Rule Update
20-031 (July 7, 2020)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1005448* - SMB Null Session Detected - 1
DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)
Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SSL/TLS Server
1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)
Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)
Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)
Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)
Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1002815* - Authentication Module - Unix Pluggable Authentication Module
1002831* - Unix - Syslog
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1005448* - SMB Null Session Detected - 1
DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)
Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SSL/TLS Server
1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)
Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)
Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)
Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)
Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1002815* - Authentication Module - Unix Pluggable Authentication Module
1002831* - Unix - Syslog
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more