Rule Update
25-028 (8 July 2025)
Publication date: 8 July 2025
Description
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1021.002)
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1569.002)
1008119* - Microsoft Windows Local Security Authority Subsystem Service (LSASS) Denial Of Service Vulnerability (CVE-2017-0004)
1008123* - Microsoft Windows Local Security Authority Subsystem Service Denial Of Service Vulnerability (CVE-2016-7237)
1008227* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
1008432* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0267)
1008660* - Microsoft Windows SMB Out-Of-Bounds Read Denial Of Service Vulnerability (CVE-2017-11781)
1008224* - Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
1008225* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
1008228* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
1008306* - Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)
1008713* - Microsoft Windows SMB Server SMBv1 Information Disclosure Vulnerability (CVE-2017-11815)
1008468* - Microsoft Windows SMBv1 Information Disclosure Vulnerability (CVE-2017-0271)
1008305* - Microsoft Windows SMBv1 Remote Code Execution Vulnerability
1008445* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)
1008560* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8620)
1007432* - Microsoft Windows Server Message Block Memory Corruption Vulnerability (CVE-2015-2474)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1078.002,T1078.001,T1021.002)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007033* - Remote Scheduled Task Access Through SMBv1 Protocol Detected
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
1003984* - SMB NTLM Authentication Lack Of Entropy Vulnerability
1005448* - SMB Null Session Detected - 1
1005447* - SMB Null Session Detected - 2
1003761* - SMBv2 Infinite Loop Vulnerability
1003712* - Windows Vista SMB2.0 Negotiate Protocol Request Remote Code Execution
DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1574.002)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1059.001)
1004293* - Identified Microsoft Windows Shortcut File Over Network Share
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client
1007592* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (CVE-2016-0160 and CVE-2016-0148)
1007381* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS15-132)
1007369* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-007)
1007426* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-014)
1008177* - Microsoft Windows DLL Loading Vulnerability Over Network Share (CVE-2017-0039)
1008585* - Microsoft Windows LNK Remote Code Execution Over SMB (CVE-2017-8464)
1010394* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)
1010553* - Microsoft Windows Media Foundation Memory Corruption Vulnerability Over SMB (CVE-2020-16915)
1007531* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128)
1008138* - Microsoft Windows SMB Tree Connect Response Denial Of Service Vulnerability (CVE-2017-0016)
DHCP Client
1000861* - Microsoft Windows DHCP Client Service Remote Code Execution
DNS Client
1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
1008666* - Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)
Database Microsoft SQL
1012391 - Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49718)
Ivanti Endpoint Manager
1012396 - Ivanti Endpoint Manager Credential Coercion Vulnerability (CVE-2024-13159)
MSMQ Service
1012227* - Microsoft Windows Message Queuing Service Remote Code Execution Vulnerability (CVE-2024-49122)
Mail Server Common
1012143* - Roundcube Webmail Stored Cross-Site Scripting Vulnerability (CVE-2024-37383)
NTP Client
1008004* - NTP 'ntpq atoascii' Memory Corruption Vulnerability (CVE-2015-7852)
Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1544, T1071.002)
Ray Framework
1012153* - Ray Remote Code Execution Vulnerability (CVE-2023-48022)
Remote Desktop Protocol Server
1009562* - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110, T1021.001)
1008307* - Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (CVE-2017-0176)
1009749* - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)
Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071.001)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007186* - TMTR-0007: STRAT HTTP Request
1007199* - TMTR-0008: STRAT HTTP Request
1007198* - TMTR-0009: STRAT HTTP Request
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007206* - TMTR-0013: FAKEMRAT HTTP Request
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007202* - TMTR-0015: PSYRAT HTTP Request
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)
Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1021.001)
WSO2
1012249* - WSO2 Multiple Products Arbitrary File Upload Vulnerability (CVE-2024-7074)
Web Application Common
1012397 - Liferay Multiple Products Reflected Cross-Site Scripting Vulnerability (CVE-2025-4388)
Web Server Common
1011242* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Web Server Oracle
1012244* - Oracle WebLogic Server Insecure Deserialization Vulnerability (CVE-2024-21182)
Web Server SharePoint
1012390 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-49704)
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1021.006, T1059.001)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1021.006, T1059.001)
Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1021.006, T1059.001)
Windows SMB Client
1006994* - Executable File Download On Network Share Detected
Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1570)
1011018* - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
1012394 - Microsoft Windows NEGOEX Remote Code Execution Vulnerability (CVE-2025-47981)
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)
Windows Server DCERPC
1011016* - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
1007539* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128) - 1
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1047)
1003766* - Local Security Authority Subsystem Service Integer Overflow Vulnerability
1007068* - Remote Service Execution Through SMBv2 Protocol Detected
Integrity Monitoring Rules:
1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified
1010812* - Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002)
1010373* - Linux/Unix - Systemd service modified (ATT&CK T1543.002)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.