Takaaki Mori

Investigating the Flash Exploit using Netwitness.

Discussion created by Takaaki Mori Employee on Sep 17, 2016

I will share some rules. They are the rules we use to investigate attacks that exploit a Flash vulnerability.

They also produce false positives, but they did detect actual attacks.
I hope they are of some help to you.

Site A → Redirect → Site B (Flash Exploit)
1. Site A: vulnerable WordPress site
2. Malicious site: redirect
3. Site B: Flash exploit site

App Rules:
1) directory contains 'wp-content' && risk.info contains 'redirect' && filetype = 'zip','rar','x86 pe','windows_executable','windows executable'
2) extension='php' && content='application/x-shockwave-flash' && extension!='swf' && alias.host !='white list'

Report Rule:
alert begins 'Watch-'
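To show how the two app rules and the report rule above behave together, including the false-positive case the post mentions, here is an added example in Python that is not part of the original post and not NetWitness code. It models each NetWitness meta key (directory, risk.info, filetype, extension, content, alias.host) as a list of values per session, implements the rule operators ('contains', '=' with a value list, '!='), and runs the rules over constructed sessions. The alert names beginning with 'Watch-', the whitelist host, and the extra 'Info-' rule are assumptions made for the example.

```python
"""Added example: evaluating the post's NetWitness-style rules over
constructed session metadata. Not code from the original post."""

from typing import Callable, Dict, Iterable, List

# A session's metadata: meta key -> list of values (NetWitness meta keys
# can carry several values per session).
Meta = Dict[str, List[str]]

# Stand-in for the post's 'white list' host; the value is constructed here.
WHITELIST_HOSTS = {"cdn.example.com"}

# The file types named in the first app rule.
BINARY_FILETYPES = {"zip", "rar", "x86 pe", "windows_executable", "windows executable"}


def meta_contains(meta: Meta, key: str, needle: str) -> bool:
    """'key contains x': some value of the key has x as a substring."""
    return any(needle.lower() in v.lower() for v in meta.get(key, []))


def meta_equals_any(meta: Meta, key: str, options: Iterable[str]) -> bool:
    """'key = a,b,c': some value of the key equals one of the listed options."""
    wanted = {o.lower() for o in options}
    return any(v.lower() in wanted for v in meta.get(key, []))


def rule_wordpress_redirect_to_binary(meta: Meta) -> bool:
    # directory contains 'wp-content' && risk.info contains 'redirect'
    # && filetype = 'zip','rar','x86 pe','windows_executable','windows executable'
    return (meta_contains(meta, "directory", "wp-content")
            and meta_contains(meta, "risk.info", "redirect")
            and meta_equals_any(meta, "filetype", BINARY_FILETYPES))


def rule_php_serving_flash(meta: Meta) -> bool:
    # extension='php' && content='application/x-shockwave-flash'
    # && extension!='swf' && alias.host !='white list'
    return (meta_equals_any(meta, "extension", {"php"})
            and meta_equals_any(meta, "content", {"application/x-shockwave-flash"})
            and not meta_equals_any(meta, "extension", {"swf"})
            and not meta_equals_any(meta, "alias.host", WHITELIST_HOSTS))


# Hypothetical alert names: the post only says the report rule matches
# alerts that begin with 'Watch-'. The 'Info-' rule is added to show that
# the report rule filters out alerts from other rules.
APP_RULES: Dict[str, Callable[[Meta], bool]] = {
    "Watch-WP-Redirect-Binary": rule_wordpress_redirect_to_binary,
    "Watch-PHP-Flash-Content": rule_php_serving_flash,
    "Info-Archive-Download": lambda m: meta_equals_any(m, "filetype", {"zip", "rar"}),
}


def app_rule_alerts(meta: Meta) -> List[str]:
    """Names of every app rule that fires on the session."""
    return [name for name, rule in APP_RULES.items() if rule(meta)]


def report_rule(alerts: List[str]) -> List[str]:
    """Report rule from the post: alert begins 'Watch-'."""
    return [a for a in alerts if a.startswith("Watch-")]


# Constructed sessions (hosts and paths are placeholders, not real indicators).
SESSIONS: Dict[str, Meta] = {
    # Site A -> redirect -> executable download: first rule fires.
    "wp_redirect_to_exe": {
        "directory": ["/wp-content/uploads/"], "risk.info": ["http redirect"],
        "filetype": ["windows executable"], "extension": ["exe"],
        "alias.host": ["blog.example.org"]},
    # Site B: a .php URL returning Flash content: second rule fires.
    "php_serving_flash": {
        "directory": ["/"], "extension": ["php"],
        "content": ["application/x-shockwave-flash"],
        "alias.host": ["landing.example.net"]},
    # False positive: a legitimate plugin zip fetched after a 301 redirect.
    "plugin_zip_after_redirect": {
        "directory": ["/wp-content/plugins/"], "risk.info": ["http redirect"],
        "filetype": ["zip"], "extension": ["zip"],
        "alias.host": ["plugins.example.org"]},
    # Whitelisted host serving Flash from .php: suppressed by alias.host != 'white list'.
    "whitelisted_flash_host": {
        "directory": ["/player/"], "extension": ["php"],
        "content": ["application/x-shockwave-flash"],
        "alias.host": ["cdn.example.com"]},
    # Ordinary page: nothing fires.
    "plain_page": {
        "directory": ["/"], "extension": ["html"], "content": ["text/html"],
        "alias.host": ["www.example.com"]},
}


def run_sessions(sessions: Dict[str, Meta] = SESSIONS) -> Dict[str, List[str]]:
    """Session id -> alerts that survive the report rule."""
    return {sid: report_rule(app_rule_alerts(m)) for sid, m in sessions.items()}


if __name__ == "__main__":
    for sid, alerts in run_sessions().items():
        print(f"{sid}: {alerts or 'no alert'}")
```

The plugin_zip_after_redirect session is the kind of false positive the post warns about: the first rule cannot tell a plugin archive from a dropped payload, so the analyst still has to review the redirect chain and the file itself. Tuning the whitelist host in the second rule is what keeps known Flash-serving hosts out of the report.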