Talos Rules 2019-06-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0920: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50373 through 50374.

Microsoft Vulnerability CVE-2019-0943: A coding deficiency exists in Microsoft Windows ALPC that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50413 through 50414.

Microsoft Vulnerability CVE-2019-0959: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50371 through 50372.

Microsoft Vulnerability CVE-2019-0984: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50411 through 50412.

Microsoft Vulnerability CVE-2019-0985: A coding deficiency exists in Microsoft Speech API that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50393 through 50394.

Microsoft Vulnerability CVE-2019-0986: A coding deficiency exists in Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50369 through 50370.

Microsoft Vulnerability CVE-2019-0988: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50405 through 50406.

Microsoft Vulnerability CVE-2019-0989: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50407 through 50408.

Microsoft Vulnerability CVE-2019-0990: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50357 through 50358.

Microsoft Vulnerability CVE-2019-0991: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50403 through 50404.

Microsoft Vulnerability CVE-2019-0992: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 49380 through 49381.

Microsoft Vulnerability CVE-2019-0993: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50401 through 50402.

Microsoft Vulnerability CVE-2019-1002: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50399 through 50400.

Microsoft Vulnerability CVE-2019-1003: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50395 through 50396.

Microsoft Vulnerability CVE-2019-1005: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50397 through 50398.

Microsoft Vulnerability CVE-2019-1017: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50363 through 50364.

Microsoft Vulnerability CVE-2019-1023: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 44813 through 44814.

Microsoft Vulnerability CVE-2019-1024: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50361 through 50362.

Microsoft Vulnerability CVE-2019-1041: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50365 through 50366.

Microsoft Vulnerability CVE-2019-1051: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50359 through 50360.

Microsoft Vulnerability CVE-2019-1052: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48051 through 48052.

Microsoft Vulnerability CVE-2019-1053: A coding deficiency exists in Microsoft Windows Shell that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 50183 through 50184.

Microsoft Vulnerability CVE-2019-1055: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50367 through 50368.

Microsoft Vulnerability CVE-2019-1064: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 50198 through 50199.

Microsoft Vulnerability CVE-2019-1065: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50375 through 50376.

Microsoft Vulnerability CVE-2019-1069: A coding deficiency exists in Microsoft Windows Task Scheduler that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 50162 through 50163.

Talos also has added and modified multiple rules in the browser-ie, file-pdf, indicator-compromise, malware-cnc, malware-other, malware-tools, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (server-mail.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (malware-cnc.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (malware-cnc.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (malware-cnc.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (server-webapp.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (malware-cnc.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (malware-cnc.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (malware-cnc.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (server-webapp.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (server-mail.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)

Modified Rules:


 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (server-webapp.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (malware-cnc.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (malware-cnc.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (malware-cnc.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (server-mail.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)

Modified Rules:


 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (snort3-indicator-compromise.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (snort3-malware-other.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (snort3-browser-ie.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (snort3-malware-cnc.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (snort3-malware-other.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (snort3-malware-tools.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (snort3-malware-tools.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (snort3-os-windows.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (snort3-os-windows.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (snort3-malware-cnc.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (snort3-server-webapp.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (snort3-os-windows.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (snort3-os-windows.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (snort3-os-windows.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (snort3-os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (snort3-malware-cnc.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (snort3-malware-other.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (snort3-malware-other.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (snort3-malware-other.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (snort3-malware-cnc.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (snort3-malware-cnc.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (snort3-malware-cnc.rules)
 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (snort3-malware-other.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (snort3-server-mail.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (snort3-malware-other.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (snort3-malware-other.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (snort3-policy-other.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (snort3-policy-other.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (snort3-malware-cnc.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (snort3-malware-cnc.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (snort3-indicator-compromise.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (snort3-server-webapp.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (snort3-file-pdf.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (snort3-file-pdf.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (snort3-malware-other.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (snort3-browser-ie.rules)
 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (snort3-malware-other.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (snort3-browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (snort3-malware-other.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (snort3-browser-ie.rules)

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (server-mail.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (server-webapp.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (malware-cnc.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (malware-cnc.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (malware-cnc.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)

Modified Rules:


 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)

2019-06-11 17:03:00 UTC

Snort Subscriber Rules Update

Date: 2019-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50353 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50348 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50399 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50384 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50400 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50402 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50405 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50403 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50404 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50406 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50407 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50408 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50409 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50376 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50410 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.OilRig jason bruteforcing tool download attempt (malware-tools.rules)
 * 1:50401 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50411 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50412 <-> DISABLED <-> OS-WINDOWS Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50385 <-> DISABLED <-> POLICY-OTHER Remote Command Executor remote administration tool use attempt (policy-other.rules)
 * 1:50356 <-> ENABLED <-> SERVER-MAIL Exim remote command execution attempt (server-mail.rules)
 * 1:50354 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50389 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Termite communication attempt (malware-cnc.rules)
 * 1:50415 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra authentication bypass attempt (server-webapp.rules)
 * 1:50359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50355 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50362 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50361 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50387 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt (os-windows.rules)
 * 1:50365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50366 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DComposition privilege escalation attempt (os-windows.rules)
 * 1:50367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50395 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50370 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user profile service elevation of privilege attempt (os-windows.rules)
 * 1:50371 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50372 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:50373 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50358 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50357 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50352 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff binary download attempt (malware-other.rules)
 * 1:50396 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra memory corruption attempt (browser-ie.rules)
 * 1:50393 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50391 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50397 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50388 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell communication attempt (malware-cnc.rules)
 * 1:50394 <-> DISABLED <-> FILE-PDF Microsoft Speech API remote code execution attempt (file-pdf.rules)
 * 1:50383 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50381 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50390 <-> ENABLED <-> INDICATOR-COMPROMISE SMBRelay tool use attempt (indicator-compromise.rules)
 * 1:50379 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50386 <-> ENABLED <-> MALWARE-CNC MultiOS.Backdoor.Antak webshell access attempt (malware-cnc.rules)
 * 1:50377 <-> ENABLED <-> MALWARE-OTHER Doc.Downloader.Agent variant download attempt (malware-other.rules)
 * 1:50382 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quasar variant outbound connection (malware-cnc.rules)
 * 1:50380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PlugX variant outbound connection (malware-cnc.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:50350 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50351 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Karkoff variant download attempt (malware-other.rules)
 * 1:50414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
 * 1:50398 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50375 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50349 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.DNSpionage variant download attempt (malware-other.rules)
 * 1:50374 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:37966 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:50184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:37967 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)