Date: 10/03/2024
Severity: Medium
Summary
Researchers at Palo Alto Networks Unit 42 identified an automated scanning tool called Swiss Army Suite (S.A.S) during routine telemetry monitoring. Attackers used the tool to run vulnerability scans against both customer web services and various other sites on the internet. An SQL injection detection model flagged unusual traffic patterns linked to the tool, including payloads that may be able to bypass web application firewalls. Further investigation found similar SQL injection attempts reported by other users across the internet. Understanding how the tool behaves is important for improving defenses, whether they rely on signature-based or machine-learning detection.
Indicators of Compromise (IOC) List
Hash | SHA-256 hashes of the S.A.S samples; the eight values are listed in the detection query below.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 |
sha256hash IN ("dcf18b02008762072a330fcf07be885f7c7fc8d4473cb3da41de565959a6da08","abc1c1c17694fcad7f7882cc62fa87c9774b807526ed09c8087bf70b1a8c5c18","e57c2d7f779a36cb5abc9316f4c21f391901f7e07ba2d27ff1c2dd1217dbd536","7b314d68cf60c8d6a13c339a8758e60010499907b84328f238df6fc518023805","58136c339506f4e701ddead6740f72d6cd9091f308bdc64c0c29dd716d9febdd","c8d4aba7e681ca4172c2ec297786e32cc5cf35265aec0912fd2fdd6143f0c6ad","434d165748455d5e09020ab74c9d33d75a77741cae966e60977185956f663c58","32e875834f7b1990680e666266fffd4dd8782b0621e57d1b07a99bf5bf810ded") |
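The query above is a hash lookup against event data already indexed in Gurucul TDIR. The script below is an added example, not code from Gurucul or Unit 42, that performs the same SHA-256 IOC match directly on a file system: it walks a directory tree, hashes every regular file in chunks, and reports any file whose digest is in the IOC set copied from the query. Because the real S.A.S binaries are not available offline, the demo builds a throwaway directory with constructed files and plants a stand-in whose hash is added to the IOC set for the run; the directory layout, file names and contents are all assumptions made for the example.

```python
"""Sweep a directory tree for files whose SHA-256 is in the S.A.S IOC list.

Added example, not from the Gurucul or Unit 42 pages. The hash values are
copied from the detection query above; everything else (fixture files,
names, contents) is constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs from the page's detection query, normalised to lowercase hex.
SAS_IOC_SHA256 = frozenset(h.lower() for h in (
    "dcf18b02008762072a330fcf07be885f7c7fc8d4473cb3da41de565959a6da08",
    "abc1c1c17694fcad7f7882cc62fa87c9774b807526ed09c8087bf70b1a8c5c18",
    "e57c2d7f779a36cb5abc9316f4c21f391901f7e07ba2d27ff1c2dd1217dbd536",
    "7b314d68cf60c8d6a13c339a8758e60010499907b84328f238df6fc518023805",
    "58136c339506f4e701ddead6740f72d6cd9091f308bdc64c0c29dd716d9febdd",
    "c8d4aba7e681ca4172c2ec297786e32cc5cf35265aec0912fd2fdd6143f0c6ad",
    "434d165748455d5e09020ab74c9d33d75a77741cae966e60977185956f663c58",
    "32e875834f7b1990680e666266fffd4dd8782b0621e57d1b07a99bf5bf810ded",
))


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=SAS_IOC_SHA256):
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Symlinks are skipped so a planted link cannot point the sweep at a path
    outside root, and unreadable files are skipped rather than aborting the run.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def build_fixture():
    """Construct a throwaway tree: benign files plus one planted stand-in.

    Returns (root, paths) where paths maps file name to absolute path. The
    contents are constructed for this example; the stand-in is not a real sample.
    """
    root = tempfile.mkdtemp(prefix="sas-sweep-")
    www = Path(root, "www")
    www.mkdir()
    paths = {
        "notes.txt": Path(root, "notes.txt"),
        "empty.dat": Path(root, "empty.dat"),
        "index.php": www / "index.php",
        "sas.bin": www / "sas.bin",          # planted stand-in for the tool
    }
    paths["notes.txt"].write_bytes(b"nothing to see here\n")
    paths["empty.dat"].write_bytes(b"")
    paths["index.php"].write_bytes(b"<?php echo 'hello'; ?>\n")
    paths["sas.bin"].write_bytes(b"CONSTRUCTED S.A.S STAND-IN, NOT THE REAL BINARY\n")
    return root, {name: str(p) for name, p in paths.items()}


def run_demo():
    """Sweep the fixture; returns (hits, planted_path, planted_digest)."""
    root, paths = build_fixture()
    planted = paths["sas.bin"]
    planted_digest = sha256_file(planted)
    # The real binaries cannot be recreated offline, so the planted file's hash
    # is added to the IOC set for this run to exercise the matching path.
    hits = sweep(root, SAS_IOC_SHA256 | {planted_digest})
    return hits, planted, planted_digest


if __name__ == "__main__":
    found, _, _ = run_demo()
    for path, digest in sorted(found.items()):
        print(f"IOC match: {path} sha256={digest}")
```

Against a live host, call `sweep("/var/www")` (or whatever the suspected drop location is) with the unmodified `SAS_IOC_SHA256` set. Hash-only IOCs are brittle: a rebuilt or repacked copy of the tool will not match, so treat a clean sweep as absence of these exact samples, not absence of the tool, and pair it with the traffic-pattern detection the summary describes.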
Reference:
https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/