Talos Rules 2016-11-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-129: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40647 through 40656, 40659 through 40662, 40669 through 40670, 40683 through 40684, 40715 through 40716, and 40721 through 40722.

Microsoft Security Bulletin MS16-130: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40645 through 40646, 40671 through 40672, and 40677 through 40678.

Microsoft Security Bulletin MS16-132: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40675 through 40676, 40703 through 40706, and 40729 through 40730.

Microsoft Security Bulletin MS16-133: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40667 through 40668, 40673 through 40674, 40679 through 40682, 40701 through 40702, 40711 through 40712, 40717 through 40720, and 40723 through 40726.

Microsoft Security Bulletin MS16-134: A coding deficiency exists in Microsoft Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40657 through 40658 and 40689 through 40692.

Microsoft Security Bulletin MS16-135: A coding deficiency exists in Microsoft Kernel-Mode Drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40663 through 40666 and 40685 through 40688.

Microsoft Security Bulletin MS16-138: A coding deficiency exists in Microsoft Virtual Hard Drive that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40693 through 40694.

Microsoft Security Bulletin MS16-142: Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40669 through 40670, 40713 through 40714, and 40721 through 40722.

Talos has also added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-11-08 18:21:42 UTC

Snort Subscriber Rules Update

Date: 2016-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40711 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:40641 <-> DISABLED <-> FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40642 <-> DISABLED <-> FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40643 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.TrickBot (blacklist.rules)
 * 1:40644 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.TrickBot (blacklist.rules)
 * 1:40645 <-> ENABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:40646 <-> ENABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40651 <-> DISABLED <-> BROWSER-IE Microsoft Edge webkit directory file disclosure attempt (browser-ie.rules)
 * 1:40652 <-> DISABLED <-> BROWSER-IE Microsoft Edge webkit directory file disclosure attempt (browser-ie.rules)
 * 1:40653 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt (browser-ie.rules)
 * 1:40654 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt (browser-ie.rules)
 * 1:40655 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt (browser-ie.rules)
 * 1:40656 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt (browser-ie.rules)
 * 1:40657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:40658 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:40659 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt (browser-ie.rules)
 * 1:40660 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt (browser-ie.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40663 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt (os-windows.rules)
 * 1:40664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt (os-windows.rules)
 * 1:40665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40667 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt (file-office.rules)
 * 1:40668 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt (file-office.rules)
 * 1:40669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40671 <-> DISABLED <-> OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt (os-windows.rules)
 * 1:40672 <-> DISABLED <-> OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt (os-windows.rules)
 * 1:40673 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40674 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40675 <-> ENABLED <-> BROWSER-IE Microsoft Edge video html tag buffer overflow attempt (browser-ie.rules)
 * 1:40676 <-> ENABLED <-> BROWSER-IE Microsoft Edge video html tag buffer overflow attempt (browser-ie.rules)
 * 1:40677 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt (os-windows.rules)
 * 1:40678 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt (os-windows.rules)
 * 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40681 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt (file-office.rules)
 * 1:40682 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt (file-office.rules)
 * 1:40683 <-> ENABLED <-> BROWSER-IE Microsoft Edge stack variable memory access attempt (browser-ie.rules)
 * 1:40684 <-> ENABLED <-> BROWSER-IE Microsoft Edge stack variable memory access attempt (browser-ie.rules)
 * 1:40685 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt (os-windows.rules)
 * 1:40686 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt (os-windows.rules)
 * 1:40687 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt (os-windows.rules)
 * 1:40688 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt (os-windows.rules)
 * 1:40689 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40693 <-> ENABLED <-> OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt (os-windows.rules)
 * 1:40694 <-> ENABLED <-> OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt (os-windows.rules)
 * 1:40695 <-> ENABLED <-> FILE-PDF Adobe Reader parser object use-after-free attempt (file-pdf.rules)
 * 1:40696 <-> ENABLED <-> FILE-PDF Adobe Reader parser object use-after-free attempt (file-pdf.rules)
 * 1:40697 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40698 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40699 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40700 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Word out of bounds memory read attempt (file-office.rules)
 * 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Word out of bounds memory read attempt (file-office.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40705 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt (file-other.rules)
 * 1:40706 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt (file-other.rules)
 * 1:40707 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript use after free attempt (file-pdf.rules)
 * 1:40708 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript use after free attempt (file-pdf.rules)
 * 1:40709 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Komplex outbound connection (malware-cnc.rules)
 * 1:40710 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Komplex outbound connection (malware-cnc.rules)
 * 1:40733 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sality (blacklist.rules)
 * 1:40732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:40731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:40730 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40729 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40728 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:40727 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:40726 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid signed integer attempt (file-office.rules)
 * 1:40725 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid signed integer attempt (file-office.rules)
 * 1:40724 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt (file-office.rules)
 * 1:40723 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt (file-office.rules)
 * 1:40722 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt (browser-ie.rules)
 * 1:40721 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt (browser-ie.rules)
 * 1:40720 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SST record use after free attempt  (file-office.rules)
 * 1:40719 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SST record use after free attempt  (file-office.rules)
 * 1:40718 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt (file-office.rules)
 * 1:40717 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt (file-office.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)

Modified Rules:


 * 1:39157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:37230 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip method use after free attempt (file-flash.rules)
 * 1:35657 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt (file-flash.rules)
 * 1:37229 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip method use after free attempt (file-flash.rules)
 * 1:33706 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:35656 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt (file-flash.rules)
 * 1:26677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
 * 1:18806 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)

2016-11-08 18:21:42 UTC

Snort Subscriber Rules Update

Date: 2016-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40733 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sality (blacklist.rules)
 * 1:40732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:40731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:40730 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40729 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40728 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:40727 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:40726 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid signed integer attempt (file-office.rules)
 * 1:40725 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid signed integer attempt (file-office.rules)
 * 1:40724 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt (file-office.rules)
 * 1:40723 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt (file-office.rules)
 * 1:40722 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt (browser-ie.rules)
 * 1:40721 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt (browser-ie.rules)
 * 1:40720 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SST record use after free attempt  (file-office.rules)
 * 1:40719 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SST record use after free attempt  (file-office.rules)
 * 1:40718 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt (file-office.rules)
 * 1:40717 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt (file-office.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:40711 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:40710 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Komplex outbound connection (malware-cnc.rules)
 * 1:40709 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Komplex outbound connection (malware-cnc.rules)
 * 1:40708 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript use after free attempt (file-pdf.rules)
 * 1:40707 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript use after free attempt (file-pdf.rules)
 * 1:40706 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt (file-other.rules)
 * 1:40705 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt (file-other.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Word out of bounds memory read attempt (file-office.rules)
 * 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Word out of bounds memory read attempt (file-office.rules)
 * 1:40700 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40699 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40698 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40697 <-> DISABLED <-> FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt (file-pdf.rules)
 * 1:40696 <-> ENABLED <-> FILE-PDF Adobe Reader parser object use-after-free attempt (file-pdf.rules)
 * 1:40695 <-> ENABLED <-> FILE-PDF Adobe Reader parser object use-after-free attempt (file-pdf.rules)
 * 1:40694 <-> ENABLED <-> OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt (os-windows.rules)
 * 1:40693 <-> ENABLED <-> OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt (os-windows.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40689 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40688 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt (os-windows.rules)
 * 1:40687 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt (os-windows.rules)
 * 1:40686 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt (os-windows.rules)
 * 1:40685 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt (os-windows.rules)
 * 1:40684 <-> ENABLED <-> BROWSER-IE Microsoft Edge stack variable memory access attempt (browser-ie.rules)
 * 1:40683 <-> ENABLED <-> BROWSER-IE Microsoft Edge stack variable memory access attempt (browser-ie.rules)
 * 1:40682 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt (file-office.rules)
 * 1:40681 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt (file-office.rules)
 * 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40678 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt (os-windows.rules)
 * 1:40677 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt (os-windows.rules)
 * 1:40676 <-> ENABLED <-> BROWSER-IE Microsoft Edge video html tag buffer overflow attempt (browser-ie.rules)
 * 1:40675 <-> ENABLED <-> BROWSER-IE Microsoft Edge video html tag buffer overflow attempt (browser-ie.rules)
 * 1:40674 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40673 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40672 <-> DISABLED <-> OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt (os-windows.rules)
 * 1:40671 <-> DISABLED <-> OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt (os-windows.rules)
 * 1:40670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40668 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt (file-office.rules)
 * 1:40667 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt (file-office.rules)
 * 1:40666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt (os-windows.rules)
 * 1:40663 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt (os-windows.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40660 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt (browser-ie.rules)
 * 1:40659 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt (browser-ie.rules)
 * 1:40658 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:40657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:40656 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt (browser-ie.rules)
 * 1:40655 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt (browser-ie.rules)
 * 1:40654 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt (browser-ie.rules)
 * 1:40653 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt (browser-ie.rules)
 * 1:40652 <-> DISABLED <-> BROWSER-IE Microsoft Edge webkit directory file disclosure attempt (browser-ie.rules)
 * 1:40651 <-> DISABLED <-> BROWSER-IE Microsoft Edge webkit directory file disclosure attempt (browser-ie.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40646 <-> ENABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:40645 <-> ENABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:40644 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.TrickBot (blacklist.rules)
 * 1:40643 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.TrickBot (blacklist.rules)
 * 1:40642 <-> DISABLED <-> FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40641 <-> DISABLED <-> FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt (file-pdf.rules)

Modified Rules:


 * 1:39157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:37229 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip method use after free attempt (file-flash.rules)
 * 1:37230 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip method use after free attempt (file-flash.rules)
 * 1:35656 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt (file-flash.rules)
 * 1:35657 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt (file-flash.rules)
 * 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
 * 1:33706 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:26677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:18806 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)