Talos Rules 2018-12-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)

Modified Rules:


 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (snort3-malware-cnc.rules)
 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (snort3-malware-cnc.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (snort3-malware-cnc.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (snort3-server-other.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)

Modified Rules:


 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)

Modified Rules:


 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)

2018-12-06 22:49:55 UTC

Snort Subscriber Rules Update

Date: 2018-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
 * 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)