This repository has been archived by the owner on Jul 14, 2023. It is now read-only.

Releases: mandiant/ioc-scanner-CVE-2019-19781

v1.4

25 Mar 05:07
3f53c14

fixes:

adds:

  • additional artifacts, namely from upcoming blog posts

from git revision: 3f53c14b928aaa85fab704ee9184be1b52f88b26

filename: ioc-scanner-CVE-2019-19781-v1.4.sh
md5: 5f3c979125252e0bfdeacccd0f5b9f9d
sha256: eba4a5a610c7c6a769fa3a5e3955f6a2b28883534d940cdb68d72b07545c54fd

v1.3

12 Feb 16:53

Mitigations for false positives:

  • removed detection of /etc/passwd from shell history
  • disabled scanning of binary files (i.e. .gif) for text artifacts
  • selective scanning of .xml files in the bookmarks folder

New detections:

  • added scanning for php webshells under /var/vpn/themes and subdirectories

Report format and content:

  • added a scan summary paragraph to the top of the output report
  • include full text of detected .xml files in the report

FAQ:

  • added a FAQ item on disk imaging and a sample script for imaging a remote NS device

v1.2

25 Jan 19:18
e7ce03e

fixes:

  • match post exploitation of /etc/passwd due to example in this scanner (thanks for reports by @t0i and @marcoklose!)

from git revision: e7ce03e00da3a786e473a7c3d47fb0f7512785fa

filename: ioc-scanner-CVE-2019-19781-v1.2.sh
md5: 457ee3559409586edcd4c8c34fbe056c
sha256: d808928ccdb8a3f8705989fd28bb6d6b71c7edd1723bc6dfbbd8ad5e67f431d6

v1.1

24 Jan 17:01

adds:

  • FAQ document
  • /var/log/sh.log evidence source
  • /var/log/cron evidence source
  • new shell history terms contributed by the community

fixes:

  • don't match legit bookmark files like bm_prefix_*
  • don't match build.sh in post exploitation
  • relaxed regex matching exploitation in access logs

from git revision: 1f827398b587cf4716839b0ab50a7576237ddce8

filename: ioc-scanner-CVE-2019-19781-v1.1.sh
md5: 12087dd6772ec09845f6f11971e93775
sha256: 195292335bc777359255af0af96ac8c8eccc83637fea1f1296dfc2ce02b9d354

v1.0

22 Jan 12:54
43b9328

from git revision: 43b93286852cc5481419454b9d7f27b3b756d576

filename: ioc-scanner-CVE-2019-19781-v1.0.sh
md5: b719b84cacc80859a1779e501d57a380
sha256: 1f198b562573ba767430fa46796860276574e8c7add33389a1e9c9d3042520a2

recommend using the standalone .sh, download below