Rule Update
25-026 (June 24, 2025)
Publish date: June 24, 2025
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1008679* - Identified BADRABBIT Ransomware Propagation Over SMB
1008327* - Identified Server Suspicious SMB Session
1010214* - Identified Trend Micro ApexOne Backup Folder Access
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1569.002)
1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
1010025* - Microsoft Windows NTLM Tampering Vulnerability (CVE-2019-1166)
1012187* - Microsoft Windows SMB Denial of Service Vulnerability (CVE-2024-43642)
1010900* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2021-28325)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1010652* - Microsoft Windows SMB2 Server Information Disclosure Vulnerability (CVE-2020-17140)
1010653* - Microsoft Windows SMB2 Server Remote Code Execution Vulnerability (CVE-2020-17096)
1010192* - Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)
1008717* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-11771)
1011587* - Microsoft Windows Server Service Tampering Vulnerability (CVE-2022-30216)
1010521* - Netlogon Elevation Of Privilege Vulnerability Over SMB (Zerologon) (CVE-2020-1472)
DCERPC Services - Client
1008328* - Identified Client Suspicious SMB Session
1010585* - Identified Possible Ransomware File Extension Create Activity Over Network Share - Client (ATT&CK T1486, T1080)
1004566* - Identified Suspicious Microsoft DLL File Over Network Share
1009331* - Microsoft Filter Manager Elevation Of Privilege Vulnerability (CVE-2018-8333)
1012183* - Microsoft Windows LNK File UI Misrepresentation Vulnerability Over SMB (ZDI-25-148)
1010201* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-0729)
1012075* - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability Over SMB (CVE-2024-38112)
1009717* - Microsoft Windows PowerShell ISE Filename Parsing Remote Code Execution Vulnerability Over SMB
1011436* - Microsoft Windows RPC Remote Code Execution Vulnerability Over SMB (CVE-2022-26809)
1011459* - Microsoft Windows RPC Remote Code Execution Vulnerability Over TCP (CVE-2022-26809)
1010319* - Microsoft Windows SMB Denial of Service Vulnerability (CVE-2020-1284)
1008915* - Microsoft Windows SMBv3 Denial Of Service Vulnerability (CVE-2018-0833)
1011950* - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability Over SMB (CVE-2024-21412)
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1055.001)
DNS Client
1007456* - DNS Malformed Response Detected
1008571* - DNS Request To ShadowPad Domain Detection
1008203* - DNSMessenger Malware C&C Traffic Over DNS Protocol
1008204* - DNSMessenger Malware Domain Blocker
1009135* - Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2018-8225)
IPSec-IKE
1011669* - Microsoft Windows Internet Key Exchange (IKE) Protocol Extensions Denial Of Service Vulnerability (CVE-2023-21547)
1011801* - Microsoft Windows Internet Key Exchange (IKE) Protocol Extensions Denial Of Service Vulnerability (CVE-2023-21758)
1011536* - Microsoft Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability (CVE-2022-34721)
Ivanti Endpoint Manager
1012205* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-50326)
1012207* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-50330)
JetBrains TeamCity
1012381 - JetBrains TeamCity Cross-Site Scripting Vulnerability (CVE-2025-46618)
Kerberos KDC Client
1012338* - Microsoft Windows Defender Credential Guard Security Feature Bypass Vulnerability (CVE-2025-29809)
LDAP Client
1011269* - Identified Java Code Download Attempt Over LDAP
MS-RDPEUDP2
1009940* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1224)
1009941* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1225)
Microsoft Office
1011208* - Microsoft Access Remote Code Execution Vulnerability (CVE-2021-41368)
1011303* - Microsoft Excel Information Disclosure Vulnerability (CVE-2022-22716)
1011137* - Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2021-38658)
1011138* - Microsoft Office Remote Code Execution Vulnerability (CVE-2021-38659)
1011181* - Microsoft Office Visio Remote Code Execution Vulnerability (CVE-2021-40480)
1011182* - Microsoft Office Visio Remote Code Execution Vulnerability (CVE-2021-40481)
1011136* - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-38656)
1011184* - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-40486)
1011701* - Microsoft Word Remote Code Execution Vulnerability (CVE-2023-21716)
Port Mapper FTP Client
1011089* - Identified File Upload Over FTP (ATT&CK T1048.003)
Port Mapper Windows
1001033* - Windows Port Mapper Decoder
Remote Desktop Protocol Client
1009031* - Microsoft Windows CredSSP Remote Code Execution Vulnerability (CVE-2018-0886)
1010402* - Microsoft Windows Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-1374)
Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001, T1573.002)
1009958* - Microsoft Windows RDP Remote Code Execution Vulnerability (CVE-2019-1181)
1009961* - Microsoft Windows RDP Remote Code Execution Vulnerability (CVE-2019-1182)
1009448* - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
1010556* - Microsoft Windows Remote Desktop Protocol Information Disclosure Vulnerability (CVE-2020-16896)
Suspicious Client Application Activity
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1587.003)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1571)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071.001)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071.001)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071.001)
1010370* - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071.001)
1009952* - Identified WhatsApp Communication Attempt (ATT&CK T1102.002)
1009432* - Tildeb Acknowledgment Request
TFTP Client Decoder
1003526* - Enable TFTP Decoder
Web Application PHP Based
1012193* - WordPress 'WP Brutal AI' Plugin SQL Injection Vulnerability (CVE-2023-2601)
1012194* - WordPress 'WP Brutal AI' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2023-2606)
1012226* - WordPress 'wpForo' Plugin Local File Inclusion Vulnerability (CVE-2023-2249)
Web Client Common
1010540* - Download Of A Suspicious PowerShell Script File Detected
1004715* - HTTP Web Client Decoding
1011091* - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1011500* - Identified Download of Python Reverse Shell Payload Over HTTP
1011225* - Microsoft Project MPT File Parsing Out-Of-Bounds Read Vulnerability (ZDI-CAN-14518)
1012070* - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628)
1012074* - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2024-38112)
1012141* - Microsoft Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43461)
1012142* - Microsoft Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43461) - 1
1011949* - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2024-21412)
Web Client HTTPS
1010130* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1
1010290* - Microsoft Windows Transport Layer Security Denial Of Service Vulnerability (CVE-2020-1118) - Client
Web Server Common
1011249* - Apache Log4j Denial of Service Vulnerability (CVE-2021-45105)
1011270* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) - 1
1011265* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-45046)
1011279* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-45046) - 1
1000128* - HTTP Protocol Decoding
Web Server HTTPS
1012384 - Roundcube Webmail Insecure Deserialization Vulnerability (CVE-2025-49113)
Windows SMB Client
1011055* - Identified DCERPC OpenPrinterEx Call Over SMB Protocol
1010701* - Microsoft Windows Defender Remote Code Execution Vulnerability Over SMB (CVE-2021-1647)
Windows SMB Server
1011058* - Identified DCERPC EFSRPC Methods Call Over SMB Protocol (PetitPotam)
1011593* - Identified Executable File Upload On Network Share (ATT&CK T1570)
1012318* - Identified Possible Ransomware File Rename Activity Over Network Share - 1
1011680* - Microsoft Windows NEGOEX Remote Code Execution Vulnerability (CVE-2022-37958)
1010884* - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)
Windows Services RPC Client DCERPC
1012178* - Identified Windows DCERPC AUTH LEVEL CONNECT Windows Remote Registry Request
1007538* - Windows Client Port Mapper Decoder
Windows Services RPC Server DCERPC
1009892* - Identified Domain-Level Information Dumping Over DCERPC (ATT&CK T1003.006, T1018)
1010539* - Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1543.003)
1007561* - Identified Windows DCERPC AUTH LEVEL CONNECT Password Validate Request
1010519* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.