DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)

DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol

IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)

Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)

Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)

Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)

Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)

Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)

Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)

Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)

Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)

Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
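The listing above is the rule-update format this page uses: a category name followed by entries of the form `<7-digit rule ID>[*] - <rule name>`, with CVE identifiers and ATT&CK technique tags embedded in the name. As an added example (not Trend Micro's code and not part of the original page), the Python below parses that format into records so a team can cross-reference a release against its own open CVE findings. It handles both layouts the text appears in: a category on its own line, and several rules run together after the category on one line. The sample text in the block is constructed from a few entries of this listing. The meaning of the asterisk is not stated on this page, so the parser only preserves it as a flag; the helper names (`parse_rules`, `cves_in_release`, `rules_for_cves`) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of entries copied from the listing on this page,
# deliberately mixing the two layouts the text appears in (category on its own
# line, and several rules run together after the category on one line).
SAMPLE = """\
DNS Client 1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
Suspicious Client Application Activity 1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105) 1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
Web Server Common
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059) 1010389 - Unix - Process Monitor in /tmp and /var/tmp location
"""

# A rule entry starts with a 7-digit rule ID, an optional asterisk, then " - ".
# The lookbehind stops a longer digit run from being cut into a fake rule ID.
RULE_RE = re.compile(r"(?<!\d)(\d{7})(\*?) - ")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ATTACK_RE = re.compile(r"ATT&CK (T\d{4}(?:\.\d{3})?)")


@dataclass
class Rule:
    rule_id: str
    starred: bool          # asterisk present in the listing (legend not on this page)
    category: str
    name: str
    cves: List[str] = field(default_factory=list)
    attack: Optional[str] = None


def parse_rules(text: str) -> List[Rule]:
    """Parse a rule-update listing into Rule records.

    A line with no rule ID is a category or section header. A line that has
    text before its first rule ID uses that text as the category for itself
    and for the rule-only lines that follow it.
    """
    rules: List[Rule] = []
    category = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = list(RULE_RE.finditer(line))
        if not hits:
            category = line.rstrip(":")
            continue
        prefix = line[: hits[0].start()].strip()
        if prefix:
            category = prefix
        for i, m in enumerate(hits):
            # The name runs up to the next rule ID on the same line, or to end of line.
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            name = line[m.end():end].strip()
            attack = ATTACK_RE.search(name)
            rules.append(Rule(
                rule_id=m.group(1),
                starred=bool(m.group(2)),
                category=category,
                name=name,
                cves=CVE_RE.findall(name),
                attack=attack.group(1) if attack else None,
            ))
    return rules


def cves_in_release(rules: List[Rule]) -> List[str]:
    """Sorted, de-duplicated CVE identifiers covered by the release."""
    return sorted({cve for r in rules for cve in r.cves})


def rules_for_cves(rules: List[Rule], wanted: List[str]) -> List[str]:
    """Rule IDs that cover any CVE in `wanted`, e.g. an organisation's open findings."""
    want = set(wanted)
    return [r.rule_id for r in rules if want.intersection(r.cves)]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for r in parsed:
        print(f"{r.rule_id}{'*' if r.starred else ' '} [{r.category}] {r.name}")
    print("CVEs:", cves_in_release(parsed))
    print("Rules for CVE-2020-5902:", rules_for_cves(parsed, ["CVE-2020-5902"]))
```

Feed `parse_rules` the text of a release and pass the output of your vulnerability scanner's open CVE list to `rules_for_cves` to see which rules in the release are worth prioritising; rules with an ATT&CK tag but no CVE (the behavioural detections in the listing) have to be reviewed by technique instead.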