Rule Update
20-031 (July 7, 2020)
Publish date: July 07, 2020
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1005448* - SMB Null Session Detected - 1
DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)
Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SSL/TLS Server
1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)
Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)
Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)
Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)
Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1002815* - Authentication Module - Unix Pluggable Authentication Module
1002831* - Unix - Syslog
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1005448* - SMB Null Session Detected - 1
DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)
Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SSL/TLS Server
1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)
Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)
Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)
Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)
Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1002815* - Authentication Module - Unix Pluggable Authentication Module
1002831* - Unix - Syslog
Featured Stories
One Flaw too Many: Vulnerabilities in SCADA SystemsWhat is the current state of SCADA vulnerabilities? Staying informed is essential in the fight against exploits and cyberattacks with real-world consequences.Read more
Drilling Deep: A Look at Cyberattacks on the Oil and Gas IndustryWe break down the digital attacks against the oil and gas industry and its supply chain.Read more
Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the WildPatch now: Two Chrome zero-days were reported, one of them actively exploited in a campaign. Meanwhile, BlueKeep was initially reported seen in the wild to install a malicious Monero miner.Read more
PHP-FPM Vulnerability (CVE-2019-11043) can Lead to Remote Code Execution in NGINX Web ServersAdministrators of NGINX web servers running PHP-FPM are advised to patch a vulnerability (CVE-2019-11043) that can let threat actors execute remote code on vulnerable, NGINX-enabled web servers. Here’s what you need to know.Read more