Takaaki Mori

Investigating a Flash Exploit using NetWitness.

Discussion created by Takaaki Mori Employee on Sep 17, 2016

We would like to share some rules. They are the rules we use to investigate attacks that exploit a Flash vulnerability.

They also produce false positives, but they have actually detected attacks.
I hope they can be of some help to you.

***Situation***
Site A → Redirect → Site B (Flash Exploit)
1. Site A: a site running a vulnerable WordPress installation
2. Malicious site: performs the redirect
3. Site B: the Flash exploit site

***Rule***
App Rule:
・Watch-WordPress
directory contains 'wp-content' && risk.info contains 'redirect' && filetype = 'zip','rar','x86 pe','windows_executable','windows executable'
・Watch-Content-Type-Exec
content='application/x-dosexec'
・Watch-Content-Type-SWF_but_php
extension='php' && content='application/x-shockwave-flash' && extension!='swf' && alias.host !='white list'

Report Rule:
alert begins 'Watch-'
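As an added example (my own illustration, not rules or code from the original post or from RSA), the three app rules and the report rule above can be modelled as Python predicates over session metadata, so you can check offline which sessions each rule would tag before deploying. The key names (directory, risk.info, filetype, content, extension, alias.host) follow the rule text; the session records, host names and the allow-list are constructed for the example. One assumption is marked in the code: a key such as extension may carry several values per session, and `extension != 'swf'` is read as "no value of extension is swf".

```python
"""Model of the 'Watch-' app rules and the report rule over constructed
NetWitness-style session metadata. Added example, not from the original post."""

# filetype values listed in the Watch-WordPress rule
EXE_FILETYPES = {"zip", "rar", "x86 pe", "windows_executable", "windows executable"}

# Constructed allow-list; stands in for the 'white list' placeholder in the rule.
ALIAS_HOST_WHITELIST = {"cdn.legit-flash.example"}


def _values(session, key):
    """Meta keys can be multi-valued per session; normalise to a list."""
    v = session.get(key, [])
    return v if isinstance(v, list) else [v]


def watch_wordpress(session):
    # directory contains 'wp-content' && risk.info contains 'redirect' && filetype = exe types
    return (any("wp-content" in d for d in _values(session, "directory"))
            and any("redirect" in r for r in _values(session, "risk.info"))
            and any(ft in EXE_FILETYPES for ft in _values(session, "filetype")))


def watch_content_type_exec(session):
    # content = 'application/x-dosexec'
    return "application/x-dosexec" in _values(session, "content")


def watch_content_type_swf_but_php(session):
    # extension = 'php' && content = SWF && extension != 'swf' && alias.host != whitelist
    exts = _values(session, "extension")
    hosts = _values(session, "alias.host")
    return ("php" in exts
            and "application/x-shockwave-flash" in _values(session, "content")
            and "swf" not in exts  # assumption: != means no value equals 'swf'
            and not any(h in ALIAS_HOST_WHITELIST for h in hosts))


APP_RULES = {
    "Watch-WordPress": watch_wordpress,
    "Watch-Content-Type-Exec": watch_content_type_exec,
    "Watch-Content-Type-SWF_but_php": watch_content_type_swf_but_php,
}


def apply_app_rules(session):
    """Alert names a session would be tagged with by the app rules."""
    return [name for name, rule in APP_RULES.items() if rule(session)]


def report_rule(alerts):
    """Report rule: alert begins 'Watch-'."""
    return [a for a in alerts if a.startswith("Watch-")]


def run_report(sessions):
    """Map session id -> reported alerts, for sessions that report anything."""
    out = {}
    for s in sessions:
        hits = report_rule(apply_app_rules(s))
        if hits:
            out[s["id"]] = hits
    return out


# Constructed sessions following the Site A -> redirect -> Site B scenario.
SESSIONS = [
    {"id": "site-a", "alias.host": ["site-a.example"], "directory": ["/wp-content/uploads/"],
     "risk.info": ["http redirect"], "filetype": ["x86 pe"]},
    {"id": "site-b", "alias.host": ["site-b.example"], "directory": ["/"],
     "extension": ["php"], "content": ["application/x-shockwave-flash"]},
    {"id": "payload", "alias.host": ["site-b.example"], "extension": ["exe"],
     "content": ["application/x-dosexec"]},
    {"id": "whitelisted", "alias.host": ["cdn.legit-flash.example"],
     "extension": ["php"], "content": ["application/x-shockwave-flash"]},
    {"id": "benign-wp", "alias.host": ["blog.example"], "directory": ["/wp-content/themes/"],
     "risk.info": ["http redirect"], "filetype": ["html"]},
    # php landing page and a direct .swf in the same session: excluded by extension != 'swf'
    {"id": "php-and-swf", "alias.host": ["site-c.example"], "extension": ["php", "swf"],
     "content": ["application/x-shockwave-flash"]},
]

if __name__ == "__main__":
    for sid, hits in run_report(SESSIONS).items():
        print(sid, hits)
```

Note the last constructed session: because the rule requires both `extension='php'` and `extension!='swf'`, a session that also contains a direct .swf request is not tagged under the reading used here, which is one place where the rule can miss. The `alias.host` allow-list is what keeps legitimate hosts that serve Flash from .php endpoints out of the report; tune it per environment.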

Outcomes