Rule Update

21-040 (September 7, 2021)

DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1011105* - Identified File Deletion From SMB Share (ATT&CK T1070.004)


DNS Server
1011102* - PowerDNS Authoritative Server Denial of Service Vulnerability (CVE-2021-36754)


Directory Server LDAP
1011114 - Identified Subnet Discovery Over LDAP (ATT&CK T1016)


Port Mapper FTP Client
1011089* - Identified File Upload Over FTP (ATT&CK T1048.003)


Suspicious Client Application Activity
1011119 - Disallow Download Of Restricted File Formats (ATT&CK T1105)


Suspicious Server Application Activity
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005, T1219)


Web Application Common
1011108* - GitStack Remote Code Execution Vulnerability (CVE-2018-5955) - 1
1011101* - MODX Revolution Remote Code Execution Vulnerability (CVE-2018-1000207)


Web Client Common
1011091* - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)


Web Client Internet Explorer/Edge
1009411* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)


Web Server Common
1005471* - Identified Suspicious Slow HTTP Denial Of Service Attack (ATT&CK T1498.001)
1011109 - Nagios XI 'Switch.inc.php' Command Injection Vulnerability (CVE-2021-37344)


Web Server HTTPS
1011115 - Identified Microsoft Exchange Server ECP Authentication Attempt
1011041* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)


Web Server Miscellaneous
1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)


Web Server Oracle
1011085 - Oracle Business Intelligence Arbitrary File Upload Vulnerability (CVE-2021-2392)
1011081 - Oracle Business Intelligence Publisher XML External Entity Injection Vulnerability (CVE-2021-2401)
1011096* - Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-2394)


Integrity Monitoring Rules:

1011116 - Linux/Unix - Kernel modules loading configuration modified (ATT&CK T1547.006)
1011111 - Linux/Unix - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1009629* - Microsoft Windows - AppCert DLL Registry values modified (ATT&CK T1546.009)
1009628* - Microsoft Windows - AppInit DLL Registry values modified (ATT&CK T1546.010)
1009639* - Microsoft Windows - Application shimming detected (ATT&CK T1546.011)
1002781* - Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004)
1009895* - Microsoft Windows - Component Object Model Registry keys modified (ATT&CK T1546.015)
1002859* - Microsoft Windows - LSA Authentication Packages modified (ATT&CK T1547.002)
1010353* - Microsoft Windows - LSA Notification Packages modified (ATT&CK T1556.002)
1009638* - Microsoft Windows - NetSh Helper DLL Registry keys modified (ATT&CK T1546.007)
1011071* - Microsoft Windows - OpenSSH registry keys modified (ATT&CK T1021.004, T1112)
1009618* - Microsoft Windows - Powershell activity detected (ATT&CK T1059.001)
1009710* - Microsoft Windows - Root Certificate Registry keys modified (ATT&CK T1553.004)
1009670* - Microsoft Windows - Service Registry keys modified (ATT&CK T1574.011)
1009672* - Microsoft Windows - Time Provider Registry keys modified (ATT&CK T1547.003)
1008720* - Microsoft Windows - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1010382* - Microsoft Windows - Windows Command Shell activity detected (ATT&CK T1059.003)


Log Inspection Rules:

1003802* - Directory Server - Microsoft Windows Active Directory
1010595* - Microsoft LDAP Query Execution
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1002795* - Microsoft Windows Events