Rule Update
20-034 (July 21, 2020)
Publish date: July 21, 2020
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1010352 - Data Exfiltration Over DNS (Response) Protocol (ATT&CK T1048)
LDAP Client
1009112 - PHP LDAP 'ldap_get_dn' Denial Of Service Vulnerability (CVE-2018-10548)
SAP NetWeaver Java Application Server
1010409 - Identified SAP NetWeaver AS JAVA Authentication Attempt
1010413 - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)
Web Application Common
1010344 - ThinkPHP Remote Code Exection Vulnerability (CVE-2019-9082)
Web Application PHP Based
1010375 - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability
Web Application Ruby Based
1010411 - Ruby On Rails Remote Code Execution Vulnerability (CVE-2020-8163)
Web Server Apache
1010400 - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1000473* - Parameter Name Length Restriction
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1028)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1028)
ZeroMQ Message Transport Protocol (ZMTP)
1010265* - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)
Integrity Monitoring Rules:
1008271* - Application - Docker
Log Inspection Rules:
1008852* - Auditd
1010390 - Microsoft Windows User Logon Events
Deep Packet Inspection Rules:
DCERPC Services
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1010352 - Data Exfiltration Over DNS (Response) Protocol (ATT&CK T1048)
LDAP Client
1009112 - PHP LDAP 'ldap_get_dn' Denial Of Service Vulnerability (CVE-2018-10548)
SAP NetWeaver Java Application Server
1010409 - Identified SAP NetWeaver AS JAVA Authentication Attempt
1010413 - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)
Web Application Common
1010344 - ThinkPHP Remote Code Exection Vulnerability (CVE-2019-9082)
Web Application PHP Based
1010375 - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability
Web Application Ruby Based
1010411 - Ruby On Rails Remote Code Execution Vulnerability (CVE-2020-8163)
Web Server Apache
1010400 - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1000473* - Parameter Name Length Restriction
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1028)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1028)
ZeroMQ Message Transport Protocol (ZMTP)
1010265* - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)
Integrity Monitoring Rules:
1008271* - Application - Docker
Log Inspection Rules:
1008852* - Auditd
1010390 - Microsoft Windows User Logon Events
Featured Stories
One Flaw too Many: Vulnerabilities in SCADA SystemsWhat is the current state of SCADA vulnerabilities? Staying informed is essential in the fight against exploits and cyberattacks with real-world consequences.Read more
Drilling Deep: A Look at Cyberattacks on the Oil and Gas IndustryWe break down the digital attacks against the oil and gas industry and its supply chain.Read more
Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the WildPatch now: Two Chrome zero-days were reported, one of them actively exploited in a campaign. Meanwhile, BlueKeep was initially reported seen in the wild to install a malicious Monero miner.Read more
PHP-FPM Vulnerability (CVE-2019-11043) can Lead to Remote Code Execution in NGINX Web ServersAdministrators of NGINX web servers running PHP-FPM are advised to patch a vulnerability (CVE-2019-11043) that can let threat actors execute remote code on vulnerable, NGINX-enabled web servers. Here’s what you need to know.Read more