Talos Rules 2018-10-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2010-3190: A coding deficiency exists in MFC that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 18619 through 18623 and 18625 through 18629.

Microsoft Vulnerability CVE-2018-8333: A coding deficiency exists in Microsoft Filter Manager that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48055 through 48056.

Microsoft Vulnerability CVE-2018-8411: A coding deficiency exists in NTFS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48057 through 48058.

Microsoft Vulnerability CVE-2018-8413: A coding deficiency exists in Microsoft Windows Theme API that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48059 through 48060.

Microsoft Vulnerability CVE-2018-8423: A coding deficiency exists in Microsoft JET Database Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 47885 through 47888.

Microsoft Vulnerability CVE-2018-8453: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48072 through 48073.

Microsoft Vulnerability CVE-2018-8460: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48045 through 48046.

Microsoft Vulnerability CVE-2018-8486: A coding deficiency exists in DirectX Graphics Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48047 through 48048.

Microsoft Vulnerability CVE-2018-8491: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48049 through 48050.

Microsoft Vulnerability CVE-2018-8492: A coding deficiency exists in Microsoft Device Guard that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48062 through 48063.

Microsoft Vulnerability CVE-2018-8495: A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48053 through 48054.

Microsoft Vulnerability CVE-2018-8505: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48051 through 48052.

Talos also has added and modified multiple rules in the browser-ie, file-executable, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-10-09 18:09:24 UTC

Snort Subscriber Rules Update

Date: 2018-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48070 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt (server-webapp.rules)
 * 1:48046 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48061 <-> DISABLED <-> SERVER-WEBAPP pfSense status_interfaces.php command injection attempt (server-webapp.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48048 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48054 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48053 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48047 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48071 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt (server-webapp.rules)
 * 1:48045 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 3:48067 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48068 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48066 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0685 attack attempt (server-webapp.rules)
 * 3:48069 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0689 attack attempt (server-webapp.rules)

Modified Rules:


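The change-log format above (gid:sid <-> Default rule state <-> Message (rule group)) is simple to parse, and it is worth parsing rather than reading, because most of the rules in this release ship DISABLED: the summary's "rules to detect attacks targeting these vulnerabilities are included in this release" does not mean they fire out of the box. The Python below is an added example, not Talos or Snort code. It parses a constructed excerpt of lines copied from the Snort 2983 list above (not the full rule pack), maps the SID ranges the summary claims for each CVE onto their default state, and lists the gid:sid entries you would still have to enable. The CVE-to-SID table is transcribed from the summary; CVE-2018-8423 is included deliberately because its coverage comes from previously released SIDs that this change log does not list, so the audit reports them as missing from the excerpt. The gid:sid output form is an assumption about what your rule-management tool (for example a PulledPork enable list) accepts; check it against that tool's documentation.

```python
import re

# Constructed excerpt: these lines are copied from the Snort 2983 change log on this page.
# It is not the full rule pack, so any SID not listed here is reported as "missing".
CHANGELOG = """\
 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 3:48067 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
"""

# Coverage claims transcribed from the advisory summary: CVE -> (gid, first SID, last SID).
# CVE-2018-8423 is covered by previously released SIDs that this change log does not list.
COVERAGE = {
    "CVE-2018-8453": (1, 48072, 48073),
    "CVE-2018-8491": (1, 48049, 48050),
    "CVE-2018-8413": (1, 48059, 48060),
    "CVE-2018-8492": (1, 48062, 48063),
    "CVE-2018-8411": (1, 48057, 48058),
    "CVE-2018-8423": (1, 47885, 47888),
}

# One change-log entry: " * gid:sid <-> STATE <-> message (group.rules)".
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Map (gid, sid) -> {state, msg, group}; lines that do not match the format are skipped."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def audit_coverage(rules, coverage):
    """For each CVE, sort the claimed SIDs into enabled / disabled / missing."""
    report = {}
    for cve, (gid, first, last) in coverage.items():
        buckets = {"enabled": [], "disabled": [], "missing": []}
        for sid in range(first, last + 1):
            entry = rules.get((gid, sid))
            if entry is None:
                buckets["missing"].append(sid)   # not in this change log
            elif entry["state"] == "ENABLED":
                buckets["enabled"].append(sid)
            else:
                buckets["disabled"].append(sid)  # ships off by default
        report[cve] = buckets
    return report


def enablesid_entries(rules, coverage):
    """gid:sid entries for every claimed rule that ships DISABLED, sorted numerically.
    The gid:sid form is an assumption about the rule manager's enable list; check its docs."""
    wanted = set()
    for gid, first, last in coverage.values():
        for sid in range(first, last + 1):
            entry = rules.get((gid, sid))
            if entry is not None and entry["state"] == "DISABLED":
                wanted.add((gid, sid))
    return ["%d:%d" % pair for pair in sorted(wanted)]


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG)
    for cve, buckets in audit_coverage(parsed, COVERAGE).items():
        print(cve, buckets)
    print("\n".join(enablesid_entries(parsed, COVERAGE)))
```

Run it against the full change log of the pack you actually deploy rather than the excerpt; the "missing" bucket then tells you whether your installed pack predates a SID the summary relies on, and the "disabled" bucket is the list to feed to your enable list before you count a CVE as covered.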

2018-10-09 18:09:24 UTC

Snort Subscriber Rules Update

Date: 2018-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48070 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt (server-webapp.rules)
 * 1:48045 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48046 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48047 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48048 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48053 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48054 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48061 <-> DISABLED <-> SERVER-WEBAPP pfSense status_interfaces.php command injection attempt (server-webapp.rules)
 * 1:48071 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt (server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 3:48069 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0689 attack attempt (server-webapp.rules)
 * 3:48066 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0685 attack attempt (server-webapp.rules)
 * 3:48067 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48068 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)

Modified Rules:



2018-10-09 18:09:24 UTC

Snort Subscriber Rules Update

Date: 2018-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:48045 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (snort3-browser-ie.rules)
 * 1:48047 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (snort3-os-windows.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (snort3-browser-ie.rules)
 * 1:48056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:48048 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (snort3-os-windows.rules)
 * 1:48054 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (snort3-browser-ie.rules)
 * 1:48071 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt (snort3-server-webapp.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (snort3-file-executable.rules)
 * 1:48053 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (snort3-browser-ie.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (snort3-file-executable.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (snort3-file-other.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (snort3-file-other.rules)
 * 1:48061 <-> DISABLED <-> SERVER-WEBAPP pfSense status_interfaces.php command injection attempt (snort3-server-webapp.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (snort3-file-other.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (snort3-file-other.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (snort3-server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (snort3-server-webapp.rules)
 * 1:48046 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (snort3-browser-ie.rules)
 * 1:48070 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt (snort3-server-webapp.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (snort3-browser-ie.rules)

Modified Rules:



2018-10-09 18:09:24 UTC

Snort Subscriber Rules Update

Date: 2018-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48054 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48053 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48048 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48047 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48046 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48045 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48071 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt (server-webapp.rules)
 * 1:48070 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt (server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48061 <-> DISABLED <-> SERVER-WEBAPP pfSense status_interfaces.php command injection attempt (server-webapp.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 3:48066 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0685 attack attempt (server-webapp.rules)
 * 3:48067 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48068 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48069 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0689 attack attempt (server-webapp.rules)

Modified Rules:



2018-10-09 18:09:24 UTC

Snort Subscriber Rules Update

Date: 2018-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48046 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48049 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48050 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 1:48073 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:48048 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48071 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt (server-webapp.rules)
 * 1:48070 <-> DISABLED <-> SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt (server-webapp.rules)
 * 1:48047 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt (os-windows.rules)
 * 1:48045 <-> DISABLED <-> BROWSER-IE Microsoft Edge DomAttrModified use after free attempt (browser-ie.rules)
 * 1:48061 <-> DISABLED <-> SERVER-WEBAPP pfSense status_interfaces.php command injection attempt (server-webapp.rules)
 * 1:48053 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48060 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48058 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48059 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt (file-other.rules)
 * 1:48056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48057 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt (file-executable.rules)
 * 1:48054 <-> ENABLED <-> BROWSER-IE Microsoft Edge App-v vbs command attempt (browser-ie.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48062 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48063 <-> DISABLED <-> FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt (file-other.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post 1.0 Local File Inclusion directory traversal attempt (server-webapp.rules)
 * 3:48066 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0685 attack attempt (server-webapp.rules)
 * 3:48069 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0689 attack attempt (server-webapp.rules)
 * 3:48067 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)
 * 3:48068 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0684 attack attempt (server-webapp.rules)

Modified Rules: