Talos Rules 2016-04-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-037: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38465 through 38470, 38491 through 38492, and 38503 through 38508.

Microsoft Security Bulletin MS16-038: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38473 through 38474, 38479 through 38480, and 38483 through 38486.

Microsoft Security Bulletin MS16-039: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38459 through 38460, 38487 through 38488, and 38493 through 38494.

Microsoft Security Bulletin MS16-040: A coding deficiency exists in Microsoft XML Core Services that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38463 through 38464.

Microsoft Security Bulletin MS16-041: A coding deficiency exists in the Microsoft .NET Framework that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38469 through 38470.

Microsoft Security Bulletin MS16-042: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36751 through 36752, 38471 through 38472, 38481 through 38482, and 38495 through 38496.

Microsoft Security Bulletin MS16-044: A coding deficiency exists in Microsoft Windows OLE that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38489 through 38490.

Microsoft Security Bulletin MS16-046: A coding deficiency exists in Microsoft Secondary Logon that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 38458.

Microsoft Security Bulletin MS16-047: A coding deficiency exists in Microsoft SAM and LSAD Remote Protocols that may lead to a downgrade attack.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 38462.

Microsoft Security Bulletin MS16-048: A coding deficiency exists in Microsoft CSRSS that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38475 through 38476.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-office, file-other and os-windows rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-12 19:00:59 UTC

Snort Subscriber Rules Update

Date: 2016-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38501 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38502 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38500 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)
 * 1:38499 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38503 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38506 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38458 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSARPC LsapLookupSids denial of service attempt (os-windows.rules)
 * 1:38459 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38460 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38461 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy connection detected (os-windows.rules)
 * 1:38462 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy downgrade attempt (os-windows.rules)
 * 1:38463 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38464 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38465 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38466 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38467 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38468 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38471 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38472 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38473 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38474 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38475 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38476 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38477 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38478 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38479 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38480 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38481 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38482 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38486 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38487 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38488 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38491 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38492 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38493 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38494 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38485 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38498 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38497 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)

Modified Rules:


 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)

2016-04-12 19:00:59 UTC

Snort Subscriber Rules Update

Date: 2016-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38458 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSARPC LsapLookupSids denial of service attempt (os-windows.rules)
 * 1:38459 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38460 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38461 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy connection detected (os-windows.rules)
 * 1:38462 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy downgrade attempt (os-windows.rules)
 * 1:38463 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38464 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38465 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38466 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38467 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38468 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38471 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38472 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38473 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38474 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38475 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38476 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38477 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38478 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38479 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38480 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38481 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38482 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38485 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38486 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38487 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38488 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38491 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38492 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38493 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38494 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38506 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38503 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38502 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38500 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)
 * 1:38499 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38501 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38498 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38497 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)

Modified Rules:


 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)

2016-04-12 19:00:59 UTC

Snort Subscriber Rules Update

Date: 2016-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38506 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38503 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt (browser-ie.rules)
 * 1:38502 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38501 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38500 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)
 * 1:38499 <-> DISABLED <-> MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt (malware-other.rules)
 * 1:38498 <-> DISABLED <-> MALWARE-OTHER samsam samsam.exe file load attempt (malware-other.rules)
 * 1:38497 <-> DISABLED <-> MALWARE-OTHER samsam delfiletype.exe file load attempt (malware-other.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Word out of bound read exception attempt (file-office.rules)
 * 1:38494 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38493 <-> ENABLED <-> FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt (file-other.rules)
 * 1:38492 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38491 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt (os-windows.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38488 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38487 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt (os-windows.rules)
 * 1:38486 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38485 <-> ENABLED <-> BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt (browser-ie.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38482 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38481 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt (file-office.rules)
 * 1:38480 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38479 <-> ENABLED <-> BROWSER-IE Microsoft Edge remove range out of bounds read attempt (browser-ie.rules)
 * 1:38478 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38477 <-> ENABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:38476 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38475 <-> ENABLED <-> OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt (os-windows.rules)
 * 1:38474 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38473 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe cross-site scripting attempt (browser-ie.rules)
 * 1:38472 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38471 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object use after free attempt (file-office.rules)
 * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules)
 * 1:38468 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38467 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt (browser-ie.rules)
 * 1:38466 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38465 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt (browser-ie.rules)
 * 1:38464 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38463 <-> ENABLED <-> BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt (browser-plugins.rules)
 * 1:38462 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy downgrade attempt (os-windows.rules)
 * 1:38461 <-> ENABLED <-> OS-WINDOWS DCERPC Bind auth level packet privacy connection detected (os-windows.rules)
 * 1:38460 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38459 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt (os-windows.rules)
 * 1:38458 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSARPC LsapLookupSids denial of service attempt (os-windows.rules)

Modified Rules:


 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)