Rule Update

21-036 (August 10, 2021)


  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

File Sharing Applications
1003651* - Windows Live FolderShare (ATT&CK T1102.002, T1567.002)


Instant Messenger Applications
1003243* - Yahoo Instant Message URL Blocker (ATT&CK T1102.002)
1002163* - Yahoo! Messenger (ATT&CK T1102.002)
1002384* - Yahoo! Messenger File Transfers (ATT&CK T1102.002)


NFS Server
1011079 - Microsoft Windows Services NFS ONCRPC XDR Driver Remote Code Execution Vulnerability (CVE-2021-26432)


OpenSSL
1006307* - Detected Too Many Suspicious TLS/SSL Client Hello Messages (ATT&CK T1573.002)
1006012* - Identified Suspicious OpenSSL TLS/DTLS Heartbeat Request (ATT&CK T1573.002)
1005474* - Identified Weak Cipher Support From TLS/SSL Server (ATT&CK T1573.002)


OpenSSL Client
1006184* - Identified OpenSSL DTLS Anonymous ECDH Cipher Suite (ATT&CK T1573.002)
1006190* - Identified OpenSSL SRP Cipher Suite In Server Hello Message (ATT&CK T1573.002)


Port Mapper FTP Client
1011089 - Identified File Upload Over FTP (ATT&CK T1048.003)


Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001, T1573.002)


Remote Login Applications
1002487* - SSH Client (ATT&CK T1021.004)


SSL Client
1006740* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Client (ATT&CK T1573.002)


SSL/TLS Server
1006026* - Identified Compression Algorithm In SSL/TLS (ATT&CK T1573.002)


Suspicious Client Application Activity
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)


Trend Micro OfficeScan
1011057* - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)


Web Application Common
1005427* - Identified Suspicious Upload Of Archive File (ATT&CK T1190)
1010122* - WordPress Plainview Activity Monitor Plugin Remote Code Execution Vulnerability (CVE-2018-15877)


Web Application PHP Based
1011074 - WordPress 'Backup Guard' Plugin Arbitrary File Upload Vulnerability (CVE-2021-24155)


Web Client Common
1011090 - Google Chrome Heap Corruption Vulnerability (CVE-2021-21148)
1011075 - Google Chrome Type Confusion Vulnerability (CVE-2019-13764)
1005269* - Identified Download Of DLL File Over WebDAV (ATT&CK T1574.002)
1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1003244* - Identified Suspicious Obfuscated JavaScript (ATT&CK T1203, T1001)
1006391* - Identified Suspicious Obfuscated JavaScript - 1 (ATT&CK T1203, T1001)
1006599* - Identified Suspicious Obfuscated JavaScript - 3 (ATT&CK T1203, T1001)
1006882* - Identified Suspicious Obfuscated JavaScript - 4 (ATT&CK T1203, T1001)
1008185* - Identified Suspicious Obfuscated PDF Document (ATT&CK T1027, T1204.002)
1008297* - Identified Suspicious RTF File With Obfuscated PowerShell Execution (ATT&CK T1027, T1204.002, T1059.001)


Web Client Internet Explorer/Edge
1011077 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)


Web Client SSL
1006024* - Identified Compression Algorithm In SSL/TLS Message (ATT&CK T1573.002)
1005040* - Identified Revoked Certificate Authority In SSL Traffic (ATT&CK T1573.002)


Web Server Common
1008621* - Disallow Upload Of A JSP File (ATT&CK T1190)
1010405* - JAWS Remote Code Execution Vulnerability


Web Server HTTPS
1008137* - Identified TLS/SSL DES Cipher Suite Is Being Supported (ATT&CK T1573.002)
1005641* - Identified TLS/SSL RC4 Cipher Suite Is Being Supported (ATT&CK T1573.002)
1006064* - Identified Too Many Compressed HTTP Responses (ATT&CK T1071.001)
1007491* - Identified Usage Of EXPORT Cipher Suite In SSLv2 Connection (ATT&CK T1573.002)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1573.002)
1011072* - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011060 - WordPress 'LearnPress' Plugin Blind SQL Injection Vulnerability (CVE-2020-6010)
1011046* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability


Web Server Miscellaneous
1011044 - Apache Superset Open Redirect Vulnerability (CVE-2021-28125)
1010976* - SolarWinds NPM 'FromJson' Remote Code Execution Vulnerability (CVE-2021-31474)


Windows SMB Server
1011058* - Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol (PetitPotam)


Zabbix Server
1011073 - Zabbix Server Multiple Remote Code Execution Vulnerabilities


Zoho ManageEngine
1011062* - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)


Zoho ManageEngine ADSelfService Plus
1011064* - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)


Integrity Monitoring Rules:

1011059 - Microsoft Windows - Security support providers (SSP) registry key modified (ATT&CK T1547.005)


Log Inspection Rules:

1003802* - Directory Server - Microsoft Windows Active Directory
1010002* - Microsoft PowerShell Command Execution