Rule Update

21-035 (August 3, 2021)


DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)


DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow


File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)


Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)


Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)


Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)


SSL Client
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)


SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)


Suspicious Client Application Activity
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)


Suspicious Server Application Activity
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)


Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)


Web Application Common
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)


Web Application PHP Based
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)


Web Client Common
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution


Web Server Common
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)


Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability


Web Server SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)


Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)


Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)


Integrity Monitoring Rules:

1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.