Rule Update
25-028 (July 8, 2025)
Publish date: July 08, 2025
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1021.002)
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1569.002)
1008119* - Microsoft Windows Local Security Authority Subsystem Service (LSASS) Denial Of Service Vulnerability (CVE-2017-0004)
1008123* - Microsoft Windows Local Security Authority Subsystem Service Denial Of Service Vulnerability (CVE-2016-7237)
1008227* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
1008432* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0267)
1008660* - Microsoft Windows SMB Out-Of-Bounds Read Denial Of Service Vulnerability (CVE-2017-11781)
1008224* - Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
1008225* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
1008228* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
1008306* - Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)
1008713* - Microsoft Windows SMB Server SMBv1 Information Disclosure Vulnerability (CVE-2017-11815)
1008468* - Microsoft Windows SMBv1 Information Disclosure Vulnerability (CVE-2017-0271)
1008305* - Microsoft Windows SMBv1 Remote Code Execution Vulnerability
1008445* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)
1008560* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8620)
1007432* - Microsoft Windows Server Message Block Memory Corruption Vulnerability (CVE-2015-2474)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1078.002,T1078.001,T1021.002)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007033* - Remote Scheduled Task Access Through SMBv1 Protocol Detected
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
1003984* - SMB NTLM Authentication Lack Of Entropy Vulnerability
1005448* - SMB Null Session Detected - 1
1005447* - SMB Null Session Detected - 2
1003761* - SMBv2 Infinite Loop Vulnerability
1003712* - Windows Vista SMB2.0 Negotiate Protocol Request Remote Code Execution
DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1574.002)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1059.001)
1004293* - Identified Microsoft Windows Shortcut File Over Network Share
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client
1007592* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (CVE-2016-0160 and CVE-2016-0148)
1007381* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS15-132)
1007369* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-007)
1007426* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-014)
1008177* - Microsoft Windows DLL Loading Vulnerability Over Network Share (CVE-2017-0039)
1008585* - Microsoft Windows LNK Remote Code Execution Over SMB (CVE-2017-8464)
1010394* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)
1010553* - Microsoft Windows Media Foundation Memory Corruption Vulnerability Over SMB (CVE-2020-16915)
1007531* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128)
1008138* - Microsoft Windows SMB Tree Connect Response Denial Of Service Vulnerability (CVE-2017-0016)
DHCP Client
1000861* - Microsoft Windows DHCP Client Service Remote Code Execution
DNS Client
1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
1008666* - Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)
Database Microsoft SQL
1012391 - Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49718)
Ivanti Endpoint Manager
1012396 - Ivanti Endpoint Manager Credential Coercion Vulnerability (CVE-2024-13159)
MSMQ Service
1012227* - Microsoft Windows Message Queuing Service Remote Code Execution Vulnerability (CVE-2024-49122)
Mail Server Common
1012143* - Roundcube Webmail Stored Cross-Site Scripting Vulnerability (CVE-2024-37383)
NTP Client
1008004* - NTP 'ntpq atoascii' Memory Corruption Vulnerability (CVE-2015-7852)
Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1544, T1071.002)
Ray Framework
1012153* - Ray Remote Code Execution Vulnerability (CVE-2023-48022)
Remote Desktop Protocol Server
1009562* - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110, T1021.001)
1008307* - Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (CVE-2017-0176)
1009749* - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)
Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071.001)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007186* - TMTR-0007: STRAT HTTP Request
1007199* - TMTR-0008: STRAT HTTP Request
1007198* - TMTR-0009: STRAT HTTP Request
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007206* - TMTR-0013: FAKEMRAT HTTP Request
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007202* - TMTR-0015: PSYRAT HTTP Request
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)
Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1021.001)
WSO2
1012249* - WSO2 Multiple Products Arbitrary File Upload Vulnerability (CVE-2024-7074)
Web Application Common
1012397 - Liferay Multiple Products Reflected Cross-Site Scripting Vulnerability (CVE-2025-4388)
Web Server Common
1011242* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Web Server Oracle
1012244* - Oracle WebLogic Server Insecure Deserialization Vulnerability (CVE-2024-21182)
Web Server SharePoint
1012390 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-49704)
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1021.006, T1059.001)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1021.006, T1059.001)
Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1021.006, T1059.001)
Windows SMB Client
1006994* - Executable File Download On Network Share Detected
Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1570)
1011018* - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
1012394 - Microsoft Windows NEGOEX Remote Code Execution Vulnerability (CVE-2025-47981)
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)
Windows Server DCERPC
1011016* - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
1007539* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128) - 1
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1047)
1003766* - Local Security Authority Subsystem Service Integer Overflow Vulnerability
1007068* - Remote Service Execution Through SMBv2 Protocol Detected
Integrity Monitoring Rules:
1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified
1010812* - Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002)
1010373* - Linux/Unix - Systemd service modified (ATT&CK T1543.002)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.