Rule Update
20-063 (December 22, 2020)
Publish date: December 22, 2020
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010667* - Microsoft Windows Active Directory IntegratedDNS Remote Code Execution Vulnerability (CVE-2020-0761)
HP LoadRunner Agent Protocol
1010690 - HP LoadRunner 'launcher.dll' Stack Buffer Overflow Vulnerability (CVE-2015-2110)
SSL Client
1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)
Suspicious Client Ransomware Activity
1010675* - Identified HTTP Backdoor Win32.Beaconsolar.A Runtime Detection
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010462* - Identified HTTP Drovorub Command And Control Traffic
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload
Trend Micro InterScan Web Security Virtual Appliance
1010665* - Trend Micro InterScan Web Security Virtual Appliance Multiple Security Vulnerabilities
Web Application Common
1010661 - BlackCat CMS Cross-Site Request Forgery Bypass Vulnerability (CVE-2020-25453)
1010654 - Opmantek Open-AuditIT Professional Cross Site Request Forgery Vulnerability (CVE-2018-8979)
1010660* - Zoho ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability (CVE-2019-8394)
Web Application Tomcat
1010686 - Apache Tomcat HTTP PUT Windows Remote Code Execution Vulnerability (CVE-2017-12615)
1010688 - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1010583* - Google Chrome CSP Bypass Vulnerability (CVE-2020-6519)
Web Client HTTPS
1010676* - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request
1010693 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request - 1
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
Web Server Common
1010692 - CentOS Web Panel Arbitrary File Write Remote Code Execution Vulnerability (CVE-2020-15623)
1010650* - SaltStack Salt 'rest_cherrypy' Command Injection Remote Code Execution Vulnerability (CVE-2020-16846)
Web Server HTTPS
1010694 - Identified HTTP Backdoor.MSIL.Supernova.A Traffic Request
1010479* - Identified HTTP Ngioweb Command And Control Traffic
1010649* - Microsoft Exchange Memory Corruption Vulnerability (CVE-2020-17144)
Web Server Miscellaneous
1010691 - SolarWinds Orion Remote Code Execution Vulnerability (CVE-2020-14005)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010667* - Microsoft Windows Active Directory IntegratedDNS Remote Code Execution Vulnerability (CVE-2020-0761)
HP LoadRunner Agent Protocol
1010690 - HP LoadRunner 'launcher.dll' Stack Buffer Overflow Vulnerability (CVE-2015-2110)
SSL Client
1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)
Suspicious Client Ransomware Activity
1010675* - Identified HTTP Backdoor Win32.Beaconsolar.A Runtime Detection
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010462* - Identified HTTP Drovorub Command And Control Traffic
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload
Trend Micro InterScan Web Security Virtual Appliance
1010665* - Trend Micro InterScan Web Security Virtual Appliance Multiple Security Vulnerabilities
Web Application Common
1010661 - BlackCat CMS Cross-Site Request Forgery Bypass Vulnerability (CVE-2020-25453)
1010654 - Opmantek Open-AuditIT Professional Cross Site Request Forgery Vulnerability (CVE-2018-8979)
1010660* - Zoho ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability (CVE-2019-8394)
Web Application Tomcat
1010686 - Apache Tomcat HTTP PUT Windows Remote Code Execution Vulnerability (CVE-2017-12615)
1010688 - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1010583* - Google Chrome CSP Bypass Vulnerability (CVE-2020-6519)
Web Client HTTPS
1010676* - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request
1010693 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request - 1
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
Web Server Common
1010692 - CentOS Web Panel Arbitrary File Write Remote Code Execution Vulnerability (CVE-2020-15623)
1010650* - SaltStack Salt 'rest_cherrypy' Command Injection Remote Code Execution Vulnerability (CVE-2020-16846)
Web Server HTTPS
1010694 - Identified HTTP Backdoor.MSIL.Supernova.A Traffic Request
1010479* - Identified HTTP Ngioweb Command And Control Traffic
1010649* - Microsoft Exchange Memory Corruption Vulnerability (CVE-2020-17144)
Web Server Miscellaneous
1010691 - SolarWinds Orion Remote Code Execution Vulnerability (CVE-2020-14005)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Featured Stories
- Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
- Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
- The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
- Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more