T8-24–01–M–NE–CFHL
Apache ActiveMQ + SU-Bruteforce
This attack is a combination of T3-24-01-S-N-CL and T6-24-01-S-E-FH; two logs are collected: a pcap and a log file.
The attacker executes code remotely on Apache ActiveMQ 5.17.3 using the T3-24-01-S-N-CL attack. The files poc_1.xml and poc_2.xml are imported to perform the malicious behavior, and the Python file launched by poc_3.xml executes a brute-force attack via the su command, which is T6-24-01-S-E-FH.
            OS              IP                          Software          Log collection time   Program runtime
Attacker    Windows 11      192.168.56.1                -                 120 sec               150 sec
Victim      Ubuntu 20.04.1  192.168.56.103 (Internal)   ActiveMQ 5.17.3
                            10.0.2.15 (External)
Installing
  python3 -m pip install -r requirements.txt
Using
  Terminal 1 must be started before Terminal 2.
  [Terminal 1]
  python3 -m http.server 8888
  [Terminal 2]
  python3 run.py
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
./log/2024_01_T8_{time}.log   # {time} = YYmmdd_HHMMSS
./log/2024_01_T8_{time}.pcap  # {time} = YYmmdd_HHMMSS
References
[1] NIST, CVE-2023-46604
[2] AhnLab ASEC, "Apache ActiveMQ vulnerability under continuous attack (CVE-2023-46604)"
[3] Apache, security-advisories.data
[4] MITRE, Brute Force: Password Guessing
[5] MITRE, Privilege Escalation
Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.