Rule Update
21-036 (August 10, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
File Sharing Applications
1003651* - Windows Live FolderShare (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1003243* - Yahoo Instant Message URL Blocker (ATT&CK T1102.002)
1002163* - Yahoo! Messenger (ATT&CK T1102.002)
1002384* - Yahoo! Messenger File Transfers (ATT&CK T1102.002)
NFS Server
1011079 - Microsoft Windows Services NFS ONCRPC XDR Driver Remote Code Execution Vulnerability (CVE-2021-26432)
OpenSSL
1006307* - Detected Too Many Suspicious TLS/SSL Client Hello Messages (ATT&CK T1573.002)
1006012* - Identified Suspicious OpenSSL TLS/DTLS Heartbeat Request (ATT&CK T1573.002)
1005474* - Identified Weak Cipher Support From TLS/SSL Server (ATT&CK T1573.002)
OpenSSL Client
1006184* - Identified OpenSSL DTLS Anonymous ECDH Cipher Suite (ATT&CK T1573.002)
1006190* - Identified OpenSSL SRP Cipher Suite In Server Hello Message (ATT&CK T1573.002)
Port Mapper FTP Client
1011089 - Identified File Upload Over FTP (ATT&CK T1048.003)
Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001, T1573.002)
Remote Login Applications
1002487* - SSH Client (ATT&CK T1021.004)
SSL Client
1006740* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Client (ATT&CK T1573.002)
SSL/TLS Server
1006026* - Identified Compression Algorithm In SSL/TLS (ATT&CK T1573.002)
Suspicious Client Application Activity
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)
Trend Micro OfficeScan
1011057* - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Web Application Common
1005427* - Identified Suspicious Upload Of Archive File (ATT&CK T1190)
1010122* - WordPress Plainview Activity Monitor Plugin Remote Code Execution Vulnerability (CVE-2018-15877)
Web Application PHP Based
1011074 - WordPress 'Backup Guard' Plugin Arbitrary File Upload Vulnerability (CVE-2021-24155)
Web Client Common
1011090 - Google Chrome Heap Corruption Vulnerability (CVE-2021-21148)
1011075 - Google Chrome Type Confusion Vulnerability (CVE-2019-13764)
1005269* - Identified Download Of DLL File Over WebDAV (ATT&CK T1574.002)
1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1003244* - Identified Suspicious Obfuscated JavaScript (ATT&CK T1203, T1001)
1006391* - Identified Suspicious Obfuscated JavaScript - 1 (ATT&CK T1203, T1001)
1006599* - Identified Suspicious Obfuscated JavaScript - 3 (ATT&CK T1203, T1001)
1006882* - Identified Suspicious Obfuscated JavaScript - 4 (ATT&CK T1203, T1001)
1008185* - Identified Suspicious Obfuscated PDF Document (ATT&CK T1027, T1204.002)
1008297* - Identified Suspicious RTF File With Obfuscated PowerShell Execution (ATT&CK T1027, T1204.002, T1059.001)
Web Client Internet Explorer/Edge
1011077 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)
Web Client SSL
1006024* - Identified Compression Algorithm In SSL/TLS Message (ATT&CK T1573.002)
1005040* - Identified Revoked Certificate Authority In SSL Traffic (ATT&CK T1573.002)
Web Server Common
1008621* - Disallow Upload Of A JSP File (ATT&CK T1190)
1010405* - JAWS Remote Code Execution Vulnerability
Web Server HTTPS
1008137* - Identified TLS/SSL DES Cipher Suite Is Being Supported (ATT&CK T1573.002)
1005641* - Identified TLS/SSL RC4 Cipher Suite Is Being Supported (ATT&CK T1573.002)
1006064* - Identified Too Many Compressed HTTP Responses (ATT&CK T1071.001)
1007491* - Identified Usage Of EXPORT Cipher Suite In SSLv2 Connection (ATT&CK T1573.002)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1573.002)
1011072* - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011060 - WordPress 'LearnPress' Plugin Blind SQL Injection Vulnerability (CVE-2020-6010)
1011046* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Web Server Miscellaneous
1011044 - Apache Superset Open Redirect Vulnerability (CVE-2021-28125)
1010976* - SolarWinds NPM 'FromJson' Remote Code Execution Vulnerability (CVE-2021-31474)
Windows SMB Server
1011058* - Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol (PetitPotam)
Zabbix Server
1011073 - Zabbix Server Multiple Remote Code Execution Vulnerabilities
Zoho ManageEngine
1011062* - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064* - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
Integrity Monitoring Rules:
1011059 - Microsoft Windows - Security support providers (SSP) registry key modified (ATT&CK T1547.005)
Log Inspection Rules:
1003802* - Directory Server - Microsoft Windows Active Directory
1010002* - Microsoft PowerShell Command Execution
Deep Packet Inspection Rules:
File Sharing Applications
1003651* - Windows Live FolderShare (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1003243* - Yahoo Instant Message URL Blocker (ATT&CK T1102.002)
1002163* - Yahoo! Messenger (ATT&CK T1102.002)
1002384* - Yahoo! Messenger File Transfers (ATT&CK T1102.002)
NFS Server
1011079 - Microsoft Windows Services NFS ONCRPC XDR Driver Remote Code Execution Vulnerability (CVE-2021-26432)
OpenSSL
1006307* - Detected Too Many Suspicious TLS/SSL Client Hello Messages (ATT&CK T1573.002)
1006012* - Identified Suspicious OpenSSL TLS/DTLS Heartbeat Request (ATT&CK T1573.002)
1005474* - Identified Weak Cipher Support From TLS/SSL Server (ATT&CK T1573.002)
OpenSSL Client
1006184* - Identified OpenSSL DTLS Anonymous ECDH Cipher Suite (ATT&CK T1573.002)
1006190* - Identified OpenSSL SRP Cipher Suite In Server Hello Message (ATT&CK T1573.002)
Port Mapper FTP Client
1011089 - Identified File Upload Over FTP (ATT&CK T1048.003)
Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001, T1573.002)
Remote Login Applications
1002487* - SSH Client (ATT&CK T1021.004)
SSL Client
1006740* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Client (ATT&CK T1573.002)
SSL/TLS Server
1006026* - Identified Compression Algorithm In SSL/TLS (ATT&CK T1573.002)
Suspicious Client Application Activity
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)
Trend Micro OfficeScan
1011057* - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Web Application Common
1005427* - Identified Suspicious Upload Of Archive File (ATT&CK T1190)
1010122* - WordPress Plainview Activity Monitor Plugin Remote Code Execution Vulnerability (CVE-2018-15877)
Web Application PHP Based
1011074 - WordPress 'Backup Guard' Plugin Arbitrary File Upload Vulnerability (CVE-2021-24155)
Web Client Common
1011090 - Google Chrome Heap Corruption Vulnerability (CVE-2021-21148)
1011075 - Google Chrome Type Confusion Vulnerability (CVE-2019-13764)
1005269* - Identified Download Of DLL File Over WebDAV (ATT&CK T1574.002)
1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1003244* - Identified Suspicious Obfuscated JavaScript (ATT&CK T1203, T1001)
1006391* - Identified Suspicious Obfuscated JavaScript - 1 (ATT&CK T1203, T1001)
1006599* - Identified Suspicious Obfuscated JavaScript - 3 (ATT&CK T1203, T1001)
1006882* - Identified Suspicious Obfuscated JavaScript - 4 (ATT&CK T1203, T1001)
1008185* - Identified Suspicious Obfuscated PDF Document (ATT&CK T1027, T1204.002)
1008297* - Identified Suspicious RTF File With Obfuscated PowerShell Execution (ATT&CK T1027, T1204.002, T1059.001)
Web Client Internet Explorer/Edge
1011077 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)
Web Client SSL
1006024* - Identified Compression Algorithm In SSL/TLS Message (ATT&CK T1573.002)
1005040* - Identified Revoked Certificate Authority In SSL Traffic (ATT&CK T1573.002)
Web Server Common
1008621* - Disallow Upload Of A JSP File (ATT&CK T1190)
1010405* - JAWS Remote Code Execution Vulnerability
Web Server HTTPS
1008137* - Identified TLS/SSL DES Cipher Suite Is Being Supported (ATT&CK T1573.002)
1005641* - Identified TLS/SSL RC4 Cipher Suite Is Being Supported (ATT&CK T1573.002)
1006064* - Identified Too Many Compressed HTTP Responses (ATT&CK T1071.001)
1007491* - Identified Usage Of EXPORT Cipher Suite In SSLv2 Connection (ATT&CK T1573.002)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1573.002)
1011072* - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011060 - WordPress 'LearnPress' Plugin Blind SQL Injection Vulnerability (CVE-2020-6010)
1011046* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Web Server Miscellaneous
1011044 - Apache Superset Open Redirect Vulnerability (CVE-2021-28125)
1010976* - SolarWinds NPM 'FromJson' Remote Code Execution Vulnerability (CVE-2021-31474)
Windows SMB Server
1011058* - Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol (PetitPotam)
Zabbix Server
1011073 - Zabbix Server Multiple Remote Code Execution Vulnerabilities
Zoho ManageEngine
1011062* - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064* - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
Integrity Monitoring Rules:
1011059 - Microsoft Windows - Security support providers (SSP) registry key modified (ATT&CK T1547.005)
Log Inspection Rules:
1003802* - Directory Server - Microsoft Windows Active Directory
1010002* - Microsoft PowerShell Command Execution
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more