Rule Update
21-044 (October 5, 2021)
Publish date: October 05, 2021
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
Azure Open Management Infrastructure Tool
1011147* - Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647)
DCERPC Services
1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share (ATT&CK T1486, T1080)
DCERPC Services - Client
1010585* - Identified Possible Ransomware File Extension Create Activity Over Network Share - Client (ATT&CK T1486, T1080)
Directory Server LDAP
1011008* - OpenLDAP Integer Underflow Vulnerability (CVE-2020-36221)
Trend Micro ServerProtect EarthAgent
1011157* - Trend Micro ServerProtect Authentication Bypass Vulnerability (CVE-2021-36745)
Web Application Common
1011155* - FlatCore CMS Remote Code Execution Vulnerability (CVE-2021-39608)
1011103* - PHPUnit Remote Code Execution Vulnerability (CVE-2017-9841)
1010942* - WordPress XML External Entity Injection Vulnerability (CVE-2021-29447)
Web Application PHP Based
1011143 - WordPress 'ProfilePress' Plugin Privilege Escalation Vulnerability (CVE-2021-34621)
Web Client Common
1011129* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 1
1011127* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 2
Web Server HTTPS
1011156* - Centreon 'componentTemplates.php' SQL Injection Vulnerability
1011161 - Centreon 'graph-split.php' SQL Injection Vulnerability
1011158* - Detected VMware vCenter Server Analytics Service Access
1011166 - GitLab Stored Cross-Site Scripting Vulnerability (CVE-2021-22242)
1011167 - VMware vCenter Server File Upload Vulnerability (CVE-2021-22005)
1011120* - WebSVN Command Injection Vulnerability (CVE-2021-32305)
1011165 - WordPress 'Woo-Order-Export-Lite' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2021-24169)
Web Server Miscellaneous
1011153* - FasterXML jackson-databind Malicious JSON Objects Multiple Remote Code Execution Vulnerabilities
1011163 - Spring Boot Actuator Directory Traversal Vulnerability (CVE-2021-21234)
Web Server Nagios
1011164 - Nagios XI Stored Cross-Site Scripting Vulnerability (CVE-2021-38156)
Web Server Oracle
1011086* - Oracle Business Intelligence 'Scheduler' Remote Code Execution Vulnerability (CVE-2021-2391)
1011084* - Oracle Business Intelligence 'UpdateConnectionServlet' Remote Code Execution Vulnerability (CVE-2021-2396)
1011096* - Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-2394)
Web Server SharePoint
1011123* - Microsoft SharePoint WorkflowCompilerInternal Remote Code Execution Vulnerability (CVE-2021-26420)
Web Server Squid
1011159 - Squid HTTP Request Smuggling Vulnerability (CVE-2019-18678)
Zoho ManageEngine
1011162 - Zoho ManageEngine OpManager 'GetDataCollectionFailureReason' SQL Injection Vulnerability (CVE-2021-40493)
Integrity Monitoring Rules:
1005193* - Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002)
1011116* - Linux/Unix - Kernel modules loading configuration modified (ATT&CK T1547.006)
1010798* - Linux/Unix - Local user and group files modified (ATT&CK T1136.001, T1531)
1010422* - Linux/Unix - SCP process detected (ATT&CK T1048.001, T1105)
1011070* - Linux/Unix - SSH authorized_keys file modified - non-root users (ATT&CK T1021.004, T1098.004, T1563.001)
1011068* - Linux/Unix - SSH authorized_keys file modified - root user (ATT&CK T1021.004, T1098.004, T1563.001)
1011069* - Linux/Unix - SSH authorized_keys file modified - systemwide (ATT&CK T1021.004, T1098.004, T1563.001)
1011111* - Linux/Unix - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1010825* - Linux/Unix - adduser, useradd and deluser configuration files modified (ATT&CK T1136.001, T1531)
1010808* - Linux/Unix - bash configuration files modified (ATT&CK T1059.004, T1546.004)
1010827* - Linux/Unix - csh/tcsh configuration files modified (ATT&CK T1059.004, T1546.004)
1010828* - Linux/Unix - zsh configuration files modified (ATT&CK T1059.004, T1546.004)
1009626* - Microsoft Windows - Accessibility features registry keys or files modified (ATT&CK T1546.008, T1546.012)
1011151* - Microsoft Windows - Active directory registry keys modified (ATT&CK T1112)
1005195* - Microsoft Windows - Attributes of log file modified (ATT&CK T1070, T1222.001)
1002781* - Microsoft Windows - Attributes of services modified (ATT&CK T1036.004, T1543.003)
1002767* - Microsoft Windows - Attributes of system32 directory modified (ATT&CK T1222)
1011144* - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)
1011146* - Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001)
1011145* - Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.004, T1547.014)
1003367* - Microsoft Windows - DHCP server files directory and service modified (ATT&CK T1036.003, T1222.001)
1002869* - Microsoft Windows - DNS Server (ATT&CK T1554, T1584.002)
1011148* - Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001)
1011149* - Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001)
1011150* - Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001)
1002780* - Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554)
1002786* - Microsoft Windows - Microsoft hotfixes registry keys modified (ATT&CK T1112)
1011142* - Microsoft Windows - Network services registries modified (ATT&CK T1547.001, T1574.001)
1011071* - Microsoft Windows - OpenSSH registry keys modified (ATT&CK T1021.004, T1112)
1011092* - Microsoft Windows - OpenSSH server configuration file modified (ATT&CK T1021.004)
1002787* - Microsoft Windows - Registry values of event log modified (ATT&CK T1070.001, T1562.002)
1002776* - Microsoft Windows - Startup Programs Modified (ATT&CK T1060, T1112)
1002778* - Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001)
1008257* - Microsoft Windows - USB storage device detected (ATT&CK T1052.001, T1092)
1008720* - Microsoft Windows - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1011141* - Microsoft Windows - Windows file protection registry modified (ATT&CK T1112, T1546.008)
1007221* - TMTR-0026: Suspicious Files Detected In Program Files Folder
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.