Microsoft Office
1011135 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-38655)
1011137 - Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2021-38658)
1011121 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-34478)
1011138 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-38659)
1011134 - Microsoft Office Visio Remote Code Execution Vulnerability (CVE-2021-38653)
1011136 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-38656)

Web Application PHP Based
1011154 - Identified WordPress 'wp-login.php' Brute Force Attempt
1010642* - WordPress XMLRPC Brute Force Amplification Attack

Web Client Common
1011129* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 1
1011130* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 3
1011140 - Google Chrome Use After Free Vulnerability (CVE-2020-6550)
1011139 - Google Chrome V8 Type Confusion Vulnerability (CVE-2021-30561)
1011080 - Microsoft 3D Viewer Remote Code Execution Vulnerability (ZDI-CAN-13085)
1011133 - Microsoft Visual Studio Remote Code Execution Vulnerability (CVE-2021-36952)

Web Server Common
1011118 - Centreon 'csv_HostGroupLogs.php' SQL Injection Vulnerability (CVE-2021-37556)
1011113* - Nagios XI Remote Command Injection Vulnerability (CVE-2021-37346)

Web Server HTTPS
1011132 - Centreon 'metaService.php' SQL Injection Vulnerability

Web Server Nagios
1011131 - Nagios XI Bulk Modification Tool SQL Injection Vulnerability (CVE-2021-37350)

Web Server Oracle
1011083* - Oracle Business Intelligence 'BIRemotingServlet' Insecure Deserialization Vulnerability (CVE-2021-2456)
1011086* - Oracle Business Intelligence 'Scheduler' Remote Code Execution Vulnerability (CVE-2021-2391)
1011084* - Oracle Business Intelligence 'UpdateConnectionServlet' Remote Code Execution Vulnerability (CVE-2021-2396)

Windows Services RPC Server DCERPC
1009892* - Identified Domain-Level Information Dumping Over DCERPC (ATT&CK T1003.006, T1018)
Integrity Monitoring Rules:
1011152 - Microsoft Windows - Active directory files modified (ATT&CK T1552.006)
1011151 - Microsoft Windows - Active directory registry keys modified (ATT&CK T1112)
1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)
1011146 - Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001)
1011145 - Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.014, T1547.004)
1011148 - Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001)
1011149 - Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001)
1011150 - Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001)
1011142 - Microsoft Windows - Network services registries modified (ATT&CK T1574.001, T1547.001)
1002860* - Microsoft Windows - SAM registry keys modified (ATT&CK T1098, T1136)
1011141 - Microsoft Windows - Windows file protection registry modified (ATT&CK T1546.008, T1112)
1006800* - TMTR-0002: Suspicious Files Detected In Operating System Directories (ATT&CK T1053.005)
1006798* - TMTR-0005: Suspicious Files Detected In Application Directories (ATT&CK T1562.001)
1006796* - TMTR-0007: Suspicious Files Detected In Application Directories (ATT&CK T1574.002)
1006799* - TMTR-0014: Suspicious Service Detected (ATT&CK T1543.003)
1006684* - TMTR-0015: Suspicious Service Detected (ATT&CK T1543.003)
1006691* - TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected (ATT&CK T1098, T1136)
1007214* - TMTR-0019: Suspicious Files Detected In System Drivers Directory (ATT&CK T1014)
1007218* - TMTR-0023: Suspicious Changes In NTLM Settings (ATT&CK T1547.005)
1010515* - Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1003802* - Directory Server - Microsoft Windows Active Directory
1010595* - Microsoft LDAP Query Execution
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1002795* - Microsoft Windows Events
1010095* - Microsoft Windows Management Instrumentation Events
1003987* - Microsoft Windows Security Events - 2
1008792* - Microsoft Windows Security Events - 4
1002831* - Unix - Syslog
1003447* - Web Server - Apache
1002835* - Web Server - Web Access Events