Exchange Marauder Analysis

IOB - Indicator of Behavior (312)

Timeline

Language

en: 250
zh: 42
ru: 8
fr: 4
ja: 2

Country/Region

us: 174
cn: 78
ru: 24
kr: 4
jp: 2

Actor

Campaigns

Interests

Timeline

Type

Vendor

Product

Nagios XI: 8
phpMyAdmin: 8
Linux Kernel: 6
PHP: 4
FreeBSD: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Remediation | EPSS | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02016 | 0.02 | CVE-2007-1192
2 | net2ftp directory traversal | 7.3 | 6.4 | $0-$5k | $0-$5k | Unproven | Official Fix | 0.03501 | 0.00 | CVE-2008-5275
3 | Linux Kernel Pipe Dirty Pipe Privilege Escalation | 6.3 | 5.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.07584 | 0.03 | CVE-2022-0847
4 | MWChat Pro Help about.php privilege escalation | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00650 | 0.02 | CVE-2006-5904
5 | Phicomm k2 privilege escalation | 6.6 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.03 | CVE-2023-40796
6 | Metalinks Metacart2 productsbycategory.asp SQL injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00142 | 0.04 | CVE-2005-1363
7 | Yii Yii2 Gii cross-site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00056 | 0.03 | CVE-2022-34297
8 | Microsoft Windows Clipboard User Service Privilege Escalation | 7.2 | 6.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.09 | CVE-2022-21869
9 | SourceCodester Online Flight Booking Management System POST Parameter review_search.php SQL injection | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00134 | 0.05 | CVE-2023-0283
10 | Microsoft IIS IP/Domain Restriction privilege escalation | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.09 | CVE-2014-4078
11 | FuelPHP privilege escalation | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03129 | 0.00 | CVE-2014-1999
12 | phpLDAPadmin LDAP injection privilege escalation | 8.5 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.21652 | 0.00 | CVE-2018-12689
13 | FreeBSD setrlimit memory corruption | 6.5 | 5.6 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00126 | 0.00 | CVE-2017-1085
14 | DZCP deV!L`z Clanportal config.php privilege escalation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 1.21 | CVE-2010-0966
15 | Zoho ManageEngine ServiceDesk Plus API Endpoint User privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00466 | 0.00 | CVE-2018-7248
16 | WebARX Plugin Stored cross-site scripting | 5.2 | 5.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00213 | 0.00 | CVE-2019-17213
17 | jforum User privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00289 | 0.05 | CVE-2019-7550
18 | ShowDoc privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00122 | 0.00 | CVE-2018-19620
19 | Chevereto CMS Stored cross-site scripting | 5.2 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00089 | 0.00 | CVE-2017-1000058
20 | Bitrix Upload from Local Disk Feature restore.php privilege escalation | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.00 | CVE-2022-29268

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Exchange Marauder

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (123)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type
1 | File | .htaccess | predictive
2 | File | /cgi-bin/luci/api/auth | predictive
3 | File | /filemanager/upload.php | predictive
4 | File | /resources//../ | predictive
5 | File | /src/Illuminate/Laravel.php | predictive
6 | File | /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php | predictive
7 | File | /usr/local/WowzaStreamingEngine/bin/ | predictive
8 | File | /wp-json/oembed/1.0/embed?url | predictive
9 | File | about.php | predictive
10 | File | admin/modules/tools/ip_history_logs.php | predictive
11 | File | adminer.php | predictive
12 | File | admin_feature.php | predictive
13 | File | api_poller.php | predictive
14 | File | application/controllers/admin/dataentry.php | predictive
15 | File | xxx.xxx | predictive
16 | File | xxxxxx/xxxxxxxx.xxxx | predictive
17 | File | xxxxxxx.xx | predictive
18 | File | xxx-xxx/xxxxxx.xxx | predictive
19 | File | xxxxxxxxxx.xxx | predictive
20 | File | xxx.xxx?xxx=xxxxx_xxxx | predictive
21 | File | xxx.xxx | predictive
22 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive
23 | File | xxxxxxxx.xxx | predictive
24 | File | xxxx_xxxxxxx.xxx | predictive
25 | File | xxxxxxxxxxxxx.xxx | predictive
26 | File | xxx/xxxxxx/xxxxxx.x | predictive
27 | File | xxxxxxx.xxx | predictive
28 | File | xxxxxxxxx/xx/xxxxxxxxxxxx.xxx | predictive
29 | File | xx_xxxx.xxx | predictive
30 | File | xxxxxxxxx.xxx | predictive
31 | File | xxx/xxxxxx.xxx | predictive
32 | File | xxxxxxxx/xxxx/xxxxx-xxxxx.xxx | predictive
33 | File | xxxxx.xxx | predictive
34 | File | xxxxxxx/xxxxxxxx.xxx | predictive
35 | File | xxxxxx/xxx/xxxxxxxx.x | predictive
36 | File | xx_xxxxxx.xxx | predictive
37 | File | xxxxxxx.xxx | predictive
38 | File | xxxxxxxxx/xxxx_xxxxxxx.xxx.xxx | predictive
39 | File | xxxx/xxxxxxxxxx.xxx | predictive
40 | File | xxx.xxx | predictive
41 | File | xxxxxx.xx | predictive
42 | File | xxxxxxx/xx?xxxxxxxx= | predictive
43 | File | xxxxxxxxxxx-xxxx.xx | predictive
44 | File | xxx/xxxxxxx/xxx.xxx | predictive
45 | File | xxxxxxxxxxxxxxxxxx.xxx | predictive
46 | File | xxxxxxx_xxxx.xxx | predictive
47 | File | xxxxxxx/xxxxx/xxxxxxxxxxx/xxxxx.xxx | predictive
48 | File | xxxxxxxx.xxx | predictive
49 | File | xxxx.xxx | predictive
50 | File | xxxxx-xxxxxx | predictive
51 | File | xxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxx | predictive
52 | File | xxxxxxx.xxx | predictive
53 | File | xxxxxx_xxxxxx.xxx | predictive
54 | File | xxxxxx/xxx/xx/xxx.xx | predictive
55 | File | xxxxxxxxxx.xxxx | predictive
56 | File | xxxxxx_xxx_xxxxxx.xxx | predictive
57 | File | xxxxxx_xxxxx.xxx/xxxxx_xxxxxxx_xxxxxxxxxx.xx | predictive
58 | File | xxxxxx.x | predictive
59 | File | xxxxxxx/xxxx/xxxxxxx_xxxxxxxx_xxxx.xxx | predictive
60 | File | xxxx/xxxxxxxx/xxxxxxxx.xxxx | predictive
61 | File | xx/xx_xxxxxx.xxx | predictive
62 | File | xx\xxxxxxx.xxxx | predictive
63 | File | xxxx-xxxxxxx-xxxxxx.xxx | predictive
64 | File | \xxxxxxx\xxxxxxxxxxxx.xxxx | predictive
65 | Library | /xxx/xxx/xxxx.xxx | predictive
66 | Library | xxxxxx[xxxxxx_xxxx | predictive
67 | Library | xxxx.xxx.xxx | predictive
68 | Library | xxxxxx.xxx | predictive
69 | Library | xx-xxxxxxx/xxxxxxx/xx-xxxx-xxxxxxx/xxx/xxxxx/ | predictive
70 | Argument | %x | predictive
71 | Argument | xxxxxxx | predictive
72 | Argument | xxx | predictive
73 | Argument | xxxxxx_xxxx | predictive
74 | Argument | xxxxxxxx | predictive
75 | Argument | xxxx | predictive
76 | Argument | xxx | predictive
77 | Argument | xxxxx | predictive
78 | Argument | xxxxxxx | predictive
79 | Argument | xxx | predictive
80 | Argument | xxxxxxxx | predictive
81 | Argument | xxxxxxxxx | predictive
82 | Argument | xxxxxx[xxxxxx_xxxx] | predictive
83 | Argument | xxxxxx_xxxxx_xxxxxxxxxxxxx | predictive
84 | Argument | xx | predictive
85 | Argument | xxxxxxxxxxx | predictive
86 | Argument | xxxx | predictive
87 | Argument | xxxxx | predictive
88 | Argument | xx-xxxx | predictive
89 | Argument | xxxxxxxx | predictive
90 | Argument | xx | predictive
91 | Argument | xx_xxxx | predictive
92 | Argument | xxxxxxxxx | predictive
93 | Argument | xxxx/xxx_xxxx | predictive
94 | Argument | xxxxxxx | predictive
95 | Argument | xxx | predictive
96 | Argument | xxxxxxx/xxxxxxx/xxxxxx | predictive
97 | Argument | xxxx | predictive
98 | Argument | xxxxx_xx | predictive
99 | Argument | xxxx_xx | predictive
100 | Argument | xxxxxxxxxxxxx | predictive
101 | Argument | xxxx_xx | predictive
102 | Argument | xxxxx_xxxxxx | predictive
103 | Argument | xxxxxx xxxx | predictive
104 | Argument | xxxxxxx | predictive
105 | Argument | xxxxxxx xxxx | predictive
106 | Argument | xxxxxx | predictive
107 | Argument | xxxxxx_xx | predictive
108 | Argument | xxxx | predictive
109 | Argument | xxxx_xxxxxx/xxxxxx/xxxxxx | predictive
110 | Argument | xxxxxxxx_xxxxx | predictive
111 | Argument | xxx | predictive
112 | Argument | xxxxxxxxxx/xxxxxxxxxxxxxxx | predictive
113 | Argument | xxxxxxxxx | predictive
114 | Argument | xxx | predictive
115 | Argument | xxx | predictive
116 | Argument | xxxxxxxxx | predictive
117 | Argument | xxxxxx | predictive
118 | Argument | xxxx_xx | predictive
119 | Argument | xxx | predictive
120 | Argument | x-xxxxxxxxx-xxx | predictive
121 | Argument | xx_xxxx_xxxxx | predictive
122 | Argument | _xxx | predictive
123 | Input Value | xxxx%xxxxx | predictive

References (2)

The following list contains external sources which discuss the actor and the associated activities:
