Rule Update
21-042 (September 21, 2021)
Publish date: September 21, 2021
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
Azure Open Management Infrastructure Tool
1011147 - Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647)
DCERPC Services
1011105* - Identified File Deletion From SMB Share (ATT&CK T1070.004)
Microsoft Office
1011135 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-38655)
1011137 - Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2021-38658)
1011121 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-34478)
1011138 - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-38659)
1011134 - Microsoft Office Visio Remote Code Execution Vulnerability (CVE-2021-38653)
1011136 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-38656)
Web Application PHP Based
1011154 - Identified WordPress 'wp-login.php' Brute Force Attempt
1010642* - WordPress XMLRPC Brute Force Amplification Attack
Web Client Common
1011129* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 1
1011130* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 3
1011140 - Google Chrome Use After Free Vulnerability (CVE-2020-6550)
1011139 - Google Chrome V8 Type Confusion Vulnerability (CVE-2021-30561)
1011080 - Microsoft 3D Viewer Remote Code Execution Vulnerability (ZDI-CAN-13085)
1011133 - Microsoft Visual Studio Remote Code Execution Vulnerability (CVE-2021-36952)
Web Server Common
1011118 - Centreon 'csv_HostGroupLogs.php' SQL Injection Vulnerability (CVE-2021-37556)
1011113* - Nagios XI Remote Command Injection Vulnerability (CVE-2021-37346)
Web Server HTTPS
1011132 - Centreon 'metaService.php' SQL Injection Vulnerability
Web Server Nagios
1011131 - Nagios XI Bulk Modification Tool SQL Injection Vulnerability (CVE-2021-37350)
Web Server Oracle
1011083* - Oracle Business Intelligence 'BIRemotingServlet' Insecure Deserialization Vulnerability (CVE-2021-2456)
1011086* - Oracle Business Intelligence 'Scheduler' Remote Code Execution Vulnerability (CVE-2021-2391)
1011084* - Oracle Business Intelligence 'UpdateConnectionServlet' Remote Code Execution Vulnerability (CVE-2021-2396)
Windows Services RPC Server DCERPC
1009892* - Identified Domain-Level Information Dumping Over DCERPC (ATT&CK T1003.006, T1018)
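Two of the PHP-side rules above (1011154 and 1010642) target WordPress credential guessing: repeated POSTs to wp-login.php, and the XML-RPC "amplification" variant where a single system.multicall request carries many wp.getUsersBlogs calls, each with a credential pair. The following Python is an added illustration of the equivalent checks over constructed input; it is not Trend Micro's rule logic and not code from this page. The thresholds, the access-log lines and the multicall payload are assumptions made for the example.

```python
"""Detect the two WordPress brute-force patterns named in this rule update.

Added example, not the Deep Security rule internals. Thresholds, log lines and
the XML-RPC payload below are constructed assumptions."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Constructed Apache combined-format lines (not real traffic).
# 203.0.113.7 sends five POSTs to wp-login.php within a few seconds;
# 198.51.100.4 sends two, five minutes apart.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Sep/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2021:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def wp_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources that POST to /wp-login.php at least
    `threshold` times inside any sliding `window` (threshold is an assumption)."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


# XML-RPC methods that authenticate with a username/password pair and are
# therefore usable as a password oracle.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}


def build_multicall(creds):
    """Constructed attacker payload: one request carrying many credential guesses."""
    call = ("<value><struct>"
            "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>{u}</string></value><value><string>{p}</string></value>"
            "</data></array></value></member></struct></value>")
    inner = "".join(call.format(u=escape(u), p=escape(p)) for u, p in creds)
    return ("<methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + inner +
            "</data></array></value></param></params></methodCall>")


def xmlrpc_amplification(body, threshold=3):
    """Count credential-bearing calls in an xmlrpc.php request body and flag when a
    system.multicall bundles `threshold` or more of them (threshold is an assumption)."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return {"calls": 0, "flagged": False}
    top = root.findtext("methodName")
    if top != "system.multicall":
        calls = 1 if top in AUTH_METHODS else 0
    else:
        calls = sum(
            1 for member in root.iter("member")
            if member.findtext("name") == "methodName"
            and member.findtext("value/string") in AUTH_METHODS)
    return {"calls": calls, "flagged": calls >= threshold}


SAMPLE_MULTICALL = build_multicall(
    [("admin", "password"), ("admin", "123456"), ("admin", "letmein"), ("editor", "qwerty")])
SINGLE_CALL = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
               "<param><value><string>admin</string></value></param>"
               "<param><value><string>password</string></value></param></params></methodCall>")

if __name__ == "__main__":
    print("wp-login.php bursts:", wp_login_bruteforce(SAMPLE_ACCESS_LOG))
    print("multicall:", xmlrpc_amplification(SAMPLE_MULTICALL))
    print("single call:", xmlrpc_amplification(SINGLE_CALL))
```

The two checks need different vantage points: the wp-login.php rate is visible in web-server access logs or at a network sensor, whereas the multicall count requires the decoded request body, which is why the corresponding rule sits in the Deep Packet Inspection group rather than in Log Inspection.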
Integrity Monitoring Rules:
1011152 - Microsoft Windows - Active directory files modified (ATT&CK T1552.006)
1011151 - Microsoft Windows - Active directory registry keys modified (ATT&CK T1112)
1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)
1011146 - Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001)
1011145 - Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.014, T1547.004)
1011148 - Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001)
1011149 - Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001)
1011150 - Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001)
1011142 - Microsoft Windows - Network services registries modified (ATT&CK T1574.001, T1547.001)
1002860* - Microsoft Windows - SAM registry keys modified (ATT&CK T1098, T1136)
1011141 - Microsoft Windows - Windows file protection registry modified (ATT&CK T1546.008, T1112)
1006800* - TMTR-0002: Suspicious Files Detected In Operating System Directories (ATT&CK T1053.005)
1006798* - TMTR-0005: Suspicious Files Detected In Application Directories (ATT&CK T1562.001)
1006796* - TMTR-0007: Suspicious Files Detected In Application Directories (ATT&CK T1574.002)
1006799* - TMTR-0014: Suspicious Service Detected (ATT&CK T1543.003)
1006684* - TMTR-0015: Suspicious Service Detected (ATT&CK T1543.003)
1006691* - TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected (ATT&CK T1098, T1136)
1007214* - TMTR-0019: Suspicious Files Detected In System Drivers Directory (ATT&CK T1014)
1007218* - TMTR-0023: Suspicious Changes In NTLM Settings (ATT&CK T1547.005)
1010515* - Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1003802* - Directory Server - Microsoft Windows Active Directory
1010595* - Microsoft LDAP Query Execution
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1002795* - Microsoft Windows Events
1010095* - Microsoft Windows Management Instrumentation Events
1003987* - Microsoft Windows Security Events - 2
1008792* - Microsoft Windows Security Events - 4
1002831* - Unix - Syslog
1003447* - Web Server - Apache
1002835* - Web Server - Web Access Events