +7142,33 @@
},
"uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412",
"value": "CoalaBot"
},
{
"description": "DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims\nDanderSpritz is the framework for controlling infected machines, different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.\nFor DanderSpritz works for a larger range of backdoors, using PeedleCheap in the victim to enable operators launching plugins. PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines. Once a connection is established all DanderSpritz post-exploitation features become available.",
"meta": {
"refs": [
"https://securelist.com/darkpulsar/88199/"
],
"synonyms": [
"Dander Spritz"
]
},
"uuid": "7e4898fa-d5d1-11e8-89bc-a36f56275b1e",
"value": "DanderSpritz"
},
{
"description": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named sipauth32.tsp that provides remote control.",
"meta": {
"refs": [
"https://securelist.com/darkpulsar/88199/"
],
"synonyms": [
"Dark Pulsar"
]
},
"uuid": "7e9f46aa-d5d1-11e8-b782-e71d52d8ac7c",
"value": "DarkPulsar"
}
],
"version": 95
"version": 96
}