diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape new file mode 100644 index 000000000..b233eb1be --- /dev/null +++ b/Targets/Apps/QlikSense.tkape @@ -0,0 +1,46 @@ +Description: Qlik Sense +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6e979be3-4913-4d16-a508-cc3284194c2b +RecreateDirectories: true +Targets: + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.txt' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.log' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.txt' + Comment: "Collects the scheduler logs for Qlik Sense" + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.log' + Comment: "Collects the scheduler logs for Qlik Sense" + +# Documentation +# Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. +# We have seen three vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed Qlik solution in a recent Cactus Ransomware Campaign: +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ +# You can find details on the full exploit here: +# https://www.praetorian.com/blog/qlik-sense-technical-exploit/ +# https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ 
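Review bot: all four entries in the Targets list of QlikSense.tkape carry the same Name ("Qlik Sense Logs"), and the Proxy pair and the Scheduler pair also share identical Comment strings, so KAPE's console output and the copied-file log give no way to tell which entry matched; name them by folder and extension (e.g. `Name: Qlik Sense Proxy Logs (txt)`) or, rather than duplicating each folder once for `*.txt` and once for `*.log`, fold each pair into a single entry with the regex form of FileMask (`FileMask: 'regex:.+\.(txt|log)$'`) if that style is acceptable to the maintainers. Two smaller points: `Category: Software` is out of step with the `ApplicationLogs` category that RemoteAdmin.tkape uses for application log targets elsewhere in this patch, and the blank line separating entries is missing between the third and fourth targets. Since only the Proxy and Scheduler folders under C:\ProgramData\Qlik\Sense\Log are collected while the documentation block frames the target around exploitation of the product as a whole, the Description or a comment should state that the scope is deliberately limited to those two services.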
diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape new file mode 100644 index 000000000..1b80c2b8c --- /dev/null +++ b/Targets/Apps/UEMS.tkape @@ -0,0 +1,29 @@ +Description: UEMS Manage Engine Agent +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 3ff43bb0-ac44-4374-ac4e-dbe104d81b60 +RecreateDirectories: true +Targets: + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects all logs for UEMS" + + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects User logs for UEMS" + +# Documentation +# https://www.manageengine.com/unified-endpoint-management-security.html +# UEMS Manage Engine Agent is a remote access tool in the ManageEngine suite. +# We have observed this tool being deployed in a recent Cactus ransomware Campaign: +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index c8939bfc0..1a71fbfbe 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -89,6 +89,10 @@ Targets: Name: TeamViewer Category: ApplicationLogs Path: TeamViewerLogs.tkape + - + Name: UEMS + Category: ApplicationLogs + Path: UEMS.tkape - Name: UltraViewer Category: ApplicationLogs
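Review bot: UEMS.tkape only collects from `C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs` (and its VirtualStore mirror), so if an agent build installs under `C:\Program Files\ManageEngine\UEMS_Agent` instead, the target will silently return nothing; confirm the install location of the 64-bit agent and add a matching entry (with its own VirtualStore counterpart) if it differs. The `Category: RMM Tool` value also disagrees with the `ApplicationLogs` category that the compound entry in RemoteAdmin.tkape assigns to this same file, and the Name string (`Unified endpoint management and security solutions from ManageEngine`) is a product tagline shared by both entries rather than a target name; `ManageEngine UEMS Agent Logs` and `ManageEngine UEMS Agent Logs (VirtualStore)` would make the two distinguishable in output. In the Description and the documentation block, `Manage Engine` should be written `ManageEngine`, and the documentation line calling the agent "a remote access tool" should match the product page it links to, which describes it as an endpoint management agent.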
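Review bot: the change to RemoteAdmin.tkape consists of this single hunk in the Targets list, so the file's header lies outside the diff and its Version field was not bumped; the two new .tkape files in this patch show that targets carry a `Version:` field, and adding an entry to a compound target is the kind of behavioural change that should increment it. The entry itself is fine: it sits between TeamViewer and UltraViewer in alphabetical order, and `Path: UEMS.tkape` matches the filename created in Targets/Apps.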