Rule Update
25-027 (July 1, 2025)
Publish date: July 01, 2025
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1004808* - Identified Big-Endian Byte Order
1005889* - Identified POSWDS Malware Connection Over SMB
1002937* - Integer Overflow In IPP Service Vulnerability
1003824* - License Logging Server Heap Overflow Vulnerability
1004600* - Microsoft Active Directory 'BROWSER ELECTION' Buffer Overflow Vulnerability
1003015* - Microsoft SMB Credential Reflection Vulnerability
1006579* - Microsoft Windows NETLOGON Spoofing Vulnerability (CVE-2015-0005)
1002931* - Microsoft Windows SMB Buffer Underflow Vulnerability
1000972* - Microsoft Windows svcctl ChangeServiceConfig2A() Memory Corruption Vulnerability
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1003564* - Print Spooler Load Library Vulnerability
1005140* - Print Spooler Service Format String Vulnerability (CVE-2012-1851)
1004401* - Print Spooler Service Impersonation Vulnerability
1007125* - Remote Access Event Through SMBv1 Protocol Detected
1007121* - Remote Access Event Through SMBv2 Protocol Detected
1006995* - Remote Add Job Through SMBv1 Protocol Detected
1007037* - Remote Add Job Through SMBv2 Protocol Detected
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007066* - Remote Delete Job Through SMBv1 Protocol Detected
1007038* - Remote Delete Job Through SMBv2 Protocol Detected
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007070* - Remote PWDUMP Through SMBv1 Protocol Detected
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007032* - Remote Schedule Task Create Through SMBv1 Protocol Detected
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
1003985* - SMB Memory Corruption Vulnerability
1003979* - SMB Null Pointer Vulnerability
1003978* - SMB Pathname Overflow Vulnerability
1004346* - SMB Pool Overflow Vulnerability
1004355* - SMB Stack Exhaustion Vulnerability
1004641* - SMB Transaction Parsing Vulnerability (CVE-2011-0661)
1004348* - SMB Variable Validation Vulnerability
1002975* - Server Service Vulnerability (wkssvc)
1004542* - Windows Netlogon Service Denial Of Service (CVE-2010-2742)
1003676* - Workstation Service Memory Corruption Vulnerability
DCERPC Services - Client
1004821* - Active Accessibility Insecure Library Loading Vulnerability (CVE-2011-1247)
1004924* - Color Control Panel Insecure Library Loading Vulnerability Over Network Share (CVE-2010-5082)
1004700* - DFS Memory Corruption Vulnerability (CVE-2011-1868)
1004762* - Data Access Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1975)
1004304* - Identified Suspicious Microsoft Windows Shortcut File Over Network Share (ATT&CK T1080)
1004926* - Indeo Codec Insecure Library Loading Vulnerability Over Network Share (CVE-2010-3138)
1004563* - Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability Over Network Share
1003832* - Microsoft Windows 'KeAccumulateTicks()' SMB2 Packet Remote Denial Of Service Vulnerability
1005281* - Microsoft Windows Briefcase Integer Overflow Vulnerability Over Network Share (CVE-2012-1528)
1005280* - Microsoft Windows Briefcase Integer Underflow Vulnerability Over Network Share (CVE-2012-1527)
1004053* - Microsoft Windows CHM Notepad Remote Code Execution
1006554* - Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-0096)
1006013* - Microsoft Windows Insecure Binary Loading Vulnerability Over Network Share (CVE-2014-0315)
1006292* - Microsoft Windows OLE Remote Code Execution Vulnerability Over SMB
1004697* - OLE Automation Underflow Vulnerability (CVE-2011-0658)
1004897* - Object Packager Insecure Executable Launching Vulnerability Over Network Share (CVE-2012-0009)
1004877* - PowerPoint Insecure Library Loading Vulnerability Over Network Share (CVE-2011-3396)
1005153* - Print Spooler Service Format String Vulnerability (CVE-2012-1851) II
1005139* - Remote Administration Protocol Denial Of Service Vulnerability (CVE-2012-1850)
1005142* - Remote Administration Protocol Stack Overflow Vulnerability
1004094* - SMB Client Memory Allocation Vulnerability
1004100* - SMB Client Message Size Vulnerability
1003973* - SMB Client Pool Corruption Vulnerability
1003980* - SMB Client Race Condition Vulnerability
1004096* - SMB Client Response Parsing Vulnerability
1004637* - SMB Client Response Parsing Vulnerability (CVE-2011-0660)
1004095* - SMB Client Transaction Vulnerability
1003014* - SMB Credential Reflection Vulnerability
1004692* - SMB Response Parsing Vulnerability (CVE-2011-1268)
1004775* - Telnet Handler Remote Code Execution Vulnerability Over Network Share (CVE-2011-1961)
1012387 - Trend Micro Apex One Client Remote Code Execution Vulnerability Over SMB (CVE-2025-49155)
1005081* - Vulnerability In Windows Shell Could Allow Remote Code Execution (CVE-2012-0175)
1004797* - Windows Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1991)
1004843* - Windows Mail Insecure Library Loading Vulnerability Over Network Share (CVE-2011-2016)
DNS Client
1003189* - Malware AGENT.BTZ Domain Blocker
1000468* - Microsoft Word Malformed Object Pointer Remote Code Execution
1003133* - Pointer Reference Memory Corruption Vulnerability Domain Blocker
HP Intelligent Management Center (IMC)
1012392 - Apache OFBiz Stored Cross-Site Scripting Vulnerability (CVE-2025-30676)
Ivanti Endpoint Manager
1012204* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-50328)
1012283* - Ivanti Endpoint Manager Untrusted Search Path Vulnerability (CVE-2024-13158)
JetBrains TeamCity
1012238* - JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2024-47951)
Link-Local Multicast Name Resolution
1004645* - DNS Query Vulnerability (CVE-2011-0657)
NTP Client
1006630* - NTP MAC Security Bypass Vulnerability (CVE-2015-1798)
Remote Desktop Protocol Server
1006870* - Microsoft Windows Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability (CVE-2015-2373)
1004949* - Remote Desktop Protocol Vulnerability (CVE-2012-0002)
1005138* - Remote Desktop Protocol Vulnerability (CVE-2012-2526)
Shellcode
1005428* - Identified Suspicious Shellcode Over Network Traffic
1001183* - Identified Suspicious Usage Of Shellcode
1001202* - Identified Suspicious Usage Of Shellcode Encoders
1002359* - Identified Suspicious Usage Of Shellcode In Network Traffic
Suspicious Client Application Activity
1007113* - HTRANS Response Detected
1005067* - Identified Potentially Harmful Client Traffic
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1571)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1571, T1219)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1571)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1571)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1571)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
1007181* - TMTR-0001: PRORAT HTTP Request
1007182* - TMTR-0003: PRORAT HTTP Request
1005294* - TMTR-0004: GHOST RAT HTTP Request
1007184* - TMTR-0006: BUTERAT HTTP Request
Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1005090* - Identified Potentially Harmful Server Traffic
TFTP Client
1003527* - Allow TFTP Client Traffic
Telnet Client
1003687* - Telnet Credential Reflection Vulnerability
Web Application PHP Based
1012281* - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2024-49754)
Web Client Common
1005924* - Restrict Download Of EICAR Test File Over HTTP
Web Server Miscellaneous
1012248* - Jenkins 'Simple Queue' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2024-54003)
Web Server Nagios
1012385 - Nagios XI Arbitrary File Write Vulnerability
Windows Services RPC Server DCERPC
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.