Rule Update
20-061 (December 8, 2020)
Publish date: December 08, 2020
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1035)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1010652 - Microsoft Windows SMB2 Server Information Disclosure Vulnerability (CVE-2020-17140)
1010653 - Microsoft Windows SMB2 Server Remote Code Execution Vulnerability (CVE-2020-17096)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
DCERPC Services - Client
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client
DHCP Server
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)
Database Microsoft SQL
1010643 - Microsoft SQL Database Server Possible Login Brute Force Attempt
Dynamics 365 Client Services
1010656 - Microsoft Dynamics 365 Commerce Remote Code Execution Vulnerabilities (CVE-2020-17152 and CVE-2020-17158)
HP Intelligent Management Center (IMC)
1009902* - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)
NFS Server
1010605* - Microsoft Windows Network File System NLM RPC Message Information Disclosure Vulnerability (CVE-2020-17056)
Redis Server
1009967* - Redis Unauthenticated Code Execution Vulnerability
Remote Desktop Protocol Server
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)
Suspicious Client Application Activity
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)
Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1010647 - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request
TFTP Server
1009365* - Microsoft Windows Deployment Services TFTP Server Remote Code Execution Vulnerability (CVE-2018-8476)
Web Application Common
1010648 - Wordpress Woody Ad Snippets Plugin Remote Code Execution Vulnerability (CVE-2019-15858)
Web Application PHP Based
1009395* - PHP 'imap_open()' Remote Code Execution Vulnerability (CVE-2018-19518)
1009776 - WordPress Comment Field Remote Code Execution Vulnerability (CVE-2019-9787)
Web Client Common
1010646 - Adobe Acrobat And Reader Use After Free Vulnerability (CVE-2020-24437)
1010645 - Atlassian Confluence Server 'HTML Include And Replace Macro' Plugin Cross Site Scripting Vulnerability (CVE-2019-15053)
1010657 - Microsoft Windows PE File Signature Spoofing Vulnerability (CVE-2020-1599)
Web Server Adobe ColdFusion
1009897* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7838)
1009387* - Adobe ColdFusion Remote File Upload Vulnerability (CVE-2018-15961)
Web Server Miscellaneous
1010347* - Eclipse Jetty Chunk Length Parsing Integer Overflow Vulnerability (CVE-2017-7657)
1009942* - GNOME 'libsoup' HTTP Chunked Encoding Remote Code Execution Vulnerability (CVE-2017-2885)
1010649 - Microsoft Windows Exchange Memory Corruption Vulnerability (CVE-2020-17144)
Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
1009806* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2647)
1009898* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2648)
Web Server SharePoint
1010655 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-17121)
Windows SMB Server
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)
Zoho ManageEngine
1009399* - Zoho ManageEngine OpManager 'oputilsServlet' Authentication Bypass (CVE-2018-17283)
1009955* - Zoho ManageEngine OpManager Unauthenticated Remote Command Execution Vulnerability (CVE-2019-15106)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003473* - FTP Server - Vsftpd
1002795* - Microsoft Windows Events
1008670* - Microsoft Windows Security Events - 3
1010541* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)