Deep Security Center

Page 1 of 25:
1
2
3
4
5
6
7
8
9
10
...
25

RULE UPDATE: 19-056 (November 12, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1077)

DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol

Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071)

Web Application Tomcat
1009697* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)

Web Client Common
1008206* - ImageMagick 'coders/rle.c' Remote Buffer Overflow Vulnerability (CVE-2016-10049) - 1
1010053 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1358)
1010054 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1359)
1010052 - Microsoft Windows Imaging API Remote Code Execution Vulnerability (CVE-2019-1311)

Web Client Internet Explorer/Edge
1010050 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-1429)
1010051 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2019-1390)

Web Server HTTPS
1010049 - Apache Traffic Server HTTP/2 Denial Of Service Vulnerability (CVE-2019-9515)

Web Server Miscellaneous
1005604* - Apache Struts Multiple Remote Command Execution Vulnerability
1005509* - nginx "ngx_http_parse_chunked()" Buffer Overflow Vulnerability

Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)

Windows Services RPC Server DCERPC
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1005)

Integrity Monitoring Rules:

1005645* - Microsoft Windows - AutoRun Registry Entries Modified (ATT&CK T1013, T1060)
1002776* - Microsoft Windows - Startup Programs Modified (ATT&CK T1112, T1060)

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-055 (November 5, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

HP Intelligent Management Center (IMC)
1010042 - HPE Intelligent Management Center AMF3 Externalizable Deserialization (CVE-2019-11944)

Remote Login Applications
1004364* - TeamViewer (ATT&CK T1219)

Suspicious Client Application Activity
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1094)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1094)

Suspicious Server Ransomware Activity
1007582* - Ransomware Lectool-1

Web Application Common
1005934* - Identified Suspicious Command Injection Attack
1010046 - rConfig Remote Command Execution Vulnerability (CVE-2019-16662)
1010047 - rConfig Remote Command Execution Vulnerability (CVE-2019-16663)

Web Application Tomcat
1009697* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)

Web Server Common
1005839* - Identified XML External Entity Injection In HTTP Request
1009226* - Wing FTP Server Authenticated Command Execution Vulnerability (CVE-2015-4107)

Webmin
1010043* - Webmin Unauthenticated Remote Code Execution Vulnerability (CVE-2019-15107)

Windows Services RPC Server DCERPC
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-054 (October 29, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009703 - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)

Remote Desktop Protocol Server
1009562 - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1076)

Trend Micro OfficeScan
1010041 - Trend Micro ApexOne And OfficeScan Directory Traversal Vulnerability (CVE-2019-18189)
1010040 - Trend Micro ApexOne Command Injection Vulnerability (CVE-2019-18188)
1010039 - Trend Micro OfficeScan Directory Traversal Vulnerability (CVE-2019-18187)

Web Application Common
1010013 - Identified Encoded PowerShell Script Execution on Server
1010035* - PHP EXIF Uninitialized Read Vulnerability (CVE-2019-9640)
1010037 - PHP Out Of Bounds Read Vulnerability (CVE-2018-20783)
1010036 - SDCMS Remote Code Execution Vulnerability (CVE-2018-19520)

Web Server Common
1010044 - PHP Unauthenticated Remote Code Execution Vulnerability (CVE-2019-11043)

Webmin
1010043 - Webmin Unauthenticated Remote Code Execution Vulnerability (CVE-2019-15107)

Windows Remote Management
1009894 - Identified Usage Of Windows Remote Management (ATT&CK T1028)

Windows Services RPC Server DCERPC
1009892 - Identified Domain-Level Credentials Dumping Over DCERPC (ATT&CK T1003)
1009615 - Identified Initialization Of WMI - Server (ATT&CK T1047)

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-053 (October 22, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1010025* - Microsoft Windows NTLM Tampering Vulnerability (CVE-2019-1166)

HP Intelligent Management Center Dbman
1010022 - HPE Intelligent Management Center Information Disclosure Vulnerability (CVE-2019-5392)

Mail Server Over SSL/TLS
1010010* - Exim Remote Code Execution Vulnerability (CVE-2019-16928)

Redis Server
1009967* - Redis Unauthenticated Code Execution Vulnerability

SolarWinds Dameware Mini Remote Control
1009999* - SolarWinds DameWare Mini Remote Control CltDHPubKeyLen Out Of Bounds Read Vulnerability (CVE-2019-3956)
1010005* - SolarWinds DameWare Mini Remote Control RsaSignatureLen Out Of Bounds Read Vulnerability (CVE-2019-3957)

Web Application Common
1010023 - October CMS Upload Protection Bypass Code Execution Vulnerability (CVE-2017-1000119)
1010035 - PHP EXIF Uninitialized Read Vulnerability (CVE-2019-9640)

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-052 (October 17, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1010025 - Microsoft Windows NTLM Tampering Vulnerability (CVE-2019-1166)

Web Application Common
1009746 - Telerik Web UI Cryptographic Security Bypass Vulnerability (CVE-2017-9248)

Web Client Common
1010028 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 1
1010027 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 2
1010029 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 3
1010031 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 4
1010032 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 5
1010026 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 6
1010030 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 7
1010033 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-49) - 8

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-051 (October 15, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

HP Intelligent Management Center (IMC)
1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities

Redis Server
1009967 - Redis Unauthenticated Code Execution Vulnerability

SSL Client
1010014 - Hola VPN Certificate Exchange Detected

SolarWinds Dameware Mini Remote Control
1009999 - SolarWinds DameWare Mini Remote Control CltDHPubKeyLen Out Of Bounds Read Vulnerability (CVE-2019-3956)
1010005 - SolarWinds DameWare Mini Remote Control RsaSignatureLen Out Of Bounds Read Vulnerability (CVE-2019-3957)

Web Application Common
1009531* - Jenkins CI Server Groovy Plugin Sandbox Bypass Multiple Vulnerabilities

Web Client Common
1010007 - LibreOffice Macro Python Code Execution Vulnerability (CVE-2019-9851)
1009987* - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1249)
1010024 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1250)

Web Server NAI ePolicy Orchestrator
1002360* - McAfee ePolicy Orchestrator Framework Services HTTP Buffer Overflow

Integrity Monitoring Rules:

1002781* - Microsoft Windows - Attributes of a service modified (ATT&CK T1050, T1036, T1031)

Log Inspection Rules:

1008670* - Microsoft Windows Security Events - 3
1009771 - Microsoft Windows Sysmon Events - 1
1009777 - Microsoft Windows Sysmon Events - 2

RULE UPDATE: 19-050 (October 8, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1105)
1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1105)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1105)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1021)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1021)
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1021)

DCERPC Services - Client
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1039)

Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)

File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102)
1007605* - BOX (ATT&CK T1102)
1007463* - Microsoft OneDrive (ATT&CK T1102)

Mail Server Over SSL/TLS
1010010 - Exim Remote Code Execution Vulnerability (CVE-2019-16928)

Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)

SSL Client
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1032)

Suspicious Client Application Activity
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1094)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1094)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1094)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1094)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1094)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1094)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1094)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1094)

Web Client Common
1010000 - Adobe Acrobat And Reader Out-of-Bounds Read Vulnerability (CVE-2019-7110)
1000943* - Detect UPX Packed Executable Download (ATT&CK T1045)
1010021 - Microsoft Graphics Components Information Disclosure Vulnerability (CVE-2019-1361)
1010009 - Microsoft Windows Elevation of Privilege Vulnerability (CVE-2019-1364)
1009981* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1252)
1010015 - Microsoft XML Remote Code Execution Vulnerability (CVE-2019-1060)

Web Client Internet Explorer/Edge
1009787* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1024)
1009788* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1051)
1009792* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1052)
1010018 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1307)
1010019 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1308)
1010008 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1335)
1010020 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1366)
1010016 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1238)
1010017 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1239)

Web Server Common
1005434* - Disallow Upload Of A PHP File (ATT&CK T1105)
1003025* - Web Server Restrict Executable File Uploads (ATT&CK T1105)

Web Server Miscellaneous
1005604* - Apache Struts Multiple Remote Command Execution Vulnerability

Web Server Oracle
1009816* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2729)

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-049 (October 1, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)

DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)

DNS Server
1009667 - DNSmasq 'add_pseudoheader' Memory Exhaustion Denial Of Service (CVE-2017-14495)

Database Oracle
1001832* - Oracle Database Server Possible Brute Force Attempt (ATT&CK T1110)

FTP Server Common
1002413* - FTP Server Possible Brute Force Attempt (ATT&CK T1110)

File Sharing Applications
1004707* - Dropbox (ATT&CK T1102)
1002472* - FTP Client (ATT&CK T1048)
1003651* - Windows Live FolderShare (ATT&CK T1102)

Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102)
1004663* - IP Messenger (ATT&CK T1102)
1002507* - Jabber (ATT&CK T1102)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102)
1002162* - MSN Messenger (ATT&CK T1102)
1002462* - MSN Messenger File Transfers (ATT&CK T1102)
1004941* - QQ Messenger (ATT&CK T1102)
1003243* - Yahoo Instant Message URL Blocker (ATT&CK T1102)
1002163* - Yahoo! Messenger (ATT&CK T1102)
1002384* - Yahoo! Messenger File Transfers (ATT&CK T1102)

Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071,T1048)

Mail Server Common
1010001 - Dovecot And Pigeonhole Remote Code Execution Vulnerability (CVE-2019-11500)

Remote Login Applications
1002508* - RDP (ATT&CK T1076)
1002490* - Radmin (ATT&CK T1219)
1002487* - SSH Client (ATT&CK T1032,T1071)
1004364* - TeamViewer (ATT&CK T1219)
1002475* - Telnet Client (ATT&CK T1021)
1002503* - VNC Client (ATT&CK T1076,T1219)

SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1032)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1032)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1032)

Suspicious Client Application Activity
1001162* - Detected HTTP Client Traffic (ATT&CK T1071,T1048)
1005324* - Detected SSLv2 Response (ATT&CK T1032)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1094)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1048)

Suspicious Server Application Activity
1003806* - Detected Rlogin Server Traffic (ATT&CK T1021)
1003593* - Detected SSH Server Traffic (ATT&CK T1021)
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1032)
1005321* - Detected SSLv2 Request (ATT&CK T1032)
1003595* - Detected Telnet Server Traffic (ATT&CK T1021)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021)
1001163* - Detected X11 Server Traffic (ATT&CK T1021)
1005463* - Identified Finger Service Traffic (ATT&CK T1021)

Unix Telnet
1002414* - Telnet Server Possible Brute Force Attempt (ATT&CK T1110)

Web Application Common
1009991* - Jenkins Core 'FileParameterValue' Directory Traversal Vulnerability (CVE-2019-10352)
1009970* - PHP EXIF Parsing Heap Overflow Vulnerability (CVE-2019-11041 and CVE-2019-11042)
1009975* - Sonatype Nexus Repository Manager OS Command Injection Vulnerability (CVE-2019-5475)

Web Application PHP Based
1008970* - Drupal Core Remote Code Execution Vulnerability (CVE-2018-7600)
1009978* - Joomla! Component JS Support Ticket 'com_jssupportticket' Arbitrary File Deletion Vulnerability

Web Client Common
1009986* - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1243)
1009760* - Microsoft Windows Jet Database Engine Multiple Remote Code Execution Vulnerabilities (May-2019)
1010004 - Oracle Java ActiveX Plugin Uninitialized Window Handle Remote Code Execution Vulnerability (CVE-2010-3555)

Web Media Applications
1009913* - Identified Pastebin Communication (ATT&CK T1102)

Web Server Common
1009996* - Atlassian Confluence Server PackageResourceManager Information Disclosure Vulnerability (CVE-2019-3394)
1005567* - Identified No Ending Protocol In HTTP Request

Web Server HTTPS
1009998* - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009968* - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)

Web Server Miscellaneous
1009992* - Microsoft Azure DevOps Server Remote Code Execution Vulnerability (CVE-2019-1306)

Web Server Squid
1009997* - Squid Proxy Digest Authentication Denial of Service (CVE-2019-12525)

Integrity Monitoring Rules:

1002776* - Microsoft Windows - Startup Programs Modified (ATT&CK T1112)
1006803* - TMTR-0001: Suspicious Files Detected In Operating System Directories
1006800* - TMTR-0002: Suspicious Files Detected In Operating System Directories
1006798* - TMTR-0005: Suspicious Files Detected In Application Directories
1006797* - TMTR-0006: Suspicious Files Detected In Application Directories
1006796* - TMTR-0007: Suspicious Files Detected In Application Directories
1006682* - TMTR-0008: Suspicious Directories Detected In Program Files Folder
1006805* - TMTR-0009: Suspicious Files Detected In System Folder
1006804* - TMTR-0010: Suspicious Files Detected In System Folder
1006795* - TMTR-0011: Suspicious Files Detected In System Folder
1006677* - TMTR-0013: Suspicious Files Detected In Windows Folder
1006799* - TMTR-0014: Suspicious Service Detected
1006684* - TMTR-0015: Suspicious Service Detected
1006683* - TMTR-0016: Suspicious Running Processes Detected
1006691* - TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected
1007210* - TMTR-0018: Suspicious Files Detected In User Profile Directory
1007214* - TMTR-0019: Suspicious Files Detected In System Drivers Directory
1007215* - TMTR-0020: Suspicious Directories Detected In System Drive
1007216* - TMTR-0021: Suspicious Files Detected In System Drive
1007217* - TMTR-0022: Suspicious Files Detected In Recycle Bin
1007218* - TMTR-0023: Suspicious Changes In NTLM Settings
1007219* - TMTR-0024: Suspicious Files Detected In C Drive
1007221* - TMTR-0026: Suspicious Files Detected In Program FIles Folder

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

RULE UPDATE: 19-048 (September 24, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1004542* - Windows Netlogon Service Denial Of Service (CVE-2010-2742)

FTP Server Common
1003784* - FTP Server Restrict Executable File Uploads (ATT&CK T1105)

HP Intelligent Management Center (IMC)
1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities

Mail Server Common
1005344* - POP3 Mail Server Possible Brute Force Attempt (ATT&CK T1110)

OpenSSL
1006307* - Detected Too Many Suspicious TLS/SSL Client Hello Messages (ATT&CK T1032)
1006012* - Identified Suspicious OpenSSL TLS/DTLS Heartbeat Request (ATT&CK T1032)
1005474* - Identified Weak Cipher Support From TLS/SSL Server (ATT&CK T1032)

OpenSSL Client
1006184* - Identified OpenSSL DTLS Anonymous ECDH Cipher Suite (ATT&CK T1032)
1006190* - Identified OpenSSL SRP Cipher Suite In Server Hello Message (ATT&CK T1032)
1006017* - Restrict OpenSSL TLS/DTLS Heartbeat Message (ATT&CK T1032)

Remote Desktop Protocol Server
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)

SSL Client
1006740* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Client (ATT&CK T1032)

SSL/TLS Server
1006026* - Identified Compression Algorithm In SSL/TLS (ATT&CK T1002)

Suspicious Client Application Activity
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1094)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1094)
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1094)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1094)

Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071)

Web Application Common
1005427* - Identified Suspicious Upload Of Archive File (ATT&CK T1105)
1009991 - Jenkins Core 'FileParameterValue' Directory Traversal Vulnerability (CVE-2019-10352)
1009970 - PHP EXIF Parsing Heap Overflow Vulnerability (CVE-2019-11041 and CVE-2019-11042)
1009975 - Sonatype Nexus Repository Manager OS Command Injection Vulnerability (CVE-2019-5475)
1005208* - Web Application Possible Brute Force Attempt (ATT&CK T1110)

Web Application PHP Based
1009978 - Joomla! Component JS Support Ticket 'com_jssupportticket' Arbitrary File Deletion Vulnerability

Web Client Common
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1073)
1005269* - Identified Download Of DLL File Over WebDAV (ATT&CK T1073)
1003244* - Identified Suspicious Obfuscated JavaScript (ATT&CK T1027)
1006391* - Identified Suspicious Obfuscated JavaScript - 1 (ATT&CK T1027)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1027)
1006599* - Identified Suspicious Obfuscated JavaScript - 3 (ATT&CK T1027)
1006882* - Identified Suspicious Obfuscated JavaScript - 4 (ATT&CK T1027)
1008185* - Identified Suspicious Obfuscated PDF Document (ATT&CK T1027)
1008297* - Identified Suspicious RTF File With Obfuscated PowerShell Execution (ATT&CK T1027,T1086)
1009994 - Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability (CVE-2019-0672)
1009995 - Microsoft Word Remote Code Execution Vulnerability (CVE-2019-0585)

Web Client Internet Explorer/Edge
1009993 - Microsoft Internet Explorer And Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0746)
1010003 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-1367)

Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1032)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)
1006024* - Identified Compression Algorithm In SSL/TLS Message (ATT&CK T1002)
1005040* - Identified Revoked Certificate Authority In SSL Traffic (ATT&CK T1032)

Web Server Common
1009996 - Atlassian Confluence Server PackageResourceManager Information Disclosure Vulnerability (CVE-2019-3394)
1007213* - Disallow Upload Of A Class File (ATT&CK T1105)
1008621* - Disallow Upload Of A JSP File (ATT&CK T1105)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1105)
1005013* - Restrict Microsoft .Net Executable File Upload (ATT&CK T1105)

Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1032)
1008137* - Identified TLS/SSL DES Cipher Suite Is Being Supported (ATT&CK T1032)
1005641* - Identified TLS/SSL RC4 Cipher Suite Is Being Supported (ATT&CK T1032)
1006064* - Identified Too Many Compressed HTTP Responses (ATT&CK T1002)
1007491* - Identified Usage Of EXPORT Cipher Suite In SSLv2 Connection (ATT&CK T1032)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1032)
1009998 - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009968 - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)

Web Server Miscellaneous
1009992 - Microsoft Azure DevOps Server Remote Code Execution Vulnerability (CVE-2019-1306)

Web Server SharePoint
1009974 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-1295)

Web Server Squid
1009997 - Squid Proxy Digest Authentication Denial of Service (CVE-2019-12525)

Integrity Monitoring Rules:

1005645* - Microsoft Windows - AutoRun Registry Entries Modified (ATT&CK T1013, T1060)

Log Inspection Rules:

1002795* - Microsoft Windows Events

RULE UPDATE: 19-047 (September 17, 2019)

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Mail Server Over SSL/TLS
1009977 - Exim Mail Server Remote Code Execution Vulnerability (CVE-2019-15846)

Microsoft Office
1009982 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2019-1297)
1009848 - Microsoft Office Memory Corruption Vulnerability (CVE-2018-0798)

Web Application Common
1009979 - XStream Library ReflectionConverter Insecure Deserialization Remote Command Execution Vulnerability (CVE-2019-10173) - Server

Web Client Common
1009988 - Microsoft DirectWrite Information Disclosure Vulnerability (CVE-2019-1251)
1009984 - Microsoft Graphics Components Information Disclosure Vulnerability (CVE-2019-1283)
1009985 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1241)
1009986 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1243)
1009989 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1246)
1009987 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1249)
1009981 - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1252)
1009980 - Microsoft Windows JET Database Engine Integer Underflow Remote Code Execution Vulnerability (CVE-2019-1248)
1009983 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1242)
1009990 - Microsoft Windows VBScript Remote Code Execution Vulnerability (CVE-2019-1208)
1009976 - XStream Library ReflectionConverter Insecure Deserialization Remote Command Execution Vulnerability (CVE-2019-10173)

Web Server Common
1003598* - Multiple HTTP Server Low Bandwidth Denial Of Service

Integrity Monitoring Rules:

1006802* - TMTR-0003: Suspicious Files Detected In Operating System Directories
1006801* - TMTR-0004: Suspicious Files Detected In Operating System Directories
1006658* - TMTR-0012: Suspicious Files Detected In Temporary Directories

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.

Featured Stories

View All

$halloween exploits vulnerabilities bluekeep chrome zero days$
Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the Wild
Patch now: Two Chrome zero-days were reported, one of them actively exploited in a campaign. Meanwhile, BlueKeep was initially reported seen in the wild to install a malicious Monero miner.
Read more
$PHP-FPM Vulnerability (CVE-2019-11043) can Lead to Remote Code Execution in NGINX Web Servers$
PHP-FPM Vulnerability (CVE-2019-11043) can Lead to Remote Code Execution in NGINX Web Servers
Administrators of NGINX web servers running PHP-FPM are advised to patch a vulnerability (CVE-2019-11043) that can let threat actors execute remote code on vulnerable, NGINX-enabled web servers. Here’s what you need to know.
Read more
$Secure Complex IoT Environments$
Securing Smart Homes and Buildings: Threats and Risks to Complex IoT Environments
The evolution of smart homes and smart buildings into complex IoT environments reflects the continuing developments in home and industrial automation. Security should not be left behind as increased complexity also means new threats and risks.
Read more
$https://documents.trendmicro.com/images/TEx/articles/20180903221730972-24-yhxppax-800.jpg$
MQTT and CoAP: Security and Privacy Issues in IoT and IIoT Communication Protocols
We looked into MQTT brokers and CoAP servers around the world to assess IoT protocol security. Learn how to prevent risks and secure machine-to-machine (M2M) communications over MQTT and CoAP in our research.
Read more