Rule Update
20-059 (November 24, 2020)
Publish date: November 24, 2020
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Server
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
1010633 - Malware Trojan.Linux.Anchor.A
1010632 - Malware Trojan.Win64.Anchor.A
Directory Server LDAP
1010640 - Identified Remote Account Discovery Over LDAP (ATT&CK T1087)
1010641 - Identified Remote Permission Groups Discovery Over LDAP (ATT&CK T1069)
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)
Java RMI
1010579 - Adobe ColdFusion 'DataServicesCFProxy ROME' Framework Insecure Deserialization Vulnerability (CVE-2018-4939)
1009766 - Adobe Coldfusion RMI Port Mapper
NFS Server
1010604* - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)
Suspicious Client Application Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Application Activity
1010638 - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634 - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload
Web Application Common
1010635 - Jenkins Groovy Plugin Sandbox Bypass Vulnerability (CVE-2019-1003030)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
1010592* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Multiple Vulnerabilities
1010593* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)
Web Client Common
1010622 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24434)
1010618 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2020-24436)
1010619 - Adobe Acrobat Reader DC Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24426)
1010620 - Adobe Acrobat Reader DC Use-After-Free Information Disclosure Vulnerability (CVE-2020-24438)
1010628 - Google Chrome V8 Memory Corruption Vulnerability (CVE-2020-16009)
Web Client Internet Explorer/Edge
1010621 - Microsoft Edge Chakra Array Iterator Type Confusion Vulnerability (CVE-2020-17048)
Web Server Apache
1004369* - Apache CXF XML DTD Processing Security Vulnerability
1000630* - Apache htgrep Header Information Leakage
1009045* - Apache httpd 'mod_cache_socache' Denial Of Service Vulnerability (CVE-2018-1303)
Web Server Common
1010099* - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)
1010630 - Trend Micro InterScan Web Security Virtual Appliance Command Injection Vulnerability (CVE-2020-8605)
Web Server Miscellaneous
1008134* - Apache Struts Double OGNL Evaluation Remote Code Execution Vulnerability (CVE-2016-0785)
1010627* - Trend Micro InterScan Web Security Virtual Appliance Buffer Overflow Vulnerability (CVE-2020-28578)
1010626* - Trend Micro Interscan Web Security Virtual Appliance 'libuiauutil.so' Buffer Overflow Vulnerability (CVE-2020-28579)
Web Server Nagios
1010598* - Nagios XI 'admin_views.inc.php' Arbitrary File Overwrite Vulnerability
Web Server Oracle
1010625 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010587 - Oracle WebLogic Server IIOP Protocol Remote Code Execution Vulnerability (CVE-2020-14841)
1010624 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010588 - Oracle WebLogic Server T3 Protocol Remote Code Execution Vulnerability (CVE-2020-14859)
Zoho ManageEngine
1010612 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15927)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1010595 - Microsoft LDAP Query Execution
1010139* - Microsoft Windows - Remote Desktop Services (ATT&CK T1021.001)
1002795* - Microsoft Windows Events
Deep Packet Inspection Rules:
DNS Server
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
1010633 - Malware Trojan.Linux.Anchor.A
1010632 - Malware Trojan.Win64.Anchor.A
Directory Server LDAP
1010640 - Identified Remote Account Discovery Over LDAP (ATT&CK T1087)
1010641 - Identified Remote Permission Groups Discovery Over LDAP (ATT&CK T1069)
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)
Java RMI
1010579 - Adobe ColdFusion 'DataServicesCFProxy ROME' Framework Insecure Deserialization Vulnerability (CVE-2018-4939)
1009766 - Adobe Coldfusion RMI Port Mapper
NFS Server
1010604* - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)
Suspicious Client Application Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Application Activity
1010638 - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634 - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload
Web Application Common
1010635 - Jenkins Groovy Plugin Sandbox Bypass Vulnerability (CVE-2019-1003030)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
1010592* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Multiple Vulnerabilities
1010593* - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)
Web Client Common
1010622 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24434)
1010618 - Adobe Acrobat Pro DC PDF Export Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2020-24436)
1010619 - Adobe Acrobat Reader DC Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2020-24426)
1010620 - Adobe Acrobat Reader DC Use-After-Free Information Disclosure Vulnerability (CVE-2020-24438)
1010628 - Google Chrome V8 Memory Corruption Vulnerability (CVE-2020-16009)
Web Client Internet Explorer/Edge
1010621 - Microsoft Edge Chakra Array Iterator Type Confusion Vulnerability (CVE-2020-17048)
Web Server Apache
1004369* - Apache CXF XML DTD Processing Security Vulnerability
1000630* - Apache htgrep Header Information Leakage
1009045* - Apache httpd 'mod_cache_socache' Denial Of Service Vulnerability (CVE-2018-1303)
Web Server Common
1010099* - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)
1010630 - Trend Micro InterScan Web Security Virtual Appliance Command Injection Vulnerability (CVE-2020-8605)
Web Server Miscellaneous
1008134* - Apache Struts Double OGNL Evaluation Remote Code Execution Vulnerability (CVE-2016-0785)
1010627* - Trend Micro InterScan Web Security Virtual Appliance Buffer Overflow Vulnerability (CVE-2020-28578)
1010626* - Trend Micro Interscan Web Security Virtual Appliance 'libuiauutil.so' Buffer Overflow Vulnerability (CVE-2020-28579)
Web Server Nagios
1010598* - Nagios XI 'admin_views.inc.php' Arbitrary File Overwrite Vulnerability
Web Server Oracle
1010625 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010587 - Oracle WebLogic Server IIOP Protocol Remote Code Execution Vulnerability (CVE-2020-14841)
1010624 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14825)
1010588 - Oracle WebLogic Server T3 Protocol Remote Code Execution Vulnerability (CVE-2020-14859)
Zoho ManageEngine
1010612 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15927)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1010595 - Microsoft LDAP Query Execution
1010139* - Microsoft Windows - Remote Desktop Services (ATT&CK T1021.001)
1002795* - Microsoft Windows Events
Featured Stories
- Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
- Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
- The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
- Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more