IBM QRadar Wincollect Escalation of Privilege
Tags
| attack-pattern: | Exploits - T1587.004 Exploits - T1588.005 Malware - T1587.001 Malware - T1588.001 Msiexec - T1218.007 Vulnerabilities - T1588.006 |
Common Information
| Type | Value |
|---|---|
| UUID | 92907672-61f6-4627-a2f7-48e255416233 |
| Fingerprint | 9440a3d905aa87d1 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Sept. 11, 2020, 12:57 p.m. |
| Added to db | Jan. 18, 2023, 9:56 p.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | IBM QRadar Wincollect Escalation of Privilege (CVE-2020-4485 & CVE-2020-4486) |
| Title | IBM QRadar Wincollect Escalation of Privilege |
| Detected Hints/Tags/Attributes | 33/1/31 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 1 | cve-2020-4485 |
|
| Details | CVE | 1 | cve-2020-4486 |
|
| Details | Domain | 124 | www.ibm.com |
|
| Details | Domain | 1 | secret.club |
|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 2 | redyops.com |
|
| Details | Domain | 2 | angelcyber.gr |
|
| Details | Domain | 2 | deceivewithillicium.com |
|
| Details | Domain | 2 | neurosoft.gr |
|
| Details | File | 1 | xxxx.tmp |
|
| Details | File | 1 | c:\program files\ibm\wincollect\config\cmdline.txt |
|
| Details | File | 1 | c:\users\attacker\appdata\local\temp_isfd30 c:\program files\ibm\wincollect\config\logconfig_template.xml |
|
| Details | File | 1 | c:\users\attacker\appdata\local\temp_isfd8f c:\program files\ibm\wincollect\templates\tmplt_agentcore.xml |
|
| Details | File | 8 | c:\windows\win.ini |
|
| Details | File | 1 | c:\program files\ibm\wincollect\config\logconfig_template.xml |
|
| Details | File | 1 | c:\users\admin\whatever.exe |
|
| Details | File | 1 | c:\program files\ibm\wincollect\templates\tmplt_agentcore.xml |
|
| Details | File | 1 | c:\users\anotheruser\logs.txt |
|
| Details | File | 1 | directory-deletion-shell.html |
|
| Details | File | 2 | delete.exe |
|
| Details | File | 1 | 11ec43.msi |
|
| Details | Github username | 1 | dimopouloselias |
|
| Details | Github username | 2 | redyopsresearchlabs |
|
| Details | Url | 1 | https://www.ibm.com/support/pages/node/6257885 |
|
| Details | Url | 1 | https://secret.club/2020/04/23/directory-deletion-shell.html |
|
| Details | Url | 1 | https://github.com/dimopouloselias/primitives |
|
| Details | Url | 1 | https://github.com/redyopsresearchlabs |
|
| Details | Url | 2 | https://redyops.com |
|
| Details | Url | 2 | https://angelcyber.gr |
|
| Details | Url | 2 | https://deceivewithillicium.com |
|
| Details | Url | 2 | https://neurosoft.gr/contact |