Rule Update

20-059 (November 24, 2020)

Publish date: November 24, 2020

  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DNS Server
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
1010633 - Malware Trojan.Linux.Anchor.A
1010632 - Malware Trojan.Win64.Anchor.A


Directory Server LDAP
1010640 - Identified Remote Account Discovery Over LDAP (ATT&CK T1087)
1010641 - Identified Remote Permission Groups Discovery Over LDAP (ATT&CK T1069)
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)


Java RMI
1010579 - Adobe ColdFusion 'DataServicesCFProxy ROME' Framework Insecure Deserialization Vulnerability (CVE-2018-4939)
1009766 - Adobe Coldfusion RMI Port Mapper


NFS Server
1010604* - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)


Suspicious Client Application Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)


Suspicious Server Application Activity
1010638 - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634 - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload


Web Application Common
1010635 - Jenkins Groovy Plugin Sandbox Bypass Vulnerability (CVE-2019-1003030)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
1010592* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Multiple Vulnerabilities
1010593* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)


Web Client Common
1010622 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24434)
1010618 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2020-24436)
1010619 - Adobe Acrobat Reader DC Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24426)
1010620 - Adobe Acrobat Reader DC Use-After-Free Information Disclosure Vulnerability (CVE-2020-24438)
1010628 - Google Chrome V8 Memory Corruption Vulnerability (CVE-2020-16009)


Web Client Internet Explorer/Edge
1010621 - Microsoft Edge Chakra Array Iterator Type Confusion Vulnerability (CVE-2020-17048)


Web Server Apache
1004369* - Apache CXF XML DTD Processing Security Vulnerability
1000630* - Apache htgrep Header Information Leakage
1009045* - Apache httpd 'mod_cache_socache' Denial Of Service Vulnerability (CVE-2018-1303)


Web Server Common
1010099* - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)
1010630 - Trend Micro InterScan Web Security Virtual Appliance Command Injection Vulnerability (CVE-2020-8605)


Web Server Miscellaneous
1008134* - Apache Struts Double OGNL Evaluation Remote Code Execution Vulnerability (CVE-2016-0785)
1010627* - Trend Micro InterScan Web Security Virtual Appliance Buffer Overflow Vulnerability (CVE-2020-28578)
1010626* - Trend Micro Interscan Web Security Virtual Appliance 'libuiauutil.so' Buffer Overflow Vulnerability (CVE-2020-28579)


Web Server Nagios
1010598* - Nagios XI 'admin_views.inc.php' Arbitrary File Overwrite Vulnerability


Web Server Oracle
1010625 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010587 - Oracle WebLogic Server IIOP Protocol Remote Code Execution Vulnerability (CVE-2020-14841)
1010624 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010588 - Oracle WebLogic Server T3 Protocol Remote Code Execution Vulnerability (CVE-2020-14859)


Zoho ManageEngine
1010612 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15927)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1010595 - Microsoft LDAP Query Execution
1010139* - Microsoft Windows - Remote Desktop Services (ATT&CK T1021.001)
1002795* - Microsoft Windows Events

Featured Stories