Rule Update

20-061 (December 8, 2020)

DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1035)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1010652 - Microsoft Windows SMB2 Server Information Disclosure Vulnerability (CVE-2020-17140)
1010653 - Microsoft Windows SMB2 Server Remote Code Execution Vulnerability (CVE-2020-17096)
1008179* - Restrict File Extensions For Rename Activity Over Network Share


DCERPC Services - Client
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client


DHCP Server
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)


Database Microsoft SQL
1010643 - Microsoft SQL Database Server Possible Login Brute Force Attempt


Dynamics 365 Client Services
1010656 - Microsoft Dynamics 365 Commerce Remote Code Execution Vulnerabilities (CVE-2020-17152 and CVE-2020-17158)


HP Intelligent Management Center (IMC)
1009902* - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)


NFS Server
1010605* - Microsoft Windows Network File System NLM RPC Message Information Disclosure Vulnerability (CVE-2020-17056)


Redis Server
1009967* - Redis Unauthenticated Code Execution Vulnerability


Remote Desktop Protocol Server
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)


Suspicious Client Application Activity
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)


Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1010647 - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request


TFTP Server
1009365* - Microsoft Windows Deployment Services TFTP Server Remote Code Execution Vulnerability (CVE-2018-8476)


Web Application Common
1010648 - Wordpress Woody Ad Snippets Plugin Remote Code Execution Vulnerability (CVE-2019-15858)


Web Application PHP Based
1009395* - PHP 'imap_open()' Remote Code Execution Vulnerability (CVE-2018-19518)
1009776 - WordPress Comment Field Remote Code Execution Vulnerability (CVE-2019-9787)


Web Client Common
1010646 - Adobe Acrobat And Reader Use After Free Vulnerability (CVE-2020-24437)
1010645 - Atlassian Confluence Server 'HTML Include And Replace Macro' Plugin Cross Site Scripting Vulnerability (CVE-2019-15053)
1010657 - Microsoft Windows PE File Signature Spoofing Vulnerability (CVE-2020-1599)


Web Server Adobe ColdFusion
1009897* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7838)
1009387* - Adobe ColdFusion Remote File Upload Vulnerability (CVE-2018-15961)


Web Server Miscellaneous
1010347* - Eclipse Jetty Chunk Length Parsing Integer Overflow Vulnerability (CVE-2017-7657)
1009942* - GNOME 'libsoup' HTTP Chunked Encoding Remote Code Execution Vulnerability (CVE-2017-2885)
1010649 - Microsoft Windows Exchange Memory Corruption Vulnerability (CVE-2020-17144)


Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
1009806* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2647)
1009898* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2648)


Web Server SharePoint
1010655 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-17121)


Windows SMB Server
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)


Zoho ManageEngine
1009399* - Zoho ManageEngine OpManager 'oputilsServlet' Authentication Bypass (CVE-2018-17283)
1009955* - Zoho ManageEngine OpManager Unauthenticated Remote Command Execution Vulnerability (CVE-2019-15106)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1003473* - FTP Server - Vsftpd
1002795* - Microsoft Windows Events
1008670* - Microsoft Windows Security Events - 3
1010541* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)