Rule Update
20-057 (November 10, 2020)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services - Client
1010594 - Google Chrome FreeType Font File Buffer Overflow Vulnerability Over SMB (CVE-2020-15999)
Directory Server LDAP
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)
NFS Server
1010604 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)
1010605 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17056)
OpenSSL Client
1006546* - OpenSSL ECDHE Downgrade Vulnerability (CVE-2014-3572)
Port Mapper RPC
1010606 - Identified Out-Of-Sync RPCSEC_GSS_CONTINUE_INIT RPC Message
Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
Web Application Common
1010592 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerabilities (CVE-2019-12538 and CVE-2019-12542)
1010593 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)
Web Application PHP Based
1010564 - Joomla Arbitrary File Upload Vulnerability (CVE-2020-23972)
Web Client Common
1010603 - Adobe Acrobat Pro DC FDF Object Use After Free Vulnerability (CVE-2020-24430)
1010600 - Adobe Acrobat Pro DC URL Out Of Bounds Read Vulnerability (CVE-2020-24435)
1010599 - Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2020-17087)
Web Client Internet Explorer/Edge
1010602 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2020-17053)
1010601 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-17052)
Web Server Common
1010099 - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)
Web Server Miscellaneous
1010580 - Spring Security OAuth Open Redirect Vulnerability (CVE-2019-3778)
Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882 and CVE-2020-14750)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1008852* - Auditd
1010489* - Auditd - Mitre ATT&CK TA0003: Persistence
1010528* - Auditd - Mitre ATT&CK TA0004: Privilege Escalation
1010558* - Auditd - Mitre ATT&CK TA0005: Defense Evasion
1010536* - Auditd - Mitre ATT&CK TA0006: Credential Access
1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1003987* - Microsoft Windows Security Events - 2
Deep Packet Inspection Rules:
DCERPC Services - Client
1010594 - Google Chrome FreeType Font File Buffer Overflow Vulnerability Over SMB (CVE-2020-15999)
Directory Server LDAP
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)
NFS Server
1010604 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)
1010605 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17056)
OpenSSL Client
1006546* - OpenSSL ECDHE Downgrade Vulnerability (CVE-2014-3572)
Port Mapper RPC
1010606 - Identified Out-Of-Sync RPCSEC_GSS_CONTINUE_INIT RPC Message
Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
Web Application Common
1010592 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerabilities (CVE-2019-12538 and CVE-2019-12542)
1010593 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)
Web Application PHP Based
1010564 - Joomla Arbitrary File Upload Vulnerability (CVE-2020-23972)
Web Client Common
1010603 - Adobe Acrobat Pro DC FDF Object Use After Free Vulnerability (CVE-2020-24430)
1010600 - Adobe Acrobat Pro DC URL Out Of Bounds Read Vulnerability (CVE-2020-24435)
1010599 - Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2020-17087)
Web Client Internet Explorer/Edge
1010602 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2020-17053)
1010601 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-17052)
Web Server Common
1010099 - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)
Web Server Miscellaneous
1010580 - Spring Security OAuth Open Redirect Vulnerability (CVE-2019-3778)
Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882 and CVE-2020-14750)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1008852* - Auditd
1010489* - Auditd - Mitre ATT&CK TA0003: Persistence
1010528* - Auditd - Mitre ATT&CK TA0004: Privilege Escalation
1010558* - Auditd - Mitre ATT&CK TA0005: Defense Evasion
1010536* - Auditd - Mitre ATT&CK TA0006: Credential Access
1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1003987* - Microsoft Windows Security Events - 2