Rule Update
21-007 (February 16, 2021)
Publish date: February 16, 2021
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
DNS Client
1010771 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
1010784 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic
Database Microsoft SQL
1008759* - Microsoft SQL Server 'EXECUTE AS' Privilege Escalation Vulnerability
Directory Server LDAP
1010754* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)
Microsoft Office
1010785 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24070)
1010786 - Microsoft Excel XLSX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24067)
Suspicious Client Application Activity
1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection
Suspicious Client Ransomware Activity
1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
Suspicious Server Application Activity
1008918* - Identified Memcached Amplified Reflected Response
Web Application Common
1005933* - Identified Directory Traversal Sequence In Uri Query Parameter
Web Application Ruby Based
1008574* - Ruby On Rails Development Web Console Code Execution Vulnerability (CVE-2015-3224)
Web Client Common
1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1010790 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 3
1010787 - Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Vulnerability (CVE-2021-24081)
1010788 - Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24091)
1004226* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability
1006582* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability (CVE-2010-1885)
1010789 - Microsoft Windows WAB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24083)
Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1032)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)
Web Server Apache
1010751 - Proxifier Proxy Client
Web Server Common
1010737* - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
1010736* - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
1010769 - Identified Kubernetes Namespace API Requests
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010795 - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
1010772 - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)
Web Server Miscellaneous
1008610* - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
1004874* - TimThumb Plugin Remote Code Execution Vulnerability
Web Server SharePoint
1010764* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
1010794 - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)
Windows Services RPC Server DCERPC
1008479* - Identified Usage Of WMI Execute Methods - Server
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003631* - DNS Server - Microsoft Windows
Deep Packet Inspection Rules:
DCERPC Services
1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
DNS Client
1010771 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
1010784 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic
Database Microsoft SQL
1008759* - Microsoft SQL Server 'EXECUTE AS' Privilege Escalation Vulnerability
Directory Server LDAP
1010754* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)
Microsoft Office
1010785 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24070)
1010786 - Microsoft Excel XLSX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24067)
Suspicious Client Application Activity
1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection
Suspicious Client Ransomware Activity
1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
Suspicious Server Application Activity
1008918* - Identified Memcached Amplified Reflected Response
Web Application Common
1005933* - Identified Directory Traversal Sequence In Uri Query Parameter
Web Application Ruby Based
1008574* - Ruby On Rails Development Web Console Code Execution Vulnerability (CVE-2015-3224)
Web Client Common
1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1010790 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 3
1010787 - Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Vulnerability (CVE-2021-24081)
1010788 - Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24091)
1004226* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability
1006582* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability (CVE-2010-1885)
1010789 - Microsoft Windows WAB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24083)
Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1032)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)
Web Server Apache
1010751 - Proxifier Proxy Client
Web Server Common
1010737* - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
1010736* - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
1010769 - Identified Kubernetes Namespace API Requests
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010795 - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
1010772 - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)
Web Server Miscellaneous
1008610* - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
1004874* - TimThumb Plugin Remote Code Execution Vulnerability
Web Server SharePoint
1010764* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
1010794 - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)
Windows Services RPC Server DCERPC
1008479* - Identified Usage Of WMI Execute Methods - Server
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003631* - DNS Server - Microsoft Windows
Featured Stories
- Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
- Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
- The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
- Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more