Rule Update
21-037 (August 17, 2021)
Publish date: August 17, 2021
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services - Client
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1055.001)
Microsoft Office
1011095 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-34501)
NFS Server
1011079* - Microsoft Windows Services NFS ONCRPC XDR Driver Remote Code Execution Vulnerability (CVE-2021-26432)
OpenSSL Client
1006017* - Restrict OpenSSL TLS/DTLS Heartbeat Message (ATT&CK T1573.002)
Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1544, T1071.002)
SAP NetWeaver Java Application Server
1010822* - Identified SAP Solution Manager Tool Transfer Over HTTP (ATT&CK T1105)
SSL Client
1009915* - Identified WhatsApp Registration (ATT&CK T1102.002)
1009932* - Telegram Bot API Usage (Used by Telecrypt) (ATT&CK T1102.002)
SSL Client Applications
1009914* - Identified Github Authentication (ATT&CK T1102.002)
1001113* - SSL/TLS Client (ATT&CK T1573.002)
Suspicious Client Application Activity
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1571)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1571)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1571)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1571)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1571)
Web Application Common
1007170* - Identified Suspicious China Chopper Webshell Communication (ATT&CK T1505.003)
1009911* - Identified Twitter Command & Control Communication (ATT&CK T1102.002)
Web Application PHP Based
1011074* - WordPress 'Backup Guard' Plugin Arbitrary File Upload Vulnerability (CVE-2021-24155)
Web Client Common
1000943* - Detect UPX Packed Executable Download (ATT&CK T1027.002)
1009912* - Detected Vkontakte Site Access Over HTTP (ATT&CK T1102.002)
Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1573.002)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1573.002)
Web Server Common
1005434* - Disallow Upload Of A PHP File (ATT&CK T1190)
1005013* - Restrict Microsoft .Net Executable File Upload (ATT&CK T1190)
1003025* - Web Server Restrict Executable File Uploads (ATT&CK T1190)
Web Server HTTPS
1011088 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31198)
1011060* - WordPress 'LearnPress' Plugin Blind SQL Injection Vulnerability (CVE-2020-6010)
Web Server Miscellaneous
1011044* - Apache Superset Open Redirect Vulnerability (CVE-2021-28125)
1011061 - Jenkins 'Config File Provider' Plugin External Entity Injection Vulnerability (CVE-2021-21642)
1011093 - Pivotal Spring Security OAuth Remote Code Execution Vulnerability (CVE-2016-4977)
Web Server SharePoint
1010836* - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1213.002)
1010835* - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1213.002, T1087)
1010834* - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1213.002)
1010833* - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1213.002, T1087)
1010832* - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1213.002)
1010831* - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1213.002)
1010823* - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1213.002, T1589.002)
1010830* - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1213.002)
1010747* - Identified Microsoft SharePoint GetRolesAndPermissionsForSite Request (ATT&CK T1589.003)
1010746* - Identified Microsoft SharePoint GetUserInfo Request (ATT&CK T1589.003)
Windows Services RPC Server DCERPC
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1543.003)
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
Zabbix Server
1011073* - Zabbix Server Multiple Remote Code Execution Vulnerabilities
Integrity Monitoring Rules:
1003354* - Linux/Unix - Configuration files of sendmail utility modified
1003168* - Linux/Unix - Listening ports modified
1003169* - Linux/Unix - Process attributes modified
1009745* - Linux/Unix - Removable Device Detected (ATT&CK T1092)
1010422* - Linux/Unix - SCP process detected (ATT&CK T1105, T1048.001)
1010791* - Linux/Unix - Task scheduler entries modified (ATT&CK T1053)
1009704* - Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010)
Log Inspection Rules:
1002797* - Database Server - MySQL
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1008670* - Microsoft Windows Security Events - 3