Description

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1004808* - Identified Big-Endian Byte Order
1005889* - Identified POSWDS Malware Connection Over SMB
1002937* - Integer Overflow In IPP Service Vulnerability
1003824* - License Logging Server Heap Overflow Vulnerability
1004600* - Microsoft Active Directory 'BROWSER ELECTION' Buffer Overflow Vulnerability
1003015* - Microsoft SMB Credential Reflection Vulnerability
1006579* - Microsoft Windows NETLOGON Spoofing Vulnerability (CVE-2015-0005)
1002931* - Microsoft Windows SMB Buffer Underflow Vulnerability
1000972* - Microsoft Windows svcctl ChangeServiceConfig2A() Memory Corruption Vulnerability
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1003564* - Print Spooler Load Library Vulnerability
1005140* - Print Spooler Service Format String Vulnerability (CVE-2012-1851)
1004401* - Print Spooler Service Impersonation Vulnerability
1007125* - Remote Access Event Through SMBv1 Protocol Detected
1007121* - Remote Access Event Through SMBv2 Protocol Detected
1006995* - Remote Add Job Through SMBv1 Protocol Detected
1007037* - Remote Add Job Through SMBv2 Protocol Detected
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007066* - Remote Delete Job Through SMBv1 Protocol Detected
1007038* - Remote Delete Job Through SMBv2 Protocol Detected
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007070* - Remote PWDUMP Through SMBv1 Protocol Detected
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007032* - Remote Schedule Task Create Through SMBv1 Protocol Detected
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
1003985* - SMB Memory Corruption Vulnerability
1003979* - SMB Null Pointer Vulnerability
1003978* - SMB Pathname Overflow Vulnerability
1004346* - SMB Pool Overflow Vulnerability
1004355* - SMB Stack Exhaustion Vulnerability
1004641* - SMB Transaction Parsing Vulnerability (CVE-2011-0661)
1004348* - SMB Variable Validation Vulnerability
1002975* - Server Service Vulnerability (wkssvc)
1004542* - Windows Netlogon Service Denial Of Service (CVE-2010-2742)
1003676* - Workstation Service Memory Corruption Vulnerability


DCERPC Services - Client
1004821* - Active Accessibility Insecure Library Loading Vulnerability (CVE-2011-1247)
1004924* - Color Control Panel Insecure Library Loading Vulnerability Over Network Share (CVE-2010-5082)
1004700* - DFS Memory Corruption Vulnerability (CVE-2011-1868)
1004762* - Data Access Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1975)
1004304* - Identified Suspicious Microsoft Windows Shortcut File Over Network Share (ATT&CK T1080)
1004926* - Indeo Codec Insecure Library Loading Vulnerability Over Network Share (CVE-2010-3138)
1004563* - Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability Over Network Share
1003832* - Microsoft Windows 'KeAccumulateTicks()' SMB2 Packet Remote Denial Of Service Vulnerability
1005281* - Microsoft Windows Briefcase Integer Overflow Vulnerability Over Network Share (CVE-2012-1528)
1005280* - Microsoft Windows Briefcase Integer Underflow Vulnerability Over Network Share (CVE-2012-1527)
1004053* - Microsoft Windows CHM Notepad Remote Code Execution
1006554* - Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-0096)
1006013* - Microsoft Windows Insecure Binary Loading Vulnerability Over Network Share (CVE-2014-0315)
1006292* - Microsoft Windows OLE Remote Code Execution Vulnerability Over SMB
1004697* - OLE Automation Underflow Vulnerability (CVE-2011-0658)
1004897* - Object Packager Insecure Executable Launching Vulnerability Over Network Share (CVE-2012-0009)
1004877* - PowerPoint Insecure Library Loading Vulnerability Over Network Share (CVE-2011-3396)
1005153* - Print Spooler Service Format String Vulnerability (CVE-2012-1851) II
1005139* - Remote Administration Protocol Denial Of Service Vulnerability (CVE-2012-1850)
1005142* - Remote Administration Protocol Stack Overflow Vulnerability
1004094* - SMB Client Memory Allocation Vulnerability
1004100* - SMB Client Message Size Vulnerability
1003973* - SMB Client Pool Corruption Vulnerability
1003980* - SMB Client Race Condition Vulnerability
1004096* - SMB Client Response Parsing Vulnerability
1004637* - SMB Client Response Parsing Vulnerability (CVE-2011-0660)
1004095* - SMB Client Transaction Vulnerability
1003014* - SMB Credential Reflection Vulnerability
1004692* - SMB Response Parsing Vulnerability (CVE-2011-1268)
1004775* - Telnet Handler Remote Code Execution Vulnerability Over Network Share (CVE-2011-1961)
1012387 - Trend Micro Apex One Client Remote Code Execution Vulnerability Over SMB (CVE-2025-49155)
1005081* - Vulnerability In Windows Shell Could Allow Remote Code Execution (CVE-2012-0175)
1004797* - Windows Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1991)
1004843* - Windows Mail Insecure Library Loading Vulnerability Over Network Share (CVE-2011-2016)


DNS Client
1003189* - Malware AGENT.BTZ Domain Blocker
1000468* - Microsoft Word Malformed Object Pointer Remote Code Execution
1003133* - Pointer Reference Memory Corruption Vulnerability Domain Blocker


HP Intelligent Management Center (IMC)
1012392 - Apache OFBiz Stored Cross-Site Scripting Vulnerability (CVE-2025-30676)


Ivanti Endpoint Manager
1012204* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-50328)
1012283* - Ivanti Endpoint Manager Untrusted Search Path Vulnerability (CVE-2024-13158)


JetBrains TeamCity
1012238* - JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2024-47951)


Link-Local Multicast Name Resolution
1004645* - DNS Query Vulnerability (CVE-2011-0657)


NTP Client
1006630* - NTP MAC Security Bypass Vulnerability (CVE-2015-1798)


Remote Desktop Protocol Server
1006870* - Microsoft Windows Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability (CVE-2015-2373)
1004949* - Remote Desktop Protocol Vulnerability (CVE-2012-0002)
1005138* - Remote Desktop Protocol Vulnerability (CVE-2012-2526)


Shellcode
1005428* - Identified Suspicious Shellcode Over Network Traffic
1001183* - Identified Suspicious Usage Of Shellcode
1001202* - Identified Suspicious Usage Of Shellcode Encoders
1002359* - Identified Suspicious Usage Of Shellcode In Network Traffic


Suspicious Client Application Activity
1007113* - HTRANS Response Detected
1005067* - Identified Potentially Harmful Client Traffic
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1571)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1571, T1219)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1571)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1571)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1571)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
1007181* - TMTR-0001: PRORAT HTTP Request
1007182* - TMTR-0003: PRORAT HTTP Request
1005294* - TMTR-0004: GHOST RAT HTTP Request
1007184* - TMTR-0006: BUTERAT HTTP Request


Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1005090* - Identified Potentially Harmful Server Traffic


TFTP Client
1003527* - Allow TFTP Client Traffic


Telnet Client
1003687* - Telnet Credential Reflection Vulnerability


Web Application PHP Based
1012281* - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2024-49754)


Web Client Common
1005924* - Restrict Download Of EICAR Test File Over HTTP


Web Server Miscellaneous
1012248* - Jenkins 'Simple Queue' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2024-54003)


Web Server Nagios
1012385 - Nagios XI Arbitrary File Write Vulnerability


Windows Services RPC Server DCERPC
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053.005)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.