This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.
Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.
| This search is designed to work with Crowdstrike FDR data ingested into Splunk. I will leave the exercise to you to translate this into your own SIEM. | |
| ``` Identied PatternIds via | inputlookup detect_patterns.csv where description="mything ``` | |
| ```Join AssociateIndicator events to the process and command that did them. We sub-search for our suspect aid + TargetProcessId combination and use them to look for the associated ProcessRollup2 events.``` | |
| ``` Process rollup events ``` | |
| ( `Your FDR Index` | |
| event_platform="Win" | |
| event_simpleName IN (ProcessRollup2,SyntheticProcessRollup2) |
| title: Suspicious msdt.exe execution - Office Exploit | |
| id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b | |
| status: experimental | |
| description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation. | |
| references: | |
| - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e | |
| - https://twitter.com/MalwareJake/status/1531019243411623939 | |
| author: 'Matthew Brennan' | |
| tags: | |
| - attack.execution |
| $path_ = "C:\" | |
| $list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse) | |
| $list | % { | |
| $fullPath = $path_ + $_ | |
| Get-FileHash $fullPath -Algorithm SHA256 | Format-List | |
| } |
FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"
| input { | |
| kafka { | |
| bootstrap_servers => "" #configurable | |
| group_id => "" #configurable | |
| auto_offset_reset => "" #configurable | |
| security_protocol => "SASL_SSL" | |
| sasl_mechanism => "SCRAM-SHA-512" | |
| sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';" | |
| ssl_endpoint_identification_algorithm => "" | |
| topics => [""] #configurable |
| input { | |
| kafka { | |
| bootstrap_servers => "" #configurable | |
| group_id => "" #configurable | |
| auto_offset_reset => "" #configurable | |
| security_protocol => "SASL_SSL" | |
| sasl_mechanism => "SCRAM-SHA-512" | |
| sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';" | |
| ssl_endpoint_identification_algorithm => "" | |
| topics => [""] #configurable |
Collection of BloodHound Cypher Query Examples
The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
