Releases: mandiant/ioc-scanner-CVE-2019-19781
v1.4
fixes:
- #9
- #20 thanks @cybgit
- #24 thanks @evilsibling
adds:
- additional artifacts, namely from upcoming blog posts
from git revision: 3f53c14b928aaa85fab704ee9184be1b52f88b26
filename: ioc-scanner-CVE-2019-19781-v1.4.sh
md5: 5f3c979125252e0bfdeacccd0f5b9f9d
sha256: eba4a5a610c7c6a769fa3a5e3955f6a2b28883534d940cdb68d72b07545c54fd
v1.3
Mitigations for false positives:
- removed detection of /etc/passwd from shell history
- disabled scanning of binary files (e.g. .gif) for text artifacts
- selective scanning of .xml files in the bookmarks folder
New detections:
- added scanning for php webshells under /var/vpn/themes and subdirectories
Report format and content:
- added a scan summary paragraph to the top of the output report
- include full text of detected .xml files in the report
FAQ:
- added a FAQ item on disk imaging and a sample script for imaging a remote NS device
v1.2
fixes:
- match post exploitation of /etc/passwd due to example in this scanner (thanks for reports by @t0i and @marcoklose!)
from git revision: e7ce03e00da3a786e473a7c3d47fb0f7512785fa
filename: ioc-scanner-CVE-2019-19781-v1.2.sh
md5: 457ee3559409586edcd4c8c34fbe056c
sha256: d808928ccdb8a3f8705989fd28bb6d6b71c7edd1723bc6dfbbd8ad5e67f431d6
v1.1
adds:
- FAQ document
- /var/log/sh.log evidence source
- /var/log/cron evidence source
- new shell history terms contributed by the community
fixes:
- don't match legit bookmark files like bm_prefix_*
- don't match build.sh in post exploitation
- relaxed regex matching exploitation in access logs
from git revision: 1f827398b587cf4716839b0ab50a7576237ddce8
filename: ioc-scanner-CVE-2019-19781-v1.1.sh
md5: 12087dd6772ec09845f6f11971e93775
sha256: 195292335bc777359255af0af96ac8c8eccc83637fea1f1296dfc2ce02b9d354
v1.0
from git revision: 43b93286852cc5481419454b9d7f27b3b756d576
filename: ioc-scanner-CVE-2019-19781-v1.0.sh
md5: b719b84cacc80859a1779e501d57a380
sha256: 1f198b562573ba767430fa46796860276574e8c7add33389a1e9c9d3042520a2