Todas as vulnerabilidades

  • 21-013 (March 16, 2021)
     Data de publicação:  05 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    DNS Server
    1010863* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Oracle E-Business Suite Web Interface
    1010730 - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    Suspicious Server Ransomware Activity
    1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request


    Web Application PHP Based
    1010852* - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Server Common
    1010862* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010849 - Identified Zoom WebSocket Upgrade Request
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Web Server Miscellaneous
    1010682* - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Nagios
    1010866 - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server SharePoint
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Windows SMB Server
    1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-015 (March 30, 2021)
     Data de publicação:  05 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Client Common
    1010877 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 4


    Web Client HTTPS
    1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1


    Web Server Common
    1010867 - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
    1010875 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Windows SMB Server
    1010884 - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 long-lasting token vulnerability
     Schweregrad: :    
     Data de publicação:  26 de marzo de 2021

    Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

    The vulnerability has been submitted to ZDI on Dec 3, 2019.

    ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.

    The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:

    Details

    The researchers have tried two ways to successfully steal the access token in the HTTP header.

    1. Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
    2. Wireshark the default deployment, which does HTTP instead of HTTPS.

    We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).

    We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.

    After SN and token are obtained, it is easy to, for example, create a user, by using cURL:

    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

    Where the content of bugoy.user.post is:

    user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy Test1	privilege=14	disable=0	verify=0

    Vulnerability Type

    • CWE-613: Insufficient Session Expiration
    • CWE-295: Improper Certificate Validation

    Attack Type


    Remote

    Impact Information Disclosure


    true

    Attack Vectors


    An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.

    Mitigation

    • Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
    • Deny all unlisted access.

    Discoverer


    Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

    Reference

    https://www.zkteco.com/en/product_detail/FaceDepot-7B.html
  • 21-012 (March 11, 2021)
     Schweregrad: :    
     Data de publicação:  12 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server Miscellaneous
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-011 (March 9, 2021)
     Schweregrad: :    
     Data de publicação:  10 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Server
    1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Directory Server LDAP
    1010820* - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)


    SolarWinds Orion Platform
    1010810* - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Web Application Common
    1010818* - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Application PHP Based
    1010852 - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Client Common
    1010861 - Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2021-24093)


    Web Client Internet Explorer/Edge
    1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)


    Web Server Common
    1010801* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1010862 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)


    Web Server Miscellaneous
    1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
    1010682 - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Oracle
    1010851 - Identified Oracle Application Server 'OWA_UTIL PL/SQL' Package Access


    Web Server SharePoint
    1010836 - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1589, T1213.002, T1087)
    1010835 - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010834 - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010833 - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010832 - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010831 - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010830 - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Zoho ManageEngine
    1010811* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-010 (March 3, 2021)
     Schweregrad: :    
     Data de publicação:  04 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server HTTPS
    1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Integrity Monitoring Rules:

    1010855 - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-009 (March 2, 2021)
     Schweregrad: :    
     Data de publicação:  03 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010744* - DNS Request To Ngrok Domain Detected


    Directory Server LDAP
    1010820 - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)
    1010799* - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)


    FTP Server IIS
    1010797* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)


    SAP NetWeaver Java Application Server
    1010816 - Identified SAP Solution Manager Security Software Discovery Over HTTP (ATT&CK T1518.001)
    1010822 - Identified SAP Solution Manager Tool Transfer Over HTTP (ATT&CK T1105, T1570)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    SolarWinds Orion Platform
    1010810 - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Trend Micro OfficeScan
    1010780 - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities
    1010709* - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities (CVE-2020-28573 and CVE-2020-28576)


    Web Application Common
    1010818 - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Client Common
    1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
    1001933* - Identified Suspicious Usage Of Shellcode For Client


    Web Server Common
    1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
    1010802* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
    1010801 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1008581* - Identified Suspicious IP Addresses In XFF HTTP Header
    1010761* - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
    1010804* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)


    Web Server HTTPS
    1010850 - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)
    1010712* - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)


    Zoho ManageEngine
    1010811 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1003613* - DHCP Server - Microsoft Windows
    1003447* - Web Server - Apache
  • 21-008 (February 23, 2021)
     Schweregrad: :    
     Data de publicação:  24 de febrero de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share


    DNS Client
    1010771* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)


    Database Microsoft SQL
    1010643* - Microsoft SQL Database Server Possible Login Brute Force Attempt


    Directory Server LDAP
    1010799 - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)


    FTP Server IIS
    1010797 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)


    Hot Rod Client
    1009119* - Red Hat JBoss Data Grid Hot Rod Client Insecure Deserialization (CVE-2017-15089)


    Memcached
    1008916* - Identified Memcached Reflected UDP Traffic


    Web Application Common
    1010488* - Identified WordPress Database Reset Attempt
    1010562* - Mantis Bug Tracker 'verify.php' Remote Password Reset Vulnerability (CVE-2017-7615)
    1009310* - Microsoft Exchange Server SSRF Vulnerability (CVE-2018-16793)


    Web Application PHP Based
    1008858* - Identified Access To 'wp-admin' Directory


    Web Server Common
    1010796 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
    1010802 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
    1007651* - Identified Absence Of Configured CDN/Reverse Proxy HTTP Header
    1010761 - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
    1010804 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)


    Web Server HTTPS
    1010795* - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
    1010772* - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)


    Web Server Miscellaneous
    1008747* - Adobe ColdFusion RMI Registry Insecure Deserialization (CVE-2017-11284)
    1008840* - Apache CouchDB '_config' Command Execution Vulnerability


    Web Server Oracle
    1010752* - Oracle Coherence Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14756)


    Web Server SharePoint
    1010794* - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)


    Zoho ManageEngine
    1010774 - Identified WebNMS Framework Server Sensitive File Access (ATT&CK T1552.001)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-007 (February 16, 2021)
     Schweregrad: :    
     Data de publicação:  17 de febrero de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
    1008179* - Restrict File Extensions For Rename Activity Over Network Share


    DNS Client
    1010771 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
    1010784 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    Database Microsoft SQL
    1008759* - Microsoft SQL Server 'EXECUTE AS' Privilege Escalation Vulnerability


    Directory Server LDAP
    1010754* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)


    Microsoft Office
    1010785 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24070)
    1010786 - Microsoft Excel XLSX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24067)


    Suspicious Client Application Activity
    1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection


    Suspicious Client Ransomware Activity
    1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate


    Suspicious Server Application Activity
    1008918* - Identified Memcached Amplified Reflected Response


    Web Application Common
    1005933* - Identified Directory Traversal Sequence In Uri Query Parameter


    Web Application Ruby Based
    1008574* - Ruby On Rails Development Web Console Code Execution Vulnerability (CVE-2015-3224)


    Web Client Common
    1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
    1010790 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 3
    1010787 - Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Vulnerability (CVE-2021-24081)
    1010788 - Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24091)
    1004226* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability
    1006582* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability (CVE-2010-1885)
    1010789 - Microsoft Windows WAB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24083)


    Web Client SSL
    1006296* - Detected SSLv3 Response (ATT&CK T1032)
    1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)


    Web Server Apache
    1010751 - Proxifier Proxy Client


    Web Server Common
    1010737* - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
    1010736* - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
    1010769 - Identified Kubernetes Namespace API Requests
    1010477* - Java Unserialize Remote Code Execution Vulnerability - 1


    Web Server HTTPS
    1010795 - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
    1010772 - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)


    Web Server Miscellaneous
    1008610* - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
    1004874* - TimThumb Plugin Remote Code Execution Vulnerability


    Web Server SharePoint
    1010764* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
    1010794 - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)


    Windows Services RPC Server DCERPC
    1008479* - Identified Usage Of WMI Execute Methods - Server


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1003631* - DNS Server - Microsoft Windows
  • 20-031 (July 7, 2020)
     Schweregrad: :    
     Data de publicação:  17 de febrero de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
    1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
    1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
    1005448* - SMB Null Session Detected - 1


    DCERPC Services - Client
    1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)


    DNS Client
    1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol


    IBM WebSphere Application Server IIOP protocol
    1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)


    Oracle E-Business Suite Web Interface
    1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
    1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
    1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
    1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)


    SSL/TLS Server
    1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
    1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)


    Suspicious Client Application Activity
    1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
    1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
    1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
    1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
    1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
    1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)


    Suspicious Server Application Activity
    1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)


    Web Application Common
    1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
    1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
    1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
    1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
    1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)


    Web Application PHP Based
    1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
    1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
    1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)


    Web Application Ruby Based
    1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)


    Web Client Common
    1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
    1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
    1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)


    Web Server Common
    1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
    1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
    1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
    1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
    1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
    1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
    1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
    1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)


    Windows Services RPC Server DCERPC
    1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)


    Integrity Monitoring Rules:

    1010382 - CommandLine (ATT&CK T1059)
    1002779* - Microsoft Windows - System File Modified
    1009618* - PowerShell (ATT&CK T1086)
    1010373 - Systemd Service (ATT&CK T1501)
    1010389 - Unix - Process Monitor in /tmp and /var/tmp location


    Log Inspection Rules:

    1002828* - Application - Secure Shell Daemon (SSHD)
    1002815* - Authentication Module - Unix Pluggable Authentication Module
    1002831* - Unix - Syslog