Rule Update
21-035 (August 3, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)
Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)
Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)
SSL Client
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)
SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)
Suspicious Client Application Activity
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
Suspicious Server Application Activity
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)
Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Web Application Common
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Web Application PHP Based
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)
Web Client Common
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution
Web Server Common
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)
Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Web Server SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
Integrity Monitoring Rules:
1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)
Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)
Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)
SSL Client
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)
SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)
Suspicious Client Application Activity
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
Suspicious Server Application Activity
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)
Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Web Application Common
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Web Application PHP Based
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)
Web Client Common
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution
Web Server Common
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)
Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Web Server SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
Integrity Monitoring Rules:
1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more