Rule Update

21-042 (September 21, 2021)


DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Azure Open Management Infrastructure Tool
1011147 - Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647)


DCERPC Services
1011105* - Identified File Deletion From SMB Share (ATT&CK T1070.004)


Microsoft Office
1011135 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-38655)
1011137 - Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2021-38658)
1011121 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-34478)
1011138 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-38659)
1011134 - Microsoft Office Visio Remote Code Execution Vulnerability (CVE-2021-38653)
1011136 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-38656)


Web Application PHP Based
1011154 - Identified WordPress 'wp-login.php' Brute Force Attempt
1010642* - WordPress XMLRPC Brute Force Amplification Attack

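The two WordPress rules above cover the same credential-guessing activity seen through two different request shapes: repeated POSTs to 'wp-login.php', and a single XML-RPC 'system.multicall' request that packs many 'wp.getUsersBlogs' authentication attempts into one HTTP transaction (the "amplification" in rule 1010642's name). The following is an added illustration of that detection idea, written for this page; it is not Trend Micro's rule logic, which is not published here. It assumes Apache combined-format access log lines (constructed below, not real traffic), treats a POST to /wp-login.php that returns HTTP 200 as a failed login (WordPress re-renders the form on failure and answers a success with a 302), and uses a threshold of 5 failures per source in 60 seconds and 10 nested authentication calls per XML-RPC request; all of those numbers are illustrative choices, not values taken from the rules.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Apache combined log: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

# Constructed sample traffic (not real): one source hammering wp-login.php,
# one ordinary user who fails once and then logs in (302).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Sep/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
203.0.113.7 - - [21/Sep/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
203.0.113.7 - - [21/Sep/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
203.0.113.7 - - [21/Sep/2021:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
203.0.113.7 - - [21/Sep/2021:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
203.0.113.7 - - [21/Sep/2021:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.26.0"
198.51.100.9 - - [21/Sep/2021:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Sep/2021:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Sep/2021:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def detect_wp_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed wp-login.php POSTs per source IP.

    Assumption (illustrative, not the rule's logic): a POST to /wp-login.php
    answered with HTTP 200 is a failed login; a success redirects with 302.
    Returns {ip: peak_failures_in_window} for every source that crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


# XML-RPC methods that carry a username/password pair and so can be used for guessing.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "metaWeblog.getUsersBlogs"}


def build_multicall_body(credentials):
    """Constructed sample request body: one system.multicall wrapping one
    wp.getUsersBlogs call per (user, password) pair, as an amplification attempt would."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{password}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for user, password in credentials
    )
    return ("<methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")


def inspect_xmlrpc(body, max_nested_auth_calls=10):
    """Parse an XML-RPC request body and count authentication calls nested in a
    system.multicall. 'amplified' is True when one HTTP request carries more
    credential attempts than max_nested_auth_calls (an illustrative threshold)."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return None
    top = root.findtext("methodName")
    nested = Counter()
    if top == "system.multicall":
        for struct in root.iter("struct"):
            for member in struct.findall("member"):
                if member.findtext("name") == "methodName":
                    nested[member.findtext("value/string")] += 1
    auth_calls = sum(n for name, n in nested.items() if name in AUTH_METHODS)
    return {"method": top, "nested": dict(nested), "auth_calls": auth_calls,
            "amplified": auth_calls > max_nested_auth_calls}


if __name__ == "__main__":
    print(detect_wp_login_bruteforce(SAMPLE_ACCESS_LOG.splitlines()))
    body = build_multicall_body([("admin", f"pw{i}") for i in range(50)])
    print(inspect_xmlrpc(body))
```

The two detectors look at different layers on purpose: the login-page check only needs access logs (the "Web Server - Web Access Events" log inspection rule feeds exactly that data), while the XML-RPC check needs the request body and therefore belongs in deep packet inspection or a WAF. Note that a rate threshold alone is blind to the multicall case, because the attacker sends a single request.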

Web Client Common
1011129* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 1
1011130* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 3
1011140 - Google Chrome Use After Free Vulnerability (CVE-2020-6550)
1011139 - Google Chrome V8 Type Confusion Vulnerability (CVE-2021-30561)
1011080 - Microsoft 3D Viewer Remote Code Execution Vulnerability (ZDI-CAN-13085)
1011133 - Microsoft Visual Studio Remote Code Execution Vulnerability (CVE-2021-36952)


Web Server Common
1011118 - Centreon 'csv_HostGroupLogs.php' SQL Injection Vulnerability (CVE-2021-37556)
1011113* - Nagios XI Remote Command Injection Vulnerability (CVE-2021-37346)


Web Server HTTPS
1011132 - Centreon 'metaService.php' SQL Injection Vulnerability


Web Server Nagios
1011131 - Nagios XI Bulk Modification Tool SQL Injection Vulnerability (CVE-2021-37350)


Web Server Oracle
1011083* - Oracle Business Intelligence 'BIRemotingServlet' Insecure Deserialization Vulnerability (CVE-2021-2456)
1011086* - Oracle Business Intelligence 'Scheduler' Remote Code Execution Vulnerability (CVE-2021-2391)
1011084* - Oracle Business Intelligence 'UpdateConnectionServlet' Remote Code Execution Vulnerability (CVE-2021-2396)


Windows Services RPC Server DCERPC
1009892* - Identified Domain-Level Information Dumping Over DCERPC (ATT&CK T1003.006, T1018)


Integrity Monitoring Rules:

1011152 - Microsoft Windows - Active directory files modified (ATT&CK T1552.006)
1011151 - Microsoft Windows - Active directory registry keys modified (ATT&CK T1112)
1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)
1011146 - Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001)
1011145 - Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.014, T1547.004)
1011148 - Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001)
1011149 - Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001)
1011150 - Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001)
1011142 - Microsoft Windows - Network services registries modified (ATT&CK T1574.001, T1547.001)
1002860* - Microsoft Windows - SAM registry keys modified (ATT&CK T1098, T1136)
1011141 - Microsoft Windows - Windows file protection registry modified (ATT&CK T1546.008, T1112)
1006800* - TMTR-0002: Suspicious Files Detected In Operating System Directories (ATT&CK T1053.005)
1006798* - TMTR-0005: Suspicious Files Detected In Application Directories (ATT&CK T1562.001)
1006796* - TMTR-0007: Suspicious Files Detected In Application Directories (ATT&CK T1574.002)
1006799* - TMTR-0014: Suspicious Service Detected (ATT&CK T1543.003)
1006684* - TMTR-0015: Suspicious Service Detected (ATT&CK T1543.003)
1006691* - TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected (ATT&CK T1098, T1136)
1007214* - TMTR-0019: Suspicious Files Detected In System Drivers Directory (ATT&CK T1014)
1007218* - TMTR-0023: Suspicious Changes In NTLM Settings (ATT&CK T1547.005)
1010515* - Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)


Log Inspection Rules:

1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1003802* - Directory Server - Microsoft Windows Active Directory
1010595* - Microsoft LDAP Query Execution
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1002795* - Microsoft Windows Events
1010095* - Microsoft Windows Management Instrumentation Events
1003987* - Microsoft Windows Security Events - 2
1008792* - Microsoft Windows Security Events - 4
1002831* - Unix - Syslog
1003447* - Web Server - Apache
1002835* - Web Server - Web Access Events