124124 "6fcf3b73-782f-45fd-ba41-926da5a9a302",
125125 "128eb846-60c7-475f-bae9-a7a063b7467b",
126126 "931413ef-c0e4-4438-af57-d96ab837044c",
127- "f2186090-5635-4dbd-b93d-39f5c8ad2931",
128127 "1fe28db9-9a63-4020-82b4-352de6285ef4",
129128 "424d5ce0-c529-42b7-9d66-5da730b538c6",
130129 "9b753680-802f-4ca5-b4d2-557a3354a21c",
158157 "0b2518af-d570-43f3-b1c6-90988a96ace8",
159158 "9f90fa81-aa0e-4caa-b754-e33d491b56c1",
160159 "3e5ecd65-6165-4dfb-9642-2b49ce2e80a1",
161- "0c78df89-9fce-49e8-8379-bfc923a2dece",
162160 "5ecca340-5fd5-45f9-acb5-136cbe15dac8",
163161 "d1ac682d-4af2-4f22-9816-35516654dccb",
164162 "88ec52f4-e6a8-4566-a5ea-2148e438e4cf",
671669 "id": "generic_handle",
672670 "instance": "2b7f0b7d-f5a0-42bd-8530-4938f3d4ca73"
673671 },
674- {
675- "id": "dynamic_line",
676- "instance": "f2186090-5635-4dbd-b93d-39f5c8ad2931",
677- "source": "f7ceda2c-49ea-471e-9295-58d1d6988cb1",
678- "target": "1b66c66d-2431-4907-bbc1-83e75dc0d48d",
679- "handles": [
680- "4f7c9e52-e720-45af-ba04-fb691d322806"
681- ]
682- },
683- {
684- "id": "generic_latch",
685- "instance": "f7ceda2c-49ea-471e-9295-58d1d6988cb1"
686- },
687- {
688- "id": "generic_latch",
689- "instance": "1b66c66d-2431-4907-bbc1-83e75dc0d48d"
690- },
691- {
692- "id": "generic_handle",
693- "instance": "4f7c9e52-e720-45af-ba04-fb691d322806"
694- },
695672 {
696673 "id": "dynamic_line",
697674 "instance": "1fe28db9-9a63-4020-82b4-352de6285ef4",
34003377 "properties": [
34013378 [
34023379 "name",
3403- "Web Cookies"
3380+ null
34043381 ],
34053382 [
34063383 "ttp",
34073384 [
34083385 [
34093386 "tactic",
3410- "TA0006 "
3387+ "TA0003 "
34113388 ],
34123389 [
34133390 "technique",
3414- "T1606.001"
3391+ null
34153392 ]
34163393 ]
34173394 ],
34183395 [
34193396 "description",
3420- "The attacker uses the stolen MachineKey to forge a ViewState cookie ."
3397+ "The attacker uses the stolen MachineKey to forge the ASP.NET VIEWSTATE, which allows code execution even after the CVEs are patched and the web shells are removed ."
34213398 ],
34223399 [
34233400 "confidence",
35033480 {
35043481 "id": "vertical_anchor",
35053482 "instance": "f56b0a65-ed25-495e-a558-3361139be04b",
3506- "latches": [
3507- "f7ceda2c-49ea-471e-9295-58d1d6988cb1"
3508- ]
3483+ "latches": []
35093484 },
35103485 {
35113486 "id": "vertical_anchor",
35173492 "instance": "0e9e0a50-4def-4b85-a856-d691d88698f2",
35183493 "latches": []
35193494 },
3520- {
3521- "id": "action",
3522- "instance": "0c78df89-9fce-49e8-8379-bfc923a2dece",
3523- "properties": [
3524- [
3525- "name",
3526- "Forged ViewState Cookie"
3527- ],
3528- [
3529- "ttp",
3530- [
3531- [
3532- "tactic",
3533- "TA0003"
3534- ],
3535- [
3536- "technique",
3537- null
3538- ]
3539- ]
3540- ],
3541- [
3542- "description",
3543- "The attacker uses the forged cookie for persistence even after the CVEs are patched and the web shells are removed."
3544- ],
3545- [
3546- "confidence",
3547- null
3548- ],
3549- [
3550- "execution_start",
3551- null
3552- ],
3553- [
3554- "execution_end",
3555- null
3556- ]
3557- ],
3558- "anchors": {
3559- "0": "8178746e-fdfe-4683-9c30-b416800352e9",
3560- "30": "b0d23cfa-72f7-4d6a-b606-255d515513ca",
3561- "60": "83eb6272-9729-4946-a05f-bf442dc793f4",
3562- "90": "104e3744-9b51-45a8-8a1f-8d1df308938b",
3563- "120": "33554de9-9a83-43c8-adb3-bbf9749dafe9",
3564- "150": "15bbbb02-884c-4554-939c-3a40b0d387be",
3565- "180": "c16c7dec-9f45-4244-a15c-9dbd9f0d5a1b",
3566- "210": "d1d3b457-6ac2-42e6-a933-484dfddaf178",
3567- "240": "7072ea79-41c5-4d45-8c2b-88bd41f18dd9",
3568- "270": "22817cb4-8329-4db5-b9da-090b17ce0b0c",
3569- "300": "11e89f38-8f9a-48d2-b837-6300384c2b84",
3570- "330": "bc061c27-8081-4b14-b160-7099fc6c3de2"
3571- }
3572- },
3573- {
3574- "id": "horizontal_anchor",
3575- "instance": "8178746e-fdfe-4683-9c30-b416800352e9",
3576- "latches": []
3577- },
3578- {
3579- "id": "horizontal_anchor",
3580- "instance": "b0d23cfa-72f7-4d6a-b606-255d515513ca",
3581- "latches": []
3582- },
3583- {
3584- "id": "vertical_anchor",
3585- "instance": "83eb6272-9729-4946-a05f-bf442dc793f4",
3586- "latches": []
3587- },
3588- {
3589- "id": "vertical_anchor",
3590- "instance": "104e3744-9b51-45a8-8a1f-8d1df308938b",
3591- "latches": [
3592- "1b66c66d-2431-4907-bbc1-83e75dc0d48d"
3593- ]
3594- },
3595- {
3596- "id": "vertical_anchor",
3597- "instance": "33554de9-9a83-43c8-adb3-bbf9749dafe9",
3598- "latches": []
3599- },
3600- {
3601- "id": "horizontal_anchor",
3602- "instance": "15bbbb02-884c-4554-939c-3a40b0d387be",
3603- "latches": []
3604- },
3605- {
3606- "id": "horizontal_anchor",
3607- "instance": "c16c7dec-9f45-4244-a15c-9dbd9f0d5a1b",
3608- "latches": []
3609- },
3610- {
3611- "id": "horizontal_anchor",
3612- "instance": "d1d3b457-6ac2-42e6-a933-484dfddaf178",
3613- "latches": []
3614- },
3615- {
3616- "id": "vertical_anchor",
3617- "instance": "7072ea79-41c5-4d45-8c2b-88bd41f18dd9",
3618- "latches": []
3619- },
3620- {
3621- "id": "vertical_anchor",
3622- "instance": "22817cb4-8329-4db5-b9da-090b17ce0b0c",
3623- "latches": []
3624- },
3625- {
3626- "id": "vertical_anchor",
3627- "instance": "11e89f38-8f9a-48d2-b837-6300384c2b84",
3628- "latches": []
3629- },
3630- {
3631- "id": "horizontal_anchor",
3632- "instance": "bc061c27-8081-4b14-b160-7099fc6c3de2",
3633- "latches": []
3634- },
36353495 {
36363496 "id": "file",
36373497 "instance": "5ecca340-5fd5-45f9-acb5-136cbe15dac8",
44164276 1145
44174277 ],
44184278 "3e5ecd65-6165-4dfb-9642-2b49ce2e80a1": [
4419- 80 ,
4279+ 85 ,
44204280 2600
44214281 ],
4422- "0c78df89-9fce-49e8-8379-bfc923a2dece": [
4423- 80,
4424- 2940
4425- ],
44264282 "5ecca340-5fd5-45f9-acb5-136cbe15dac8": [
44274283 1465,
44284284 1610
44654321 ]
44664322 },
44674323 "camera": {
4468- "x": 70 ,
4469- "y": 1271 ,
4470- "k": 0.6350589842718954
4324+ "x": 169 ,
4325+ "y": 2847 ,
4326+ "k": 0.9220791504409355
44714327 }
44724328}